
Allow rootless containers to bind privileged ports and ping #2466

Closed
vflaux opened this issue Sep 29, 2022 · 6 comments · Fixed by #2494

Comments

@vflaux

vflaux commented Sep 29, 2022

What I'd like:

Add config options to allow containers to bind privileged ports (<1024) and open ICMP echo sockets without being root. (This is the default with dockerd.)
It can be enabled within the containerd config (/etc/containerd/config.toml).
For Kubernetes:

```toml
[plugins."io.containerd.grpc.v1.cri"]
  enable_unprivileged_ports = true
  enable_unprivileged_icmp = true
```

Any alternatives you've considered:

This can be worked around with Kubernetes (>1.22) with a SecurityContext on pods:

```yaml
securityContext:
  sysctls:
    - name: net.ipv4.ip_unprivileged_port_start
      value: "0"
    - name: net.ipv4.ping_group_range
      value: "0 2147483647"
```

It can also be configured within a bootstrap container but I'm not sure how to restart containerd from there.

@zmrow
Contributor

zmrow commented Sep 29, 2022

Thanks for the issue @vflaux! There are a few related requests in #1703 and #2404.

Does the SecurityContext workaround mentioned unblock this for you? Would the containerd settings mentioned be beneficial if so?

@vflaux
Author

vflaux commented Sep 30, 2022

Hi,

The workaround works and we could also use a different port, but that means changing the manifests.

More context:
We are transitioning from dockerd to containerd with the AL2 AMI and found that some of our client apps bind to port 80. So we patched the containerd config with a bootstrap script, which fixes the issue.
We are also evaluating the Bottlerocket AMI and noticed that we had the same problem.

We have to switch to containerd in the future and we can do this without breaking changes to our clients with AL2. But we cannot with Bottlerocket unless we can change the sysctl net.ipv4.ip_unprivileged_port_start of containers (via containerd or another component).

@zmrow
Contributor

zmrow commented Sep 30, 2022

Thanks for the extra context! Another option here is to set these sysctls with settings.kernel.sysctl.

Based on your example above, it would look something like:

```toml
[settings.kernel.sysctl]
"net.ipv4.ip_unprivileged_port_start" = "0"
"net.ipv4.ping_group_range" = "0 2147483647"
```

@vflaux
Author

vflaux commented Oct 3, 2022

settings.kernel.sysctl applies sysctls on the host, but they are not propagated to the namespace of containers.

From the admin container:

```
$ sudo shelltie
# sysctl net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 0
```

From a pod:

```
$ sysctl net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 1024
```
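
The host-versus-pod difference shown above, and the two containerd options from the opening comment, can be checked from inside the namespace you care about with the following preflight script. It is an added example, not code from this issue, Bottlerocket or containerd. It assumes the standard Linux paths /proc/sys/net/ipv4/ip_unprivileged_port_start and /proc/sys/net/ipv4/ping_group_range; because /proc/sys/net is per network namespace, running the same script on the host and with `kubectl exec` inside a pod reproduces the 0 vs 1024 result quoted above. The POD_DEFAULTS and DOCKERD_DEFAULTS values are constructed samples (the kernel's own defaults and the dockerd-style defaults the containerd options restore).

```python
"""Preflight check: may an unprivileged process in this network namespace
bind a low port and open an ICMP echo socket?  (Added example, hypothetical
helper names; assumes the standard Linux /proc/sys paths.)"""
import errno
import os
import socket
import sys
from typing import List, Optional, Tuple

PORT_START_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"
PING_RANGE_PATH = "/proc/sys/net/ipv4/ping_group_range"

# Constructed sample values, not read from any real host:
# kernel defaults a pod sees, and the dockerd-style defaults the
# enable_unprivileged_ports / enable_unprivileged_icmp options restore.
POD_DEFAULTS = {"ip_unprivileged_port_start": "1024\n",
                "ping_group_range": "1\t0\n"}
DOCKERD_DEFAULTS = {"ip_unprivileged_port_start": "0\n",
                    "ping_group_range": "0\t2147483647\n"}


def parse_port_start(text: str) -> int:
    """ip_unprivileged_port_start is a single integer."""
    return int(text.strip())


def parse_ping_group_range(text: str) -> Tuple[int, int]:
    """ping_group_range is 'lo<tab>hi'; the default '1 0' is an empty range."""
    lo, hi = text.split()
    return int(lo), int(hi)


def port_needs_cap_net_bind(port: int, port_start: int) -> bool:
    """True if binding `port` needs CAP_NET_BIND_SERVICE (or root)."""
    return port < port_start


def gid_may_open_icmp_socket(gid: int, ping_range: Tuple[int, int]) -> bool:
    """True if a process whose gid is inside the range may open an
    unprivileged ICMP echo socket (SOCK_DGRAM / IPPROTO_ICMP)."""
    lo, hi = ping_range
    return lo <= gid <= hi


def assess(values: dict, port: int, gids: List[int]) -> dict:
    """Summarise, from raw sysctl text, what an unprivileged process may do."""
    port_start = parse_port_start(values["ip_unprivileged_port_start"])
    ping_range = parse_ping_group_range(values["ping_group_range"])
    return {
        "port_start": port_start,
        "bind_needs_cap": port_needs_cap_net_bind(port, port_start),
        "ping_group_range": ping_range,
        "ping_allowed": any(gid_may_open_icmp_socket(g, ping_range) for g in gids),
    }


def read_sysctls() -> dict:
    """Read both values for the *current* network namespace."""
    with open(PORT_START_PATH) as f:
        start = f.read()
    with open(PING_RANGE_PATH) as f:
        rng = f.read()
    return {"ip_unprivileged_port_start": start, "ping_group_range": rng}


def probe_bind(port: int) -> Optional[str]:
    """Empirically try to bind a TCP socket on `port`.
    Returns None on success, else the errno name (EACCES, EADDRINUSE, ...)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    gids = sorted(set(os.getgroups()) | {os.getgid()})
    report = assess(read_sysctls(), port, gids)
    print(f"ip_unprivileged_port_start = {report['port_start']}")
    print(f"bind({port}) needs CAP_NET_BIND_SERVICE: {report['bind_needs_cap']}")
    print(f"ping_group_range = {report['ping_group_range']}")
    print(f"unprivileged ICMP echo for gids {gids}: {report['ping_allowed']}")
    print(f"bind probe on {port}: {probe_bind(port) or 'ok'}")
```

Run it as `python3 preflight.py 80` both from the host shell and via `kubectl exec` in a pod: with the host-only sysctl from settings.kernel.sysctl the host reports `bind_needs_cap: False` while the pod still reports `True`, which is exactly the propagation gap described above. The bind probe is the ground truth; the parsed values explain why it fails (EACCES when the port is below the namespace's start value, EADDRINUSE if something already listens there).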

@zmrow
Contributor

zmrow commented Oct 3, 2022

Good point.

There is an issue in the containerd repo to enable these by default. It seems that the only caveat is that it can't be done with really old kernels (at least 3.10), which we don't use anyway.

Perhaps we can look into enabling these by default.

@zmrow
Contributor

zmrow commented Oct 3, 2022

The comments on the related containerd issue suggest that enabling these "could break existing deployments", but the comment hasn't been expanded on.
