Getting this in log while deploying image in openshift:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.13. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Dockerfile:
FROM httpd:2.4
RUN echo "hello app" > /usr/local/apache2/htdocs/hello.html
also getting the error if i use EXPOSE 80
Ports up to 1024 are so called privileged ports this means that in order to bind to them, the user has to have root capabilities.
In your case, you are trying have your service listen on port 80, which is in that privileged port range.
By default openshift is not running any containers inside the Pods as root.
You will either have to adjust the user as which it runs or have it listen on a different port.
Related
I'm trying to run a docker image on my windows 10 pro workstation, and I'm getting this error:
docker: Error response from daemon: Ports are not available: listen tcp 0.0.0.0:80: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
I'm running this command:
docker run -d -p 80:80 docker/getting-started
And getting this response back:
Unable to find image 'docker/getting-started:latest' locally
latest: Pulling from docker/getting-started
188c0c94c7c5: Pull complete
617561f33ec6: Pull complete
7d856acdaa9c: Pull complete
a0d3c6e28e6d: Pull complete
af69a9b963c8: Pull complete
0739f3815ad8: Pull complete
7c7b75d0baf8: Pull complete
Digest: sha256:b821569034e3b5fae03b40e64a866017067f3bf17effe185b782bdbf02179528
Status: Downloaded newer image for docker/getting-started:latest
7907f6de2b55cc2d66b5ed3a642ac1a97e5bb5ecda5fcf76ff60d7236e8fd32d
docker: Error response from daemon: Ports are not available: listen tcp 0.0.0.0:80: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
How can I run a Docker container and get past this problem?
The commands that helped me were:
net stop winnat
net start winnat
Taken from here.
Check if somthing is listening on port 80 by running PowerShell command:
Get-Process -Id (Get-NetTCPConnection -LocalPort 80).OwningProcess
If the response is something like this:
NPM(K) PM(M) WS(M) CPU(s) Id SI ProcessName
------ ----- ----- ------ -- -- -----------
0 0.20 4.87 0.00 4 0 System
Then the it is taken.
terminate the process or simply change the port
docker run -d -p 81:81 docker/getting-started 5a0b1202f48ef63c06d75c2f26be2a05f29aa84fe2fbdc5b66f989aa86df98f
docker: Error response from daemon: Ports are not available: listen tcp 0.0.0.0:80: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
I was also using Docker's Getting Started tutorial, ran
docker run -d -p 80:80 docker/getting-started, and got the same error.
I thought that Internet Information Services (IIS) might be using port 80 already. I verified this hunch by going to
Start > IIS > computer name > Sites > Default Web Site > highlight Default Web Site
In the right pane, I saw
Browse *.80 (http)
Yep, port 80 was already in use!
Note: To verify if any process is using port 80, run the command
Get-Process -Id (Get-NetTCPConnection -LocalPort 80).OwningProcess
and look for something like
NPM(K) PM(M) WS(M) CPU(s) Id SI ProcessName
------ ----- ----- ------ -- -- -----------
0 0.20 2.96 0.00 4 0 System
per #Tim Dunphy's answer.
Solution #1
Stop the Default Web site.
Either go to IIS per above > right pane > Manage Website > Stop or
Use the net stop http command, and stop services using the port.
Solution #2
You may not want to stop IIS or any other service running on port 80, so just change the local port! For example,
docker run -d -p 81:80 docker/getting-started
will likely do the trick, as long as you don't have services using port 81.
When I encountered this error there was nothing actively listening on the port.However, the following command showed the port had been reserved by something else
netsh interface ipv4 show excludedportrange protocol=tcp
See This article for more details. A reboot fixed the issue for me.
Most times, Windows IIS (Internet Information Service) or some other program may be using port 80, which is the default http port used by Laravel, Apache and other PHP development environments.
To resolve this issue, Open a new PowerShell window as administrator and simply run this command:
net stop http
A prompt listing all services using the http port is shown and you are given the option of stopping them. enter 'Y' and press Enter. All the services are stopped and port 80 is now free for whatever you want to use it for.
Very useful for testing multiple application environments locally on Windows without having to worry about port configuration.
in my case,the task manager show that a system process is occupy port 80.
when i dive deeper, i found a svchost.exe related to port 80, and it is based on world wide web service
so,just open service list and stop the world wide web service,then everything will be ok,the name of service maybe different, but should include keywords :world wide web
just do it
netsh http add iplisten ipaddress=::
(This has to be run in a command prompt with elevated rights!)
I want to deploy the apache server on openshift. My server is running well on my local, but when I deploy it on openshift , I encounter the following issue
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
The possible reason might be that apache runs as a root user, and openshift doesn't allows so!
Can someone help me with this?
Port 80 is a reserved port and the default OpenShift Security Context Constraints do not allow containers to run on this port.
You should use a container image that runs on a port like 8080 or 8443.
Try the following configuration, refer Enable Container Images that Require Root
for more details.
If you run your httpd pod as default serviceaccount, you can grant anyuid scc for running as root user. You should restart your pod for taking effect your changes.
# oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default
# oc adm policy add-scc-to-user anyuid -z default
# oc delete pod <your pod name>
UPDATE: Basically the 80 port will not duplicated with host 80 port unless running with hostnetwork scc.
Because container is isolated with host network using namespaces feature of kernel.
My testing evidence is as follows.
--- haproxy is already running with 80 port on the host.
