[Bug]: Cannot start Netdata when binding to a privileged port (80) #17284
Comments
Hello @MAH69IK, I understand your use case, but this is not something that we should enforce by default (grant CAP_NET_BIND_SERVICE). The fact that it was working before was an issue/omission from our end which 99% introduced #17159. So I would suggest the following.
And just for the record, sorry for any inconvenience, because we didn't communicate this limitation in the release notes. Most kindly saying :)
@MAH69IK these caps are different according to docs
@MAH69IK we discussed your request and decided not to add CAP_NET_BIND_SERVICE to the list by default. To do it yourself:
Okay. Thanks for the quick feedback!
@MAH69IK hey, out of curiosity - why do you bind Netdata to 80?
@ilyam8 Two reasons. If I type the address in the browser manually, I don't need to specify the port. And, with a centralized configuration, I can just label the server "web" and get the right nftables rules without having to worry about individually configuring ports for multiple web services, each of which often use their own default ports.
Bug description
I am using Netdata on port 80. To allow it to do this - I set the cap_net_bind_service+ep capability. This worked for a long time. But now, after upgrading to 1.45.0 I am getting an error:

This happens because since version 1.45.0 the allowed capabilities have been added to the /lib/systemd/system/netdata.service file and among them there is no NET_BIND_SERVICE (by the way this is strange, shouldn't the existing NET_RAW and NET_ADMIN allow to use port 80? But allowing them did not produce the desired result).
Is it possible to add CAP_NET_BIND_SERVICE to the list?
Expected behavior
Bind to privileged port.
Steps to reproduce
Installation method
manual setup of official DEB/RPM packages
System info
Netdata build info
Additional info
No response
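Why the file capability stopped helping, as an added example (not from the issue thread, the maintainers' instructions, or the Netdata project): the kernel masks a binary's file-permitted capabilities with the process bounding set, so a unit that restricts that set makes cap_net_bind_service+ep ineffective. The sketch assumes the unit restricts capabilities with systemd's CapabilityBoundingSet= directive and models, in simplified form, how repeated assignments merge; the unit and drop-in text are constructed samples.

```python
# Added example: simplified model of how systemd merges CapabilityBoundingSet=
# lines. Section headers are ignored; unit text and drop-in text are simply
# concatenated in the order systemd would read them (main unit first).
# State: (all_minus, names). all_minus=True means "every capability except names".

def bounding_set(unit_text):
    all_minus, names = True, set()        # directive never set: no restriction
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.strip() != "CapabilityBoundingSet":
            continue
        value = value.strip()
        invert = value.startswith("~")    # "~CAP_X" means "everything but CAP_X"
        caps = set((value[1:] if invert else value).split())
        full = all_minus and not names
        if not caps or full:              # "", "~", or still unrestricted: replace
            all_minus, names = invert, caps
        elif invert == all_minus:         # same polarity: grow the listed names
            names |= caps
        else:                             # opposite polarity: shrink them
            names -= caps
    return all_minus, names

def permits(unit_text, cap):
    """True if a file capability `cap` can survive execve under this unit."""
    all_minus, names = bounding_set(unit_text)
    return (cap not in names) if all_minus else (cap in names)

# Constructed sample: a unit listing only the two capabilities named in the issue.
UNIT = """[Service]
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
"""
# Constructed sample: a local drop-in that adds one more capability to the set.
DROPIN = """[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
"""

if __name__ == "__main__":
    cap = "CAP_NET_BIND_SERVICE"
    print("unit only:      ", permits(UNIT, cap))
    print("unit + drop-in: ", permits(UNIT + DROPIN, cap))
```

CAP_NET_RAW and CAP_NET_ADMIN in the list do not imply CAP_NET_BIND_SERVICE; each capability is checked by name.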