How To Bind a Rootless Container to a Privileged Port on Linux
One of the main innovations introduced by Podman was the ability to run rootless containers. Security-wise, this was a big improvement, since a potentially compromised container running as root represents a security threat to the host system.
In order to obtain a similar behavior, recent versions of Docker support running the docker daemon in the user context. Running unprivileged containers, albeit more secure, also has its drawbacks, such as the inability to bind to privileged host ports.
In this tutorial, we learn how to allow a rootless Docker/Podman container to bind to a privileged host port on Linux.
In this tutorial you will learn:
- How to redirect a privileged port to an unprivileged one by creating a firewall rule or by using redir
- How to allow an unprivileged container to bind to a privileged port by setting the CAP_NET_BIND_SERVICE capability
- How to modify the range of privileged ports
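As an added example that is not part of the tutorial: a small POSIX shell script that checks whether a host port falls inside the privileged range and prints, without executing anything, the commands for each of the three approaches listed above. The 8080 container port and the port-forwarder path are placeholders, and the iptables rules assume the container publishes its service on that unprivileged host port.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Assumes Linux with /proc mounted
# and iptables available; the paths and ports below are constructed samples.

# Lowest port a process may bind without CAP_NET_BIND_SERVICE. Newer kernels
# expose it as net.ipv4.ip_unprivileged_port_start; fall back to the classic 1024.
unprivileged_port_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# Exit status 0 if PORT needs the capability under threshold START
# (default: the current sysctl value).
port_needs_privilege() {
    port=$1
    start=${2:-$(unprivileged_port_start)}
    [ "$port" -lt "$start" ]
}

# Approach 1: redirect the privileged host port to the unprivileged one the
# rootless container publishes. PREROUTING handles external clients, OUTPUT
# handles connections originating on the host itself.
redirect_rules() {
    hostport=$1; contport=$2
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$hostport" "$contport"
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$hostport" "$contport"
}

# Approach 2: grant only cap_net_bind_service to the binary that publishes the
# port (the path is a placeholder), rather than running anything as root.
capability_cmd() {
    printf 'setcap cap_net_bind_service=+ep %s\n' "$1"
}

# Approach 3: lower the threshold so PORT becomes unprivileged. This affects
# every user on the host, not just the container, so it is the broadest change.
sysctl_cmd() {
    printf 'sysctl net.ipv4.ip_unprivileged_port_start=%s\n' "$1"
}

# Print the candidate commands for a host/container port pair; nothing runs.
plan() {
    hostport=$1; contport=$2
    if port_needs_privilege "$hostport"; then
        echo "# port $hostport is privileged (threshold $(unprivileged_port_start)); options:"
        redirect_rules "$hostport" "$contport"
        capability_cmd /path/to/port-forwarder   # placeholder path
        sysctl_cmd "$hostport"
    else
        echo "# port $hostport is already unprivileged; publish it directly"
    fi
}

plan 80 8080
```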