Rootless podman is unable to use host ports less than 1024

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • podman

Issue

  • A rootless user tries to publish a host port below 1024 with -p and the mapping fails:
$  podman run -itd -p 809:80 ubi8
Error: rootlessport cannot expose privileged port 809, you can add 'net.ipv4.ip_unprivileged_port_start=809' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:809: bind: permission denied

Resolution

  • By default the kernel reserves ports below 1024 for processes that hold CAP_NET_BIND_SERVICE (normally root), so a rootless user cannot bind them. The threshold is the sysctl net.ipv4.ip_unprivileged_port_start, which defaults to 1024 (the value the error message reports as "currently 1024").
  • This threshold can be lowered, either immediately for the running kernel or persistently through sysctl configuration.
  • For an immediate but non-persistent change, run as root (or any suitably privileged user): sysctl net.ipv4.ip_unprivileged_port_start=xxx, where xxx is the lowest port the rootless user needs. After that, any unprivileged process on the host can bind any port greater than or equal to xxx (809 itself is allowed when xxx=809). The setting is system-wide and not specific to podman, so use the highest value that works for the required port (809 in the example above), not 0; every local user gains the ability to bind the ports it frees, including the container's own port while the container is stopped.
  • To make the change survive a reboot, add the line below to /etc/sysctl.conf (or to a drop-in file under /etc/sysctl.d/) and load it with sysctl -p (or sysctl --system). Editing the file alone does not change the running kernel.
net.ipv4.ip_unprivileged_port_start=xxx
  • Granting CAP_NET_BIND_SERVICE to the podman binary with setcap may look like an alternative, but it has limitations in rootless mode and podman may not behave as expected. See: Why setcap doesn't always work for podman?
  • If lowering the threshold is not acceptable, the remaining option is the one the error message gives: publish a host port of 1024 or above (for example -p 8080:80).
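The following script is an added example and is not part of the Red Hat article. It applies the procedure above as root: it takes the list of privileged host ports a rootless user needs, derives the smallest value net.ipv4.ip_unprivileged_port_start must be lowered to (every port at or above the threshold becomes bindable by any unprivileged user, so the threshold should be exactly the lowest required port), sets it at runtime with sysctl, and persists it in a drop-in under /etc/sysctl.d/ loaded with sysctl -p. The drop-in file name and the function names are assumptions; only sysctl(8) and /proc/sys are real interfaces.

```shell
#!/bin/sh
# Added example (not Red Hat's or podman's own code): lower
# net.ipv4.ip_unprivileged_port_start to the lowest port a rootless
# podman user needs, at runtime and persistently. Must run as root.
# Assumption: the drop-in name below is our choice, not a RHEL default.

SYSCTL_KEY=net.ipv4.ip_unprivileged_port_start
DROPIN=/etc/sysctl.d/90-podman-unprivileged-ports.conf

# Current kernel threshold, as reported by "sysctl $SYSCTL_KEY".
current_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start
}

# Return 0 when an unprivileged process may bind port $1 under threshold $2.
# A port equal to the threshold is allowed (the kernel check is ">=").
port_allowed() {
    [ "$1" -ge "$2" ]
}

# Accept only a decimal TCP/UDP port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the smallest of the given ports: that is the threshold to use,
# because lowering it further exposes more ports than required.
lowest_port() {
    low=65536
    for p in "$@"; do
        valid_port "$p" || return 1
        [ "$p" -lt "$low" ] && low=$p
    done
    [ "$low" -le 65535 ] || return 1
    echo "$low"
}

# Content of the sysctl.d drop-in for a given threshold.
dropin_content() {
    printf '# Lowest port rootless podman users may publish; system-wide\n%s = %s\n' \
        "$SYSCTL_KEY" "$1"
}

# Apply the threshold now and persist it; does nothing if the current
# value is already low enough (never raises an existing lower setting).
apply_threshold() {
    start=$(lowest_port "$@") || { echo "invalid port list: $*" >&2; return 1; }
    cur=$(current_start)
    if [ "$cur" -le "$start" ]; then
        echo "$SYSCTL_KEY is already $cur; ports >= $start are bindable"
        return 0
    fi
    sysctl -w "$SYSCTL_KEY=$start" || return 1
    dropin_content "$start" > "$DROPIN" || return 1
    sysctl -p "$DROPIN" >/dev/null
}

# Usage: ./unpriv-ports.sh 809 443   (only runs when ports are given)
if [ "$#" -gt 0 ]; then
    apply_threshold "$@"
fi
```

Run it once as root with the ports the rootless user has to publish; afterwards the user's podman run -p 809:80 ... succeeds without any change to podman itself. Because the kernel setting applies to every unprivileged process on the host, audit who else has a shell on the machine before lowering it below what a single well-known service port requires.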

Root Cause

  • The kernel refuses to let a process without CAP_NET_BIND_SERVICE bind to any port below net.ipv4.ip_unprivileged_port_start (1024 by default), because low ports are traditionally trusted service ports. In rootless mode the port forwarding is done by podman's unprivileged rootlessport helper, so its bind() on the host port fails with EACCES ("permission denied").

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
