pretalx / pretalx-docker

Docker setup for a complete pretalx installation. Community-sourced, not officially supported.

Privileged port usage - can't bind to port 80 #55

Closed hugopeixoto closed 8 months ago

hugopeixoto commented 11 months ago

I can't run this image as-is because it's trying to bind to port 80 without root or any net bind capabilities.

I'm not using the provided docker compose, and I'm using podman with the default network, so maybe I'm missing something.

When I run the pretalx/standalone:latest container, it starts supervisord, which starts pretalxtask and pretalxweb. pretalxweb fails after a while:

Jan 05 09:50:54 xxx podman[3172889]: 2024-01-05 09:50:54,663 WARN exited: pretalxweb (exit status 1; not expected)

There's no error, it just keeps retrying. The same happens if I run the container with the webworker command, skipping supervisord. In this case, there's an explicit message: [ERROR] Can't connect to ('0.0.0.0', 80).

I think this is because the image is set to run with the user pretalxuser (and supervisord does the same) and pretalx.bash explicitly binds to port 80, a privileged port.

To confirm this, I started the container with a volume that overrides /usr/local/bin/pretalx with a file that binds to 0.0.0.0:8080 instead and it worked.

Is the image broken or am I missing something in my config?

ketsapiwiq commented 9 months ago

I know podman uses a rootless mode that can bring up this kind of issue, but as for containers, hardcoding the bind to a port, even a privileged one, is pretty standard practice. The container runtime should take the appropriate steps to isolate the network namespace and find an IP for the container to open port 80, at least I think so? Sorry, I don't have any other guesses! Good luck!

yaraskm commented 8 months ago

I haven't looked at the default runtime config that Podman is using, but we're running into the same issue trying to get the above image running on a secured Kubernetes cluster. I believe that this issue is the root cause: https://github.com/kubernetes/kubernetes/issues/56374

I'm going to work on a PR that would allow setting the port to something other than 80 via an environment variable and I think that should resolve the issue.
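
A check for the condition discussed in this thread, added here as an example and not taken from pretalx-docker or from any commenter: it decides whether a process may bind a given port from its effective capability set and the kernel's unprivileged-port threshold, and falls back to a high port otherwise. The variable name `PRETALX_BIND_PORT` and the fallback port 8080 are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of pretalx-docker.
# Linux permits bind() to a port below net.ipv4.ip_unprivileged_port_start
# (default 1024) only if the process holds CAP_NET_BIND_SERVICE (bit 10).
# Simplification: only the process's own effective set is inspected; the
# kernel checks it against the user namespace that owns the network namespace.

# has_net_bind CAPEFF_HEX -> 0 if CAP_NET_BIND_SERVICE is in the effective set
has_net_bind() {
  [ $(( (0x$1 >> 10) & 1 )) -eq 1 ]
}

# can_bind PORT CAPEFF_HEX UNPRIV_START -> 0 if the kernel check would pass
can_bind() {
  [ "$1" -ge "$3" ] && return 0
  has_net_bind "$2"
}

# pick_port WANTED FALLBACK CAPEFF_HEX UNPRIV_START -> prints the port to use
pick_port() {
  if can_bind "$1" "$3" "$4"; then echo "$1"; else echo "$2"; fi
}

# Live values for the current process, with defaults when /proc is unavailable.
current_capeff() {
  c=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
  echo "${c:-0}"
}
current_unpriv_start() {
  cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# PRETALX_BIND_PORT is a hypothetical variable name used only in this example.
wanted=${PRETALX_BIND_PORT:-80}
port=$(pick_port "$wanted" 8080 "$(current_capeff)" "$(current_unpriv_start)")
echo "uid=$(id -u) requested=$wanted usable=$port"
```

Run inside the container as the image's runtime user, this reports port 80 as unusable when `CapEff` is all zeros and the threshold is 1024, which matches the webworker error quoted in the first post.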