nats-io / nats-docker

Official Docker image for the NATS server
Apache License 2.0
132 stars, 44 forks

Add net_bind_service capability to nats-server binary #150

Closed tamalsaha closed 4 months ago

tamalsaha commented 4 months ago

I am trying to run nats in k8s as a nonroot user in hostport mode. nats-server is listening on port 443 for the wss protocol. This change allows nats-server to bind to port 443.

The reason this is required is that k8s does not support ambient capabilities yet.

The ingress-nginx project also uses this in its Dockerfile to allow a nonroot user: https://github.com/kubernetes/ingress-nginx/blob/48fbdfe3ba0c0e258890c970e2561caecea532dd/rootfs/Dockerfile#L70

Signed-off-by: Tamal Saha tamal@appscode.com

wallyqs commented 4 months ago

Thanks for the PR, this also seems to be what caddy is doing in its official image, so it should be supported when published by the docker team:

wallyqs commented 3 months ago

Related feedback from when including this in the official release: https://github.com/docker-library/official-images/pull/16797#issuecomment-2123475513

ramonberrutti-f3 commented 3 months ago

I believe it will be better for nats internally, or for the entrypoint.sh, to request the capability if it is needed.

Maybe you can also try:

    - containerPort: 8443
      hostPort: 443

rverenich commented 3 months ago

Hello! Secure installations stopped working (with non-root user and dropped capabilities by default). Maybe it is better to request capability change only if needed, not by default?
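The breakage reported here follows from how Linux treats file capabilities at execve(), and the example below models it. This is added example code, not code from the nats-docker project; it assumes the PR applied `setcap cap_net_bind_service=+ep` to the nats-server binary (the diff itself is not shown in this thread), and the runtime default capability list it uses is the Docker/containerd default, also an assumption. It decodes the `CapBnd` mask from constructed `/proc/<pid>/status` text, applies a pod's `capabilities.drop` / `capabilities.add` lists, and reports whether a binary carrying that file capability would still be allowed to start.

```python
"""Why a binary with file capabilities stops launching once a pod drops them.

Added example, not code from the nats-docker project. Two kernel rules matter:

  * On execve(), a binary's file-permitted capabilities are masked by the
    calling task's bounding set (CapBnd in /proc/<pid>/status).
  * If the file's effective bit (the "e" in "+ep") is set and the task could
    not obtain the full file-permitted set, execve() fails with EPERM.

A Kubernetes securityContext with `capabilities.drop: [ALL]` empties the
bounding set, so a `cap_net_bind_service=+ep` binary no longer starts, even
though the process never asked for the capability at runtime.
"""
from __future__ import annotations

import os
import re

# Capability bit numbers from <linux/capability.h> (subset).
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3,
    "FSETID": 4, "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8,
    "NET_BIND_SERVICE": 10, "NET_ADMIN": 12, "NET_RAW": 13, "SYS_CHROOT": 18,
    "SYS_PTRACE": 19, "SYS_ADMIN": 21, "MKNOD": 27, "AUDIT_WRITE": 29,
    "SETFCAP": 31,
}

# Assumed runtime default bounding set for a container (the Docker default
# capability list); an assumption of this example, not stated in the thread.
RUNTIME_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
})

# Constructed /proc/<pid>/status excerpts: a default container, and one whose
# pod spec dropped ALL capabilities.
STATUS_DEFAULT = "Name:\tnats-server\nCapBnd:\t00000000a80425fb\nCapEff:\t0000000000000000\n"
STATUS_DROPPED = "Name:\tnats-server\nCapBnd:\t0000000000000000\nCapEff:\t0000000000000000\n"


def parse_cap_mask(status_text: str, field: str = "CapBnd") -> int:
    """Extract a capability mask (hex) from /proc/<pid>/status text."""
    match = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if match is None:
        raise ValueError(f"{field} not present in status text")
    return int(match.group(1), 16)


def caps_in_mask(mask: int) -> set[str]:
    """Name the known capabilities whose bit is set in `mask`."""
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def bounding_set_for(drop: list[str], add: list[str]) -> set[str]:
    """Model securityContext.capabilities: runtime default, then drop, then add."""
    caps = set() if "ALL" in drop else set(RUNTIME_DEFAULT_CAPS) - set(drop)
    return set(CAP_BITS) if "ALL" in add else caps | set(add)


def exec_allowed(file_caps: set[str], bounding: set[str]) -> bool:
    """True if execve() of a '+ep' binary carrying `file_caps` succeeds under `bounding`.

    The kernel refuses the exec (EPERM) when any file-permitted capability
    falls outside the bounding set, because the effective bit demands all of them.
    """
    return file_caps <= bounding


def describe_live_task() -> str | None:
    """On Linux, report this process's own bounding set (None elsewhere)."""
    if not os.path.exists("/proc/self/status"):
        return None
    with open("/proc/self/status") as f:
        mask = parse_cap_mask(f.read())
    return ", ".join(sorted(caps_in_mask(mask))) or "(empty)"


if __name__ == "__main__":
    wanted = {"NET_BIND_SERVICE"}  # what cap_net_bind_service=+ep demands at exec
    scenarios = [
        ("runtime default", ([], [])),
        ("drop ALL", (["ALL"], [])),
        ("drop ALL, add NET_BIND_SERVICE", (["ALL"], ["NET_BIND_SERVICE"])),
    ]
    for label, (drop, add) in scenarios:
        ok = exec_allowed(wanted, bounding_set_for(drop, add))
        print(f"{label:32s} exec of setcap'd binary: {'ok' if ok else 'EPERM'}")
    print("CapBnd from constructed dropped-caps status:",
          sorted(caps_in_mask(parse_cap_mask(STATUS_DROPPED))) or "(empty)")
    live = describe_live_task()
    if live:
        print("this process's CapBnd:", live)
```

The third scenario is the "request the capability only if needed" shape suggested earlier in the thread: a pod that keeps `drop: [ALL]` and adds only `NET_BIND_SERVICE` can still exec the binary. The `containerPort: 8443` / `hostPort: 443` alternative avoids the capability entirely, since the container then binds an unprivileged port and the host side does the 443 mapping.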

wallyqs commented 3 months ago

Thanks for the report, we are going to rollback this change: https://github.com/nats-io/nats-docker/pull/155