
Let's say I have this Dockerfile.

What would be the best way to run it as a non-privileged user on port 80 (without adding a webserver in front)?

I tried to set up this: How do I run Node.js on port 80? But I wasn't lucky; I think I don't deeply understand how this works.

Do you think there is an elegant solution to solve this issue? I'm doubtful, but hopeful :)

Pierre Ozoux
  • What exactly didn't work when using capabilities? Otherwise, what's speaking against letting Node.js listen on port 3000 and then mapping that port on port 80 on the host, using the `-p 80:3000` flag? – helmbert Jul 09 '15 at 17:08
  • I added a line with `RUN setcap cap_net_bind_service=+ep /path/to/node` as root. The process was still not able to start on port 80. From what I understand, it is because it was set during a different "session". About the port, you are right, but it is behind an SSL offloader that by default uses backends on port 80. I could change it of course, but I was just wondering how to make it work the proper way. Maybe the proper way is to have a webserver in front? – Pierre Ozoux Jul 09 '15 at 17:31
  • Usually, capabilities set with `setcap` should be persistent. Just to be sure: Did you replace `/path/to/node` with the *actual* path to Node.js in your Dockerfile? – helmbert Jul 09 '15 at 17:37
  • Yes, I did, with `/usr/local/bin/node`, which is the actual PATH shown by `which node`. – Pierre Ozoux Jul 09 '15 at 18:45

1 Answer


According to this site, https://wiki.apache.org/httpd/NonRootPortBinding, "setcap" sets the privilege to use port 80 at the kernel level. Containers run inside a namespace inside the host machine's kernel. So your tutorials only work on virtual machines and dedicated servers. You may have more success with running your Docker container at privileged level inside the host kernel:

$ docker run --privileged=true ...

Otherwise you will have to refrain from using privileged ports (< 1024). The "Docker Way" is usually to refrain from using privileged containers and solely rely on port mapping.

According to this ticket, https://github.com/docker/docker/issues/5650, setcap should generally work with Docker containers but will fail if you use the AUFS filesystem driver. This ticket is from 2014, so this may work with the latest AUFS implementation.

blacklabelops
  • Thanks for your answer! But I think it is worse to run a Docker container as privileged than using root inside Docker. The thing that is bothering me is that it is not complaining at all like in the Docker issue you point to. – Pierre Ozoux Jul 09 '15 at 18:45
  • Perhaps the setcap command can't persist the setting inside the image and must be executed at container startup inside a docker-entrypoint.sh script? – blacklabelops Jul 09 '15 at 19:54
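
To tell apart the causes raised in this thread (capability not effective, capability absent from the container's bounding set, file capability not applied on exec), the following added example, which is not code from the question or the answer, classifies a process from its `/proc/<pid>/status` text. The function names and the sample status are constructed for illustration; the port threshold is the value of the Linux sysctl `net.ipv4.ip_unprivileged_port_start`.

```shell
#!/bin/sh
# Added example (not from the thread): explain why a non-root process
# can or cannot bind a port, using /proc/<pid>/status text read on stdin.
CAP_NET_BIND_SERVICE=10   # bit number from linux/capability.h

# field NAME: print the value of "NAME:" from the status text in $status
field() {
    printf '%s\n' "$status" | awk -v k="$1:" '$1 == k { print $2 }'
}

# has_bit HEXMASK BIT: succeed if BIT is set in the capability mask
has_bit() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# bind_verdict PORT PORT_START: status text on stdin, one verdict on stdout
bind_verdict() {
    status=$(cat)
    if [ "$1" -ge "$2" ]; then
        echo "allowed: port is not privileged (ip_unprivileged_port_start=$2)"
    elif has_bit "$(field CapEff)" "$CAP_NET_BIND_SERVICE"; then
        echo "allowed: CAP_NET_BIND_SERVICE is effective"
    elif ! has_bit "$(field CapBnd)" "$CAP_NET_BIND_SERVICE"; then
        echo "blocked: capability missing from bounding set, setcap cannot add it"
    elif [ "$(field NoNewPrivs)" = "1" ]; then
        echo "blocked: no_new_privs set, file capabilities are ignored on exec"
    else
        echo "blocked: file capability not applied, check getcap on the binary and the storage driver"
    fi
}

# Constructed sample: unprivileged process whose bounding set still
# contains CAP_NET_BIND_SERVICE but whose effective set is empty.
sample_status() {
    cat <<'EOF'
Name:   node
Uid:    1000    1000    1000    1000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
NoNewPrivs:     0
EOF
}

sample_status | bind_verdict 80 1024
# Against a live process (assumes node runs as PID 1 in the container):
#   bind_verdict 80 "$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start)" < /proc/1/status
```

The last verdict is the case described in the question: the bounding set allows the capability, but the running process never received it from the binary.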