Binding to privileged port got permission denied in AWS ECS Fargate Task of which image built by Buildpack

4번독수리 2023. 1. 27. 02:42
# net/http Server.ListenAndServe()
listen tcp :80: bind: permission denied


privileged ports

https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html

The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them.

https://stackoverflow.com/a/10182831/11862001

Privileged ports work in a very similar way: only root has access to privileged ports, so if you're talking to a privileged port you know you're talking to root.

1. set capability using setcap

https://man7.org/linux/man-pages/man8/setcap.8.html

setcap - set file capabilities
...
In the absence of the -v (verify) option setcap sets the capabilities of each specified filename to the capabilities specified.
...

https://linux.die.net/man/7/capabilities

...
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
...
File capabilities : Since kernel 2.6.24, the kernel supports associating capability sets with an executable file using setcap(8).
...
CAP_NET_BIND_SERVICE : Bind a socket to Internet domain privileged ports (port numbers less than 1024).

setcap 'cap_net_bind_service=+ep' /path-to-exec

2. docker : run with cap-add

https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

...
By default, Docker has a default list of capabilities that are kept. The following table lists the Linux capability options which are allowed by default and can be dropped.
...

NET_BIND_SERVICE is included in Docker's default list of capabilities.

3. AWS ECS

NET_BIND_SERVICE is included in the default list of capabilities here as well.

https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html

https://repost.aws/questions/QU1bCV9wT4T5iBrrP1c2ISfg/container-cannot-bind-to-port-80-running-as-non-root-user-on-ecs-fargate

I don't think this is specific to Fargate, rather than the actual container runtime.
It works when you run locally through Docker because Docker sets net.ipv4.ip_unprivileged_port_start=0, basically allowing you to bind any port as unprivileged. (more details: https://github.com/moby/moby/pull/41030).
If you want to run with a non-root user you will need to use a non-privileged port and modify your configuration to expose on that port.

So it just means: switch to a different port..
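The three ingredients above (the port threshold, the process capability set, and the port the server actually binds) can be checked from the program itself before giving up. The following Go program is an added example, not code from the original post or from any buildpack: it binds the port named in `PORT` (defaulting to 80 to reproduce the error) and, when `ListenAndServe` fails with EACCES, reports whether the port is below the kernel's `net.ipv4.ip_unprivileged_port_start` (read from `/proc`, default 1024; Docker lowers it to 0 as the quoted answer says) and whether `CAP_NET_BIND_SERVICE` (capability number 10 in the kernel's numbering) is in the effective set from `CapEff` in `/proc/self/status`. The function names and the `PORT` convention are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// capNetBindService is the Linux capability number of CAP_NET_BIND_SERVICE
// (bit 10 of the hex masks printed in /proc/<pid>/status).
const capNetBindService = 10

// defaultUnprivilegedPortStart is the kernel default for
// net.ipv4.ip_unprivileged_port_start; Docker sets it to 0 inside containers.
const defaultUnprivilegedPortStart = 1024

// isPrivilegedPort reports whether binding to port needs CAP_NET_BIND_SERVICE
// under the given value of net.ipv4.ip_unprivileged_port_start.
func isPrivilegedPort(port, unprivilegedStart int) bool {
	return port < unprivilegedStart
}

// hasCapability reports whether the hex capability mask (e.g. the value after
// "CapEff:" in /proc/self/status) has capability number n set.
func hasCapability(maskHex string, n uint) (bool, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(maskHex), 16, 64)
	if err != nil {
		return false, fmt.Errorf("bad capability mask %q: %w", maskHex, err)
	}
	return mask&(uint64(1)<<n) != 0, nil
}

// diagnoseBind explains why a bind to port may have failed with EACCES, from
// the port threshold and the effective capability mask of the process.
func diagnoseBind(port, unprivilegedStart int, capEffHex string) string {
	if !isPrivilegedPort(port, unprivilegedStart) {
		return fmt.Sprintf("port %d is not privileged (threshold %d): look elsewhere", port, unprivilegedStart)
	}
	ok, err := hasCapability(capEffHex, capNetBindService)
	if err != nil {
		return fmt.Sprintf("port %d is privileged (threshold %d) and CapEff is unreadable: %v", port, unprivilegedStart, err)
	}
	if ok {
		return fmt.Sprintf("port %d is privileged (threshold %d) but CAP_NET_BIND_SERVICE is effective: look elsewhere", port, unprivilegedStart)
	}
	return fmt.Sprintf("port %d is privileged (threshold %d) and CAP_NET_BIND_SERVICE is missing: listen on a port >= %d, or grant the capability (setcap / --cap-add)", port, unprivilegedStart, unprivilegedStart)
}

// readUnprivilegedPortStart reads the sysctl from /proc and falls back to the
// kernel default when /proc is unavailable (non-Linux host, restricted sandbox).
func readUnprivilegedPortStart() int {
	b, err := os.ReadFile("/proc/sys/net/ipv4/ip_unprivileged_port_start")
	if err != nil {
		return defaultUnprivilegedPortStart
	}
	n, err := strconv.Atoi(strings.TrimSpace(string(b)))
	if err != nil {
		return defaultUnprivilegedPortStart
	}
	return n
}

// readCapEff returns this process's effective capability mask from
// /proc/self/status, or "" if it cannot be read.
func readCapEff() string {
	b, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return ""
	}
	for _, line := range strings.Split(string(b), "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
		}
	}
	return ""
}

func main() {
	// Assumed convention: the port comes from PORT; 80 only reproduces the error.
	port := 80
	if p, err := strconv.Atoi(os.Getenv("PORT")); err == nil {
		port = p
	}
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	err := http.ListenAndServe(":"+strconv.Itoa(port), nil)
	if errors.Is(err, syscall.EACCES) {
		fmt.Fprintln(os.Stderr, err)
		fmt.Fprintln(os.Stderr, diagnoseBind(port, readUnprivilegedPortStart(), readCapEff()))
		os.Exit(1)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it as a non-root user with no `PORT` set and it prints the same `listen tcp :80: bind: permission denied` as above, followed by the diagnosis; with `PORT=8080` it simply serves. Inside a default Docker container the threshold read from `/proc` is 0, which is exactly why the same image works locally but not on Fargate.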