
[ECS] [request]: allow containers running as non-root to bind to privileged ports

Open Mahoney opened this issue 2 years ago • 5 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
The ECS container runtime does not allow a process running as a non-root user to bind to privileged ports (<1024).

So an image designed to serve HTTP traffic either needs to listen on a port other than 80, or to run as root.

The best practices document suggests that I should be running as non-root (p.83) and that it's reasonable to expose port 80 (diagram on p.23). In general I feel one of the advantages of containerisation is the ability to run things on default ports and refer to them by name rather than memorising non-standard ports.

Which service(s) is this request for?
ECS

Are you currently working around this issue?
I'm running some of my containers as root (e.g. the default nginx image) and some as non-root but using a non-privileged, non-standard HTTP port > 1024.

The Docker container runtime, which I suspect is how the majority of image developers test their images and run them locally, now allows privileged port binding for unprivileged users by default: https://github.com/moby/moby/pull/41030

Mahoney avatar Apr 25 '22 09:04 Mahoney
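As an added diagnostic (not from the issue or the ECS project), the script below checks the three things that decide whether a non-root container process may bind port 80: the kernel's net.ipv4.ip_unprivileged_port_start sysctl (the knob the linked moby change sets to 0 inside containers), whether the process holds CAP_NET_BIND_SERVICE in its effective set, and the real bind result. The /proc paths and the capability bit number are standard Linux; the fallback values used when /proc is unavailable are constructed samples.

```python
import errno
import os
import socket

CAP_NET_BIND_SERVICE = 10  # Linux capability bit for binding ports below the threshold

def unprivileged_port_start(text):
    """Parse net.ipv4.ip_unprivileged_port_start; stock kernels say 1024, Docker sets 0 in containers."""
    return int(text.strip())

def is_privileged_port(port, start=1024):
    """A port is privileged when it lies below the kernel's unprivileged start."""
    return port < start

def has_cap_net_bind_service(status_text):
    """Look for CAP_NET_BIND_SERVICE in the effective set printed in /proc/self/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            capeff = int(line.split(":", 1)[1].strip(), 16)
            return bool(capeff & (1 << CAP_NET_BIND_SERVICE))
    return False

def explain(port, start, has_cap, uid):
    """Predict the bind outcome from the three inputs the kernel actually consults."""
    if not is_privileged_port(port, start):
        return "allowed: port is at or above ip_unprivileged_port_start"
    if uid == 0 or has_cap:
        return "allowed: root or CAP_NET_BIND_SERVICE present"
    return "denied: non-root without CAP_NET_BIND_SERVICE (expect EACCES)"

def try_bind(port, host="0.0.0.0"):
    """Attempt the bind for real and report (ok, errno name)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True, None
        except OSError as e:
            return False, errno.errorcode.get(e.errno, str(e.errno))

def read_proc(path, fallback):
    """Read a /proc file; off Linux use a constructed sample so the script still runs."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return fallback

if __name__ == "__main__":
    start = unprivileged_port_start(read_proc("/proc/sys/net/ipv4/ip_unprivileged_port_start", "1024\n"))
    has_cap = has_cap_net_bind_service(read_proc("/proc/self/status", "CapEff:\t0000000000000000\n"))
    print(explain(80, start, has_cap, os.getuid()))
    print("actual bind on :80 ->", try_bind(80))
```

Run it inside the task container as the image's non-root user: if explain() reports "denied" while the Docker default on your laptop reports "allowed", the difference is the sysctl value, not the image.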

Incidentally it would be nice for this to work on Fargate, and hence awsvpc networking, too.

Mahoney avatar May 05 '22 11:05 Mahoney

Hi, what's the update on this?

imaginarynik avatar Dec 12 '23 10:12 imaginarynik

This is still an issue. Do we have a workaround yet?

irobinsonDandH avatar Apr 12 '24 21:04 irobinsonDandH

+1

phisolani avatar May 21 '24 07:05 phisolani