Docker: support running without NET_BIND_SERVICE #4494

@stratself

Description


Environment

  • ejabberd version: 25.10
  • Erlang version: unknown
  • OS: Alpine Linux
  • Installed from: container (ghcr.io/processone/ejabberd:latest)

Configuration

docker-compose.yml:

    version: "3.9"

    networks:
      chat-network:
        external: true

    services:
      ejabberd:
        image: ghcr.io/processone/ejabberd:latest
        container_name: ejabberd
        environment:
          - CTL_ON_START=stats registeredusers
        networks: [ chat-network ]
        volumes:
          - ./ejabberd.yml:/opt/ejabberd/conf/ejabberd.yml:ro
          - ./database:/opt/ejabberd/database
          - ./logs:/opt/ejabberd/logs
          - ./upload:/opt/ejabberd/upload
          - ./erlang.cookie:/opt/ejabberd/.erlang.cookie
          - ./modules:/opt/ejabberd/.ejabberd-modules

        # == RELEVANT CONFIGS ==
        security_opt:
          no-new-privileges: true
        cap_drop:
          - ALL
        # cap_add:
          # - NET_BIND_SERVICE

For ejabberd.yml, all listen modules are configured to listen on 5222, 5223, 5269, 5270, 5280, 5380, and 5480. Nothing is listening on ports below 1024.

Errors

From podman logs -f ejabberd:

erlexec: Error 1 executing '/opt/ejabberd-25.10/erts-15.2.7.2/bin/beam.smp'.

Bug description

I'm self-hosting ejabberd using podman, and would like to harden the setup by removing all unnecessary capabilities. One way to do that is with these flags, which result in the compose file shown above:

    security_opt:
      no-new-privileges: true
    cap_drop:
      - ALL

However, this errors out as shown above, and the container process is unable to start. I was able to trace it down to a lack of the NET_BIND_SERVICE capability, and after adding these lines to the setup, it works:

    security_opt:
      no-new-privileges: true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE

The NET_BIND_SERVICE capability allows binding to privileged ports (ports below 1024). However, as explained above, all my ports are in the 5200+ range, which means this capability is unneeded.

Therefore, I'd like to be able to run the docker image/binary without this capability in place, which helps drop unnecessary privileges. Thanks in advance.
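As an added example (not from the issue or the ejabberd project), the script below does the two checks a hardening review would want here: it reads the `port:` values from a constructed `listen` section in the ejabberd.yml layout and decides whether any of them actually needs CAP_NET_BIND_SERVICE (anything below 1024), and it decodes the `CapEff`/`CapBnd` hex masks from `/proc/<pid>/status` so you can confirm inside the running container that the capability really is gone. The sample configuration text is constructed for the example; bit 10 is the kernel's fixed index for CAP_NET_BIND_SERVICE.

```shell
#!/bin/sh
# Added example: does this listen configuration need CAP_NET_BIND_SERVICE,
# and does a running process still hold it? Not part of the ejabberd project.

# Constructed sample of an ejabberd.yml "listen" section (all ports > 1023).
SAMPLE_LISTEN='listen:
  -
    port: 5222
    module: ejabberd_c2s
  -
    port: 5269
    module: ejabberd_s2s_in
  -
    port: 5280
    module: ejabberd_http
'

# listen_ports CONFIG_TEXT -> prints each "port:" value, one per line.
listen_ports() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*port:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# needs_net_bind CONFIG_TEXT -> returns 0 (true) if any port is privileged.
needs_net_bind() {
  for p in $(listen_ports "$1"); do
    [ "$p" -lt 1024 ] && return 0
  done
  return 1
}

# cap_net_bind_in_mask HEXMASK -> returns 0 if bit 10 (CAP_NET_BIND_SERVICE)
# is set. HEXMASK is the CapEff/CapBnd value as printed in /proc/<pid>/status,
# e.g. 0000000000000400 (only that one capability) or 0000000000000000 (none).
cap_net_bind_in_mask() {
  mask=$(( 0x$1 ))
  [ $(( (mask >> 10) & 1 )) -eq 1 ]
}

# report_process_caps [PID] -> prints whether the live process (default: the
# current shell) holds CAP_NET_BIND_SERVICE in its effective and bounding sets.
# Run inside the container after cap_drop ALL to verify the drop took effect.
report_process_caps() {
  pid=${1:-self}
  status="/proc/$pid/status"
  [ -r "$status" ] || { echo "cannot read $status"; return 2; }
  eff=$(awk '/^CapEff:/ {print $2}' "$status")
  bnd=$(awk '/^CapBnd:/ {print $2}' "$status")
  for set in "effective:$eff" "bounding:$bnd"; do
    name=${set%%:*}; mask=${set#*:}
    if cap_net_bind_in_mask "$mask"; then
      echo "CAP_NET_BIND_SERVICE present in $name set ($mask)"
    else
      echo "CAP_NET_BIND_SERVICE absent from $name set ($mask)"
    fi
  done
}

# Usage when run directly: evaluate the sample config and the current process.
if needs_net_bind "$SAMPLE_LISTEN"; then
  echo "config binds a privileged port: keep cap_add NET_BIND_SERVICE"
else
  echo "no privileged ports: NET_BIND_SERVICE is not needed for binding"
fi
report_process_caps
```

One caveat worth checking before concluding that the capability is only about binding: per capabilities(7), a binary that carries a file capability with the effective bit set (a "capability-dumb" binary) fails to execute with EPERM when the bounding set prevents it from obtaining every capability in its file permitted set, regardless of which ports it later binds. Whether the image's beam.smp carries such a file capability can be confirmed with `getcap` on the binary inside the container; the script above does not assume either way.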
