Short version:
I can bind to port 80 inside a docker container while running as a non-root user. Please explain.
Long version:
I’m newish to docker, but have a lot of experience otherwise. Everything is making sense to me except this behavior.
I’ve tried with both the Google centos base image, and the latest docker ubuntu image.
I build a docker image off those bases with the following Dockerfile:

```dockerfile
FROM marketplace.gcr.io/google/centos7
# or for ubuntu
# FROM ubuntu
# RUN apt-get update -y && apt-get install -y python
RUN groupadd -g 1000 container && useradd -r -u 1000 -g container container
USER container
```
Great. Then I build and run it with `docker run --rm -it <img_name>`, and now I’m in the container with `whoami` returning "container". I don’t have root privileges. `touch /root/foo` fails with access denied.

Ok, cool. Non-root user, running without root privileges. I can’t `sudo`. I can’t `su root`. Just like I expect.

Then I run:

`python -m SimpleHTTPServer 80`

and it happily binds to port 80. I can run `curl localhost` inside the container and I get a response.

What’s going on? What am I missing?
Thanks for any help.
I’m running Docker for Mac if it matters. I don’t expect it does. (I expected wrong.)
2 Answers
I just tried this with ubuntu:18.04 image on Linux Host and it fails to bind to port 80.

I repeated on a Mac and the same that is happening to you happened there.

Now on the Mac you CAN bind to lower ports with non root user (just try running `python -m SimpleHTTPServer 80` as your login user). So maybe this is normal on the Mac.

This behavior was added in 20.3.0 by changing the value of `net.ipv4.ip_unprivileged_port_start` inside the network namespace to be 0, effectively making all ports unprivileged. Since containers typically run a single app, there’s little value to restricting that app to only listen on privileged ports like you would want on a multi-user host.