
Is there a way to start a rootless podman container with mapped privileged port (container service is exposed through host's port 1023 or lower)?

Running

$ podman run --rm -it -p 80:80 nginx:stable-alpine
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied

naturally fails because of insufficient permissions.

$ sudo capsh --caps=CAP_NET_BIND_SERVICE+eip  -- -c 'podman run --rm -it  -p 80:80 nginx:stable-alpine'

runs podman as the root user.

$ sudo capsh --caps=CAP_NET_BIND_SERVICE+eip --user=$USER -- -c 'podman run --rm -it  -p 80:80 nginx:stable-alpine'
Unable to set group list for user: Operation not permitted

fails because of su permissions.

So far I ended up with a sub-optimal solution that temporarily allows any process to bind a privileged port for a couple of seconds:

sudo sysctl net.ipv4.ip_unprivileged_port_start=80 ;\
( sleep 5 ; sudo sysctl net.ipv4.ip_unprivileged_port_start=1024 ) &\
podman run --rm -it -p 80:80 nginx:stable-alpine
muru
czerny
  • It looks like you've explored all the options: either set `net.ipv4.ip_unprivileged_port_start` to allow unprivileged processes to bind to low-numbered ports, or run `podman` with additional privileges using `capsh`. You're trying to perform a privileged operation as an unprivileged user, so you're going to need some form of privilege escalation. – larsks Oct 14 '22 at 15:29
  • It should be possible to use `setcap` to set the `CAP_NET_BIND_SERVICE` capability on the podman binary itself, but this didn't seem to work in a quick test just now. – larsks Oct 14 '22 at 18:27
  • Maybe in the future it will be possible to run an _nginx_ container with rootless Podman via _socket activation_ and a _systemd system service_ (with [`User=`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#User=)). _socket activation_ support for __docker.io/library/nginx__ will hopefully be available soon ([my PR was merged](https://github.com/nginxinc/docker-nginx/pull/703)). I don't know the current status regarding Podman support for systemd system services with `User=`. – Erik Sjölund Oct 16 '22 at 08:03
  • The container image __docker.io/library/nginx__ now supports _socket activation_. There is still no support for the systemd environment variables `LISTEN_FDS`, `LISTEN_FDNAMES`, `LISTEN_PID` but the environment variable `NGINX` lets you combine a systemd socket unit with nginx. See also my demo: https://github.com/eriksjolund/podman-nginx-socket-activation The next thing to investigate will be how to combine that with [`User=`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#User=). – Erik Sjölund Oct 23 '22 at 16:30
  • @czerny How well has your solution held up in practice? I'm facing the same problem and I'm considering using your solution. – Tenders McChiken Jun 12 '23 at 08:58
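
As an added example, not part of the question or of any comment above, the following POSIX shell wrapper tightens the asker's sysctl workaround: it lowers `net.ipv4.ip_unprivileged_port_start` only when the requested host port actually needs it, starts the container detached, polls `ss` until the port is bound, and restores the original value immediately, with a trap so the value also comes back if `podman run` fails or the script is interrupted. It assumes `sudo`, `podman` and iproute2's `ss` are available (an assumed environment, not something the question states); the `ss` output embedded in the block is constructed sample data used only to exercise the parser.

```shell
#!/bin/sh
# Added example (not from the question or its comments): wrap the asker's
# sysctl workaround so that net.ipv4.ip_unprivileged_port_start is lowered
# only until podman's rootlessport has actually bound the host port, then
# restored at once, with a trap so the original value comes back even if
# podman fails or the script is interrupted.
# Assumptions: sudo, podman and iproute2's `ss` are installed (assumed
# environment, not something the question states).
set -eu

SYSCTL_KEY=net.ipv4.ip_unprivileged_port_start

# True when binding port $1 as an unprivileged user would be refused under
# the current start value $2 (ports below the start value are privileged).
needs_sysctl_change() {
  local port=$1 start=$2
  [ "$port" -ge 1 ] && [ "$port" -lt "$start" ]
}

# Read `ss -H -ltn` output on stdin (columns: State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port ...) and succeed if some TCP listener
# is bound to port $1 on any address (0.0.0.0:80, [::]:80 or *:80).
port_is_listening() {
  local port=$1 local_addr
  while read -r _state _recvq _sendq local_addr _rest; do
    case "$local_addr" in
      *:"$port") return 0 ;;
    esac
  done
  return 1
}

# Constructed sample of `ss -H -ltn` output, used only to exercise the parser.
SAMPLE_SS_OUTPUT='LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Usage: run_with_low_port 80 nginx:stable-alpine
# Starts the container detached with -p PORT:PORT, lowers the sysctl only if
# needed, and raises it back as soon as the port is bound.
run_with_low_port() {
  local port=$1 original i
  shift
  original=$(sysctl -n "$SYSCTL_KEY")
  if ! needs_sysctl_change "$port" "$original"; then
    podman run --rm -d -p "$port:$port" "$@"
    return
  fi
  # Restore on every exit path, including Ctrl-C and a failed podman run.
  trap 'sudo sysctl -q "$SYSCTL_KEY=$original"' EXIT INT TERM
  sudo sysctl -q "$SYSCTL_KEY=$port"
  podman run --rm -d -p "$port:$port" "$@"
  # Poll up to ~5 s for the bind instead of sleeping a fixed 5 s: the window
  # in which any local user may bind ports >= $port lasts only as long as
  # the bind itself.
  i=0
  while [ "$i" -lt 50 ]; do
    if ss -H -ltn | port_is_listening "$port"; then
      break
    fi
    sleep 0.1
    i=$((i + 1))
  done
  sudo sysctl -q "$SYSCTL_KEY=$original"
  trap - EXIT INT TERM
}
```

Note that lowering the start value to 80 still lets every local unprivileged process bind any port from 80 to 1023 for as long as the value stays lowered, so shrinking that window is the only thing this wrapper buys over the original snippet. If that exposure is acceptable permanently, a drop-in under /etc/sysctl.d with the value the error message itself suggests is the simpler route; if it is not, the wrapper is a stop-gap until a capability-based or socket-activated setup is in place.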

0 Answers