Docker 4.15.0 does not prompt for root when using privileged ports in docker-compose

[mscrivo]

• I have tried with the latest version of Docker Desktop
• I have tried disabling enabled experimental features
• I have uploaded Diagnostics
• Diagnostics ID:

Expected behavior

After upgrading to 4.15.0, I noticed that my traefik container which we use for development to handle traffic for local developer domains on port 443 stopped working. Upon inspecting the docker containers, port mappings, logs, everything looked fine. But checking open ports on the system showed that 443 was not in the list. Docker 4.15 does not let you know that root is required for the daemon when using privileged ports, it just happily starts without opening the port. I expect it to at least prompt to user that they are doing something that requires root. For example, if I run: docker run -p 127.0.0.1:443:443 -it --rm hello-world it does prompt me for root, but docker-compose does not.

Actual behavior

Information

• macOS Version: 13.0
• Intel chip or Apple chip: Apple M1
• Docker Desktop Version: 4.15.0

Steps to reproduce the behavior

sample docker-compose.yml that has the issue

---
version: "3.8"
services:
  traefik:
    container_name: traefik
    build:
      context: ./dev_config
      dockerfile: traefik/Dockerfile
    restart: always
    ports:
      - "80:80"
      - "443:443"
    extra_hosts:
      - host.docker.internal:host-gateway

The custom dockerfile is just to mount the appropriate certs, otherwise it's a standard traefik image.

[aiordache]

Hi @mscrivo.
There are a few changes related to privileged operations in Docker Desktop v4.15. The privileged process is not being run by default anymore and it is started only if needed for privileged port binding.
Binding a privileged port on an unspecified address ('0.0.0.0') can be done as unprivileged user in recent versions of MacOS. It is why you don't get prompted on compose up.

---
services:
  web:
    image: nginx
    ports:
      - "80:80"

You should be able to reach your service at 127.0.0.1:80, 192.168.X.X:80 etc.

MacOS does not allow at the moment to bind ports on specific addresses as an unprivileged user. In this case, Docker Desktop needs to start the privileged process to do the port binding through it. This is why you get the prompt on docker run.
You can change you compose file to specify the localhost ip:

---
services:
  web:
    image: nginx
    ports:
      - "127.0.0.1:80:80"

If the privileged process is not already running, you should get the authorization prompt to start it on compose up
To remove the privileged process, you can run:

/Applications/Docker.app/Contents/MacOS/install remove-vmnetd

Can you confirm the ports are not open when you do not specify an address in your compose file? I am trying to reproduce your issue.

[mscrivo]

hi @aiordache I can confirm that ports are not open when I do not specify an address in my docker-compose.yml. Once I put the address in and run it, it does prompt me for elevated privileges and all works. Thank you!

[docker-robott]

There hasn't been any activity on this issue for a long time.
If the problem is still relevant, mark the issue as fresh with a /remove-lifecycle stale comment.
If not, this issue will be closed in 30 days.

Prevent issues from auto-closing with a /lifecycle frozen comment.

/lifecycle stale

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked