Running an apache container on a port > 1024

7/5/2019

I've built a docker image based on httpd:2.4. In my k8s deployment I've defined the following securityContext:

securityContext:
  privileged: false
  runAsNonRoot: true
  runAsUser: 431
  allowPrivilegeEscalation: false

In order to get this container to run properly as non-root apache needs to be configured to bind to a port > 1024, as opposed to the default 80. As far as I can tell this means editing Listen 80 in httpd.conf to Listen {Some port > 1024}.

When I want to run the docker image I've build normally (i.e. on default port 80) I have the following port settings:

  • deployment
    • spec.template.spec.containers[0].ports[0].containerPort: 80
  • service
    • spec.ports[0].targetPort: 80
    • spec.ports[0].port: 8080
  • ingress
    • spec.rules[0].http.paths[0].backend.servicePort: 8080

Given these settings the service becomes accessible at the host url provided in the ingress manifest. Again, this is without the changes to httpd.conf. When I make those changes (using Listen 8000), and add in the securityContext section to the deployment, I change the various manifests accordingly:

  • deployment
    • spec.template.spec.containers[0].ports[0].containerPort: 8000
  • service
    • spec.ports[0].targetPort: 8000
    • spec.ports[0].port: 8080
  • ingress
    • spec.rules[0].http.paths[0].backend.servicePort: 8080

Yet for some reason, when I try to access a URL that should be working I get a 502 Bad Gateway error. Have I set the ports correctly? Is there something else I need to do?

-- Mike S
apache
httpd.conf
kubernetes

2 Answers

7/5/2019

Check if pod is Running

kubectl get pods
kubectl logs pod_name

Check if the URL is accessible within the pod

kubectl exec -it <pod_name> -- bash
$ curl http://localhost:8000

If the above didn't work, check your httpd.conf.

Check with the service name

kubectl exec -it <ingress pod_name> -- bash
$ curl http://svc:8080

You can check ingress logs too.

-- Prakash Krishna
Source: StackOverflow

7/8/2019

In order to get this container to run properly as non-root apache needs to be configured to bind to a port > 1024, as opposed to the default 80

You got it, that's the hard requirement in order to make the apache container running as non-root, therefore this change needs to be done at container level, not to Kubernetes' abstracts like Deployment's Pod spec or Service/Ingress resource object definitions. So the only thing left in your case, is to build a custom httpd image, with listening port > 1024. The same approach applies to the NGINX Docker containers.

One key information for the 'containerPort' field in Pod spec, that you are trying to manually adjust, and which is not so apparent. It's there primarily for informational purposes, and does not cause opening port on container level. According Kubernetes API reference:

Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated.

I hope this will help you to move on

-- Nepomucen
Source: StackOverflow