
Dockerfile: add CAP_NET_BIND_SERVICE+eip to fabio to allow running as root #938

Merged
merged 2 commits into from
Sep 4, 2024

Conversation

Kamilcuk
Contributor

@Kamilcuk Kamilcuk commented Sep 7, 2023

Without the change, the following fails:

$ docker build -t myfabio . && docker run -e CONSUL_HTTP_ADDR=$CONSUL_HTTP_ADDR -e CONSUL_HTTP_AUTH=$CONSUL_HTTP_AUTH --rm -u nobody:nobody --network=host myfabio -registry.consul.addr=http://192.168.40.1:8500 -proxy.addr=0.0.0.0:80
[+] Building 37.2s (23/23) FINISHED                                                                                        docker:default
.....
2023/09/07 09:52:45 [FATAL] listen: Fail to listen. listen tcp 0.0.0.0:80: bind: permission denied
.....

After the change, it works. This is the only change needed to run fabio as non-root. The system administrator can choose the user with docker options.

Related: #369 marco-m@c0391d2 #851

tristanmorgan
tristanmorgan previously approved these changes Sep 3, 2024
Member

@tristanmorgan tristanmorgan left a comment


Looks good to me.

@tristanmorgan
Member

@Kamilcuk can you do a quick rebase, just realised vendoring changes in #951 made this conflict.

@aaronhurt
Member

If you're using setcap, shouldn't you be running as non-root? The root user already has permissions.

@tristanmorgan tristanmorgan self-requested a review September 3, 2024 03:59
@tristanmorgan
Member

If you add a USER nobody then also ADD --chown=nobody:nogroup fabio.properties /etc/fabio/fabio.properties, or fabio can't read the config.

@Kamilcuk Kamilcuk force-pushed the my/fix-docker-non-root branch 2 times, most recently from 8ac6e18 to 59d773a Compare September 3, 2024 08:10
@tristanmorgan
Member

Sorry @Kamilcuk, can I ask for the changes to be limited to just one feature?
Upgrades to the go toolchain need to be done in many places, like the workflow files, so that should be a separate (and welcome) PR.

@aaronhurt
Member

This information is already in the docs as well: https://fabiolb.net/faq/binding-to-low-ports/

@Kamilcuk Kamilcuk force-pushed the my/fix-docker-non-root branch from 59d773a to 3b58d7e Compare September 4, 2024 06:10
@Kamilcuk Kamilcuk force-pushed the my/fix-docker-non-root branch from 3b58d7e to d0058a6 Compare September 4, 2024 06:34
@Kamilcuk
Contributor Author

Kamilcuk commented Sep 4, 2024

Hi, I am sorry. Should be ok now. I blame my headache.


@tristanmorgan tristanmorgan left a comment


Testing before this change:

$ docker run --rm -it -p 80:80 -u nobody:nogroup --network=host -v ${PWD}/fabio.properties:/etc/fabio/fabio.properties -e FABIO_proxy_addr=":80;proto=http" -e FABIO_registry_consul_addr=${CONSUL_HTTP_ADDR} fabio:before
....
2024/09/04 23:19:28 [FATAL] listen: Fail to listen. listen tcp :80: bind: permission denied

and after the changes are applied (dropping the -v parameter too) the listener succeeds.
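The failure in the PR description and the review above both come down to one rule: on Linux, binding a port below 1024 needs either uid 0 or CAP_NET_BIND_SERVICE, and a file capability only helps if it lands in both the effective and permitted sets. The script below is an added example, not code from the fabio project or from this PR. It gives an operator a pre-flight check for the non-root setup discussed here: it decides whether a given port/uid combination needs the capability, parses a `getcap` output line to confirm `cap_net_bind_service` is present with `e` and `p`, and emits the Dockerfile lines the thread describes (setcap on the binary, the `--chown` from the review note, then `USER nobody`). The binary path `/usr/bin/fabio`, the function names, and the sample `getcap` lines in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not fabio project code. Pre-flight helpers for running a
# service as a non-root user on a privileged port inside a container.

# Ports below 1024 are privileged on Linux: binding one needs uid 0 or
# CAP_NET_BIND_SERVICE. Returns 0 (true) when the capability is required.
needs_bind_capability() {
  # $1 = listen port, $2 = numeric uid the process will run as
  [ "$1" -lt 1024 ] && [ "$2" -ne 0 ]
}

# Parse one line of `getcap` output and report whether cap_net_bind_service
# is present in both the effective (e) and permitted (p) sets. Both output
# styles are handled (assumed sample lines):
#   "/usr/bin/fabio = cap_net_bind_service+eip"   (older libcap)
#   "/usr/bin/fabio cap_net_bind_service=ep"      (newer libcap)
# A capability that is only permitted (e.g. "=p") is not enough for a
# program that never raises it itself, so that case returns 1.
has_net_bind_service() {
  caps=$(printf '%s\n' "$1" |
    sed -n 's/.*cap_net_bind_service[^=+]*[=+]\([a-z]*\).*/\1/p')
  [ -n "$caps" ] || return 1
  case "$caps" in *e*) ;; *) return 1 ;; esac
  case "$caps" in *p*) ;; *) return 1 ;; esac
  return 0
}

# Combine the two checks into a one-line verdict an operator can act on.
# $1 = port, $2 = uid, $3 = getcap output line for the binary
preflight() {
  if ! needs_bind_capability "$1" "$2"; then
    echo "ok: no capability needed (port $1, uid $2)"
  elif has_net_bind_service "$3"; then
    echo "ok: CAP_NET_BIND_SERVICE present in e+p sets"
  else
    echo "fail: uid $2 cannot bind port $1 without CAP_NET_BIND_SERVICE"
  fi
}

# Emit the Dockerfile fragment this thread converges on: grant the file
# capability at build time, make the config readable by the runtime user,
# then drop to that user. The binary path is an assumption; override with $1.
# Assumes the image has the libcap tools that provide setcap.
dockerfile_fragment() {
  bin=${1:-/usr/bin/fabio}
  cat <<EOF
RUN setcap 'cap_net_bind_service+eip' $bin
ADD --chown=nobody:nogroup fabio.properties /etc/fabio/fabio.properties
USER nobody
EOF
}

# Stand-alone usage with constructed inputs (uid 65534 is nobody on most
# distributions; the getcap line is a constructed sample).
preflight 80 65534 '/usr/bin/fabio cap_net_bind_service=ep'
preflight 80 65534 '/usr/bin/fabio cap_net_bind_service=p'
dockerfile_fragment
```

Two caveats worth keeping in mind when using this: the file capability is read from the filesystem at exec time, so it is lost if the binary is copied onto a filesystem that drops extended attributes, and it can only be gained if the container's bounding set still contains NET_BIND_SERVICE (running with `--cap-drop=ALL` or `--cap-drop=NET_BIND_SERVICE` makes the `setcap` change ineffective). Re-running `getcap` inside the built image is the quickest way to confirm the first point.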

@tristanmorgan tristanmorgan merged commit fbd256f into fabiolb:master Sep 4, 2024
2 checks passed
@tristanmorgan
Member

related #378
