Permission denied on port 80 & 443 #17

Closed
mekanics opened this issue Nov 22, 2016 · 21 comments

@mekanics

I'm trying to start traefik on rancher with the latest template (v1.0.3-rancher1) and the following setting:

  • http port: 80
  • https port: 443
  • enable https: only

With this config the server is not able to start and I'm getting the following error:

11/22/2016 4:15:48 PMtime="2016-11-22T15:15:48Z" level=fatal msg="Error creating server: listen tcp :80: bind: permission denied" 
11/22/2016 4:16:18 PM'traefik' failed to start (exit status 0) -- no output

I was able to start traefik with http only on port 8080.

I believe it has something to do with setcap 'cap_net_bind_service=+ep' ${SERVICE_HOME}/bin/traefik, which should work in my opinion...

any ideas? 🍺

@rawmind0
Owner

Hi @mekanics ...

How strange.... setcap is applied successfully, as you can see in the Dockerfile....

I've started the package right now with the parameters you tell me and it's working well....

22/11/2016 17:06:57 New Monit id: 7d77349163474c6fa67e369ceb5be56e
22/11/2016 17:06:57 Stored in '/opt/traefik/.monit.id'
22/11/2016 17:06:57Starting Monit 5.19.0 daemon with http interface at [*]:2812
22/11/2016 17:06:57'traefik_traefik_1' Monit 5.19.0 started
22/11/2016 17:06:57'confd' process is not running
22/11/2016 17:06:57'confd' trying to restart
22/11/2016 17:06:57'confd' start: /opt/tools/confd/bin/service-conf.sh
22/11/2016 17:06:58Tue Nov 22 16:06:58 UTC 2016 - [ Restarting traefik... ]
22/11/2016 17:06:58Tue Nov 22 16:06:58 UTC 2016 - [ Stoping traefik... ]
22/11/2016 17:06:58cat: can't open '/opt/traefik/traefik.pid': No such file or directory
22/11/2016 17:06:58kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
22/11/2016 17:06:58Tue Nov 22 16:06:58 UTC 2016 - [ Generating traefik configuration... ]
22/11/2016 17:06:58Tue Nov 22 16:06:58 UTC 2016 - [ Redirecting traefik log... ]
22/11/2016 17:06:58Tue Nov 22 16:06:58 UTC 2016 - [ Redirecting traefik log... ]
22/11/2016 17:06:58Tue Nov 22 16:06:58 UTC 2016 - [ Starting traefik... ]
22/11/2016 17:06:58nohup: appending output to nohup.out
22/11/2016 17:06:58time="2016-11-22T16:06:58Z" level=info msg="Traefik version v1.0.3 built on 2016-09-22_01:15:33PM" 
22/11/2016 17:06:58time="2016-11-22T16:06:58Z" level=info msg="Using TOML configuration file /opt/traefik/etc/traefik.toml" 
22/11/2016 17:06:58time="2016-11-22T16:06:58Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc82034bca0 Redirect:<nil>}" 
22/11/2016 17:06:58time="2016-11-22T16:06:58Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:0xc8203708d0}" 
22/11/2016 17:06:58time="2016-11-22T16:06:58Z" level=info msg="Starting provider *provider.File {\"Watch\":true,\"Filename\":\"/opt/traefik/etc/rules.toml\",\"Constraints\":null}" 
22/11/2016 17:06:58time="2016-11-22T16:06:58Z" level=info msg="Starting provider *main.WebProvider {\"Address\":\":8000\",\"CertFile\":\"\",\"KeyFile\":\"\",\"ReadOnly\":false}" 
22/11/2016 17:06:58time="2016-11-22T16:06:58Z" level=info msg="Starting server on :80" 
22/11/2016 17:06:58time="2016-11-22T16:06:58Z" level=info msg="Starting server on :443" 
22/11/2016 17:06:58time="2016-11-22T16:06:58Z" level=info msg="Server configuration reloaded on :443" 
22/11/2016 17:06:58time="2016-11-22T16:06:58Z" level=info msg="Server configuration reloaded on :80" 
22/11/2016 17:06:58Reinitializing monit daemon
22/11/2016 17:06:58Awakened by the SIGHUP signal
22/11/2016 17:06:58Reinitializing Monit - Control file '/opt/monit/etc/monitrc'
22/11/2016 17:06:59'traefik_traefik_1' Monit reloaded

Maybe you have another service exposing port 80?? Could you try, for example, 81?? Does port 443 fail too??

As you can see, trying to reproduce your issue...It seems to work well...

Best regards....

@mekanics
Author

hi @rawmind0

thx for your help.

hmmm...
just tried with port 81 and 444... same issue

and no, port 80 is not used by another service

this is getting really weird

11/30/2016 3:36:15 PMWed Nov 30 14:36:15 UTC 2016 - [ Generating traefik configuration... ]
11/30/2016 3:36:15 PMWed Nov 30 14:36:15 UTC 2016 - [ Redirecting traefik log... ]
11/30/2016 3:36:15 PMWed Nov 30 14:36:15 UTC 2016 - [ Redirecting traefik log... ]
11/30/2016 3:36:15 PMWed Nov 30 14:36:15 UTC 2016 - [ Starting traefik... ]
11/30/2016 3:36:15 PMnohup: appending output to nohup.out
11/30/2016 3:36:15 PMtime="2016-11-30T14:36:15Z" level=info msg="Traefik version v1.1.1 built on 2016-11-29_03:39:12PM" 
11/30/2016 3:36:15 PMtime="2016-11-30T14:36:15Z" level=info msg="Using TOML configuration file /opt/traefik/etc/traefik.toml" 
11/30/2016 3:36:15 PMtime="2016-11-30T14:36:15Z" level=info msg="Preparing server http &{Network: Address::81 TLS:<nil> Redirect:<nil> Auth:<nil> Compress:false}" 
11/30/2016 3:36:15 PMtime="2016-11-30T14:36:15Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc4201b1980 Redirect:<nil> Auth:<nil> Compress:false}" 
11/30/2016 3:36:15 PMtime="2016-11-30T14:36:15Z" level=info msg="Starting server on :81" 
11/30/2016 3:36:15 PMtime="2016-11-30T14:36:15Z" level=fatal msg="Error creating server: listen tcp :81: bind: permission denied" 
11/30/2016 3:36:45 PM'traefik' failed to start (exit status 0) -- no output
11/30/2016 3:37:24 PMStopping monit with pid [8]
11/30/2016 3:37:24 PMMonit daemon with pid [8] stopped
11/30/2016 3:37:24 PM'traefik_traefik_1' Monit 5.20.0 stopped

@rawmind0
Owner

Hi @mekanics...

It's so strange the issue that you have... I run it from the catalog and it works ok... It's annoying..

How are you launching that?? What kind of hosts are you using?? Are you using AUFS, apparmor seccomp...?? I think AUFS doesn't support xattr (setcap) in all versions...

This is my log, launched from catalog, listening at port 80, in my rancher system....As you can see, it starts without any problem.....

30/11/2016 15:50:50Wed Nov 30 14:50:50 UTC 2016 - [ Generating traefik configuration... ]
30/11/2016 15:50:50Wed Nov 30 14:50:50 UTC 2016 - [ Redirecting traefik log... ]
30/11/2016 15:50:50Wed Nov 30 14:50:50 UTC 2016 - [ Redirecting traefik log... ]
30/11/2016 15:50:50Wed Nov 30 14:50:50 UTC 2016 - [ Starting traefik... ]
30/11/2016 15:50:50nohup: appending output to nohup.out
30/11/2016 15:50:50Reinitializing monit daemon
30/11/2016 15:50:50Awakened by the SIGHUP signal
30/11/2016 15:50:50Reinitializing Monit - Control file '/opt/monit/etc/monitrc'
30/11/2016 15:50:50time="2016-11-30T14:50:50Z" level=info msg="Traefik version v1.1.1 built on 2016-11-29_03:39:12PM" 
30/11/2016 15:50:50time="2016-11-30T14:50:50Z" level=info msg="Using TOML configuration file /opt/traefik/etc/traefik.toml" 
30/11/2016 15:50:50time="2016-11-30T14:50:50Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> Compress:false}" 
30/11/2016 15:50:50time="2016-11-30T14:50:50Z" level=info msg="Starting provider *provider.File {\"Watch\":true,\"Filename\":\"/opt/traefik/etc/rules.toml\",\"Constraints\":null}" 
30/11/2016 15:50:50time="2016-11-30T14:50:50Z" level=info msg="Starting provider *main.WebProvider {\"Address\":\":8000\",\"CertFile\":\"\",\"KeyFile\":\"\",\"ReadOnly\":false,\"Auth\":null}" 
30/11/2016 15:50:50time="2016-11-30T14:50:50Z" level=info msg="Starting server on :80" 
30/11/2016 15:50:50time="2016-11-30T14:50:50Z" level=info msg="Server configuration reloaded on :80" 
30/11/2016 15:50:50'0traefik-traefik-1' Monit reloaded

In order to help you a little, i need to be able to reproduce the issue....

Best regards....

@mekanics
Author

indeed... 😕

so this is my setup:
everything is on AWS EC2

  • Instance t2.micro (ubuntu trusty):
    • rancher v1.1.4
  • Instance t2.small (ubuntu trusty) as host
    • Stacks:
      • convoy-efs (from the catalog)
      • traefik

let me know if you need more information

@Munsio

Munsio commented Jan 11, 2017

i have the same issue:

debian 8
docker 1.12.1
rancher 1.2.0

time="2017-01-11T17:06:25Z" level=info msg="Traefik version v1.1.2 built on 2016-12-15_10:27:40AM" 
11.1.2017 18:06:25time="2017-01-11T17:06:25Z" level=info msg="Using TOML configuration file /opt/traefik/etc/traefik.toml"
11.1.2017 18:06:25time="2017-01-11T17:06:25Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> Compress:false}" 
11.1.2017 18:06:25time="2017-01-11T17:06:25Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc4201b58c0 Redirect:<nil> Auth:<nil> Compress:false}" 
11.1.2017 18:06:25time="2017-01-11T17:06:25Z" level=info msg="Starting server on :80" 
11.1.2017 18:06:25time="2017-01-11T17:06:25Z" level=fatal msg="Error creating server: listen tcp :80: bind: permission denied"
11.1.2017 18:06:55'traefik' failed to start (exit status 0) -- no output

Running traefik with 8080 and 8443 works as expected.
I tried it with an nginx container on 80 and 443 and it works.

EDIT: tried running setcap 'cap_net_bind_service=+ep' ${SERVICE_HOME}/bin/traefik on shell but got "Operation not permitted"

Do you mean with AUFS the file mounts docker create?

@rawmind0
Owner

Hi @Munsio...

This issue is so strange. I've tried to reproduce it but I couldn't. I'll try different things in order to find out why it's happening. Most people don't suffer from it, so I guess it's an issue with one piece, or a specific version or parameter of it: docker, aufs, kernel... I'd like to know, but I don't at the moment; it's just speculation.

As you can see in the Dockerfile, setcap 'cap_net_bind_service=+ep' ${SERVICE_HOME}/bin/traefik is already done at build time. You can't do it inside the docker because it's running as an unprivileged user. But you shouldn't need to, as it's working in the majority of environments.

I'll continue looking for the root cause of this issue.

Best regards,...
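
Added example (not part of the original thread or the project's code): a shell diagnostic for the situation discussed above, where a binary received `cap_net_bind_service` at image build time but bind still fails at run time. The function names and verdict strings are hypothetical, and the sample /proc status text is constructed.

```shell
#!/bin/sh
# Added example, not code from this repository: explain why a binary that got
# `setcap cap_net_bind_service=+ep` at image build time may still fail to bind.
CAP_NET_BIND_SERVICE=10   # bit number of the capability in linux/capability.h

# cap_in_mask HEXMASK BIT: succeed if BIT is set in a /proc capability mask.
cap_in_mask() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# status_field NAME TEXT: print the value of one field of /proc/<pid>/status.
status_field() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2; exit }'
}

# diagnose STATUS_TEXT FILE_HAS_CAP(yes|no): print a one-word verdict.
# STATUS_TEXT is the status of the process that will exec the binary.
diagnose() {
    eff=$(status_field CapEff "$1")
    bnd=$(status_field CapBnd "$1")
    nnp=$(status_field NoNewPrivs "$1")   # field is absent on older kernels
    if cap_in_mask "$eff" "$CAP_NET_BIND_SERVICE"; then
        echo already-effective            # launcher can bind low ports itself
    elif ! cap_in_mask "$bnd" "$CAP_NET_BIND_SERVICE"; then
        echo dropped-from-bounding-set    # exec cannot grant it from the file
    elif [ "${nnp:-0}" = 1 ]; then
        echo no-new-privs                 # file capabilities ignored on exec
    elif [ "$2" != yes ]; then
        echo file-cap-missing             # security.capability xattr not on the file
    else
        echo file-cap-should-apply        # next: nosuid mounts and LSM policy
    fi
}

# check_binary PATH: run the diagnosis against the live system (needs getcap).
check_binary() {
    has=no
    getcap "$1" 2>/dev/null | grep -q cap_net_bind_service && has=yes
    diagnose "$(cat /proc/$$/status)" "$has"
}

# Constructed sample: an unprivileged user inside a container.
SAMPLE_STATUS='Name: sh
Uid: 1000 1000 1000 1000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
NoNewPrivs: 0'

echo "xattr lost:    $(diagnose "$SAMPLE_STATUS" no)"
echo "xattr present: $(diagnose "$SAMPLE_STATUS" yes)"
```

Inside the container, `check_binary "${SERVICE_HOME}/bin/traefik"` runs the same checks against the real binary as the user that launches it.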

@mstendorf

Have you made any progress on this one?

I have the same issue as already covered in this issue.

@mtso

mtso commented Jul 22, 2017

Not sure if this is a solution for traefik, but listen tcp :80: bind: permission denied happened to me specifically with Go, and this thread came up as one of the first results in my google search.

Instance settings, where port 80 is the only inbound port exposed in the security group:

EC2 Instance type: t2.micro
Region: us-west-1
AMI ID: ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20170619 (ami-89f3dee9)
Virtualization: hvm
Security Group Inbound Rule: HTTP TCP 80 0.0.0.0/0
Ubuntu 14.04.5 LTS
go1.8 linux/amd64

I ran the following command from ssh, but the server exited with an error:

$ [start command]
Listening on 80                            <- output from my program
listen tcp :80: bind: permission denied    <- error message on exit

I found that I needed to run the program's [start command] using sudo according to this SO answer: https://stackoverflow.com/a/27133866/2684355
Can't believe I missed this detail.

The result that worked for me (no error):

$ sudo [start command]
Listening on 80

@mariusstaicu

Happened to me also.
Running rancher 1.6.10 with rancher-traefik 1.3.6 on two identical hosts:
ubuntu 16.04 docker 17.03.0-ce.

Traefik ran correctly for many months until on one of the hosts it happened:

10/9/2017 4:04:54 PMtime="2017-10-09T13:04:54Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:<nil> Auth:<nil> Compress:false}"
10/9/2017 4:04:54 PMtime="2017-10-09T13:04:54Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc420078780 Redirect:<nil> Auth:<nil> Compress:false}"
10/9/2017 4:04:54 PMtime="2017-10-09T13:04:54Z" level=info msg="Starting server on :80"
10/9/2017 4:04:54 PMtime="2017-10-09T13:04:54Z" level=error msg="Error creating server: listen tcp :80: bind: permission denied"

@rawmind0
Owner

rawmind0 commented Nov 8, 2017

Hi guys,

@mtso, you don't need to run the traefik command with sudo. The traefik binary has setcap 'cap_net_bind_service=+ep' ${SERVICE_HOME}/bin/traefik to be able to run on privileged ports. It's working in so many places.

@mariusstaicu, what has changed on one of your hosts?? Update/Upgrade?? Config change??

The problem could be related to selinux or to another host configuration. On coreos it is solved by disabling selinux in docker execution, #18

Best regards....

@rawmind0
Owner

Please, reopen if it's needed.

@snapfast

snapfast commented Nov 28, 2017

My Connection blocks most ports on the network. I have 80 and 443 as open ports. I want to access my EC2 application on the port 80 and 443 not on 8888.

Please help.

I get this Error when I set port to 443.

jupyter notebook
[W 20:58:30.844 NotebookApp] Permission to listen on port 443 denied
[W 20:58:30.845 NotebookApp] Permission to listen on port 444 denied
[W 20:58:30.845 NotebookApp] Permission to listen on port 445 denied
[W 20:58:30.845 NotebookApp] Permission to listen on port 446 denied
[W 20:58:30.846 NotebookApp] Permission to listen on port 447 denied
[W 20:58:30.846 NotebookApp] Permission to listen on port 435 denied
[W 20:58:30.846 NotebookApp] Permission to listen on port 375 denied
[W 20:58:30.846 NotebookApp] Permission to listen on port 422 denied
[W 20:58:30.846 NotebookApp] Permission to listen on port 342 denied
[W 20:58:30.847 NotebookApp] Permission to listen on port 438 denied
[W 20:58:30.847 NotebookApp] Permission to listen on port 466 denied
[W 20:58:30.847 NotebookApp] Permission to listen on port 455 denied
[W 20:58:30.847 NotebookApp] Permission to listen on port 386 denied
[W 20:58:30.847 NotebookApp] Permission to listen on port 366 denied
[W 20:58:30.848 NotebookApp] Permission to listen on port 482 denied
[W 20:58:30.848 NotebookApp] Permission to listen on port 504 denied
[W 20:58:30.848 NotebookApp] Permission to listen on port 421 denied
[W 20:58:30.848 NotebookApp] Permission to listen on port 480 denied
[W 20:58:30.848 NotebookApp] Permission to listen on port 510 denied
[W 20:58:30.849 NotebookApp] Permission to listen on port 426 denied
[W 20:58:30.849 NotebookApp] Permission to listen on port 453 denied
[W 20:58:30.849 NotebookApp] Permission to listen on port 417 denied
[W 20:58:30.849 NotebookApp] Permission to listen on port 479 denied
[W 20:58:30.849 NotebookApp] Permission to listen on port 424 denied
[W 20:58:30.850 NotebookApp] Permission to listen on port 421 denied
[W 20:58:30.850 NotebookApp] Permission to listen on port 495 denied
[W 20:58:30.850 NotebookApp] Permission to listen on port 368 denied
[W 20:58:30.850 NotebookApp] Permission to listen on port 493 denied
[W 20:58:30.850 NotebookApp] Permission to listen on port 360 denied
[W 20:58:30.851 NotebookApp] Permission to listen on port 529 denied
[W 20:58:30.851 NotebookApp] Permission to listen on port 445 denied
[W 20:58:30.851 NotebookApp] Permission to listen on port 441 denied
[W 20:58:30.851 NotebookApp] Permission to listen on port 343 denied
[W 20:58:30.851 NotebookApp] Permission to listen on port 404 denied
[W 20:58:30.851 NotebookApp] Permission to listen on port 401 denied
[W 20:58:30.852 NotebookApp] Permission to listen on port 379 denied
[W 20:58:30.852 NotebookApp] Permission to listen on port 452 denied
[W 20:58:30.852 NotebookApp] Permission to listen on port 452 denied
[W 20:58:30.852 NotebookApp] Permission to listen on port 407 denied
[W 20:58:30.852 NotebookApp] Permission to listen on port 415 denied
[W 20:58:30.853 NotebookApp] Permission to listen on port 453 denied
[W 20:58:30.853 NotebookApp] Permission to listen on port 487 denied
[W 20:58:30.853 NotebookApp] Permission to listen on port 395 denied
[W 20:58:30.853 NotebookApp] Permission to listen on port 408 denied
[W 20:58:30.853 NotebookApp] Permission to listen on port 466 denied
[W 20:58:30.854 NotebookApp] Permission to listen on port 536 denied
[W 20:58:30.854 NotebookApp] Permission to listen on port 381 denied
[W 20:58:30.854 NotebookApp] Permission to listen on port 505 denied
[W 20:58:30.854 NotebookApp] Permission to listen on port 489 denied
[W 20:58:30.854 NotebookApp] Permission to listen on port 427 denied
[W 20:58:30.855 NotebookApp] Permission to listen on port 539 denied
[C 20:58:30.855 NotebookApp] ERROR: the notebook server could not be started because no available port could be found.

@laxmikantG

@TheBali - Have you got the solution? I'm facing same problem too

@cpatte7372

@TheBali - I'm also having the same problem.

Did you find a solution?

@rawmind0
Owner

Hey guys,

Traefik is able to run on privileged ports, under 1024, because the traefik binary has setcap 'cap_net_bind_service=+ep' ${SERVICE_HOME}/bin/traefik

Which OS are you running?? Do you have selinux or similar enabled?? The problem could be related to selinux or to another host configuration. On coreos it is solved by disabling selinux in docker execution, #18

@TheBali, what are the logs you attached?? They don't seem to be logs from traefik...

@cpatte7372

Hi @rawmind0 , thanks for getting in touch.

I'm running Windows 10.

I get the problem whenever I run traefik.exe (any version)

The full error is:
C:\Users\Carlton\Downloads\Traefik\traefik-on-service-fabric-master\Traefik\Scripts\1.5.4>"traefik_windows-386 (1).exe"
Error opening listener listen tcp :80: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
Error preparing server: listen tcp :80: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

@rawmind0
Owner

Hi @cpatte7372 ,

Sorry, but I don't know how traefik works on windows. This repo is a docker for running it on linux. I think you should check the Traefik docs and, if it's not working properly, open an issue on the traefik repo.

@cpatte7372

@rawmind0 thanks anyway. Maybe someone who looks at this thread might be able to help

@cloudlady911

I don't know if anyone ever posted this possible answer, but I have been using traefik successfully on Ubuntu 16, but tried it today on an Ubuntu 14 instance and got this error.

@immortalt

I'm also having the same problem.
I'm using Debian 9.

@tutacat

tutacat commented Jul 6, 2022

Don't reopen this (this necro only for necroposters), these are privileged ports (0-1023 precisely) which require the process to run as superuser. Anything above (1024+) your OS will allow to be bound by users too.
