Add default sysctls to allow ping sockets and privileged ports with no capabilities by justincormack · Pull Request #41030 · moby/moby
Currently default capability CAP_NET_RAW allows users to open ICMP echo sockets, and CAP_NET_BIND_SERVICE allows binding to ports under 1024. Both of these are safe operations, and Linux now provides ways that these can be set, per container, to be allowed without any capabilities for non root users. Enable these by default. Users can revert to the previous behaviour by overriding the sysctl values explicitly.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
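As an added example (not code from the PR or from moby itself): a small Python check that reads the two Linux sysctls this change defaults for every container, `net.ipv4.ping_group_range` and `net.ipv4.ip_unprivileged_port_start`, predicts whether an unprivileged process in the current network namespace may open an ICMP echo socket or bind a low port, and then probes the ping case for real. The sysctl names are real kernel knobs; the sample values used to illustrate the "before" and "after" states are constructed.

```python
"""Predict and probe what moby/moby#41030's default sysctls grant."""
from __future__ import annotations

import os
import socket
from pathlib import Path

# Real kernel sysctl paths (assumption: this is what the PR configures).
PING_GROUP_RANGE = "/proc/sys/net/ipv4/ping_group_range"
UNPRIV_PORT_START = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def parse_ping_group_range(text: str) -> tuple[int, int]:
    """Kernel writes 'lo hi'; the upstream default '1 0' allows no group."""
    lo, hi = text.split()
    return int(lo), int(hi)


def ping_socket_allowed(ping_group_range: str, gid: int) -> bool:
    """True if a process with this gid may open SOCK_DGRAM/IPPROTO_ICMP."""
    lo, hi = parse_ping_group_range(ping_group_range)
    return lo <= gid <= hi


def port_bind_allowed(unprivileged_port_start: str, port: int) -> bool:
    """Ports >= ip_unprivileged_port_start need no CAP_NET_BIND_SERVICE."""
    return port >= int(unprivileged_port_start)


def read_sysctl(path: str) -> str:
    return Path(path).read_text().strip()


def predicted_access(port: int = 80, gid: int | None = None) -> dict:
    """Read /proc for the current netns and predict both operations."""
    gid = os.getgid() if gid is None else gid
    return {
        "ping": ping_socket_allowed(read_sysctl(PING_GROUP_RANGE), gid),
        "bind": port_bind_allowed(read_sysctl(UNPRIV_PORT_START), port),
    }


def probe_ping_socket() -> bool:
    """Really try to open a ping socket; no CAP_NET_RAW is needed for it.

    The kernel answers EACCES when the gid is outside ping_group_range;
    a non-Linux host may refuse the protocol entirely (also reported False).
    """
    try:
        socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP).close()
        return True
    except OSError:
        return False
```

To restore the pre-change behaviour for one container, override the values explicitly, e.g. `docker run --sysctl net.ipv4.ip_unprivileged_port_start=1024 ...`, after which `predicted_access(80)` reports `bind` as false inside it.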
joe4dev added a commit to localstack/lambda-runtime-init that referenced this pull request
Mar 8, 2023: As @dfangl pointed out: Binding port 53 might require root permissions for binding port < 1024 depending on the Docker version moby/moby#41030
dfangl pushed a commit to localstack/lambda-runtime-init that referenced this pull request
Mar 8, 2023: As @dfangl pointed out: Binding port 53 might require root permissions for binding port < 1024 depending on the Docker version moby/moby#41030
BlackDex added a commit to BlackDex/alloy that referenced this pull request
May 1, 2024: In this PR grafana/agent#6817 the setcap was added for the alloy/agent binary for some reason unknown to me. Since the docker engine allows binding to unprivileged ports already for a long time via moby/moby#41030, which was implemented in the Docker engine v20.10.x and also other container runtimes. This should solve the following issues. Fixes grafana#117 Fixes grafana#303
BlackDex added a commit to BlackDex/alloy that referenced this pull request
May 1, 2024: In this PR grafana/agent#6817 the setcap was added for the alloy/agent binary for some reason unknown to me. Since the docker engine allows binding to unprivileged ports already for a long time via moby/moby#41030, which was implemented in the Docker engine v20.10.x and also other container runtimes. This should solve the following issues. Fixes grafana#117 Fixes grafana#303
captncraig pushed a commit to grafana/alloy that referenced this pull request
May 1, 2024: In this PR grafana/agent#6817 the setcap was added for the alloy/agent binary for some reason unknown to me. Since the docker engine allows binding to unprivileged ports already for a long time via moby/moby#41030, which was implemented in the Docker engine v20.10.x and also other container runtimes. This should solve the following issues. Fixes #177 Fixes #303
polyrain pushed a commit to polyrain/alloy that referenced this pull request
May 2, 2024: In this PR grafana/agent#6817 the setcap was added for the alloy/agent binary for some reason unknown to me. Since the docker engine allows binding to unprivileged ports already for a long time via moby/moby#41030, which was implemented in the Docker engine v20.10.x and also other container runtimes. This should solve the following issues. Fixes grafana#177 Fixes grafana#303