4번독수리의 둥지
Binding to privileged port got permission denied in AWS ECS Fargate Task of which image built by Buildpack
4번독수리 2023. 1. 27. 02:42
No category

# net/http Server.ListenAndServe()
listen tcp :80: bind: permission denied
privileged ports
https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them.
https://stackoverflow.com/a/10182831/11862001
Privileged ports work in a very similar way: only root has access to privileged ports, so if you're talking to a privileged port you know you're talking to root.
1. set capability using setcap
https://man7.org/linux/man-pages/man8/setcap.8.html
setcap - set file capabilities
...
In the absence of the -v (verify) option setcap sets the capabilities of each specified filename to the capabilities specified.
...
https://linux.die.net/man/7/capabilities
...
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
...
File capabilities : Since kernel 2.6.24, the kernel supports associating capability sets with an executable file using setcap(8).
...
CAP_NET_BIND_SERVICE : Bind a socket to Internet domain privileged ports (port numbers less than 1024).
setcap 'cap_net_bind_service=+ep' /path-to-exec
2. docker : run with cap-add
https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
...
By default, Docker has a default list of capabilities that are kept. The following table lists the Linux capability options which are allowed by default and can be dropped.
...
NET_BIND_SERVICE is included in the default capability list.
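A quick way to verify which of the two mechanisms above actually took effect is to look at what the kernel reports. The Go program below is an added example (not code from the post or from any of the linked projects): it parses the CapEff line of /proc/<pid>/status and tests bit 10, which is CAP_NET_BIND_SERVICE in <linux/capability.h>, and it parses a getcap(8) output line to confirm that setcap put cap_net_bind_service into the effective and permitted sets. The status excerpt and the path /srv/app are constructed sample inputs.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// CAP_NET_BIND_SERVICE is capability number 10 in <linux/capability.h>,
// so it is bit 10 of the hex masks printed in /proc/<pid>/status.
const CapNetBindService = 10

// Constructed sample of a /proc/<pid>/status excerpt as seen inside a
// container started with Docker's default capability set (not from the post).
const sampleStatus = "Name:\tapp\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"

// ParseCapEff returns the effective capability bitmask from status-file text.
func ParseCapEff(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "CapEff:") {
			hex := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
			return strconv.ParseUint(hex, 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status text")
}

// HasCap reports whether capability number n is set in mask.
func HasCap(mask uint64, n uint) bool {
	return mask&(uint64(1)<<n) != 0
}

// ProcessHasNetBindService checks the calling process itself; run it inside
// the task container to learn whether a bind() on :80 can succeed there.
func ProcessHasNetBindService() (bool, error) {
	b, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return false, err
	}
	mask, err := ParseCapEff(string(b))
	if err != nil {
		return false, err
	}
	return HasCap(mask, CapNetBindService), nil
}

// GetcapGrantsNetBindService parses one line of getcap(8) output and reports
// whether the file carries cap_net_bind_service in both the effective (e)
// and permitted (p) sets, which is what the setcap command above adds.
// Both output styles are handled:
//   "/srv/app cap_net_bind_service=ep"    (libcap >= 2.41)
//   "/srv/app = cap_net_bind_service+ep"  (older libcap)
// Paths containing whitespace are not handled.
func GetcapGrantsNetBindService(line string) bool {
	line = strings.TrimSpace(line)
	i := strings.IndexAny(line, " \t")
	if i < 0 {
		return false // path only: the file has no capabilities set
	}
	caps := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line[i:]), "="))
	for _, clause := range strings.Fields(caps) {
		j := strings.IndexAny(clause, "=+")
		if j < 0 {
			continue // e.g. a "-" clause that only removes flags
		}
		names, flags := clause[:j], clause[j+1:]
		for _, name := range strings.Split(names, ",") {
			if strings.EqualFold(name, "cap_net_bind_service") &&
				strings.Contains(flags, "e") && strings.Contains(flags, "p") {
				return true
			}
		}
	}
	return false
}

func main() {
	mask, err := ParseCapEff(sampleStatus)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("sample CapEff=%#x, CAP_NET_BIND_SERVICE=%v\n", mask, HasCap(mask, CapNetBindService))
	if ok, err := ProcessHasNetBindService(); err == nil {
		fmt.Println("this process has CAP_NET_BIND_SERVICE:", ok)
	}
	fmt.Println("getcap grants it:", GetcapGrantsNetBindService("/srv/app cap_net_bind_service=ep"))
}
```

Running ProcessHasNetBindService inside the Fargate task (as the non-root user the Buildpack image switches to) is the direct test of whether the runtime kept the capability for that user; the getcap parser is the matching check for option 1 on the binary itself.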
3. AWS ECS
NET_BIND_SERVICE is included in the default capability list.
https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html
I don't think this is specific to Fargate, rather than the actual container runtime.
It works when you run locally through Docker because Docker sets net.ipv4.ip_unprivileged_port_start=0, basically allowing you to bind any port as unprivileged. (more details: https://github.com/moby/moby/pull/41030).
If you want to run with a non-root user you will need to use a non-privileged port and modify your configuration to expose on that port.
In other words, just change it to use a different port..