Open Mahoney opened 2 years ago
Incidentally it would be nice for this to work on Fargate, and hence awsvpc
networking, too.
Hi, what's the update on this?
This is still an issue; do we have a workaround yet?
+1
Using Fargate with Dotnet and a user that is not root you can allow an application listening on 80 and 443 with the following statements:

```dockerfile
RUN useradd -u 1001 {non_root_user}
RUN chown -R {non_root_user}:{non_root_user} /usr/lib64/dotnet
RUN setcap CAP_NET_BIND_SERVICE=+eip /usr/lib64/dotnet/dotnet
```

Replace {non_root_user} with the non-root user.
This isn't working for nginx. Anyone had luck binding nginx to port 80 with a non-root user?
Tell us about your request
The ECS container runtime does not allow a process running as a non-root user to bind to privileged ports (<1024).
So an image designed to serve HTTP traffic either needs to listen on a port other than 80, or to run as root.
The best practices document suggests that I should be running as non-root (p.83) and that it's reasonable to expose port 80 (diagram on p.23). In general I feel one of the advantages of containerisation is the ability to run things on default ports and refer to them by name rather than memorising non-standard ports.
Which service(s) is this request for?
ECS
Are you currently working around this issue?
I'm running some of my containers as root (e.g. the default nginx image) and some as non-root but using a non-privileged, non-standard http port > 1024.
The Docker container runtime, which I suspect is how the majority of image developers test their images and run them locally, now allows privileged port binding for unprivileged users by default: https://github.com/moby/moby/pull/41030
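The two mechanisms this thread touches on, the kernel's `net.ipv4.ip_unprivileged_port_start` sysctl (which the moby PR above sets to 0 for Docker containers) and the `CAP_NET_BIND_SERVICE` capability (which the `setcap` workaround grants to the dotnet host binary), can be checked from inside a task before the application tries to listen, so a misconfigured image fails fast with a clear message instead of an opaque "Permission denied" from the web server. The following pre-flight script is an added example, not code from this issue or from AWS; it reads `/proc/self/status` and the sysctl file, which are assumed to be the standard Linux locations, falls back to the kernel default of 1024 where the sysctl is not readable, and the sample `CapEff` values in the comments are constructed from Docker's default capability set.

```python
"""Pre-flight check: can this process bind a privileged port?

Added example (not from the issue thread). It evaluates the two
conditions discussed there: the net.ipv4.ip_unprivileged_port_start
sysctl and the CAP_NET_BIND_SERVICE capability in the process's
effective set. Paths are the standard Linux procfs locations (assumed).
"""
import errno
import os
import socket
import sys

CAP_NET_BIND_SERVICE = 10  # capability number from <linux/capability.h>
KERNEL_DEFAULT_UNPRIV_START = 1024  # kernel default when the sysctl is untouched


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask from /proc/<pid>/status text.

    Example line (constructed from Docker's default set): 'CapEff:\\t00000000a80425fb'
    """
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap_net_bind_service(cap_eff: int) -> bool:
    """True if bit 10 (CAP_NET_BIND_SERVICE) is set in the effective mask."""
    return bool(cap_eff & (1 << CAP_NET_BIND_SERVICE))


def port_is_privileged(port: int, unprivileged_port_start: int) -> bool:
    """A port needs CAP_NET_BIND_SERVICE only if it is below the sysctl threshold."""
    return port < unprivileged_port_start


def bind_verdict(port: int, uid: int, cap_eff: int, unprivileged_port_start: int) -> str:
    """Explain whether a bind to `port` is expected to succeed, and why."""
    if not port_is_privileged(port, unprivileged_port_start):
        return "ok: port %d is below no threshold (ip_unprivileged_port_start=%d)" % (
            port, unprivileged_port_start)
    if has_cap_net_bind_service(cap_eff):
        return "ok: uid %d holds CAP_NET_BIND_SERVICE (CapEff=0x%x)" % (uid, cap_eff)
    return ("denied: port %d is privileged (threshold %d) and uid %d lacks "
            "CAP_NET_BIND_SERVICE; use a port >= %d, setcap the binary, or "
            "raise the sysctl" % (port, unprivileged_port_start, uid, unprivileged_port_start))


def read_unprivileged_port_start(path: str = "/proc/sys/net/ipv4/ip_unprivileged_port_start") -> int:
    """Read the sysctl; assume the kernel default if the file is unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return KERNEL_DEFAULT_UNPRIV_START


def read_own_cap_eff(path: str = "/proc/self/status") -> int:
    """Effective capabilities of this process, or 0 if procfs is unavailable."""
    try:
        with open(path) as f:
            return parse_cap_eff(f.read())
    except (OSError, ValueError):
        return 0


def try_bind(port: int, host: str = "127.0.0.1"):
    """Actually attempt the bind. Returns (True, None) or (False, errno name).

    Port 0 asks the kernel for any free ephemeral port, which never needs
    privilege, so it serves as a sanity check that sockets work at all.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    # Usage: python3 preflight.py 80
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    uid = os.getuid() if hasattr(os, "getuid") else -1
    verdict = bind_verdict(port, uid, read_own_cap_eff(), read_unprivileged_port_start())
    ok, err = try_bind(port)
    print(verdict)
    print("actual bind to %d: %s" % (port, "succeeded" if ok else "failed (%s)" % err))
    sys.exit(0 if ok else 1)
```

Run as the container's application user (for example as the `ENTRYPOINT` of a debug image) to confirm which of the two conditions the runtime actually satisfies; on Docker after the linked PR the verdict is "ok" because the threshold is 0, while on a runtime that keeps the kernel default it is only "ok" when the binary carries the file capability. For the `setcap` workaround in the thread, note that the capability is attached to the dotnet host binary itself and so applies to every process started through it, and that `setcap` does not require the directory `chown`; a runtime directory writable by the application user lets that user overwrite the binaries it runs, so it is worth confirming the application genuinely needs that write access.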