
Allow listening on privileged ports (below 1024) as non-root

Open jjlin opened this issue 2 years ago • 2 comments

This is done by running setcap cap_net_bind_service=+ep on the executable in the build phase (doing it in the runtime phase creates an extra copy of the executable that bloats the image). This only works when using the BuildKit-based builder, since the COPY instruction doesn't copy capabilities on the legacy builder.

jjlin avatar Jan 25 '23 08:01 jjlin
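The build-stage `setcap` approach described in the PR, written out as a multi-stage Dockerfile. This is an added illustration, not the project's own Dockerfile; the image tags, the `/src/target/release/app` binary path, the `libcap2-bin` package and the `app` name are placeholders chosen for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. The Rust image, package name and
# binary path below are assumptions; substitute the real build for your project.
FROM rust:1-slim-bookworm AS build
WORKDIR /src
COPY . .
RUN cargo build --release

# Grant the binary the capability to bind ports below 1024 here, in the build
# stage. Doing this in the runtime stage would rewrite the file in a new layer
# and leave a second copy of the executable in the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends libcap2-bin \
    && setcap cap_net_bind_service=+ep /src/target/release/app \
    && getcap /src/target/release/app   # shows the capability is set

FROM debian:bookworm-slim
# COPY carries file capabilities across stages only under the BuildKit builder
# (DOCKER_BUILDKIT=1, or Docker Engine 23+ where BuildKit is the default);
# the legacy builder drops them and the bind below would fail as non-root.
COPY --from=build /src/target/release/app /usr/local/bin/app

# Run unprivileged; the file capability, not root, allows binding port 80.
USER 65534:65534
EXPOSE 80
CMD ["app"]
```

After building, check that the capability survived the copy by running `getcap /usr/local/bin/app` inside the final image; if it prints nothing, the image was built with the legacy builder and the non-root process will only be able to bind ports 1024 and above unless the runtime lowers `net.ipv4.ip_unprivileged_port_start` for the container.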

Note that executables running as non-root actually can already bind to "privileged" ports even without setting cap_net_bind_service in Docker 20.10.0 and later (see moby/moby#41030).

Nevertheless, setting cap_net_bind_service should still be useful for people running earlier versions of Docker, or using another container runtime that doesn't have this change.

jjlin avatar Jan 25 '23 08:01 jjlin

~~https://hub.docker.com/r/jjlin/vaultwarden/tags shows the results of this PR~~

jjlin avatar Jan 25 '23 09:01 jjlin