Why can't a rootless container listen on port 80, even with cap_net_bind_service in the bounding set? #23536
-
From this Containerfile:
The command
But I am not sure why. I was expecting cap_net_bind_service to be absent, which could explain it. But this is not the case; the capability is present. From the container:
cap_net_bind_service is present in the Bounding set. Reading this, I would expect the container to be able to
For additional investigation, the
Comparing with docker, the same command to build and run the image ends with the ability to run
Replies: 3 comments 1 reply
-
Careful: the bounding set is a set limiting the capabilities that a file can have (bound). Permitted capabilities are something different, and those are what `--cap-add "cap_net_bind_service"` adds. See also the "Capability bounding set" section in capabilities(7).
-
A rootless container and rootless user by default can only bind to containers > 1024. This is a hard rule of the OS. You can lower this boundary via a systemctl. https://github.com/containers/podman/blob/main/rootless.md
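The two replies above point at two different inputs to the kernel's decision: which capability set the process actually holds (bind(2) consults the effective set, CapEff; the bounding set, CapBnd, only caps what the process could ever gain), and the per-network-namespace threshold net.ipv4.ip_unprivileged_port_start (default 1024). The script below is an added example, not code from the discussion or from podman: it decodes the five capability masks from a /proc/<pid>/status listing and replays the bind check for port 80 at three thresholds. The status excerpt it uses is constructed, not captured from a real system, and models a container started with --cap-add net_bind_service whose process has switched to UID 101 (what a USER line in a Containerfile does): the capability survives in CapBnd but CapPrm and CapEff are empty. Run it as-is, or point it at a real process with `cat /proc/<pid>/status` in place of `sample_status`.

```shell
#!/bin/sh
# Added example, not taken from the discussion or from podman: reproduce the
# kernel's bind(2) decision for a low port from two inputs a rootless user can
# inspect without root:
#   1. the capability sets in /proc/<pid>/status (CapEff is the one bind() checks;
#      CapBnd only limits what the process could ever gain), and
#   2. net.ipv4.ip_unprivileged_port_start, which is per network namespace.

CAP_NET_BIND_SERVICE=10   # capability number from <linux/capability.h>

# cap_has MASK BIT: succeed if BIT is set in the hex MASK as printed in /proc/<pid>/status.
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_mask SET: print the hex mask of SET (CapInh/CapPrm/CapEff/CapBnd/CapAmb)
# from a /proc/<pid>/status listing supplied on stdin.
cap_mask() {
    awk -v key="$1:" '$1 == key { print $2 }'
}

# unprivileged_port_start: current threshold of this network namespace, or the
# kernel default 1024 when /proc/sys is not readable here.
unprivileged_port_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# bind_allowed PORT START STATUSFILE: succeed if a process with the capability
# sets in STATUSFILE may bind PORT when the threshold is START. This mirrors the
# kernel test: port >= threshold, or CAP_NET_BIND_SERVICE in the effective set.
bind_allowed() {
    port=$1; start=$2; status=$3
    [ "$port" -ge "$start" ] && return 0
    cap_has "$(cap_mask CapEff < "$status")" "$CAP_NET_BIND_SERVICE"
}

# sample_status: constructed /proc/<pid>/status excerpt (not captured from a real
# system) for a non-root process in a container started with --cap-add
# net_bind_service. The bounding set still lists the capability (bit 10 of
# 0x800405fb), but permitted and effective are empty because the process runs
# as UID 101, as a USER line in a Containerfile produces.
sample_status() {
    printf 'Name:\tnginx\nUid:\t101\t101\t101\t101\n'
    printf 'CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n'
    printf 'CapEff:\t0000000000000000\nCapBnd:\t00000000800405fb\n'
    printf 'CapAmb:\t0000000000000000\n'
}

STATUS=$(mktemp)
sample_status > "$STATUS"
for capset in CapBnd CapPrm CapEff; do
    if cap_has "$(cap_mask "$capset" < "$STATUS")" "$CAP_NET_BIND_SERVICE"; then
        echo "$capset: net_bind_service present"
    else
        echo "$capset: net_bind_service absent"
    fi
done
for start in 1024 80 0; do   # default threshold, lowered to 80, and disabled
    if bind_allowed 80 "$start" "$STATUS"; then
        echo "threshold $start: bind(80) allowed"
    else
        echo "threshold $start: bind(80) refused (EACCES)"
    fi
done
echo "this namespace's threshold: $(unprivileged_port_start)"
rm -f "$STATUS"
```

For the constructed sample the bind is refused at the default threshold and allowed once the threshold is at or below 80, which is the two-sided picture the replies describe: either the process must hold the capability in its effective set (run as root inside the container, or give the binary file capabilities), or the threshold must be lowered in the namespace where the bind happens. For a rootless podman container that namespace is the container's own (for example `podman run --sysctl net.ipv4.ip_unprivileged_port_start=0 ...`, assuming the sysctl is permitted for the container's network setup), while publishing `-p 80:80` additionally needs the host's threshold lowered, because the host-side listener is the user's unprivileged port-forwarding process, as rootless.md notes.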
-
I have to find out why docker doesn't have the same behavior. But all your explanations answered my original question. Thanks