
Container fails to start after recent switch to unprivileged nginx

Open nyarau opened this issue 1 year ago • 5 comments

Official Instance

Describe the bug

Since the commit 1b5a362b0843c670f808f600aa87433fc7f55d15 the frontend container fails to start.

To Reproduce

podman run --rm -e BACKEND_HOSTNAME=backend docker.io/1337kavin/piped-frontend:latest

Expected behavior

using the "epoll" event method
nginx/1.27.3
built by gcc 13.2.1 20240309 (Alpine 13.2.1_git20240309) 
OS: Linux 6.11.11-300.fc41.x86_64
getrlimit(RLIMIT_NOFILE): 524288:524288
start worker processes
start worker process 6
start worker process 7
start worker process 8
start worker process 9
start worker process 10
start worker process 11
start worker process 12
start worker process 13

Logs/Errors

[emerg] 4#4: bind() to 0.0.0.0:80 failed (13: Permission denied)

Browser, and OS with Version.

The same setup has been working fine for years with daily automatic image updates. Fedora CoreOS 41.20241215.3.0, Podman version 5.3.1, running as a non-root user, thus Podman runs in rootless mode.

Additional context

The upstream image works fine since it listens on 8080 by default:

podman run --rm -p 8080:8080 docker.io/nginxinc/nginx-unprivileged

By setting HTTP_PORT=8080 the container starts up successfully:

podman run --rm -p 8080:8080 -e BACKEND_HOSTNAME=backend -e HTTP_PORT=8080 docker.io/1337kavin/piped-frontend:latest

nyarau avatar Jan 16 '25 20:01 nyarau

I got the same problem.

2025/01/19 22:38:07 [emerg] 8#8: bind() to 0.0.0.0:80 failed (13: Permission denied)
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)

On Synology, it was working before updating

services:
  piped-frontend:
    image: 1337kavin/piped-frontend:latest
    restart: unless-stopped
    depends_on:
      - piped
    environment:
      BACKEND_HOSTNAME: pipedapi.my.domain
    container_name: piped-frontend
  piped-proxy:
    image: 1337kavin/piped-proxy:latest
    restart: unless-stopped
    environment:
      - UDS=1
    volumes:
      - piped-proxy:/app/socket
    container_name: piped-proxy
  piped:
    image: 1337kavin/piped:latest
    restart: unless-stopped
    environment:
    volumes:
      - ./config/config.properties:/app/config.properties:ro
    depends_on:
      - postgres
    container_name: piped-backend
  nginx:
    image: nginx:mainline-alpine
    restart: unless-stopped
    environment:
    ports:
      - 8080:80
    volumes:
      - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./config/pipedapi.conf:/etc/nginx/conf.d/pipedapi.conf:ro
      - ./config/pipedproxy.conf:/etc/nginx/conf.d/pipedproxy.conf:ro
      - ./config/pipedfrontend.conf:/etc/nginx/conf.d/pipedfrontend.conf:ro
      - ./config/ytproxy.conf:/etc/nginx/snippets/ytproxy.conf:ro
      - piped-proxy:/var/run/ytproxy
    container_name: nginx
    depends_on:
      - piped
      - piped-proxy
      - piped-frontend
    labels:
      - traefik.enable=true
      - traefik.http.routers.piped.rule=Host(`FRONTEND_HOSTNAME`,
        `BACKEND_HOSTNAME`, `PROXY_HOSTNAME`)
      - traefik.http.routers.piped.entrypoints=websecure
      - traefik.http.services.piped.loadbalancer.server.port=8080
  postgres:
    image: pgautoupgrade/pgautoupgrade:16-alpine
    restart: unless-stopped
    volumes:
      - ./data/db:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=piped
      - POSTGRES_USER=piped
      - POSTGRES_PASSWORD=changeme
    container_name: postgres
  watchtower:
    image: containrrr/watchtower
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      # - /etc/timezone:/etc/timezone:ro
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_INCLUDE_RESTARTING=true
      - TZ=America/Toronto
    container_name: watchtower
    command: piped-frontend piped-backend piped-proxy varnish nginx postgres watchtower
volumes:
  piped-proxy: null
networks: {}

Thank you for your help!

o42o avatar Jan 20 '25 03:01 o42o

This is likely due to these commits: https://github.com/TeamPiped/Piped/commit/e752a8528e6f52652388441197182dc8ff3d344b https://github.com/TeamPiped/Piped/commit/1b5a362b0843c670f808f600aa87433fc7f55d15

With Helm I had to use this

frontend:
  command: "/bin/ash"
  args:
    - -c
    - "sed -i s/80/8080/g /etc/nginx/conf.d/default.conf && sed -i s/pipedapi.kavin.rocks/$BACKEND_HOSTNAME/g /usr/share/nginx/html/assets/* && /docker-entrypoint.sh nginx -g 'daemon off;'"

Since the HTTP_PORT variable would not get replaced by the entrypoint.sh

Gabisonfire avatar Jan 21 '25 13:01 Gabisonfire
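A narrower form of the sed rewrite in the comment above, added here as an example; it is not part of the Piped image, its entrypoint, or the Helm chart. It changes only "listen" directives that end in the old port (including the "[::]:80" IPv6 form) rather than every "80" in the file, and then counts the listen directives per port so the rewrite can be checked before nginx is started. The default.conf it operates on is constructed to resemble the stock nginx one, with one extra upstream line that a blanket s/80/8080/g would also modify.

```shell
#!/bin/sh
# Added example (not the Piped entrypoint or Helm chart): change only the nginx
# "listen" directives on a port, then verify, instead of s/80/8080/g over the file.

# Constructed stand-in for the stock nginx default.conf, with one extra line a
# blanket s/80/8080/g would also hit: an upstream that really is on port 80.
make_sample_conf() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
server {
    listen       80;
    listen  [::]:80;
    server_name  localhost;
    location /api/ {
        proxy_pass http://backend:80;
    }
    error_page   500 502 503 504  /50x.html;
}
EOF
  printf '%s\n' "$f"
}

# set_listen_port FILE OLD NEW
# Rewrites lines of the form "listen [ADDR:]OLD;" and nothing else, so the
# proxy_pass above keeps its port and digits elsewhere are untouched.
set_listen_port() {
  sed -i "s/^\([[:space:]]*listen[[:space:]]\{1,\}\([^;]*:\)\{0,1\}\)$2;/\1$3;/" "$1"
}

# count_listen FILE PORT: number of listen directives bound to exactly PORT
# (a non-digit must precede the port, so 8080 does not count as 80).
count_listen() {
  grep -c "^[[:space:]]*listen.*[^0-9]$2;" "$1" || true
}

demo() {
  f=$(make_sample_conf)
  set_listen_port "$f" 80 8080
  echo "listen on 80: $(count_listen "$f" 80), on 8080: $(count_listen "$f" 8080)"
  echo "upstream untouched: $(grep -c 'proxy_pass http://backend:80;' "$f")"
  rm -f "$f"
}

demo
```

In an entrypoint wrapper the count check is the useful part: if count_listen for the new port is not what you expect, exit before exec'ing nginx, so a changed upstream default.conf shows up as a clear startup error rather than as the bind() failure in this thread.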

I've managed to make it work. I'm sure it's not the right way, but it works.

Synology DSM 7.2.2-72806 Update 2, Container Manager 24.0.2-1525, Docker version 24.0.2

I've added user: 0:0 to the piped* and nginx services.

  piped-frontend:
    image: 1337kavin/piped-frontend:latest
    user: 0:0
...

o42o avatar Jan 26 '25 00:01 o42o

Thank you @o42o this also fixed the issue I had since the last update.

dreammirror000 avatar Jan 26 '25 11:01 dreammirror000

For me the following config worked to still run the container in rootless mode:

    frontend:
      # adjust nginx port to allow running in rootless mode
      command: "/bin/ash"
      args:
        - -c
        - "sed -i s/80/8080/g /etc/nginx/conf.d/default.conf && sed -i s/pipedapi.kavin.rocks/$BACKEND_HOSTNAME/g /usr/share/nginx/html/assets/* && /docker-entrypoint.sh nginx -g 'daemon off;'"
      service:
        main:
          ports:
            http:
              port: 8080

Ports < 1024 are all privileged ports, so the container needs to run as root (user 0) or the port needs to be adjusted.

98jan avatar Feb 02 '25 17:02 98jan
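To put numbers on that last comment, an added example in shell (not Piped code): it reproduces the kernel's decision for a bind() on a low port from the two inputs that matter, the net.ipv4.ip_unprivileged_port_start sysctl and whether the process holds CAP_NET_BIND_SERVICE (bit 10 of the CapEff mask in /proc/self/status). The bind_would_fail function takes both as optional arguments so the configurations discussed in this thread can be evaluated without starting nginx; the capability masks used in the report are constructed values (all zeros for the image's nginx user, the full Linux mask for user: 0:0).

```shell
#!/bin/sh
# Added example (not Piped code): predict whether bind() on PORT returns
# EACCES (13) for the current process, the failure in the nginx log above.

# Lowest port an unprivileged process may bind. On Linux this is the
# net.ipv4.ip_unprivileged_port_start sysctl, default 1024 and settable per
# network namespace; fall back to 1024 where /proc is not readable.
unprivileged_port_start() {
  if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start
  else
    echo 1024
  fi
}

# cap_bit_set HEXMASK BIT: true when BIT is set in a capability mask written
# the way /proc/PID/status prints CapEff (16 hex digits, no 0x prefix).
# CAP_NET_BIND_SERVICE is capability number 10.
cap_bit_set() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Effective capability mask of this shell, or all zeros when unavailable.
effective_caps() {
  if [ -r /proc/self/status ]; then
    awk '/^CapEff:/ { print $2 }' /proc/self/status
  else
    echo 0000000000000000
  fi
}

# bind_would_fail PORT [UNPRIV_START] [CAPMASK]
# True when PORT is below the unprivileged range and the process lacks
# CAP_NET_BIND_SERVICE, which is exactly when the kernel refuses the bind.
# The optional arguments let other setups be evaluated without running them.
bind_would_fail() {
  port=$1
  start=${2:-$(unprivileged_port_start)}
  caps=${3:-$(effective_caps)}
  [ "$port" -lt "$start" ] && ! cap_bit_set "$caps" 10
}

# Walk the configurations discussed in this thread. Capability masks are
# constructed: all zeros for the image's nginx user, the full Linux mask for
# user: 0:0. Fields are separated by "|": label|port|unpriv_start|capmask.
report() {
  for case in \
    "stock image, nginx user, port 80|80|1024|0000000000000000" \
    "HTTP_PORT=8080 workaround|8080|1024|0000000000000000" \
    "user: 0:0 workaround|80|1024|000001ffffffffff" \
    "sysctl ip_unprivileged_port_start=80|80|80|0000000000000000"
  do
    label=${case%%|*}; rest=${case#*|}
    port=${rest%%|*}; rest=${rest#*|}
    start=${rest%%|*}; caps=${rest#*|}
    if bind_would_fail "$port" "$start" "$caps"; then
      echo "$label -> bind() to 0.0.0.0:$port fails (13: Permission denied)"
    else
      echo "$label -> bind() to 0.0.0.0:$port succeeds"
    fi
  done
}

report
```

The two workarounds in the thread map onto the two inputs: user: 0:0 grants the capability (and with it root inside the container), while HTTP_PORT=8080 or the sed rewrite moves the port above the threshold. The fourth case lowers the threshold instead (podman run --sysctl net.ipv4.ip_unprivileged_port_start=80 ...), which keeps the container running as the nginx user with the listener on 80; it is the option that does not widen what the container can do.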