docker / for-win

Bug reports for Docker Desktop for Windows
https://www.docker.com/products/docker#/windows

Desktop 4.3.2: listen tcp: bind: An attempt was made to access a socket in a way forbidden by its access permissions. #12474

Open working-name opened 2 years ago

working-name commented 2 years ago

Actual behavior

Docker can't "share" ports with the convoluted Windows networking layer apparently. Again. #10008 is back.

$ docker run -it -p 80:80 httpd:latest
docker: Error response from daemon: driver failed programming external connectivity on endpoint cranky_knuth (ccdd2612c2d74d61001d8d26f52b71c53ba42fbf23a939177ea1b6dc32ce4463): Bind for 0.0.0.0:80 failed: port is already allocated.
ERRO[0000] error waiting for container: context canceled

netstat -aon | findstr ":80.*LISTENING"
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4332
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       9676
  TCP    [::]:80                [::]:0                 LISTENING       4332
  TCP    [::1]:80               [::]:0                 LISTENING       2672

C:\Windows\system32>tasklist | findstr "4332"
com.docker.backend.exe        4332 Console                    2     37,832 K

C:\Windows\system32>tasklist | findstr "9676"
svchost.exe                   9676 Services                   0     10,904 K

C:\Windows\system32>tasklist | findstr "4332"
com.docker.backend.exe        4332 Console                    2     37,832 K

C:\Windows\system32>tasklist | findstr "2672"
csrss.exe                    12672 Console                    2      7,108 K
wslhost.exe                   2672 Console                    2      6,248 K

I don't understand how you can have more than 1 process listening on the same IP:PORT combo. Anyway, here's the workaround that I found works - and I tried a bunch of suggestions in the previous tickets about this with hyper-v disabling and winnat and so on.

  1. Open services, stop "IP Helper"
  2. Start your container(s)
  3. Start "IP Helper" back up.

PS C:\Windows\system32> echo "Listening on 443:"; Get-Process -Id (Get-NetTCPConnection -LocalPort 443).OwningProcess; echo "Listening on 80:"; Get-Process -Id (Get-NetTCPConnection -LocalPort 80).OwningProcess
Listening on 443:

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    368      22     2804      10816       0.05  12120   0 svchost
Listening on 80:
    368      22     2804      10816       0.05  12120   0 svchost

PS C:\Windows\system32> echo "Listening on 443:"; Get-Process -Id (Get-NetTCPConnection -LocalPort 443).OwningProcess; echo "Listening on 80:"; Get-Process -Id (Get-NetTCPConnection -LocalPort 80).OwningProcess
Listening on 443:

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    447      34    31624      38372       1.34   4332   2 com.docker.backend
    383      23     3372      11088       0.08  13284   0 svchost
Listening on 80:
    447      34    31624      38372       1.34   4332   2 com.docker.backend
    383      23     3372      11088       0.08  13284   0 svchost

Expected behavior

Let my containers listen on 80 and 443. If Windows needs special notice, give it to it. What do I know? I'm just a user.

Information

Output of & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check

& "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check
[365:02:25:23.972][I] ipc.NewClient: e954a515-com.docker.diagnose -> \\.\pipe\dockerBackendV2 com.docker.service.exe
[goroutine 1 [running, locked to thread]:
[win/backend/pkg/service.NewClientForPath(...)
[       win/backend/pkg/service/service.go:26
[win/backend/pkg/service.NewClient(...)
[       win/backend/pkg/service/service.go:20
[common/pkg/diagkit/gather/diagnose.init()
[       common/pkg/diagkit/gather/diagnose/ipc_windows.go:23 +0x13b
Starting diagnostics

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0031: does the Docker API work?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0001: is the application running?
[SKIP] DD0018: does the host support virtualization?
[PASS] DD0002: does the bootloader have virtualization enabled?
[PASS] DD0017: can a VM be started?
[PASS] DD0024: is WSL installed?
[PASS] DD0021: is the WSL 2 Windows Feature enabled?
[PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled?
[PASS] DD0025: are WSL distros installed?
[PASS] DD0026: is the WSL LxssManager service running?
[PASS] DD0029: is the WSL 2 Linux filesystem corrupt?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0005: is the user in the docker-users group?
[PASS] DD0007: is the backend responding?
[PASS] DD0014: are the backend processes running?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[PASS] DD0006: is the Docker Desktop Service responding?
[PASS] DD0012: is the VM networking working?
[PASS] DD0032: do Docker networks overlap with host IPs?
[SKIP] DD0030: is the image access management authorized?
[WARN] DD0033: does the host have Internet access? unable to fetch http://docker.com/
## NOTE: I am blocking segment, you didn't notify me, didn't ask for my permission. You're on my computer. Deal with it.
segment 2021/12/31 02:26:08 ERROR: sending request - Post "https://api.segment.io/v1/batch": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
segment 2021/12/31 02:26:08 ERROR: 1 messages dropped because they failed to be sent and the client was closed

Please note the following 1 warning:

1 : The check: does the host have Internet access?
    Produced the following warning: unable to fetch http://docker.com/

If the host does not have Internet access then containers will also not have Internet access.

The lack of Internet access could be caused by
- physical disconnection: check your ethernet cable or Wifi network
- the local network firewall policy: check with your IT department if access to docker.com is expected to work
- a VPN (or lack of one): try again with or without the VPN running

No fatal errors detected.

Steps to reproduce the behavior

  1. Start Windows, WSL2, and Docker Desktop.
  2. Start your favorite container and have it listen on 80 or 443. You'll get an error.
  3. Try everything you find online, fail, submit a bug report. 😆

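
An added example, not part of the original report: the one-liner in the report shows only `svchost` as an owner, so this PowerShell function also names the Windows services hosted in each owning process and flags any address/port pair held by more than one PID. The function name `Get-PortListener` and the output column names are hypothetical; the ports default to the two from the report.

```powershell
# Added example: list every listener on the given ports and, for shared
# service hosts such as svchost, name the services running in that process.
function Get-PortListener {
    param(
        [int[]]$Port = @(80, 443)   # ports taken from the report above
    )

    # Index services by hosting PID once; several services can share one svchost.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        ForEach-Object {
            $servicesByPid[[int]$_.ProcessId] += @("$($_.Name) ($($_.DisplayName))")
        }

    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $Port } |
        Sort-Object LocalPort, LocalAddress, OwningProcess |
        ForEach-Object {
            $procId = [int]$_.OwningProcess
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $procId
                Process      = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Services     = ($servicesByPid[$procId] -join '; ')
            }
        }
}

$listeners = Get-PortListener -Port 80, 443
$listeners | Format-Table -AutoSize

# Flag address/port pairs that more than one process is listening on.
$listeners |
    Group-Object LocalAddress, LocalPort |
    ForEach-Object {
        $owners = @($_.Group.ProcessId | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            "Shared listener {0}: PIDs {1}" -f $_.Name, ($owners -join ', ')
        }
    }
```

In the report above, the conflict cleared when IP Helper was stopped; the `Services` column is where that service (short name `iphlpsvc`) would appear if it is the one holding the port.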
working-name commented 2 years ago

https://working.name/docker.wsl2.port.issues.mp4

docker-robott commented 2 years ago

Issues go stale after 90 days of inactivity. Mark the issue as fresh with /remove-lifecycle stale comment. Stale issues will be closed after an additional 30 days of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.

/lifecycle stale

working-name commented 2 years ago

/lifecycle frozen