Permission denied on port 80 #55

Closed
FlorentTorregrosa opened this issue Aug 19, 2022 · 20 comments

@FlorentTorregrosa

Hello,

This is a follow-up of #42 .

The command docker run -it --rm -u varnish varnish -a http=:8080,HTTP -n /tmp/varnish_workdir from comment #42 (comment) is not working.

Still getting:

Error: Could not get socket :80: Permission denied
(-? gives usage)

In my Docker compose file, I tried to override the default command providing options, to not have to override the entrypoint entirely:

    command: "-p default_ttl=3600 -p default_grace=3600 -p default_keep=0 -a http=:8080,HTTP -n /tmp/varnish_workdir"

But it does not override the -a http=:80,HTTP of the default entrypoint.

As a workaround I will add:

    user: root

in my Docker compose.

But I think a long-term solution would be to change the default port as initially requested in the referenced issue, or to put the HTTP and PROXY ports inside environment variables so they can easily be overridden.

Thanks for the reply.

@gquintard
Collaborator

hum, indeed, looks like naming ports isn't enough. I need to investigate a bit on this, as I was convinced naming the port would override it.

Thanks for the report, I'll look into it

@gquintard
Collaborator

Hi,

So, I'm still at a loss about why you can't use privileged ports and I can, but yeah, we need to do something about this.

I'm very reluctant to change the default ports as this will break a lot of setups. However, we can introduce VARNISH_HTTP_PORT and VARNISH_PROXY_PORT that will default to 80 and 8443 respectively.

Since the next release is getting close (September 15th), that will go into that one, to avoid any surprises.

Objections?

@FlorentTorregrosa
Author

Hi,

Yes, go for the environment variables, in a follow-up issue? That would keep this one open until it is found why there is this privilege problem.

Even without permission problem, being able to control the ports with environment variables will be useful for other cases I think.

@alexfd

alexfd commented Sep 5, 2022

@gquintard can you let us know how you are starting it?
I'm doing this and I can confirm I'm getting the same permission error:

varnish:6.3 - works

root@ub18:/home/alex/varnish# ls
default.vcl  Dockerfile

root@ub18:/home/alex/varnish# cat Dockerfile
FROM varnish:6.3
COPY default.vcl /etc/varnish/

root@ub18:/home/alex/varnish# docker run -it --rm 4af63ac861b8  whoami
root

root@ub18:/home/alex/varnish# docker run -d --rm 4af63ac861b8
root@ub18:/home/alex/varnish# docker ps
CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS              PORTS               NAMES
41c778622f74        4af63ac861b8           "docker-varnish-entr…"   5 seconds ago       Up 4 seconds        80/tcp              distracted_lewin

varnish:7.1.1 - doesn't work

root@ub18:/home/alex/varnish# cat Dockerfile
FROM varnish:7.1.1
COPY default.vcl /etc/varnish/

root@ub18:/home/alex/varnish# docker run -it --rm 9d5496b496f3 whoami
varnish

root@ub18:/home/alex/varnish# docker run -d 9d5496b496f3
root@ub18:/home/alex/varnish# docker ps -a
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS                    PORTS               NAMES
a2086251dbc5        9d5496b496f3             "/usr/local/bin/dock…"   2 seconds ago       Exited (2) 1 second ago                       exciting_chatterjee

root@ub18:/home/alex/varnish# docker run -it --rm 9d5496b496f3 bash
varnish@34fdc6a5d44c:/etc/varnish$ /usr/local/bin/docker-varnish-entrypoint
Error: Could not get socket :80: Permission denied
(-? gives usage)

@gquintard
Collaborator

@alexfd, I'm just pulling to make sure I have the latest image, then run:

$docker pull varnish:7.1.1
$docker run --rm varnish:7.1.1
Debug: Version: varnish-7.1.1 revision 7cee1c581bead20e88d101ab3d72afb29f14d87a
Debug: Platform: Linux,5.18.10-arch1-1,x86_64,-jnone,-smalloc,-sdefault,-hcritbit
Debug: Child (20) Started
Child launched OK
Info: Child (20) said Child starts

and explicitly using the entrypoint script works too:

$ docker run --rm -it varnish:7.1.1 bash
varnish@bbf9f531fef1:/etc/varnish$ /usr/local/bin/docker-varnish-entrypoint
Debug: Version: varnish-7.1.1 revision 7cee1c581bead20e88d101ab3d72afb29f14d87a
Debug: Platform: Linux,5.18.10-arch1-1,x86_64,-jnone,-smalloc,-sdefault,-hcritbit
Debug: Child (21) Started
Child launched OK
Info: Child (21) said Child starts

@alexfd

alexfd commented Sep 5, 2022

so weird, copy pasted from above:

root@ub18:/home/alex# docker pull varnish:7.1.1
7.1.1: Pulling from library/varnish
Digest: sha256:cf26c90c2fa455baa6dd9747c953bb21be61cc2a343618932ac33bef0babb4e4
Status: Image is up to date for varnish:7.1.1
docker.io/library/varnish:7.1.1

root@ub18:/home/alex# docker run --rm varnish:7.1.1
Error: Could not get socket :80: Permission denied

I wonder if this is a docker version related thing.

@gquintard
Collaborator

could be, what's your version? I'm on 20.10.12 (ubuntu:jelly) and 20.10.17 (arch). Config files are empty/absent

@alexfd

alexfd commented Sep 6, 2022

yes, it is a version thing.
I'm on 19.03.6 and it doesn't work. Updated to 20.10.17 and it works.
Problem is this doesn't want to run on AWS EKS, admittedly one version behind the latest, so I'll try updating that too.

@gquintard
Collaborator

gquintard commented Sep 6, 2022 via email

@galenhuntington

I don't understand the rationale for the change from #42 (9bbe2f3), but after struggling with this (and before finding this issue), I tried adding the last line here:

FROM varnish:7.1.1-alpine
COPY default.vcl /etc/varnish/
USER root

With this change, everything is working again for me (after upgrading from 7.0.0). I don't know if this is the "right" solution but I mention it here in case it helps anyone. I am running on AWS ECS.

@gquintard
Collaborator

@galenhuntington, usually containers try to run as an unprivileged user to reduce security risk, but at the same time, since Varnish is a server, it makes sense for it to listen on port 80.

On old docker versions, you can't have an unprivileged user listening to ports under 1024. So for those cases, you can either change the port or run as root to fix the issue.

Hope that helps
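
The two kernel checks behind the "Could not get socket :80: Permission denied" error can be inspected from inside the container. The script below is an added example, not part of the varnish/docker-varnish image or of any comment in this thread. It reads net.ipv4.ip_unprivileged_port_start (Linux default 1024; ports below it need CAP_NET_BIND_SERVICE) and the effective capability mask of the current process (CapEff in /proc/self/status, where CAP_NET_BIND_SERVICE is bit 10), and reports whether a bind to the given port would pass. The port defaults to 80 and the /proc paths are the standard Linux ones; nothing is actually bound.

```shell
#!/bin/sh
# Added example (not part of the varnish/docker-varnish image or of this thread):
# explain why an unprivileged process inside a container cannot bind a port
# below 1024. Two kernel checks decide the outcome:
#   1. net.ipv4.ip_unprivileged_port_start (Linux default 1024): any port below
#      this value needs CAP_NET_BIND_SERVICE; at 0 every port is unprivileged.
#   2. CAP_NET_BIND_SERVICE (capability bit 10) must be in the effective set
#      (CapEff in /proc/<pid>/status) of the process doing the bind.
# Both values are read from /proc, so the script runs offline and binds nothing.

# Succeed if the hex capability mask (as printed after "CapEff:") has bit 10 set.
has_cap_net_bind_service() {
    # Left-pad to 16 hex digits, then keep the lowest 4 digits (bits 0-15),
    # which is enough to read bit 10 without needing a wide integer.
    mask=$(printf '%16s' "$1" | tr ' ' 0)
    low=${mask#"${mask%????}"}
    val=$((0x$low))
    [ $(( (val >> 10) & 1 )) -eq 1 ]
}

# Succeed if port $1 is privileged given ip_unprivileged_port_start value $2.
port_needs_privilege() {
    [ "$1" -lt "$2" ]
}

# Succeed if a process with CapEff mask $3 may bind port $1 when
# ip_unprivileged_port_start is $2. Same order as the kernel's check.
bind_allowed() {
    if port_needs_privilege "$1" "$2"; then
        has_cap_net_bind_service "$3"
    else
        return 0
    fi
}

# Read the live values for the current process and print the verdict.
# Always returns 0 so it can run under "set -e"; the functions above carry the result.
diagnose() {
    port="${1:-80}"
    start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)
    capeff=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status 2>/dev/null || true)
    capeff=${capeff:-0000000000000000}
    echo "uid=$(id -u) port=$port ip_unprivileged_port_start=$start CapEff=$capeff"
    if bind_allowed "$port" "$start" "$capeff"; then
        echo "bind to :$port should succeed"
    else
        echo "bind to :$port will fail with EACCES (Permission denied):"
        echo "  port < $start and CAP_NET_BIND_SERVICE is not in the effective set"
        echo "  options: listen on a port >= $start (the thread's VARNISH_HTTP_PORT=8080),"
        echo "           use a runtime that sets ip_unprivileged_port_start=0 in the container,"
        echo "           or fall back to running as root"
    fi
    return 0
}

diagnose "$@"
```

Run it as the image's user (for example `docker run --rm -it varnish:7.1.1 sh diagnose.sh 80`, with the script mounted or copied in). For a non-root USER, Docker does not give the process ambient capabilities, so CapEff is normally all zeros even though NET_BIND_SERVICE is in the container's bounding set; the sysctl is then the only thing that lets the bind through, which is consistent with the same image working on one Docker version and failing on another in this thread. On runtimes that allow namespaced net.* sysctls, `--sysctl net.ipv4.ip_unprivileged_port_start=0` is a narrower fix than `user: root`.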

@galenhuntington

Sure, thanks for clarifying. As of now, ECS containers still require root, so upgrading the Docker image from 7.0.0 caused me unexpected breakage (unexpected based on Varnish release notes). Perhaps this pitfall could be documented here. For ECS, there's an open issue, yet unacknowledged by AWS: aws/containers-roadmap#1721

@gquintard
Collaborator

yes, I'll add a line in the dockerhub docs once we have the default port override (probably next week or the one after, right after the next Varnish version is out)

jaysnm added a commit to icpac-igad/docker-pg_tileserv that referenced this issue Nov 10, 2022
@gquintard
Collaborator

doc PR in flight: docker-library/docs#2229

jaysnm added a commit to icpac-igad/docker-pg_tileserv that referenced this issue Nov 16, 2022
* cleanups

* corrected duplicate container name

* added sensible default ports

* setting default varnish memory size

* added sample .env file

* running behind proxy-server

* changed default container listen port to 8080. See varnish/docker-varnish#55

* fixed port hitch

@gquintard
Collaborator

docs are online, closing

@FlorentTorregrosa
Author

Hi,

Sorry for my lack of response. Thanks for moving this forward!

@wodka

wodka commented Dec 17, 2022

:/ I also had this problem just now with Kubernetes 1.24 -> it is using containerd, which no longer allows ports <1000 for unprivileged users! containerd/containerd#2516

@gquintard
Collaborator

@wodka , doesn't the port override solve your issue?

@wodka

wodka commented Dec 19, 2022

it does, sorry for not stating that. Just wanted to drop it as a reference for anyone searching for the failure here.

@gquintard
Collaborator

Ah, all good then!
