Dockerfile: add CAP_NET_BIND_SERVICE+eip to fabio to allow running as root by Kamilcuk · Pull Request #938 · fabiolb/fabio

Kamilcuk · 2023-09-07T09:53:50Z

Without the change, the following fails:

$ docker build -t myfabio . && docker run -e CONSUL_HTTP_ADDR=$CONSUL_HTTP_ADDR -e CONSUL_HTTP_AUTH=$CONSUL_HTTP_AUTH --rm -u nobody:nobody --network=host myfabio -registry.consul.addr=http://192.168.40.1:8500 -proxy.addr=0.0.0.0:80
[+] Building 37.2s (23/23) FINISHED                                                                                        docker:default
.....
2023/09/07 09:52:45 [FATAL] listen: Fail to listen. listen tcp 0.0.0.0:80: bind: permission denied
.....

After the change, it works. This is the only change needed to run fabio as non-root. System administrator can choose the user with docker options.

Related: #369 marco-m@c0391d2 #851

tristanmorgan

Looks good to me.

tristanmorgan · 2024-09-03T00:30:18Z

@Kamilcuk can you do a quick rebase, just realised vendoring changes in #951 made this conflict.

aaronhurt · 2024-09-03T02:54:22Z

If your using setcap shouldn’t you be running as non-root? The root user already has permissions.

tristanmorgan · 2024-09-03T04:00:16Z

if you add a USER nobody then also ADD --chown=nobody:nogroup fabio.properties /etc/fabio/fabio.properties or fabio can't read the config.

tristanmorgan · 2024-09-03T23:33:12Z

Sorry @Kamilcuk, can I ask for the changes to be limited to just one feature?
Upgrades to the go toolchain needs to be done in many places like the workflows files so should be a separate (and welcome) PR.

aaronhurt · 2024-09-03T23:49:47Z

This information is already in the docs as well: https://fabiolb.net/faq/binding-to-low-ports/

Kamilcuk · 2024-09-04T06:37:32Z

Hi, I am sorry. Should be ok now. I blame my headache.

tristanmorgan

Testing before this change:

$ docker run --rm -it -p 80:80 -u nobody:nogroup --network=host -v ${PWD}/fabio.properties:/etc/fabio/fabio.properties -e FABIO_proxy_addr=":80;proto=http" -e FABIO_registry_consul_addr=${CONSUL_HTTP_ADDR} fabio:before
....
2024/09/04 23:19:28 [FATAL] listen: Fail to listen. listen tcp :80: bind: permission denied

and after changes applied (and dropping the -v parameter too) the listener succeeds.

tristanmorgan · 2024-09-10T00:49:03Z

related #378

tristanmorgan previously approved these changes Sep 3, 2024

View reviewed changes

tristanmorgan self-requested a review September 3, 2024 03:59

Kamilcuk dismissed tristanmorgan’s stale review via 8ac6e18 September 3, 2024 08:10

Kamilcuk force-pushed the my/fix-docker-non-root branch 2 times, most recently from 8ac6e18 to 59d773a Compare September 3, 2024 08:10

aaronhurt reviewed Sep 3, 2024

View reviewed changes

Comment thread Dockerfile Outdated

aaronhurt reviewed Sep 3, 2024

View reviewed changes

Comment thread Dockerfile Outdated

Kamilcuk force-pushed the my/fix-docker-non-root branch from 59d773a to 3b58d7e Compare September 4, 2024 06:10

Kamilcuk added 2 commits September 4, 2024 08:14

Dockerfile: add CAP_NET_BIND_SERVICE+eip to fabio as non root

3a86799

Dockerfile: set user nobody:nogroup

d0058a6

Kamilcuk force-pushed the my/fix-docker-non-root branch from 3b58d7e to d0058a6 Compare September 4, 2024 06:34

tristanmorgan approved these changes Sep 4, 2024

View reviewed changes

tristanmorgan merged commit fbd256f into fabiolb:master Sep 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dockerfile: add CAP_NET_BIND_SERVICE+eip to fabio to allow running as root#938

Dockerfile: add CAP_NET_BIND_SERVICE+eip to fabio to allow running as root#938
tristanmorgan merged 2 commits into
fabiolb:masterfrom
Kamilcuk:my/fix-docker-non-root

Kamilcuk commented Sep 7, 2023 •

edited

Loading

Uh oh!

tristanmorgan left a comment

Uh oh!

tristanmorgan commented Sep 3, 2024

Uh oh!

aaronhurt commented Sep 3, 2024

Uh oh!

tristanmorgan commented Sep 3, 2024

Uh oh!

tristanmorgan commented Sep 3, 2024

Uh oh!

Uh oh!

Uh oh!

aaronhurt commented Sep 3, 2024

Uh oh!

Kamilcuk commented Sep 4, 2024 •

edited

Loading

Uh oh!

tristanmorgan left a comment

Uh oh!

tristanmorgan commented Sep 10, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Kamilcuk commented Sep 7, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tristanmorgan left a comment

Choose a reason for hiding this comment

Uh oh!

tristanmorgan commented Sep 3, 2024

Uh oh!

aaronhurt commented Sep 3, 2024

Uh oh!

tristanmorgan commented Sep 3, 2024

Uh oh!

tristanmorgan commented Sep 3, 2024

Uh oh!

Uh oh!

Uh oh!

aaronhurt commented Sep 3, 2024

Uh oh!

Kamilcuk commented Sep 4, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tristanmorgan left a comment

Choose a reason for hiding this comment

Uh oh!

tristanmorgan commented Sep 10, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Kamilcuk commented Sep 7, 2023 •

edited

Loading

Kamilcuk commented Sep 4, 2024 •

edited

Loading