The first time when I tried to run SonarQube with root user this fails. Searching in internet I find that the new Sonar should be execute by a non-root user. I created the user sonar with the folow command useradd -m -s /bin/bash sonar and I executed chmod -R 777 sonaqube-7.0. Then I loggin with sonar user: sudo su sonar. When I execute ./sonar.sh console all works fine. But when I change the port by default 9000 to port 80, this fails. Using the command netstat -plunt I check if the port 80 is in use, but the only ports that I use is 22 (sshd), 5432 (postgres) and 25 (exim4).I thinks that this happed because the user sonar has not permission to use the port 80. How cant I use the port 80 with SonarQube?
My current Operating system is debian 9
Your current inability use SonarQube via port 80 is actually due to a limitation provided by nearly all Linux distributions: privileged ports.
All ports below 1024 cannot be listened on by programs executed by non-root users — that is, only the user "root" may run programs that run on these ports. This is to provide assurance that when you connect to an application running on that port, the application is "the real thing" and not a fake put up by a hacker.
Because SonarQube does not allow you to execute it as root, proxying port 80 to a port that is above 1024 that SonarQube is executing on is the only way to get around this limitation.
Exists some ways to allow non-root user use the port 80 and 433, using iptables to redirect the port petitions, CAP_NET_BIND_SERVICE and authbind. The way more easy isauthbind.
Use authbind to grant one-time access, with finer user/group/port control:
The authbind (man page) tool exists precisely for this.
Install authbind using your favorite package manager.
Configure it to grant access to the relevant ports, e.g. to allow 80 and 443 from all users and groups:
sudo touch /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 777 /etc/authbind/byport/80
sudo chmod 777 /etc/authbind/byport/443
Now execute your command via authbind (optionally specifying --deep or other arguments, see the man page):
authbind --deep /path/to/binary command line args
E.g.
authbind --deep java -jar SomeServer.jar
This option grants trust to the user/group and provides control over per-port access but, AFAIK, supports only IPv4.
These are the links that I used to document me:
allow non-root process to bind to port 80 and 443
Is there a way for non-root processes to bind to "privileged" ports on Linux?
how to run a server on port 80 as a normal user on linux
Related
EDIT: I didn't make clear that this works fine on port 80 but not port 8080.
I have a simple server to test OAuth2 written in Golang. It defaults to port 80. I compile it, then run like this:
$ sudo setcap 'cap_net_bind_service=+ep' ./c3
$ nohup ./c3
Works like a charm.
My goal is to show how it works differently depending on configuration, and I'd like the vendor's support team to be able to log onto either version, simply depending on whether they append :8080 to the site's URL.
I have a -port option, so I open another terminal, log into EC2, and run this:
$ sudo setcap 'cap_net_bind_service=+ep' ./c3
$ nohup ./c3 -port=8080
This doesn't connect to mysite.com:8080 and I can't figure out why. The program just hangs.
My security group rules allow all outbound traffic. Inbound is restricted to 80, 8080, 22, and 443.
Using ubuntu tusty, there is a service running on a remote machine, that I can access via port forwarding through an ssh tunnel from localhost:9999.
I have a docker container running. I need to access that remote service via the host's tunnel, from within the container.
I tried tunneling from the container to the host with -L 9000:host-ip:9999 , then accessing the service through 127.0.0.1:9000 from within the container fails to connect. To check wether the port mapping was on, I tried
nc -luv -p 9999 # at host
nc -luv -p 9000 # at container
following this, parag. 2 but there was no perceived communication, even when doing
nc -luv host-ip -p 9000
at the container
I also tried mapping the ports via docker run -p 9999:9000 , but this reports that the bind failed because the host port is already in use (from the host tunnel to the remote machine, presumably).
So my questions are
1 - How will I achieve the connection? Do I need to setup an ssh tunnel to the host, or can this be achieved with the docker port mapping alone?
2 - What's a quick way to test that the connection is up? Via bash, preferably.
Thanks.
Using your hosts network as network for your containers via --net=host or in docker-compose via network_mode: host is one option but this has the unwanted side effect that (a) you now expose the container ports in your host system and (b) that you cannot connect to those containers anymore that are not mapped to your host network.
In your case, a quick and cleaner solution would be to make your ssh tunnel "available" to your docker containers (e.g. by binding ssh to the docker0 bridge) instead of exposing your docker containers in your host environment (as suggested in the accepted answer).
