aspnetcore: Unable to start Kestrel. System.Net.Sockets.SocketException (13): Permission denied while running alpine as non root user
From @endejoli on Monday, 22 October 2018 19:03:34
Steps to reproduce the issue
1.Use the below Dockerfile to build image
FROM microsoft/dotnet:2.1-aspnetcore-runtime-alpine3.7
EXPOSE 5000
WORKDIR /app
COPY ./app/* /app/
RUN adduser -D buildadmin
RUN chown buildadmin:buildadmin /app /app/*
USER buildadmin
ENTRYPOINT ["dotnet", "Template.Sample.dll"]
- Building and running the image gives below error
18:10:59 INF] Starting web host
[18:10:59 INF] User profile is available. Using '/home/buildadmin/.aspnet/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
[18:10:59 INF] Creating key {c07b8334-0237-48ed-817e-9dcb73382d0e} with creation date 2018-10-22 18:10:59Z, activation date 2018-10-22 18:10:59Z, and expiration date 2019-01-20 18:10:59Z.
[18:10:59 WRN] No XML encryptor configured. Key {c07b8334-0237-48ed-817e-9dcb73382d0e} may be persisted to storage in unencrypted form.
[18:10:59 INF] Writing data to file '/home/buildadmin/.aspnet/DataProtection-Keys/key-c07b8334-0237-48ed-817e-9dcb73382d0e.xml'.
[18:10:59 FTL] Unable to start Kestrel.
System.Net.Sockets.SocketException (13): Permission denied
at System.Net.Sockets.Socket.UpdateStatusAfterSocketErrorAndThrowException(SocketError error, String callerName)
at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Bind(EndPoint localEP)
at Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.SocketTransport.BindAsync()
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.<>c__DisplayClass22_0`1.<<StartAsync>g__OnBind|0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindEndpointAsync(ListenOptions endpoint, AddressBindContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.BindAsync(AddressBindContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.AnyIPListenOptions.BindAsync(AddressBindContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
[18:10:59 FTL] Host terminated unexpectedly
System.Net.Sockets.SocketException (13): Permission denied
at System.Net.Sockets.Socket.UpdateStatusAfterSocketErrorAndThrowException(SocketError error, String callerName)
at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Bind(EndPoint localEP)
at Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.SocketTransport.BindAsync()
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.<>c__DisplayClass22_0`1.<<StartAsync>g__OnBind|0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindEndpointAsync(ListenOptions endpoint, AddressBindContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.BindAsync(AddressBindContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.AnyIPListenOptions.BindAsync(AddressBindContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Hosting.Internal.WebHost.StartAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token, String shutdownMessage)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.Run(IWebHost host)
at Template.Sample.Program.Main(String[] args) in /repo/src/production/Template.Sample/Program.cs:line 20
Application is shutting down...
Expected behavior
It should start the webserver successuflly
Actual behavior
Additional information (e.g. issue happens only occasionally)
When i run dotnet as root user, everything works as expected
Output of docker version
docker info
Containers: 20
Running: 0
Paused: 0
Stopped: 20
Images: 37
Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-1023-azure
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 6.807GiB
Name: actaz-prod-lbf3
ID: 2SKW:7Y6P:KJBW:RAON:HGZ4:TDLT:2M5J:NWAF:EMSL:ZYHW:TZAO:L736
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Copied from original issue: dotnet/dotnet-docker#765
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 3
- Comments: 27 (13 by maintainers)
For OpenShift images, we use these settings (taken from the s2i containers):
This configures ASP.NET Core container to bind to higher port (it does not have permission to bind to port 80 in OpenShift by default) and the
io.openshift.expose-servicesvalue configures the OpenShift routing module.Thanks @jozefizso . Adding
ENV ASPNETCORE_URLS=http://*:8080did the trick for kubernetes as well.Have same problem when deploying my ASP .NET Core 2.1 container to Heroku (runs as non-root inside)
I find that:
When NOT running as
rootA very unhelpful error
SocketException (13): Permission deniedis generated.When running as
rootA much more helpful exception is generated with details explaining why the bind failed. In my case, I put port 80 as the HTTP redirection port but 80 is already used. It correctly identified the error for me:
Failed to bind to address http://[::]:80: address already in use@wfurt you are right. I have the same exception on OpenShift pod when I try run my Docker Hub image with ASP.NET Core 2.1 app built with standard Microsoft ASP.NET Core docker image (also successfully hosted in other environments like Kubernetes). Do you have any idea how to resolve such problem? Of course when I used OpenShift s2i (building directly from sources with Redhat .NET Core image) other ASP.NET Core sample app run successfully.
This helped me, as well. I was using different user other than
rootand now we are seeing an actual working container withoutSocketExceptions.@wfurt Thanks you… @muratg we were using port 80 😦