hashicorp · nathancoleman · Aug 24, 2023 · Aug 11, 2023 · Aug 17, 2023 · Aug 21, 2023
@@ -0,0 +1,3 @@
+```release-note:bug
+Fix a bug where container user was unable to bind to privileged ports (< 1024). The consul-dataplane container now requires the NET_BIND_SERVICE capability.
+```
@@ -14,6 +14,20 @@ FROM envoyproxy/envoy-distroless:v1.26.4 as envoy-binary
 # TODO once hashicorp/envoy-fips:v1.26.4 is published this should be updated as well
 FROM hashicorp/envoy-fips:v1.26.2 as envoy-fips-binary
 
+# Modify the envoy binary to be able to bind to privileged ports (< 1024)
+FROM alpine:latest AS setcap
+
+ARG BIN_NAME=consul-dataplane
+ARG TARGETARCH
+ARG TARGETOS
+
+COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/
+COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/
+
+RUN apk add libcap
+RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy
+RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME
+
 # go-discover builds the discover binary (which we don't currently publish
 # either).
 FROM golang:1.20.7-alpine as go-discover
@@ -28,7 +42,8 @@ RUN apk add dumb-init
 # -----------------------------------
 FROM gcr.io/distroless/base-debian11 AS release-default
 
-ARG BIN_NAME
+ARG BIN_NAME=consul-dataplane
+ENV BIN_NAME=$BIN_NAME
 ARG PRODUCT_VERSION
 ARG PRODUCT_REVISION
 ARG PRODUCT_NAME=$BIN_NAME
@@ -45,10 +60,10 @@ LABEL name=${BIN_NAME}\
       summary="Consul dataplane manages the proxy that runs within the data plane layer of Consul Service Mesh." \
       description="Consul dataplane manages the proxy that runs within the data plane layer of Consul Service Mesh."
 
-COPY --from=go-discover /go/bin/discover /usr/local/bin/
-COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/
 COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/
-COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/
+COPY --from=go-discover /go/bin/discover /usr/local/bin/
+COPY --from=setcap /usr/local/bin/envoy /usr/local/bin/
+COPY --from=setcap /usr/local/bin/$BIN_NAME /usr/local/bin/
 
 USER 100
 
@@ -90,7 +105,7 @@ ENTRYPOINT ["/usr/local/bin/dumb-init", "/usr/local/bin/consul-dataplane"]
 # -----------------------------------
 FROM registry.access.redhat.com/ubi9-minimal:9.2 as release-ubi
 
-ARG BIN_NAME
+ARG BIN_NAME=consul-dataplane
 ENV BIN_NAME=$BIN_NAME
 ARG PRODUCT_VERSION
 ARG PRODUCT_REVISION
@@ -114,10 +129,10 @@ RUN groupadd --gid 1000 $PRODUCT_NAME && \
     adduser --uid 100 --system -g $PRODUCT_NAME $PRODUCT_NAME && \
     usermod -a -G root $PRODUCT_NAME
 
-COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/
-COPY --from=go-discover /go/bin/discover /usr/local/bin/
-COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/envoy
 COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/
+COPY --from=go-discover /go/bin/discover /usr/local/bin/
+COPY --from=setcap /usr/local/bin/envoy /usr/local/bin/
+COPY --from=setcap /usr/local/bin/$BIN_NAME /usr/local/bin/
 COPY LICENSE /licenses/copyright.txt
 
 USER 100