unofficial mirror of help-guix@gnu.org 
From: Edouard Klein <edou@rdklein.fr>
To: help-guix@gnu.org
Subject: Re: Can't bind to port 80 from inside a Guix container
Date: Wed, 28 Apr 2021 21:12:11 +0200
Message-ID: <87r1iu8bqs.fsf@rdklein.fr>
In-Reply-To: <878s5b7jvv.fsf@rdklein.fr>

Dear all,

I solved my problem by simply unprivileging all ports on the system:
# echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf
# sysctl --system


Now anybody can bind to any port.

I wish we were on Plan 9 where filesystem permissions apply to the
network too, but we have to use a half-a-century old API instead. I hate
port numbers with a passion.

Anyway. That works, I'm happy. I hope it can be useful to somebody else.

Cheers,

Edouard.

edk@beaver-labs.com writes:

> Dear fellow Guixers,
>
> I'm trying to run nginx with `guix system container --network toto.scm`,
> and I get the following error:
>
> nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
>
> despite the container script being launched with sudo.
>
> I got a root shell inside the container, checked that the corresponding
> process also belongs to root from outside the container, and still don't
> have the right to bind to port 80, with any software (this is not an
> nginx error).
>
> netcat lets me launch `nc -l 80` but I can't reach it, I don't think it
> is actually binding.
>
> Is this a known problem or limitation of guix containers?
>
> What do you suggest to try to troubleshoot this issue?
>
> Cheers,
>
> Edouard.
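
Added example, not part of either message: a diagnostic for the "Permission denied" on bind() discussed in this thread. The kernel allows a bind below net.ipv4.ip_unprivileged_port_start only with CAP_NET_BIND_SERVICE in the user namespace that owns the network namespace. The function names, the verdict strings and the uid_map heuristic are assumptions of this sketch, as is the premise that the container has its own user namespace while sharing the host's network namespace.

```shell
#!/bin/sh
# Added example: predict whether bind() to a given port will be permitted.

CAP_NET_BIND_SERVICE_BIT=10   # bit position from linux/capability.h

# has_bind_cap CAPEFF_HEX: true if the effective set contains the capability.
has_bind_cap() {
    [ $(( (0x$1 >> $CAP_NET_BIND_SERVICE_BIT) & 1 )) -eq 1 ]
}

# in_initial_userns UID_MAP_LINE: heuristic, the initial user namespace
# maps the full uid range onto itself ("0 0 4294967295").
in_initial_userns() {
    set -- $1
    [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# bind_verdict PORT THRESHOLD CAPEFF_HEX UID_MAP_LINE: prints one verdict.
bind_verdict() {
    if [ "$1" -ge "$2" ]; then
        echo "allowed-unprivileged"      # port is at or above the threshold
    elif ! has_bind_cap "$3"; then
        echo "denied-no-cap"             # low port, capability missing
    elif ! in_initial_userns "$4"; then
        # Capability is held only inside a child user namespace; it does
        # not count for a network namespace owned by the host.
        echo "denied-if-host-netns"
    else
        echo "allowed-cap"
    fi
}

# live_verdict PORT: same decision using this process's real values.
live_verdict() {
    threshold=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start)
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    uidmap=$(head -n 1 /proc/self/uid_map)
    bind_verdict "$1" "$threshold" "$capeff" "$uidmap"
}

# Usage: sh bindcheck.sh 80   (file name is a placeholder)
if [ $# -gt 0 ]; then live_verdict "$1"; fi
```

With the threshold set to 0 as in the reply above, every port yields allowed-unprivileged for every user on the host, not only for the container.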


