Binding privileged port with ip fails on Docker Desktop 4.23.0 (120376) #6977

Closed
porkotron opened this issue Sep 13, 2023 · 11 comments

porkotron commented Sep 13, 2023

Description

Binding privileged port with ip fails on Docker Desktop 4.23.0 (120376):

docker run  -p 10.0.x.x:83:83 --name test-app alpine
docker: Error response from daemon: Ports are not available: exposing port TCP 10.0.x.x:83 -> 0.0.0.0:0: listen tcp 10.0.x.x:83: bind: permission denied.

Binding privileged port to localhost ip still works:

docker run  -p 127.0.0.1:83:83 --name test-app alpine

"Allow privileged port mapping" is toggled on.
Downgrading to 4.22.0 fixes this.

Reproduce

  1. Replace 10.0.x.x with some configured ip on host (not 127.0.0.1).
docker run  -p 10.0.x.x:83:83 --name test-app alpine

Expected behavior

Container starts without errors

docker version

Client:
 Cloud integration: v1.0.35+desktop.4
 Version:           24.0.6
 API version:       1.43
 Go version:        go1.20.7
 Git commit:        ed223bc
 Built:             Mon Sep  4 12:28:49 2023
 OS/Arch:           darwin/amd64
 Context:           desktop-linux

Server: Docker Desktop 4.23.0 (120376)
 Engine:
  Version:          24.0.6
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.7
  Git commit:       1a79695
  Built:            Mon Sep  4 12:32:16 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:          1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    24.0.6
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2-desktop.4
    Path:     /Users/petri/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0-desktop.1
    Path:     /Users/petri/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/petri/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.20
    Path:     /Users/petri/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.7
    Path:     /Users/petri/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/petri/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/petri/.docker/cli-plugins/docker-scan
  scout: Command line tool for Docker Scout (Docker Inc.)
    Version:  0.24.1
    Path:     /Users/petri/.docker/cli-plugins/docker-scout

Server:
 Containers: 29
  Running: 1
  Paused: 0
  Stopped: 28
 Images: 1111
 Server Version: 24.0.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.3.13-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.63GiB
 Name: docker-desktop
 ID: d69d16e6-414d-4473-a4b3-f9d8a96ed576
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

4D5BF9C4-D9B8-47CD-83D4-6035C1EE54C1/20230913123752

Additional Info

No response


devinrm commented Sep 13, 2023

I ran into the same issue. A really easy way to reproduce this is just: docker run -p [wifi IP]:80:80 nginx. Confirmed that downgrading to 4.22.1 fixes the issue.


Ntezi commented Sep 13, 2023

I had to downgrade to 4.22.1 as well! Thank you for saving my time @devinrm


pre commented Sep 15, 2023

I originally thought this was a Minikube issue and I created a report there: kubernetes/minikube#17246

Docker Desktop 4.22.1 was the last version working, 4.23.0 fails when binding a privileged port 80 and 443 to a localhost ip alias.

@pentatonicfunk

Any workaround other than downgrade? I'm using Homebrew to install, or if anyone has a guide to downgrade Docker via brew maybe?

@pentatonicfunk

downgrade docker via brew maybe ?

## ref: https://docs.brew.sh/FAQ#can-i-edit-formulae-myself

export HOMEBREW_NO_INSTALL_FROM_API=1
brew tap homebrew/cask

brew edit --cask docker
## OR
vi /opt/homebrew/Library/Taps/homebrew/homebrew-cask/Casks/d/docker.rb
## Ref: https://github.com/Homebrew/homebrew-cask/commit/0cd3285a641aecf88ee7887567a0d2d8c40dfa74

brew reinstall --cask docker

## in theory to revert (I haven't tried yet)
brew update-reset

@bsousaa
Contributor

bsousaa commented Sep 18, 2023

The issue is confirmed internally. At this stage, as a workaround, you can use either 0.0.0.0 (to expose the port on all interfaces) or the localhost (127.0.0.1).
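
Publishing on 0.0.0.0, as the workaround above suggests, exposes the port on every host interface, so it is worth checking which containers end up bound that way. The script below is an added example, not part of this thread or of Docker's tooling; it classifies the host side of each mapping in `docker ps --format '{{.Names}}\t{{.Ports}}'` output, and the container names and sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: classify published Docker ports by the host address they bind to.
# Assumed input: one "name<TAB>ports" line per container, as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

audit_ports() {
  awk -F'\t' '
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        m = maps[i]
        if (m !~ /->/) continue              # exposed only, no host socket
        host = m;    sub(/->.*/, "", host)   # "0.0.0.0:83", ":::83", "[::]:83"
        port = host; sub(/.*:/, "", port)    # text after the last colon
        ip = host;   sub(/:[^:]*$/, "", ip)  # text before the last colon
        gsub(/\[/, "", ip); gsub(/\]/, "", ip)
        first = port; sub(/-.*/, "", first)  # start of a range like 8000-8010
        if (ip == "0.0.0.0" || ip == "::")     scope = "ALL-INTERFACES"
        else if (ip ~ /^127\./ || ip == "::1") scope = "LOOPBACK"
        else                                   scope = "SPECIFIC"
        priv = ((first + 0) < 1024) ? "privileged" : "unprivileged"
        print $1, ip, port, scope, priv
      }
    }'
}

# Only the mappings that put a privileged port on every interface.
flag_wide_privileged() {
  audit_ports | awk '$4 == "ALL-INTERFACES" && $5 == "privileged"'
}

# Constructed sample input (container names are made up for this example).
sample_ps_output() {
  printf 'web\t0.0.0.0:83->83/tcp, :::83->83/tcp\n'
  printf 'db\t127.0.0.1:5432->5432/tcp\n'
  printf 'ssh\t172.17.0.1:22->22/tcp\n'
  printf 'cache\t6379/tcp\n'
}

# On a real host: docker ps --format '{{.Names}}\t{{.Ports}}' | flag_wide_privileged
sample_ps_output | audit_ports
```
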

@rectalogic

We bind to a localhost alias i.e. we do ifconfig lo0 alias 172.17.0.1 255.255.255.0 and then bind 172.17.0.1:22:22 which now fails: Ports are not available: exposing port TCP 172.17.0.1:22 -> 0.0.0.0:0: listen tcp 172.17.0.1:22: bind: permission denied

@lorenrh
Member

lorenrh commented Sep 29, 2023

Hello,

This issue has been fixed in the latest 4.24.0 release. You can see the latest release notes here.

I'll close the issue for now, but let us know if the issue persists.

@lorenrh lorenrh closed this as completed Sep 29, 2023

pre commented Oct 2, 2023

Docker Desktop v4.24.0 fixed the issue in my case.


alexlo03 commented Oct 6, 2023

If you are having issues with UDP ports: #7008
