I have a docker file userPermissionDenied.df, here is its content:
FROM busybox:1.29
USER 1000:1000
ENTRYPOINT ["nc"]
CMD ["-l", "-p", "80", "0.0.0.0"]
I run the following commands:
> docker image build -t fooimg -f userPermissionDenied.df .
> docker container run fooimg
Now I expect the following output:
> nc: bind: Permission denied
But I am not getting any output at all: the container just hangs. Why?
I am learning Docker through the Docker in Action by Jeff Nickoloff and that is where I got the use case from.
Given that you are running the nc command as a non-root user (due to the USER 1000:1000 directive in your Dockerfile), you might expect to see a "permission denied" error of some sort when nc tries to bind port 80.
In earlier versions of Docker that is exactly what would have happened, but a few years ago Docker was modified so that containers run with net.ipv4.ip_unprivileged_port_start=0, which means there are no longer any "privileged ports": any UID can bind any port.
You can see this setting by running sysctl inside a container:
$ docker run -it --rm -u 1000:1000 alpine sysctl -a |grep net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 0
the container just hangs. Why?
The container isn't "hanging"; it is successfully running nc -l -p 80, which is waiting for a connection to the container on port 80. If you were to use curl or some other tool to connect to port 80 in that container, it would display any data sent over the connection and then the container would exit when the connection is closed.
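To make the behaviour described in the answer checkable from a script, here is an added example (not code from the question, the answer, or the book): a POSIX shell function that reads the net.ipv4.ip_unprivileged_port_start line from sysctl -a output and reports whether a given port can be bound by a non-root UID, plus the docker run --sysctl invocation that restores the conventional 1024 boundary for a single container. The sysctl dump, the image name fooimg and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example: decide, from a sysctl dump, whether a non-root process in
# the container may bind a given TCP/UDP port without extra capabilities.

# Constructed sample of what `sysctl -a` prints inside a default container.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.ip_unprivileged_port_start = 0
net.ipv4.tcp_syncookies = 1'

# Extract the numeric value of ip_unprivileged_port_start from a dump.
# Prints the value; falls back to 1024 (the kernel default) if the key is absent.
unprivileged_port_start() {
    value=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.ip_unprivileged_port_start *= *\([0-9]*\).*/\1/p')
    printf '%s\n' "${value:-1024}"
}

# Exit 0 if PORT ($2) can be bound by a non-root UID under the dump in $1,
# exit 1 if binding it would still require root (CAP_NET_BIND_SERVICE).
unprivileged_bind_allowed() {
    dump=$1
    port=$2
    start=$(unprivileged_port_start "$dump")
    [ "$port" -ge "$start" ]
}

# The `docker run` invocation that restores the 1024 boundary for one container,
# so the book's "nc: bind: Permission denied" behaviour reappears for UID 1000.
# (--sysctl is a real docker run flag; net.ipv4.* is namespaced and therefore allowed.)
restore_privileged_ports_cmd() {
    printf '%s\n' "docker run --sysctl net.ipv4.ip_unprivileged_port_start=1024 $1"
}

# Report for port 80 using the constructed dump.
if unprivileged_bind_allowed "$SAMPLE_SYSCTL" 80; then
    echo "port 80: any UID may bind it (ip_unprivileged_port_start=$(unprivileged_port_start "$SAMPLE_SYSCTL"))"
    echo "to reinstate the boundary: $(restore_privileged_ports_cmd fooimg)"
else
    echo "port 80: root (or CAP_NET_BIND_SERVICE) required to bind it"
fi
```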