Allow non-root users in OCI to listen to low port numbers #1704

Closed
gwenya opened this issue Feb 28, 2025 · 6 comments
Labels
Easy Good for new contributors

@gwenya
Contributor

gwenya commented Feb 28, 2025

In Docker, it has been possible for some time for non-root users to listen on service ports, which is generally considered to be safe and makes sense for application containers (see moby/moby#41030).

Would it make sense for Incus to also set net.ipv4.ip_unprivileged_port_start to 0 in OCI containers by default?

@stgraber
Member

Yeah, I think that'd be fine for OCI containers.

Should be rather easy to set through lxc.sysctl in the config.

@stgraber added the Easy (Good for new contributors) label Feb 28, 2025
@stgraber added this to the incus-6.11 milestone Feb 28, 2025
@stgraber
Member

@gwenya do you want to do it yourself?

Should be a rather trivial change to driver_lxc.go once you find the OCI logic in there (look for lxc.init.cwd to get you to the right spot).

@stgraber changed the title from "listen to service ports as non-root user in OCI containers" to "Allow non-root users in OCI to listen to low port numbers" Feb 28, 2025
@gwenya
Contributor Author

gwenya commented Feb 28, 2025

I'll try, yeah

@gwenya
Contributor Author

gwenya commented Feb 28, 2025

I'm also adding ping capabilities via net.ipv4.ping_group_range, same as Docker does, if that's okay @stgraber

@stgraber
Member

Yeah, that's fine.

@gwenya
Contributor Author

gwenya commented Mar 3, 2025

Fixed by #1706

@gwenya closed this as completed Mar 3, 2025
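
A small Go check of what the two sysctls discussed in this thread permit for a non-root process inside a container. It is an added example, not Incus code and not part of the thread; the function names are hypothetical, and the fallback values in `main` are the kernel defaults (`1024` and `1 0`).

```go
package main

import (
	"fmt"
	"os"
)

// CanBindUnprivileged reports whether a process without CAP_NET_BIND_SERVICE
// may bind to port, given the value of net.ipv4.ip_unprivileged_port_start.
// Ports below that value are privileged; a value of 0 makes none privileged.
func CanBindUnprivileged(sysctlValue string, port int) (bool, error) {
	var start int
	if _, err := fmt.Sscan(sysctlValue, &start); err != nil {
		return false, fmt.Errorf("bad ip_unprivileged_port_start %q: %w", sysctlValue, err)
	}
	return port >= start, nil
}

// CanPing reports whether any of gids falls inside net.ipv4.ping_group_range,
// which gates unprivileged ICMP echo (SOCK_DGRAM) sockets.
func CanPing(sysctlValue string, gids []int) (bool, error) {
	var lo, hi int
	if _, err := fmt.Sscan(sysctlValue, &lo, &hi); err != nil {
		return false, fmt.Errorf("bad ping_group_range %q: %w", sysctlValue, err)
	}
	for _, g := range gids {
		if g >= lo && g <= hi {
			return true, nil
		}
	}
	return false, nil // the kernel default "1 0" is an empty range
}

func main() {
	// Both sysctls are per network namespace, so run this inside the container.
	read := func(name, def string) string {
		b, err := os.ReadFile("/proc/sys/net/ipv4/" + name)
		if err != nil {
			return def // assumption: fall back to the kernel default
		}
		return string(b)
	}
	gids, _ := os.Getgroups()
	gids = append(gids, os.Getegid())
	bind, _ := CanBindUnprivileged(read("ip_unprivileged_port_start", "1024"), 80)
	ping, _ := CanPing(read("ping_group_range", "1 0"), gids)
	fmt.Printf("bind :80 without CAP_NET_BIND_SERVICE: %v, unprivileged ping: %v\n", bind, ping)
}
```

Running it in an instance before and after the sysctls are applied shows whether the container's network namespace actually picked up the new values.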