Permission denied for port 514 #79

Closed
jonarmani opened this issue Feb 2, 2017 · 3 comments

jonarmani commented Feb 2, 2017

The latest image won't allow the container to listen to the default syslog port (TCP or UDP 514).

To replicate on CentOS 7: docker run logstash -e 'input {syslog{}} output {stdout{}}'

Even when logged in as root and using sudo docker run... this gets these errors where the listeners start up but immediately die:

Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
07:13:08.239 [main] INFO  logstash.setting.writabledirectory - Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
07:13:08.256 [LogStash::Runner] INFO  logstash.agent - No persistent UUID file found. Generating new UUID {:uuid=>"3fd52e0a-90e4-4129-a71b-6094be14a7fd", :path=>"/var/lib/logstash/uuid"}
07:13:08.530 [Ruby-0-Thread-8: /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:101] INFO  logstash.inputs.syslog - Starting syslog udp listener {:address=>"0.0.0.0:514"}
07:13:08.533 [Ruby-0-Thread-9: /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:105] INFO  logstash.inputs.syslog - Starting syslog tcp listener {:address=>"0.0.0.0:514"}
07:13:08.536 [[main]-pipeline-manager] INFO  logstash.pipeline - Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
07:13:08.545 [Ruby-0-Thread-9: /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:105] WARN  logstash.inputs.syslog - syslog listener died {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:124:in `initialize'", "org/jruby/RubyIO.java:871:in `new'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:159:in `tcp_listener'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:122:in `server'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:106:in `run'"]}
07:13:08.545 [Ruby-0-Thread-8: /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:101] WARN  logstash.inputs.syslog - syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:141:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:122:in `server'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:102:in `run'"]}
07:13:08.593 [[main]-pipeline-manager] INFO  logstash.pipeline - Pipeline main started
07:13:08.647 [Api Webserver] INFO  logstash.agent - Successfully started Logstash API endpoint {:port=>9600}

Notice for TCP the issue is reported as: exception=>#<Errno::EACCES: Permission denied - bind(2) while for UDP the issue is: SocketError: bind: name or service not known. Both of these are indicative of improper permissions for root for privileged ports (<1024).

I get the same result when attempting to pass the user root with: docker run --user=root logstash -e 'input {syslog{}} output {stdout{}}'

Tried on Docker version 1.13.0, build 49bf474 and the officially image-supported 1.12.3 (build 6b644ec).

@jonarmani
Author

I actually think this is being addressed by this pull request. I'm new to GitHub, should I close this issue or is that pull not going to get merged with the main image?

@yosifkit
Member

yosifkit commented Feb 2, 2017

I don't think the current implementation would be merged (#14), since there are even some file-systems that don't support the extended attributes necessary for the setcap.

The --user=root failed since the entrypoint script always drops to the logstash user when it is root and the CMD starts with logstash. The easy workaround is to just skip the entrypoint script since the only thing it gives you is the step down from root.

$ docker run -it --rm --entrypoint logstash logstash -e 'input {syslog{}} output {stdout{}}'
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
23:13:59.178 [main] INFO  logstash.setting.writabledirectory - Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
23:13:59.188 [LogStash::Runner] INFO  logstash.agent - No persistent UUID file found. Generating new UUID {:uuid=>"12c95042-508a-455e-a70e-170ba92c7cec", :path=>"/var/lib/logstash/uuid"}
23:13:59.356 [Ruby-0-Thread-8: /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:105] INFO  logstash.inputs.syslog - Starting syslog tcp listener {:address=>"0.0.0.0:514"}
23:13:59.358 [Ruby-0-Thread-7: /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-3.2.0/lib/logstash/inputs/syslog.rb:101] INFO  logstash.inputs.syslog - Starting syslog udp listener {:address=>"0.0.0.0:514"}
23:13:59.359 [[main]-pipeline-manager] INFO  logstash.pipeline - Starting pipeline {"id"=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000}
23:13:59.372 [[main]-pipeline-manager] INFO  logstash.pipeline - Pipeline main started
23:13:59.408 [Api Webserver] INFO  logstash.agent - Successfully started Logstash API endpoint {:port=>9600}

@coaxial

coaxial commented Mar 23, 2018

A bit late to the party, but you can also map ports when running your container.

I needed to collect data via syslog which runs on port 514, but I can't have logstash listen to that port in the container because it doesn't run as root. So instead, I have it listen on port 51400 in my logstash config. When I run the container, I map the port 51400 from the container to port 514 on the host and no-one is the wiser.
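
The rule behind both workarounds in this thread, as an added diagnostic sketch (not code from the thread or from the image): Linux refuses bind() on a port below ip_unprivileged_port_start (1024 by default) unless the process holds CAP_NET_BIND_SERVICE, regardless of the user name it runs under. The function names and the sample capability masks in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a process may bind a port, using the
# kernel's privileged-port rule. Names here are hypothetical helpers.

CAP_NET_BIND_SERVICE=10   # bit number of the capability in the CapEff mask

# may_bind PORT CAPEFF_HEX [UNPRIV_START]
#   PORT          port the listener wants (514 for the syslog input)
#   CAPEFF_HEX    CapEff value as shown in /proc/<pid>/status
#   UNPRIV_START  net.ipv4.ip_unprivileged_port_start (default 1024)
# Prints "allowed" or "denied" and returns 0 or 1 accordingly.
may_bind() {
    mb_port=$1
    mb_capeff=$2
    mb_start=${3:-1024}

    # Ports at or above the threshold need no capability at all,
    # which is why listening on 51400 works for an unprivileged user.
    if [ "$mb_port" -ge "$mb_start" ]; then
        echo allowed; return 0
    fi
    # Below the threshold the capability bit decides, not the UID.
    if [ $(( (0x$mb_capeff >> $CAP_NET_BIND_SERVICE) & 1 )) -eq 1 ]; then
        echo allowed; return 0
    fi
    echo denied; return 1
}

# check_self PORT: apply the rule to the process running this script.
check_self() {
    cs_capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    # The sysctl file is absent on older kernels; fall back to 1024.
    cs_start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null \
               || echo 1024)
    echo "CapEff=$cs_capeff unprivileged_port_start=$cs_start"
    may_bind "$1" "$cs_capeff" "$cs_start"
}

# Constructed sample masks:
#   0000000000000000  non-root user with no effective capabilities
#   00000000a80425fb  a mask that includes CAP_NET_BIND_SERVICE (bit 10)
if [ "$#" -gt 0 ]; then
    check_self "$1"
fi
```

Run with a port argument inside the container, as the user the listener runs as, to see which side of the rule the process falls on.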
