varnish / docker-varnish

Official docker image
https://hub.docker.com/_/varnish

Permission denied on port 80 #55

Closed FlorentTorregrosa closed 1 year ago

FlorentTorregrosa commented 2 years ago

Hello,

This is a follow-up of #42 .

The command docker run -it --rm -u varnish varnish -a http=:8080,HTTP -n /tmp/varnish_workdir from comment https://github.com/varnish/docker-varnish/issues/42#issuecomment-952126051 is not working.

Still getting:

Error: Could not get socket :80: Permission denied
(-? gives usage)

In my Docker compose file, I tried to override the default command providing options, to not have to override the entrypoint entirely:

    command: "-p default_ttl=3600 -p default_grace=3600 -p default_keep=0 -a http=:8080,HTTP -n /tmp/varnish_workdir"

But it does not override the -a http=:80,HTTP of the default entrypoint.

As a workaround I will add:

    user: root

in my Docker compose.

But I think a long term solution would be to change the default port as initially requested in the referenced issue. Or to put the HTTP and PROXY ports inside environment variables so they can easily be overridden.

Thanks for the reply.

gquintard commented 2 years ago

hum, indeed, looks like naming ports isn't enough. I need to investigate a bit on this, as I was convinced naming the port would override it.

Thanks for the report, I'll look into it

gquintard commented 2 years ago

Hi,

So, I'm still at a loss about why you can't use privileged ports and I can, but yeah, we need to do something about this.

I'm very reluctant to change the default ports as this will break a lot of setups. However, we can introduce VARNISH_HTTP_PORT and VARNISH_PROXY_PORT that will default to 80 and 8443 respectively.

Since the next release is getting close (September 15th), that will go into that one, to avoid any surprises.

Objections?

FlorentTorregrosa commented 2 years ago

Hi,

Yes, go for the environment variables, in a follow-up issue? That would keep this one open until it is found why there is this privilege problem.

Even without permission problem, being able to control the ports with environment variables will be useful for other cases I think.

alexfd commented 2 years ago

@gquintard can you let us know how you are starting it? I'm doing this and I can confirm I'm getting the same permission error:

varnish:6.3 - works

root@ub18:/home/alex/varnish# ls
default.vcl  Dockerfile

root@ub18:/home/alex/varnish# cat Dockerfile
FROM varnish:6.3
COPY default.vcl /etc/varnish/

root@ub18:/home/alex/varnish# docker run -it --rm 4af63ac861b8  whoami
root

root@ub18:/home/alex/varnish# docker run -d --rm 4af63ac861b8
root@ub18:/home/alex/varnish# docker ps
CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS              PORTS               NAMES
41c778622f74        4af63ac861b8           "docker-varnish-entr…"   5 seconds ago       Up 4 seconds        80/tcp              distracted_lewin

varnish:7.1.1 - doesn't work

root@ub18:/home/alex/varnish# cat Dockerfile
FROM varnish:7.1.1
COPY default.vcl /etc/varnish/

root@ub18:/home/alex/varnish# docker run -it --rm 9d5496b496f3 whoami
varnish

root@ub18:/home/alex/varnish# docker run -d 9d5496b496f3
root@ub18:/home/alex/varnish# docker ps -a
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS                    PORTS               NAMES
a2086251dbc5        9d5496b496f3             "/usr/local/bin/dock…"   2 seconds ago       Exited (2) 1 second ago                       exciting_chatterjee

root@ub18:/home/alex/varnish# docker run -it --rm 9d5496b496f3 bash
varnish@34fdc6a5d44c:/etc/varnish$ /usr/local/bin/docker-varnish-entrypoint
Error: Could not get socket :80: Permission denied
(-? gives usage)

gquintard commented 2 years ago

@alexfd, I'm just pulling to make sure I have the latest image, then run:

$ docker pull varnish:7.1.1
$ docker run --rm varnish:7.1.1
Debug: Version: varnish-7.1.1 revision 7cee1c581bead20e88d101ab3d72afb29f14d87a
Debug: Platform: Linux,5.18.10-arch1-1,x86_64,-jnone,-smalloc,-sdefault,-hcritbit
Debug: Child (20) Started
Child launched OK
Info: Child (20) said Child starts

and explicitly using the entrypoint script works too:

$ docker run --rm -it varnish:7.1.1 bash
varnish@bbf9f531fef1:/etc/varnish$ /usr/local/bin/docker-varnish-entrypoint
Debug: Version: varnish-7.1.1 revision 7cee1c581bead20e88d101ab3d72afb29f14d87a
Debug: Platform: Linux,5.18.10-arch1-1,x86_64,-jnone,-smalloc,-sdefault,-hcritbit
Debug: Child (21) Started
Child launched OK
Info: Child (21) said Child starts

alexfd commented 2 years ago

so weird, copy pasted from above:

root@ub18:/home/alex# docker pull varnish:7.1.1
7.1.1: Pulling from library/varnish
Digest: sha256:cf26c90c2fa455baa6dd9747c953bb21be61cc2a343618932ac33bef0babb4e4
Status: Image is up to date for varnish:7.1.1
docker.io/library/varnish:7.1.1

root@ub18:/home/alex# docker run --rm varnish:7.1.1
Error: Could not get socket :80: Permission denied

I wonder if this is a docker version related thing.

gquintard commented 2 years ago

could be, what's your version? I'm on 20.10.12 (ubuntu:jelly) and 20.10.17 (arch). Config files are empty/absent

alexfd commented 2 years ago

yes, it is a version thing. I'm on 19.03.6 and it doesn't work. Updated to 20.10.17 and it works. Problem is this doesn't want to run on AWS EKS, admittedly one version behind the latest, so I'll try updating that too.

gquintard commented 2 years ago

Great news! Thanks for looking into it. I'll make the change to override the two default ports so that this can be worked around, but at least we know what's going on.

Cheers!


galenhuntington commented 2 years ago

I don't understand the rationale for the change from #42 (9bbe2f3), but after struggling with this (and before finding this issue), I tried adding the last line here:

FROM varnish:7.1.1-alpine
COPY default.vcl /etc/varnish/
USER root

With this change, everything is working again for me (after upgrading from 7.0.0). I don't know if this is the "right" solution but I mention it here in case it helps anyone. I am running on AWS ECS.

gquintard commented 2 years ago

@galenhuntington, usually containers try to run as an unprivileged user to reduce security risk, but at the same time, since Varnish is a server, it makes sense for it to listen on port 80.

On old docker versions, you can't have an unprivileged user listening to ports under 1024. So for those cases, you can either change the port or run as root to fix the issue.

Hope that helps
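
The following script is an added example and is not part of this thread or of the docker-varnish project. It makes the explanation above checkable from inside a container: whether bind() on a port below 1024 succeeds is decided by the network namespace's net.ipv4.ip_unprivileged_port_start sysctl (kernel default 1024; Docker 20.10 started setting it to 0 inside containers, which is the 19.03 vs 20.10 difference seen above, while containerd-based Kubernetes leaves the kernel default unless a sysctl is set) and by whether the process holds CAP_NET_BIND_SERVICE in its effective set (root in a container normally does, the varnish user does not, which is why USER root works). Both inputs are taken as file paths so the logic can also be exercised on constructed files; the 8080 fallback in varnish_http_port is an assumption modelled on the -a http=:8080 workaround, not entrypoint behaviour.

```shell
#!/usr/bin/env bash
# Added example (not docker-varnish code): predict whether this process can
# bind a port below 1024, from the two kernel facts that decide it.
#   1. net.ipv4.ip_unprivileged_port_start for the network namespace: ports at
#      or above this value need no privilege at all.
#   2. CAP_NET_BIND_SERVICE (capability bit 10) in the effective set, read from
#      the CapEff line of /proc/<pid>/status.

# Usage: low_port_bindable PORT UNPRIV_START_FILE PROC_STATUS_FILE
# Prints the reason and returns 0 if bind() should succeed, 1 if it should
# fail with EACCES (Varnish reports that as "Could not get socket :80:
# Permission denied").
low_port_bindable() {
  port=$1
  start_file=$2
  status_file=$3

  # Missing sysctl file (non-Linux, old kernel): assume the historical 1024.
  start=$(cat "$start_file" 2>/dev/null || echo 1024)
  if [ "$port" -ge "$start" ]; then
    echo "port $port >= ip_unprivileged_port_start=$start: no privilege needed"
    return 0
  fi

  # CapEff is a hex bitmask of effective capabilities; bit 10 is
  # CAP_NET_BIND_SERVICE.
  capeff=$(awk '/^CapEff:/ { print $2 }' "$status_file" 2>/dev/null)
  if [ -n "$capeff" ] && [ $(( (0x$capeff >> 10) & 1 )) -eq 1 ]; then
    echo "port $port < $start, but CAP_NET_BIND_SERVICE is effective"
    return 0
  fi

  echo "port $port < $start and CAP_NET_BIND_SERVICE not effective: bind fails"
  return 1
}

# Usage: varnish_http_port REQUESTED UNPRIV_START_FILE PROC_STATUS_FILE
# Returns the requested port when it is bindable, otherwise 8080 (an assumed
# fallback, modelled on the -a http=:8080 workaround in this thread).
varnish_http_port() {
  if low_port_bindable "$1" "$2" "$3" >/dev/null; then
    echo "$1"
  else
    echo 8080
  fi
}

# When run directly on Linux, report for the current process, e.g. inside
# "docker run --rm -it -u varnish varnish bash".
if [ -r /proc/self/status ]; then
  sysctl_file=/proc/sys/net/ipv4/ip_unprivileged_port_start
  low_port_bindable 80 "$sysctl_file" /proc/self/status || true
  echo "would start varnishd with -a http=:$(varnish_http_port 80 "$sysctl_file" /proc/self/status),HTTP"
fi
```

Run it as the varnish user in the affected image and it names which of the two conditions is missing; on a Docker 20.10+ host the sysctl alone makes port 80 bindable, on a containerd-based cluster either VARNISH_HTTP_PORT (once available), USER root, or adding CAP_NET_BIND_SERVICE to the container is needed.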

galenhuntington commented 2 years ago

Sure, thanks for clarifying. As of now, ECS containers still require root, so upgrading the Docker image from 7.0.0 caused me unexpected breakage (unexpected based on Varnish release notes). Perhaps this pitfall could be documented here. For ECS, there's an open issue, yet unacknowledged by AWS: https://github.com/aws/containers-roadmap/issues/1721

gquintard commented 2 years ago

yes, I'll add a line in the dockerhub docs once we have the default port override (probably next week or the one after, right after the next Varnish version is out)

gquintard commented 1 year ago

doc PR in flight: https://github.com/docker-library/docs/pull/2229

gquintard commented 1 year ago

docs are online, closing

FlorentTorregrosa commented 1 year ago

Hi,

Sorry for my lack of response. Thanks for moving this forward!

wodka commented 1 year ago

:/ also had this problem right now with Kubernetes 1.24 -> it is using ContainerD that is no longer allowing ports <1000 for unprivileged users! https://github.com/containerd/containerd/issues/2516

gquintard commented 1 year ago

@wodka , doesn't the port override solve your issue?

wodka commented 1 year ago

it does, sorry for not stating that. Just wanted to drop it as a reference when searching for the failure here.

gquintard commented 1 year ago

Ah, all good then!