
Docker-compose: do not access ports <443 #3261


Merged (2 commits), May 19, 2025

Conversation

@toger5 (Contributor) commented May 12, 2025

This does not allow Podman (and also Docker) to start the containers without altering Linux's default security measures.

The Playwright tests also run with those alternative ports: 4443, 8080, 8081.

@toger5 toger5 requested a review from a team as a code owner May 12, 2025 14:06
@toger5 toger5 requested a review from AndrewFerr May 12, 2025 14:06
@toger5 toger5 added the PR-Developer-Experience Release note category. A PR that does not change EC but improves working with the repository. label May 12, 2025
@fkwp (Contributor) commented May 13, 2025

This PR is missing the required changes for dev-backend-docker-compose.yml to work properly, as removing port 443 requires a bunch of config files to be adapted: https://hostname then becomes https://hostname:port.

@fkwp fkwp added the X-Blocked Cannot be merged due to external dependencies label May 13, 2025
@fkwp (Contributor) commented May 13, 2025

As a workaround for Podman:

You can modify the net.ipv4.ip_unprivileged_port_start sysctl to change the lowest port. For example, sysctl net.ipv4.ip_unprivileged_port_start=443 allows rootless Podman containers to bind to ports >= 443.
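As an added example (this is not code from the element-call repository or from either commenter), the POSIX shell script below reads the kernel's current unprivileged-port floor, lists which ports in a compose "ports:" list fall below it, and prints the smallest sysctl change that lets rootless Podman or Docker bind them. The port lists at the bottom are constructed to stand in for the compose file before and after this PR (80 and 443 before; 443 plus the alternative ports 4443, 8080, 8081 after) and the helper names are mine. The caveat a practitioner should keep in mind: net.ipv4.ip_unprivileged_port_start is host-wide, so every unprivileged process on the machine gains the ability to bind every port from the new floor up to 1023, which is why the script suggests the lowest port actually needed rather than 0.

```shell
#!/bin/sh
# Added example, not part of the element-call repository.
# Checks which ports in a compose "ports:" list fall below the kernel's
# unprivileged-port floor (net.ipv4.ip_unprivileged_port_start) and prints
# the smallest sysctl change that lets a rootless Podman/Docker bind them.

# Kernel default for ip_unprivileged_port_start, used when /proc is absent
# (e.g. on a non-Linux host).
DEFAULT_FLOOR=1024

# Current floor from the running kernel, or the default if unreadable.
unprivileged_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo "$DEFAULT_FLOOR"
    fi
}

# lowest_port PORT... -> the smallest port number in the list.
lowest_port() {
    min=""
    for p in "$@"; do
        if [ -z "$min" ] || [ "$p" -lt "$min" ]; then
            min=$p
        fi
    done
    echo "$min"
}

# privileged_ports FLOOR PORT... -> space-separated ports that are below
# FLOOR, i.e. that an unprivileged process cannot bind right now.
privileged_ports() {
    floor=$1
    shift
    out=""
    for p in "$@"; do
        if [ "$p" -lt "$floor" ]; then
            out="$out $p"
        fi
    done
    echo "${out# }"
}

# suggest_sysctl FLOOR PORT... -> "ok" when every port is bindable without
# privilege, otherwise the minimal sysctl that makes them bindable. The
# floor is lowered only as far as the lowest needed port, never to 0,
# because the setting applies to every unprivileged process on the host.
suggest_sysctl() {
    floor=$1
    shift
    low=$(lowest_port "$@")
    if [ "$low" -lt "$floor" ]; then
        echo "sysctl net.ipv4.ip_unprivileged_port_start=$low"
    else
        echo "ok"
    fi
}

# Constructed port lists standing in for the compose file before and after
# the PR; the real file's "ports:" entries are not reproduced here.
BEFORE_PORTS="80 443"
AFTER_PORTS="443 4443 8080 8081"

floor=$(unprivileged_port_start)
echo "current unprivileged port floor: $floor"
# Word splitting of the port lists is intended.
echo "before PR: privileged ports [$(privileged_ports "$floor" $BEFORE_PORTS)] -> $(suggest_sysctl "$floor" $BEFORE_PORTS)"
echo "after PR:  privileged ports [$(privileged_ports "$floor" $AFTER_PORTS)] -> $(suggest_sysctl "$floor" $AFTER_PORTS)"
```

On a stock Linux host (floor 1024) the "before" list needs the floor lowered to 80, while the "after" list only needs 443, which matches the sysctl value given in the comment above; after applying that sysctl the script reports "ok" for the post-PR list.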

@toger5 (Contributor, Author) commented May 14, 2025

I updated the PR to still include the :Z flag for the file copy and to allow setting the min port to 443 (instead of 80).

@fkwp fkwp changed the title Do not try accessing ports <1024 Do not try accessing ports <443 May 15, 2025
@fkwp (Contributor) commented May 15, 2025

The .well-known URI can only be reached via HTTPS on the default port 443. Due to this limitation, the highest possible port is bound to 443.

@fkwp fkwp removed the X-Blocked Cannot be merged due to external dependencies label May 15, 2025
@fkwp fkwp changed the title Do not try accessing ports <443 Docker-compose: do not accessing ports <443 May 15, 2025
@toger5 (Contributor, Author) commented May 15, 2025

I actually did run into issues using the dev env in Firefox (not Playwright); not sure if that is an issue. I think some routing is done through port 80.
So eventually we need to update the nginx conf or also allow port 80?

@toger5 toger5 changed the title Docker-compose: do not accessing ports <443 Docker-compose: do not access ports <443 May 19, 2025
@toger5 (Contributor, Author) commented May 19, 2025

Let's merge this as is. In case there is another issue with the local lk server, we can fix this in another PR.

@toger5 toger5 merged commit 0110465 into livekit May 19, 2025
20 checks passed