Docker privileged / capabilities not working with non-root user #38664

Closed
Cherry opened this issue Jan 31, 2019 · 6 comments · Fixed by #41030
Comments

@Cherry

Cherry commented Jan 31, 2019

We're attempting to use the NET_BIND_SERVICE capability to allow non-root users to bind to port 80, and others.

We're using a basic image from https://github.com/jwilder/whoami, which is a simple HTTP server in Go for demonstration purposes. The Dockerfile can be found here: https://github.com/jwilder/whoami/blob/master/Dockerfile.

The specific command we're using is the following:
docker run --rm -it --user 5010:5010 -e PORT=80 --cap-add NET_BIND_SERVICE jwilder/whoami

Running solely this command will replicate the issue as described below.

We've tested running this on CentOS 7, and Ubuntu 16, both resulting in a listen tcp :80: bind: permission denied error, when we'd expect this to work. Example docker version output:

Client:
 Version:           18.09.1
 API version:       1.39
 Go version:        go1.10.6
 Git commit:        4c52b90
 Built:             Wed Jan  9 19:35:01 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.1
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       4c52b90
  Built:            Wed Jan  9 19:06:30 2019
  OS/Arch:          linux/amd64
  Experimental:     false

If we manually use setcap on the process, we're able to get this working as follows, but we believe this shouldn't be required:

# this `docker run` command works with or without `--cap-add NET_BIND_SERVICE` - it seems to have no effect at all
docker run --rm -i -e PORT=80 --cap-add NET_BIND_SERVICE jwilder/whoami
# inside container
adduser -D test
apk add --update --no-cache libcap
setcap cap_net_bind_service=+ep /app/http
su test
PORT=80 /app/http

Are we missing something with the capabilities, or is this an issue?

@thaJeztah
Member

@tianon - IIRC you looked into something similar at some point

@tianon
Member

tianon commented Feb 4, 2019

Yep, that'd be #8460, which includes some discussion around this and "ambient capabilities" which is what I understand this cap-based solution requires.

My personal preference is for the sysctl referenced in that thread since we're in a network namespace anyhow so "privileged ports" really is pretty meaningless.

@Cherry
Author

Cherry commented Feb 4, 2019

The suggested sysctl flag in #8460 results in

docker run --rm -it --user 5010:5010 -e PORT=80 --cap-add NET_BIND_SERVICE --sysctl net.ipv4.ip_unprivileged_port_start=0 jwilder/whoami

docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "process_linux.go:424: container init caused \"write sysctl key net.ipv4.ip_unprivileged_port_start: open /proc/sys/net/ipv4/ip_unprivileged_port_start: no such file or directory\"": unknown.

Kernel version: 4.4.0-141-generic.
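The following is an added diagnostic, not code from this issue or from jwilder/whoami. It shows why `--cap-add NET_BIND_SERVICE` combined with `--user` fails while the `setcap` workaround above succeeds, and why the `--sysctl net.ipv4.ip_unprivileged_port_start=0` route needs a kernel that has that sysctl: a capability granted with `--cap-add` lands in the bounding set, but when the runtime switches to a non-zero uid and exec's the binary, the permitted and effective sets end up empty unless the file carries capabilities (`setcap`) or the capability sits in the ambient set. The program parses the `Cap*` lines of `/proc/<pid>/status`, reads `net.ipv4.ip_unprivileged_port_start` (falling back to the historical 1024 when the file is absent, as on the 4.4 kernel reported here), and reports which case applies. The two embedded status texts are constructed samples, not captures from a real container; the `CapBnd` value is a mask in which bit 10 (`CAP_NET_BIND_SERVICE`) is set, chosen to resemble a Docker default bounding set.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capNetBindService is the capability number of CAP_NET_BIND_SERVICE (see capabilities(7)).
const capNetBindService = 10

// capSets holds the five capability masks the kernel reports in /proc/<pid>/status.
type capSets struct {
	Inh, Prm, Eff, Bnd, Amb uint64
}

// parseCapStatus extracts the CapInh/CapPrm/CapEff/CapBnd/CapAmb masks from status text.
func parseCapStatus(status string) (capSets, error) {
	var cs capSets
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || !strings.HasPrefix(fields[0], "Cap") {
			continue
		}
		v, err := strconv.ParseUint(fields[1], 16, 64)
		if err != nil {
			return cs, fmt.Errorf("bad mask on %q: %w", fields[0], err)
		}
		switch fields[0] {
		case "CapInh:":
			cs.Inh = v
		case "CapPrm:":
			cs.Prm = v
		case "CapEff:":
			cs.Eff = v
		case "CapBnd:":
			cs.Bnd = v
		case "CapAmb:":
			cs.Amb = v
		}
	}
	return cs, sc.Err()
}

// hasCap reports whether capability number c is set in mask.
func hasCap(mask uint64, c uint) bool { return mask&(uint64(1)<<c) != 0 }

// Possible outcomes of bindDiagnosis.
const (
	reasonUnprivilegedPort = "port is not privileged: no capability needed"
	reasonEffective        = "CAP_NET_BIND_SERVICE is effective: bind succeeds"
	reasonPermittedOnly    = "CAP_NET_BIND_SERVICE is permitted but not effective: the process must raise it"
	reasonBoundingOnly     = "CAP_NET_BIND_SERVICE is only in the bounding set: lost on uid change/execve, needs file caps (setcap) or the ambient set"
	reasonNotInBounding    = "CAP_NET_BIND_SERVICE is not in the bounding set: never granted (--cap-add)"
)

// bindDiagnosis explains whether bind(2) on port passes the privileged-port check for a
// process with capability sets cs, given the net.ipv4.ip_unprivileged_port_start value.
func bindDiagnosis(cs capSets, port, unprivPortStart int) string {
	switch {
	case port >= unprivPortStart:
		return reasonUnprivilegedPort
	case hasCap(cs.Eff, capNetBindService):
		return reasonEffective
	case hasCap(cs.Prm, capNetBindService):
		return reasonPermittedOnly
	case hasCap(cs.Bnd, capNetBindService):
		return reasonBoundingOnly
	default:
		return reasonNotInBounding
	}
}

// readUnprivPortStart returns net.ipv4.ip_unprivileged_port_start, or 1024 (the fixed
// boundary on kernels that do not expose the sysctl, as in this issue) when unreadable.
func readUnprivPortStart() int {
	b, err := os.ReadFile("/proc/sys/net/ipv4/ip_unprivileged_port_start")
	if err != nil {
		return 1024
	}
	n, err := strconv.Atoi(strings.TrimSpace(string(b)))
	if err != nil {
		return 1024
	}
	return n
}

// Constructed sample: non-root user started with --user and --cap-add, no file caps.
const sampleUserStatus = "Name:\thttp\nUid:\t5010\t5010\t5010\t5010\n" +
	"CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n" +
	"CapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"

// Constructed sample: the setcap workaround (cap_net_bind_service=+ep on the binary).
const sampleSetcapStatus = "Name:\thttp\nUid:\t1000\t1000\t1000\t1000\n" +
	"CapInh:\t0000000000000000\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n" +
	"CapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"

func main() {
	b, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read /proc/self/status:", err)
		os.Exit(1)
	}
	cs, err := parseCapStatus(string(b))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	port := 80
	if n, err := strconv.Atoi(os.Getenv("PORT")); err == nil {
		port = n
	}
	fmt.Printf("CapPrm=%016x CapEff=%016x CapBnd=%016x CapAmb=%016x\n", cs.Prm, cs.Eff, cs.Bnd, cs.Amb)
	fmt.Println(bindDiagnosis(cs, port, readUnprivPortStart()))
}
```

Run it inside the container in place of the HTTP server (for instance `docker run --rm --user 5010:5010 -e PORT=80 --cap-add NET_BIND_SERVICE <image-with-this-binary>`) and compare the printed masks: the `--user` case shows `CapEff=0` with bit 10 only in `CapBnd`, which is exactly the "bounding set only" outcome, while the `setcap` case shows bit 10 in both `CapPrm` and `CapEff`.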

@tianon
Member

tianon commented Feb 4, 2019 via email

@php-coder

As #41030 has been merged and #8460 was resolved, this one can be closed also.

@thaJeztah
Member

Yes, looks like we should close this one. I don't think there's much more we can do for older kernels.
