unable to bind 80 and 443 inside container #32

Closed
joshuacox opened this issue May 2, 2017 · 5 comments

@joshuacox

If I put the latest 1.2.3 alpine on port 80 and 443 instead of 8080 and 8443 I get permission denied errors:

="Error creating server: listen tcp :80: bind: permission denied

and if I leave http on port 8080, 443 dies

="Error creating server: listen tcp :443: bind: permission denied

you can see me wrestling with the issue here

@rawmind0
Owner

rawmind0 commented May 2, 2017

Hi @joshuacox ....

Where are you running your dockers?? Are you running your docker daemon with selinux enabled??

In some circumstances it seems that docker with selinux makes setcap not work correctly.
The Traefik binary, in its docker, is setcap so that the traefik user can open privileged ports...

setcap 'cap_net_bind_service=+ep' ${SERVICE_HOME}/bin/traefik

I've just launched the last version in my test system, from the catalog, listening on 80 and 443... It's working without any problem....

29/04/2017 16:53:08time="2017-04-29T14:53:08Z" level=info msg="Traefik version v1.2.3 built on 2017-04-13_07:32:59PM"
29/04/2017 16:53:08time="2017-04-29T14:53:08Z" level=info msg="Using TOML configuration file /opt/traefik/etc/traefik.toml"
29/04/2017 16:53:08time="2017-04-29T14:53:08Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> Compress:false}"
29/04/2017 16:53:08time="2017-04-29T14:53:08Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc420362e40 Redirect:<nil> Auth:<nil> Compress:false}"
29/04/2017 16:53:08time="2017-04-29T14:53:08Z" level=info msg="Starting server on :80"
29/04/2017 16:53:08time="2017-04-29T14:53:08Z" level=info msg="Starting provider *provider.File {\"Watch\":true,\"Filename\":\"/opt/traefik/etc/rules.toml\",\"Constraints\":null}"
29/04/2017 16:53:08time="2017-04-29T14:53:08Z" level=info msg="Starting server on :443"
29/04/2017 16:53:08time="2017-04-29T14:53:08Z" level=info msg="Starting provider *main.WebProvider {\"Address\":\":8000\",\"CertFile\":\"\",\"KeyFile\":\"\",\"ReadOnly\":false,\"Statistics\":null,\"Metrics\":null,\"Auth\":null}"
29/04/2017 16:53:08time="2017-04-29T14:53:08Z" level=info msg="Server configuration reloaded on :80"
29/04/2017 16:53:08time="2017-04-29T14:53:08Z" level=info msg="Server configuration reloaded on :443"

@joshuacox
Author

joshuacox commented May 2, 2017

My dockers are in a rancher/cattle environment rancher 1.5.7 rancherOS 1.0.1

EDIT: adding the setcap output as traefik user in alpine-traefik container:

bash-4.3$ setcap 'cap_net_bind_service=+ep' ${SERVICE_HOME}/bin/traefik
unable to set CAP_SETFCAP effective capability: Operation not permitted

and for kicks as root on the host rancherOS

[root@lion ~]# setcap 'cap_net_bind_service=+ep' ${SERVICE_HOME}/bin/traefik
-bash: setcap: command not found

I don't think selinux is set up on rancher by default

@joshuacox
Author

@rawmind0 is it possible that my binding in of /opt/traefik as a volume is causing issues?

@rawmind0
Owner

rawmind0 commented May 2, 2017

Are you mounting /opt/traefik as a volume?? If so... don't do that. Please try deploying the unmodified catalog package... or without additional volumes...

You couldn't run setcap inside the container, because it is running as an unprivileged user. Setcap is already done in the docker build. :)

@joshuacox
Author

ok, I changed it out to just /opt/traefik/acme, and now port 80 and 443 are working again. @rawmind0 could I get any comments or suggestions on making that acme.json persistent on #31?
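
An added example, not part of the original thread or the project's code: `setcap` stores file capabilities in the binary's `security.capability` extended attribute, so this script decodes that attribute to confirm whether `cap_net_bind_service=+ep` from the image build is still present on the binary the container actually runs. The default path `/opt/traefik/bin/traefik` and the sample bytes are assumptions constructed for illustration.

```python
import os
import struct
import sys

CAP_NET_BIND_SERVICE = 10            # bit number from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # the "e" in "+ep"
# xattr revision -> number of 32-bit (permitted, inheritable) pairs
REVISION_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

# Constructed sample: the xattr bytes for cap_net_bind_service=+ep (revision 2).
SAMPLE_EP = bytes.fromhex("0100000200040000000000000000000000000000")

def parse_file_caps(blob):
    """Decode a security.capability xattr value (little-endian vfs_cap_data)."""
    if len(blob) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", blob, 0)
    words = REVISION_WORDS.get(magic & VFS_CAP_REVISION_MASK)
    if words is None or len(blob) < 4 + 8 * words:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(words):
        perm, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= perm << (32 * i)
        inheritable |= inh << (32 * i)
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}

def can_bind_low_ports(blob):
    """True when the value grants cap_net_bind_service as permitted and effective."""
    if not blob:
        return False
    caps = parse_file_caps(blob)
    return caps["effective"] and bool((caps["permitted"] >> CAP_NET_BIND_SERVICE) & 1)

def check_binary(path):
    """Read the xattr from a real file (Linux only); a missing xattr means no caps."""
    try:
        return can_bind_low_ports(os.getxattr(path, "security.capability"))
    except OSError:
        return False

if __name__ == "__main__":
    # Assumed default path: SERVICE_HOME=/opt/traefik is inferred from the log above.
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/traefik/bin/traefik"
    print(target, "cap_net_bind_service+ep:", check_binary(target))
```

Run it inside the container as the traefik user; reading the attribute does not need the privileges that `setcap` does.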
