Unable to start Kestrel. System.Net.Sockets.SocketException (13): Permission denied while running alpine as non root user

[muratg]

From @endejoli on Monday, 22 October 2018 19:03:34

Steps to reproduce the issue

1.Use the below Dockerfile to build image

FROM microsoft/dotnet:2.1-aspnetcore-runtime-alpine3.7
EXPOSE 5000
WORKDIR /app
COPY ./app/* /app/
RUN adduser -D buildadmin
RUN chown buildadmin:buildadmin /app /app/* 
USER buildadmin
ENTRYPOINT ["dotnet", "Template.Sample.dll"]

2. Building and running the image gives below error

18:10:59 INF] Starting web host
[18:10:59 INF] User profile is available. Using '/home/buildadmin/.aspnet/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
[18:10:59 INF] Creating key {c07b8334-0237-48ed-817e-9dcb73382d0e} with creation date 2018-10-22 18:10:59Z, activation date 2018-10-22 18:10:59Z, and expiration date 2019-01-20 18:10:59Z.
[18:10:59 WRN] No XML encryptor configured. Key {c07b8334-0237-48ed-817e-9dcb73382d0e} may be persisted to storage in unencrypted form.
[18:10:59 INF] Writing data to file '/home/buildadmin/.aspnet/DataProtection-Keys/key-c07b8334-0237-48ed-817e-9dcb73382d0e.xml'.
[18:10:59 FTL] Unable to start Kestrel.
System.Net.Sockets.SocketException (13): Permission denied
   at System.Net.Sockets.Socket.UpdateStatusAfterSocketErrorAndThrowException(SocketError error, String callerName)
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.SocketTransport.BindAsync()
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.<>c__DisplayClass22_0`1.<<StartAsync>g__OnBind|0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindEndpointAsync(ListenOptions endpoint, AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.BindAsync(AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.AnyIPListenOptions.BindAsync(AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
[18:10:59 FTL] Host terminated unexpectedly
System.Net.Sockets.SocketException (13): Permission denied
   at System.Net.Sockets.Socket.UpdateStatusAfterSocketErrorAndThrowException(SocketError error, String callerName)
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.SocketTransport.BindAsync()
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.<>c__DisplayClass22_0`1.<<StartAsync>g__OnBind|0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindEndpointAsync(ListenOptions endpoint, AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.BindAsync(AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.AnyIPListenOptions.BindAsync(AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.StartAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token, String shutdownMessage)
   at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token)
   at Microsoft.AspNetCore.Hosting.WebHostExtensions.Run(IWebHost host)
   at Template.Sample.Program.Main(String[] args) in /repo/src/production/Template.Sample/Program.cs:line 20
Application is shutting down...

Expected behavior

It should start the webserver successuflly

Actual behavior

Additional information (e.g. issue happens only occasionally)

When i run dotnet as root user, everything works as expected

Output of docker version

docker info
Containers: 20
 Running: 0
 Paused: 0
 Stopped: 20
Images: 37
Server Version: 18.06.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-1023-azure
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 6.807GiB
Name: actaz-prod-lbf3
ID: 2SKW:7Y6P:KJBW:RAON:HGZ4:TDLT:2M5J:NWAF:EMSL:ZYHW:TZAO:L736
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Copied from original issue: dotnet/dotnet-docker#765

[muratg]

From @MichaelSimons on Wednesday, 24 October 2018 12:51:57

@muratg, @natemcmaster - could one of you take a look at this? Thanks.

[muratg]

@endejoli Just curious, did you try libuv transport as well? Does the issue repro with that too?

@Tratcher @halter73 @JunTaoLuo Any thoughts? Do we do anything specific that may require root in Sockets transport?

cc @karelz Does System.IO.Sockets do anything differently on Alpine?

[karelz]

I don't think we have any Alpine-specific code in Sockets (cc @geoffkizer @wfurt to confirm)

[wfurt]

What port are you binding to? You have to be root (or NET_ADMIN capability) in order to run on port < 1024

[muratg]

Good point @wfurt!

@endejoli please let us know.

[wfurt]

BTW That is not Alpine specific. Also if this is container and host OS has SELinux in enforcing mode there may be rules about who can run what.

[MarcinKruszynski]

@wfurt you are right. I have the same exception on OpenShift pod when I try run my Docker Hub image with ASP.NET Core 2.1 app built with standard Microsoft ASP.NET Core docker image (also successfully hosted in other environments like Kubernetes). Do you have any idea how to resolve such problem? Of course when I used OpenShift s2i (building directly from sources with Redhat .NET Core image) other ASP.NET Core sample app run successfully.

[muratg]

@MarcinKruszynski Can't you just use a higher internal port?

[MarcinKruszynski]

Yes, I have read about using high ports, but it seems I use 8080 as internal port.

[wfurt]

You can try strace -f -s 200 -e trace=network cmd to see what call is actually failing.
You can also try --privileged for docker or more granular -cap-add=NET_ADMIN .

[endejoli]

@wfurt Thanks you.. @muratg we were using port 80 :(

[muratg]

@MarcinKruszynski did you get a chance to verify as well?

[selfsx]

Have same problem when deploying my ASP .NET Core 2.1 container to Heroku (runs as non-root inside)