# ss -ntlpo | grep -w :80
LISTEN 0 128 *:80 *:* users:(("haproxy",pid=22603,fd=6))
--- Create a project for testing
# oc new-project httpd-test
--- Create a httpd pod
# oc new-app --name httpd24 --docker-image=docker.io/httpd
--- Check the state of the pod
# oc get pod
NAME READY STATUS RESTARTS AGE
httpd24-1-hhp6g 0/1 CrashLoopBackOff 8 19m
# oc logs httpd24-1-hhp6g
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.1.201. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
--- Configure "anyuid" for running the httpd pod with 80 port
# oc get pod httpd24-1-hhp6g -o yaml | grep -wi serviceaccountname
serviceAccountName: default
# oc adm policy add-scc-to-user anyuid -z default
scc "anyuid" added to: ["system:serviceaccount:httpd-test:default"]
# oc delete pod httpd24-1-hhp6g
pod "httpd24-1-hhp6g" deleted
--- Check the state of httpd pod again
# oc get pod
NAME READY STATUS RESTARTS AGE
httpd24-1-9djkv 1/1 Running 0 1m
# oc logs httpd24-1-9djkv
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.1.202. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.1.202. Set the 'ServerName' directive globally to suppress this message
[Mon May 06 12:10:47.487909 2019] [mpm_event:notice] [pid 1:tid 139699524075584] AH00489: Apache/2.4.39 (Unix) configured -- resuming normal operations
[Mon May 06 12:10:47.488232 2019] [core:notice] [pid 1:tid 139699524075584] AH00094: Command line: 'httpd -D FOREGROUND'
I hope it help you.
I encourage you to use the existing images for the Apache Server that are based on rhel7
registry.redhat.io/rhscl/httpd-24-rhel7
These images support S2I, exposes port 8080 and can run with any UID (not root). You can use the following template: HTTPD template
EDIT: I have updated the link to the right template.
I have a MariaDB docker container running on Synology DS918+ and redirects traffic from container port 3306 to external port 3333
When I see how it binds to the port, it seems different than a working example I have for another service that doesn't run on docker
Working :
ash-4.3# netstat -nao | grep 5000
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp6 0 0 :::5000 :::* LISTEN
Not working:
ash-4.3# netstat -nao | grep 3333
tcp6 0 0 :::3333 :::* LISTEN off (0.00/0/0)
When I try to access port 3333 from my laptop to the remote machine running docker I'm able to do so, the issue is when trying to access the machine's private IP from within the machine itself, this one fails
Any help is appreciated here
To clarify, although your docker is only binding to the ipv6 interface(“:::”) not the ipv4(“0.0.0.0”), Docker forbids a loopback connection to its docker-proxy from the host. I believe this also fails in all networking modes.
If you’re connecting from container to another container, use the container name via the docker-dns and private LAN. For example, if your MariaDB container is named “maria”, I believe docker’s DNS on 127.0.0.11 offers a lookup for the name “maria” to a 172...* ipv4 to which other containers may connect if in the same 172.{subnet}../16 as your MariaDB host. Connect to “maria” in another container and the tcp magically gets to the right place.
If you’re trying to connect from the docker host to a container, this is a problem that I have resigned to proxying off my router in a hairpin NAT to the same upnp ports that I’ve exported via External Access on Synology, which feels like a poor solution but works today.
I have a NodeJS server running within a Docker container. I'm using Docker Toolbox for this, therefore I have a VirtualBox VM that I'm running my container in. My server needs to use a dgram websocket to bind to 0.0.0.0:3000 on the host and listen for data packets there, so I set up port forwarding from 3000->3000 in VirtualBox.
The problem is, when I try and run the applications on the host that are supposed to be publishing data to port 3000, they are not able to bind to the port.
The error I get is:
{ Error: bind EACCES 0.0.0.0:3000
at Object.exports._errnoException (util.js:1020:11)
at exports._exceptionWithHostPort (util.js:1043:20)
at _handle.lookup (dgram.js:219:18)
at _combinedTickCallback (internal/process/next_tick.js:83:11)
at process._tickCallback (internal/process/next_tick.js:104:9)
at Module.runMain (module.js:606:11)
at run (bootstrap_node.js:389:7)
at startup (bootstrap_node.js:149:9)
at bootstrap_node.js:504:3
code: 'EACCES',
errno: 'EACCES',
syscall: 'bind',
address: '0.0.0.0',
port: 3000 }
If I shut down the VM and run my server outside of the container everything works fine.
I have my server set up so that it does not have exclusive binding set and reuseAddr is set to true when the websocket is created. This is why when I run it outside of the container there are no binding problems.
My question is: does port forwarding in VirtualBox do some sort of exclusive binding on the forwarded port? If so, can this be disabled? How can I run my server in a container if this happens?
UPDATE:
I have discovered this only happens when I set VirtualBox to use UDP forwarding. TCP does not cause the issue. Is there any way to do UDP port forwarding and still be able to do port binding?
I'm using Windows 10 and Visual Studio 2016. I can't bind to port 80. I can bind to all other ports. The error printed is: "Bind of IP address 0.0.0.0 returned an error, port 80: No error"
Here is my code:
/* bind this socket to the server's Internet address */
if( bind(fd,(struct sockaddr *)server_addr,sizeof(struct sockaddr_in))<0 )
{
printf("Bind of IP address %s returned an error, port %d: %s\n",
inet_ntoa(server_addr->sin_addr), ntohs(server_addr->sin_port),
strerror(errno));
//close(fd);
return -1;
}
Use "netstat -o -q -a -n". Then use task manager and look at the Details tab. Click to sort the PID as low to high. Find the PID and notice the name of the program that has the port open. In my case System is listening on port 80 and since you can't kill System then you basically can't bind to port 80.
Well, you can use netstat to see if anyone else is listening, see this article:
https://technet.microsoft.com/en-us/library/bb490947.aspx
Find which process is already using port 80 and stop it.
You also need to be an admin or explicitly grant access to the user you're running as if you're binding port < 1024. See here
HttpListener Access Denied