Docker privileged / capabilities not working with non-root user

[Cherry]

We're attempting to use the NET_BIND_SERVICE capability to allow non-root users to bind to port 80, and others.

We're using a basic image from https://github.com/jwilder/whoami, which is a simple HTTP server in Go for demonstration purposes. The Dockerfile can be found here: https://github.com/jwilder/whoami/blob/master/Dockerfile.

The specific command we're using is the following:
docker run --rm -it --user 5010:5010 -e PORT=80 --cap-add NET_BIND_SERVICE jwilder/whoami

Running solely this command will replicate the issue as described below.

We've tested running this on CentOS 7, and Ubuntu 16, both resulting in a listen tcp :80: bind: permission denied error, when we'd expect this to work. Example docker version output:

Client:
 Version:           18.09.1
 API version:       1.39
 Go version:        go1.10.6
 Git commit:        4c52b90
 Built:             Wed Jan  9 19:35:01 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.1
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       4c52b90
  Built:            Wed Jan  9 19:06:30 2019
  OS/Arch:          linux/amd64
  Experimental:     false

If we manually use setcap on the process, we're able to get this working as follows, but we believe this shouldn't be required:

# this `docker run` command works with or without `--cap-add NET_BIND_SERVICE` - it seems to have no effect at all
docker run --rm -i -e PORT=80 --cap-add NET_BIND_SERVICE jwilder/whoami
# inside container
adduser -D test
apk add --update --no-cache libcap
setcap cap_net_bind_service=+ep /app/http
su test
PORT=80 /app/http

Are we missing something with the capabilities, or is this an issue?

[thaJeztah]

@tianon - IIRC you looked into something similar at some point

[tianon]

Yep, that'd be #8460, which includes some discussion around this and "ambient capabilities" which is what I understand this cap-based solution requires.

My personal preference is for the sysctl referenced in that thread since we're in a network namespace anyhow so "privileged ports" really is pretty meaningless.

[Cherry]

The suggested sysctl flag in #8460 results in

docker run --rm -it --user 5010:5010 -e PORT=80 --cap-add NET_BIND_SERVICE --sysctl net.ipv4.ip_unprivileged_port_start=0 jwilder/whoami

docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "process_linux.go:424: container init caused \"write sysctl key net.ipv4.ip_unprivileged_port_start: open /proc/sys/net/ipv4/ip_unprivileged_port_start: no such file or directory\"": unknown.

Kernel version: 4.4.0-141-generic.

[tianon]

Ah bummer, yep, it requires a newer kernel than 4.4.

[php-coder]

As #41030 has been merged and #8460 was resolved, this one can be closed also.

[thaJeztah]

Yes, looks like we should close this one. I don't think there's much more we can do for older kernels