
Short version:

I can bind to port 80 inside a docker container while running as a non-root user. Please explain.

Long version:

I’m newish to docker, but have a lot of experience otherwise. Everything is making sense to me except this behavior.

I’ve tried with both the Google centos base image, and the latest docker ubuntu image.

I build a docker image off those bases with the following Dockerfile:

FROM marketplace.gcr.io/google/centos7

# or for ubuntu
# FROM ubuntu
# RUN apt-get update -y && apt-get install -y python

RUN groupadd -g 1000 container && useradd -r -u 1000 -g container container
USER container

Great. Then I build and run it with docker run --rm -it <img_name>, and now I’m in the container with whoami returning "container". I don’t have root privileges. touch /root/foo fails with access denied.

Ok, cool. Non-root user, running without root privileges. I can’t sudo. I can’t su root. Just like I expect.

Then I run:

python -m SimpleHTTPServer 80, and it happily binds to port 80. I can run curl localhost inside the container and I get a response.

What’s going on? What am I missing?

Thanks for any help.

I’m running Docker for Mac if it matters. I don’t expect it does. (I expected wrong.)


Answers


  1. I just tried this with the ubuntu:18.04 image on a Linux host and it fails to bind to port 80.
    I repeated this on a Mac, and the same thing that is happening to you happened there.

    Now, on the Mac you CAN bind to lower ports as a non-root user (just try running python -m SimpleHTTPServer 80 as your login user), so maybe this is normal on the Mac.

  2. This behavior was added in 20.3.0 by changing the value of net.ipv4.ip_unprivileged_port_start inside the network namespace to be 0, effectively making all ports unprivileged. Since containers typically run a single app, there’s little value to restricting that app to only listen on privileged ports like you would want on a multi-user host.

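The two checks a practitioner would run inside the container to tell these cases apart, as an added example that is not part of either answer: read the namespaced sysctl net.ipv4.ip_unprivileged_port_start (0 means no port is privileged in this network namespace), and decode bit 10 of the CapEff mask in /proc/self/status to see whether the process actually holds CAP_NET_BIND_SERVICE. The function names and the sample CapEff values are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Run it inside the container
# (e.g. as the non-root "container" user from the Dockerfile above) to see why a
# bind to port 80 succeeded.

# port_is_privileged PORT [START]
# True (exit 0) when PORT is below the unprivileged-port boundary, i.e. a process
# needs CAP_NET_BIND_SERVICE to bind it. START defaults to the live value of the
# sysctl; when /proc is unavailable it falls back to the classic 1024.
port_is_privileged() {
    port=$1
    start=${2:-$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)}
    [ "$port" -lt "$start" ]
}

# has_cap_net_bind_service [CAPEFF_HEX]
# CAPEFF_HEX is the hex value from the "CapEff:" line of /proc/self/status
# (read live when omitted). CAP_NET_BIND_SERVICE is capability number 10,
# so the test is bit 10, mask 0x400.
has_cap_net_bind_service() {
    capeff=${1:-$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || echo 0)}
    [ -n "$capeff" ] || capeff=0
    [ $(( 0x$capeff & 0x400 )) -ne 0 ]
}

# explain_bind PORT START CAPEFF_HEX
# Prints one line saying which mechanism would let a bind to PORT succeed.
explain_bind() {
    if ! port_is_privileged "$1" "$2"; then
        echo "port $1 is unprivileged here (ip_unprivileged_port_start=$2): no capability needed"
    elif has_cap_net_bind_service "$3"; then
        echo "port $1 is privileged, but CapEff=$3 includes CAP_NET_BIND_SERVICE"
    else
        echo "port $1 is privileged and CapEff=$3 lacks CAP_NET_BIND_SERVICE: bind would fail"
    fi
}

# Live report for the current process.
live_start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)
live_capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || echo 0)
[ -n "$live_capeff" ] || live_capeff=0
echo "uid=$(id -u) ip_unprivileged_port_start=$live_start CapEff=$live_capeff"
explain_bind 80 "$live_start" "$live_capeff"
```

To get the host-style boundary back for a container, override the namespaced sysctl at run time: docker run --rm -it --sysctl net.ipv4.ip_unprivileged_port_start=1024 <img_name>. With that setting the same non-root python -m SimpleHTTPServer 80 fails with a permission error, and the second check (CapEff) becomes the one that matters.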