Run app inside docker container as non-root user with capabilities

I tried to run a simple Python UDP echo-server listening on port 507 inside a Docker container that uses a non-root user. The Dockerfile looks like this:

FROM docker.io/centos

# ping/ip tools for debugging inside the container
RUN yum -y install iputils iproute
COPY echo-server.py /tmp/
# drop to an unprivileged uid before the entrypoint runs
USER 1000
CMD ["python", "/tmp/echo-server.py"]

Since 507 is a well-known port, I also added the capability NET_BIND_SERVICE when issuing docker run but I still get an error:

# docker run --cap-add=NET_BIND_SERVICE 4d1c2301b166
Traceback (most recent call last):
  File "/tmp/echo-server.py", line 12, in <module>
    s.bind(('', port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 13] Permission denied

When inspecting the capabilities I could see that the effective capabilities are not set when using a non-root user.

[root@srv-tcn-01 ha-service]# docker run --cap-add=NET_BIND_SERVICE 4d1c2301b166 grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb

Does anyone know how to run a program in a Docker container with a non-root user and certain capabilities?

Tyrannicide answered 9/9, 2016 at 9:12 (2 comments)
No, if the thread has the NET_BIND_SERVICE capability, it does not have to run as root to bind well-known ports. See man7.org/linux/man-pages/man7/capabilities.7.html (Tyrannicide)
Just wondering here, what happens if you use port 8080? I wonder if NET_BIND_SERVICE does not pass into the user in the container and thus the process is denied the ability to use port < 1024. (Ment)
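The four hex masks printed by `grep Cap /proc/self/status` above are bitmaps indexed by the capability numbers from <linux/capability.h> (CAP_NET_BIND_SERVICE is bit 10). The following decoder is an added example, not code from the question or its answers; it parses that output and reports whether a capability is actually effective for the process, using the question's own numbers as constructed sample input.

```python
"""Decode CapInh/CapPrm/CapEff/CapBnd lines from /proc/<pid>/status."""
import re

# Capability names in kernel bit order; list index == bit position.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

def decode_mask(hex_mask):
    """Return the set of capability names whose bit is set in the hex mask."""
    value = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if value >> bit & 1}

def parse_cap_status(status_text):
    """Parse 'CapXxx:<ws><hex>' lines (tab or space separated) into name sets."""
    return {key: decode_mask(mask)
            for key, mask in re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)$",
                                        status_text, re.M)}

def diagnose(sets, cap="net_bind_service"):
    """Say whether `cap` is usable right now, and if not, which set is missing it."""
    if cap in sets.get("CapEff", set()):
        return "effective: the kernel will honour it"
    if cap in sets.get("CapBnd", set()) and cap in sets.get("CapInh", set()):
        return ("inheritable+bounding only: permitted/effective are empty, "
                "so a non-root uid cannot use it until something raises it")
    return "absent from the bounding set: cannot be gained in this container"

# Constructed sample: the exact masks shown in the question above.
SAMPLE = ("CapInh:\t00000000a80425fb\nCapPrm:\t0000000000000000\n"
          "CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n")

if __name__ == "__main__":
    sets = parse_cap_status(SAMPLE)
    print(sorted(sets["CapInh"]))   # Docker's default 14 caps, incl. net_bind_service
    print(diagnose(sets))
```

Run it against real output with `grep Cap /proc/self/status | python3 -c 'import sys, decoder; print(decoder.diagnose(decoder.parse_cap_status(sys.stdin.read())))'` (module name assumed) to see which set is dropping the capability.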
