Closed: FlorentTorregrosa closed this issue 1 year ago.
hum, indeed, looks like naming ports isn't enough. I need to investigate a bit on this, as I was convinced naming the port would override it.
Thanks for the report, I'll look into it
Hi,
So, I'm still at a loss about why you can't use privileged ports and I can, but yeah, we need to do something about this.
I'm very reluctant to change the default ports as this will break a lot of setups. However, we can introduce VARNISH_HTTP_PORT and VARNISH_PROXY_PORT that will default to 80 and 8443 respectively.
Since the next release is getting close (September 15th), that will go into that one, to avoid any surprises.
Objections?
Hi,
Yes, go for the environment variables, in a follow-up issue? That would keep this one open until the cause of this privilege problem is found.
Even without the permission problem, being able to control the ports with environment variables will be useful for other cases, I think.
@gquintard can you let us know how you are starting it? I'm doing this and I can confirm I'm getting the same permission error:
varnish:6.3 - works
root@ub18:/home/alex/varnish# ls
default.vcl Dockerfile
root@ub18:/home/alex/varnish# cat Dockerfile
FROM varnish:6.3
COPY default.vcl /etc/varnish/
root@ub18:/home/alex/varnish# docker run -it --rm 4af63ac861b8 whoami
root
root@ub18:/home/alex/varnish# docker run -d --rm 4af63ac861b8
root@ub18:/home/alex/varnish# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
41c778622f74 4af63ac861b8 "docker-varnish-entr…" 5 seconds ago Up 4 seconds 80/tcp distracted_lewin
varnish:7.1.1 - doesn't work
root@ub18:/home/alex/varnish# cat Dockerfile
FROM varnish:7.1.1
COPY default.vcl /etc/varnish/
root@ub18:/home/alex/varnish# docker run -it --rm 9d5496b496f3 whoami
varnish
root@ub18:/home/alex/varnish# docker run -d 9d5496b496f3
root@ub18:/home/alex/varnish# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a2086251dbc5 9d5496b496f3 "/usr/local/bin/dock…" 2 seconds ago Exited (2) 1 second ago exciting_chatterjee
root@ub18:/home/alex/varnish# docker run -it --rm 9d5496b496f3 bash
varnish@34fdc6a5d44c:/etc/varnish$ /usr/local/bin/docker-varnish-entrypoint
Error: Could not get socket :80: Permission denied
(-? gives usage)
@alexfd, I'm just pulling to make sure I have the latest image, then run:
$ docker pull varnish:7.1.1
$ docker run --rm varnish:7.1.1
Debug: Version: varnish-7.1.1 revision 7cee1c581bead20e88d101ab3d72afb29f14d87a
Debug: Platform: Linux,5.18.10-arch1-1,x86_64,-jnone,-smalloc,-sdefault,-hcritbit
Debug: Child (20) Started
Child launched OK
Info: Child (20) said Child starts
and explicitly using the entrypoint script works too:
$ docker run --rm -it varnish:7.1.1 bash
varnish@bbf9f531fef1:/etc/varnish$ /usr/local/bin/docker-varnish-entrypoint
Debug: Version: varnish-7.1.1 revision 7cee1c581bead20e88d101ab3d72afb29f14d87a
Debug: Platform: Linux,5.18.10-arch1-1,x86_64,-jnone,-smalloc,-sdefault,-hcritbit
Debug: Child (21) Started
Child launched OK
Info: Child (21) said Child starts
So weird, copy-pasted from above:
root@ub18:/home/alex# docker pull varnish:7.1.1
7.1.1: Pulling from library/varnish
Digest: sha256:cf26c90c2fa455baa6dd9747c953bb21be61cc2a343618932ac33bef0babb4e4
Status: Image is up to date for varnish:7.1.1
docker.io/library/varnish:7.1.1
root@ub18:/home/alex# docker run --rm varnish:7.1.1
Error: Could not get socket :80: Permission denied
I wonder if this is a docker version related thing.
Could be, what's your version? I'm on 20.10.12 (ubuntu:jelly) and 20.10.17 (arch). Config files are empty/absent.
yes, it is a version thing. I'm on 19.03.6 and it doesn't work. Updated to 20.10.17 and it works. Problem is this doesn't want to run on AWS EKS, admittedly one version behind the latest, so I'll try updating that too.
Great news! Thanks for looking into it. I'll make the change to override the two default ports so that this can be worked around, but at least we know what's going on.
Cheers!
I don't understand the rationale for the change from #42 (9bbe2f3), but after struggling with this (and before finding this issue), I tried adding the last line here:
FROM varnish:7.1.1-alpine
COPY default.vcl /etc/varnish/
USER root
With this change, everything is working again for me (after upgrading from 7.0.0). I don't know if this is the "right" solution but I mention it here in case it helps anyone. I am running on AWS ECS.
@galenhuntington, usually containers try to run as an unprivileged users to reduce security risk, but at the same time, since Varnish is a server, it makes sense for it to listen to port 80.
On old docker versions, you can't have an unprivileged user listening to ports under 1024. So for those cases, you can either change the port or run as root to fix the issue.
Hope that helps
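The two fixes named in the comments above, side by side as a Docker Compose file. This is an added example, not a file from this issue or from the docker-varnish project; it assumes the VARNISH_HTTP_PORT override that the maintainer proposes earlier in the thread, and the `./default.vcl` path is a placeholder for your own configuration.

```yaml
# docker-compose.yml (added example, not from the docker-varnish project).
# Assumes the VARNISH_HTTP_PORT override discussed in this issue; the
# ./default.vcl path is a placeholder for your own VCL file.

services:
  # Weak pattern from the thread: keep the default listener on :80 by running
  # the whole process as root. It works on runtimes that deny unprivileged
  # users ports below 1024, but gives up the image's non-root hardening.
  varnish-as-root:
    image: varnish:7.1.1
    user: root            # same effect as "USER root" in a derived Dockerfile
    volumes:
      - ./default.vcl:/etc/varnish/default.vcl:ro
    ports:
      - "80:80"

  # Preferred pattern: stay as the image's unprivileged "varnish" user, move
  # the listener to a port above 1024, and let the container runtime publish
  # host :80 to it. The process itself never needs a privileged port.
  varnish:
    image: varnish:7.1.1
    environment:
      VARNISH_HTTP_PORT: "8080"   # replaces the entrypoint's "-a http=:80,HTTP"
      # VARNISH_PROXY_PORT defaults to 8443, which is already above 1024
    volumes:
      - ./default.vcl:/etc/varnish/default.vcl:ro
    ports:
      - "80:8080"                 # host:container
```

The two services are alternatives that both publish host port 80, so start only one of them (for example `docker compose up varnish`). The equivalent one-liner is `docker run --rm -e VARNISH_HTTP_PORT=8080 -p 80:8080 varnish:7.1.1`, and the same environment variable applies unchanged in a Kubernetes container spec, which is the containerd case mentioned later in the thread.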
Sure, thanks for clarifying. As of now, ECS containers still require root, so upgrading the Docker image from 7.0.0 caused me unexpected breakage (unexpected based on Varnish release notes). Perhaps this pitfall could be documented here. For ECS, there's an open issue, yet unacknowledged by AWS: https://github.com/aws/containers-roadmap/issues/1721
yes, I'll add a line in the dockerhub docs once we have the default port override (probably next week or the one after, right after the next Varnish version is out)
doc PR in flight: https://github.com/docker-library/docs/pull/2229
docs are online, closing
Hi,
Sorry for my lack of response. Thanks for moving this forward!
:/ I also had this problem right now with Kubernetes 1.24 -> it is using containerd, which no longer allows ports <1000 for unprivileged users! https://github.com/containerd/containerd/issues/2516
@wodka , doesn't the port override solve your issue?
It does, sorry for not stating that. I just wanted to drop it as a reference for anyone searching for the failure here.
Ah, all good then!
Hello,
This is a follow-up of #42 .
The command
docker run -it --rm -u varnish varnish -a http=:8080,HTTP -n /tmp/varnish_workdir
from comment https://github.com/varnish/docker-varnish/issues/42#issuecomment-952126051 is not working. Still getting:
In my Docker compose file, I tried to override the default command providing options, to not have to override the entrypoint entirely:
But it does not override
-a http=:80,HTTP \
of the default entrypoint. As a workaround I will add:
in my Docker compose.
But I think a long-term solution would be to change the default port as initially requested in the referenced issue, or to put the HTTP and PROXY ports in environment variables so they can easily be overridden.
Thanks for the reply.