0

I am running Docker on Debian 11. I deploy an Nginx container and it fails to bind to port 80 even though port 80 is not in use by any other process. I even tried running Docker as root.

Here's the command: docker run -d -p 80:80 nginx:alpine

Here are the container logs:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2022/08/03 11:06:15 [emerg] 1#1: socket() 0.0.0.0:80 failed (13: Permission denied)
nginx: [emerg] socket() 0.0.0.0:80 failed (13: Permission denied)

I suspect that AppArmor is blocking the network access. When I uninstall AppArmor everything works well. However, with AppArmor installed, only privileged Docker containers are able to connect to the internet.

Please let me know if you need any other information to help me debug this problem.

3
  • In case it matters, you should specify if you're using Debian's docker.io package or upstream's docker-ce package. Commented Aug 4, 2022 at 5:59
  • Permission denied means that it's not allowed to open port 80 -- i.e., it's not running as root (good, it shouldn't) and wasn't given privileges to open low ports. Commented Aug 4, 2022 at 6:56
  • I'm using Docker's repo to install Docker. Commented Aug 4, 2022 at 15:24

1 Answer

1

The "problem" in this case isn't so much that your system won't do what you're asking of it, it's that you're asking it to do something it really shouldn't.

Ports below 1024 are classed as privileged -- only root, or someone with the specific privilege, is allowed to open sockets on those ports.

Docker isn't running as root, or at least shouldn't be, so it can't open sockets on port 80. This is correct behavior.

I recommend setting Docker up to listen on a high port and localhost only, then using Apache or Nginx as a proxy.

2
  • The user that I'm running is part of the sudo group. I've tried other ports (greater than 1024), but none works. Switched to root and tried, same result. As I said in the post, only privileged containers were able to connect to the internet. Commented Aug 4, 2022 at 14:24
  • Being "part of the sudo group" only means that you can occasionally issue specific commands as root by prepending them with sudo. It does not automatically elevate your privileges in all situations, because that is explicitly not its job. Commented Jan 2, 2024 at 9:04
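
Added example, not part of the original thread: a triage helper that reads an nginx `[emerg]` line like the one in the question and reports which system call was refused. On Linux the privileged-port check is applied at bind(), while EACCES from socket() means socket creation itself was denied, so the two point to different causes. The names `EMERG_RE`, `classify` and `probe` are made up for this sketch, and the cause strings are heuristics, not a definitive diagnosis.

```python
import errno
import re
import socket

# nginx emits "socket() ADDR:PORT failed (N: text)" and "bind() to ADDR:PORT failed (N: text)"
EMERG_RE = re.compile(
    r"\[emerg\].*?\b(?P<call>socket|bind)\(\) (?:to )?"
    r"(?P<addr>\S+):(?P<port>\d+) failed \((?P<errno>\d+): (?P<text>[^)]*)\)"
)

def classify(line):
    """Return the failing syscall, address, port, errno and a likely cause, or None."""
    m = EMERG_RE.search(line)
    if not m:
        return None
    call, port, code = m["call"], int(m["port"]), int(m["errno"])
    if code != errno.EACCES:
        cause = "not a permission error"
    elif call == "socket":
        # Refused before any port is involved: look at the policy layer
        # (LSM profile such as AppArmor, seccomp filter), not the port number.
        cause = "socket creation denied by policy; port number is irrelevant"
    elif port < 1024:
        cause = "privileged-port check at bind()"
    else:
        cause = "bind() denied by policy"
    return {"call": call, "addr": m["addr"], "port": port, "errno": code, "cause": cause}

def probe(host="0.0.0.0", port=80):
    """Try socket() then bind() from the current context; return (stage, errno)."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError as e:
        return ("socket", e.errno)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
    except OSError as e:
        return ("bind", e.errno)
    finally:
        s.close()
    return ("ok", 0)

if __name__ == "__main__":
    # Log line copied from the question above.
    line = "2022/08/03 11:06:15 [emerg] 1#1: socket() 0.0.0.0:80 failed (13: Permission denied)"
    print(classify(line))
    print(probe())
```

Running `probe()` under the same confinement as the failing process, once on port 80 and once on a port above 1024, shows whether the denial depends on the port at all.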
