From: Edouard Klein
To: help-guix@gnu.org
Subject: Re: Can't bind to port 80 from inside a Guix container
Date: Wed, 28 Apr 2021 21:12:11 +0200
Message-ID: <87r1iu8bqs.fsf@rdklein.fr>
In-Reply-To: <878s5b7jvv.fsf@rdklein.fr>
Dear all,

I solved my problem by simply unprivileging all ports on the system:

# echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf
# sysctl --system

Now anybody can bind to any port.

I wish we were on Plan 9 where filesystem permissions apply to the network too, but we have to use a half-a-century old API instead. I hate port numbers with a passion.

Anyway. That works, I'm happy. I hope it can be useful to somebody else.

Cheers,

Edouard.

edk@beaver-labs.com writes:

> Dear fellow Guixers,
>
> I'm trying to run nginx with `guix system container --network toto.scm`,
> and I get the following error:
>
> nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
>
> despite the container script being launched with sudo.
>
> I got a root shell inside the container, checked that the corresponding
> process also belongs to root from outside the container, and still don't
> have the right to bind to port 80, with any software (this is not an
> nginx error).
>
> netcat lets me launch `nc -l 80` but I can't reach it, I don't think it
> is actually binding.
>
> Is this a known problem or limitation of guix containers ?
>
> What do you suggest to try to troubleshoot this issue ?
>
> Cheers,
>
> Edouard.
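The sysctl in the reply above is a system-wide setting: `net.ipv4.ip_unprivileged_port_start` is the lower bound of the unprivileged range, so every port at or above it becomes bindable without CAP_NET_BIND_SERVICE, and a value of 0 removes the privileged-port boundary entirely rather than just freeing port 80. The script below is an added example (it is not part of the mail and not Guix project code) that reads the live boundary, reports whether a given port still needs privilege, parses the drop-in file for the configured value, and counts how many ports below 1024 a proposed value opens, so a reviewer can compare 0 with the narrowest value that makes port 80 bindable (80, which still opens 80 through 1023). The drop-in path is the one from the mail; the fallback to 1024 when /proc is unreadable is an assumption matching the kernel default.

```shell
#!/bin/sh
# Added example, not from the original mail: inspect the Linux privileged-port
# boundary controlled by net.ipv4.ip_unprivileged_port_start.

# Drop-in file named in the mail (assumption: that is where the value was written).
SYSCTL_DROPIN=/etc/sysctl.d/50-unprivileged-ports.conf

# Print the live lower bound of the unprivileged port range.
# Falls back to the kernel default (1024) when /proc is not readable,
# e.g. inside a sandbox without procfs.
unprivileged_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

# port_needs_privilege PORT START
# Prints "yes" when binding PORT requires CAP_NET_BIND_SERVICE (or root)
# under a boundary of START, i.e. when PORT < START; "no" otherwise.
port_needs_privilege() {
    port=$1
    start=$2
    if [ "$port" -lt "$start" ]; then
        echo yes
    else
        echo no
    fi
}

# ports_opened_by START
# Number of ports below the kernel default (1024) that a boundary of START
# makes bindable without privilege. 0 opens all 1024, 80 opens 944.
ports_opened_by() {
    start=$1
    if [ "$start" -ge 1024 ]; then
        echo 0
    else
        echo $((1024 - start))
    fi
}

# dropin_value FILE KEY
# Extract the last assignment of KEY from a sysctl.d-style file, accepting
# both "key=value" and "key = value"; dots in KEY are escaped for sed.
dropin_value() {
    file=$1
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# report PORT: human-readable status of one port under the live setting,
# plus the configured value if the drop-in file exists.
report() {
    start=$(unprivileged_port_start)
    printf 'live ip_unprivileged_port_start=%s: port %s needs privilege: %s\n' \
        "$start" "$1" "$(port_needs_privilege "$1" "$start")"
    printf 'ports below 1024 opened by this boundary: %s\n' "$(ports_opened_by "$start")"
    if [ -r "$SYSCTL_DROPIN" ]; then
        printf 'configured in %s: %s\n' "$SYSCTL_DROPIN" \
            "$(dropin_value "$SYSCTL_DROPIN" net.ipv4.ip_unprivileged_port_start)"
    fi
}

report 80
```

Run it as a normal user; nothing here needs root because it only reads /proc and the drop-in file. The `ports_opened_by` figure is the number worth noting in a change review: the mail's value of 0 opens all 1024 historically privileged ports to every local account, whereas a boundary of 80 would have sufficed for nginx on port 80 in the container while keeping ports 0 through 79 privileged.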