Setting up the tunnel:
For this to work, retrieve the ip your docker0 bridge is using via:
ifconfig
you will see something like this:
docker0 Link encap:Ethernet HWaddr 03:41:4a:26:b7:31
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
Now you need to tell ssh to bind to this ip to listen for traffic directed towards port 9000 via
ssh -L 172.17.0.1:9000:host-ip:9999
Without setting the bind_address, :9000 would only be available to your host's loopback interface and not per se to your docker containers.
Side note: You could also bind your tunnel to 0.0.0.0, which will make ssh listen to all interfaces.
Setting up your application:
In your containerized application use the same docker0 ip to connect to the server: 172.17.0.1:9000. Now traffic being routed through your docker0 bridge will also reach your ssh tunnel :)
For example, if you have a "DOT.NET Core" application that needs to connect to a remote db located at :9000, your "ConnectionString" would contain "server=172.17.0.1,9000;.
Forwarding multiple connections:
When dealing with multiple outgoing connections (e.g. a docker container needs to connect to multiple remote DB's via tunnel), several valid techniques exist but an easy and straightforward way is to simply create multiple tunnels listening to traffic arriving at different docker0 bridge ports.
Within your ssh tunnel command (ssh -L [bind_address:]port:host:hostport] [user#]hostname), the port part of the bind_address does not have to match the hostport of the host and, therefore, can be freely chosen by you. So within your docker containers just channel the traffic to different ports of your docker0 bridge and then create several ssh tunnel commands (one for each port you are listening to) that intercept data at these ports and then forward it to the different hosts and hostports of your choice.
on MacOS (tested in v19.03.2),
1) create a tunnel on host
ssh -i key.pem username#jump_server -L 3336:mysql_host:3306 -N
2) from container, you can use host.docker.internal or docker.for.mac.localhost or docker.for.mac.host.internal to reference host.
example,
mysql -h host.docker.internal -P 3336 -u admin -p
note from docker-for-mac official doc
I WANT TO CONNECT FROM A CONTAINER TO A SERVICE ON THE HOST
The host has a changing IP address (or none if you have no network access).
From 18.03 onwards our recommendation is to connect to the special DNS
name host.docker.internal, which resolves to the internal IP address
used by the host. This is for development purpose and will not work in
a production environment outside of Docker Desktop for Mac.
The gateway is also reachable as gateway.docker.internal.
I think you can do it by adding --net=host to your docker run. But see also this question: Forward host port to docker container
I'd like to share my solution to this. My case was as follows: I had a PostgreSQL SSH tunnel on my host and I needed one of my containers from the stack to connect to a database through it.
I spent hours trying to find a solution (Ubuntu + Docker 19.03) and I failed. Instead of doing voodoo magic with iptables, doing modifications to the settings of the Docker engine itself I came up with a solution and was shocked I didn't thought of this earlier. The most important thing was I didn't want to use the host mode: security first.
Instead of trying to allow a container to talk to the host, I simply added another service to the stack, which would create the tunnel, so other containers could talk to easily without any hacks.
After configuring a host inside my ~/.ssh/config:
Host project-postgres-tunnel
HostName remote.server.host
User sshuser
Port 2200
ForwardAgent yes
TCPKeepAlive yes
ConnectTimeout 5
ServerAliveCountMax 10
ServerAliveInterval 15
And adding a service to the stack:
postgres:
image: cagataygurturk/docker-ssh-tunnel:0.0.1
volumes:
- $HOME/.ssh:/root/ssh:ro
environment:
TUNNEL_HOST: project-postgres-tunnel
REMOTE_HOST: localhost
LOCAL_PORT: 5432
REMOTE_PORT: 5432
# uncomment if you wish to access the tunnel on the host
#ports:
# - 5432:5432
The PHP container started talking through the tunnel without any problems:
postgresql://user:password#postgres/db?serverVersion=11&charset=utf8
Just remember to put your public key inside that host if you haven't already:
ssh-copy-id project-postgres-tunnel
I'm pretty sure this will work regardless of the OS used (MacOS / Linux).
I agree with #hlobit that #B12Toaster answer should be the accepted answer.
In case anyone hits this problem but with a slightly different setup with the SSH tunnel, here are my findings. In my case, instead of creating a tunnel from Docker host machine to remote machine using ssh -L, I was creating remote forward SSH tunnel from remote machine to Docker host machine using ssh -L.
In this setup, by default sshd does NOT allow gateway ports, i.e. in file /etc/ssh/sshd_config on Docker host, the GatewayPorts no should be uncommented and set to GatewayPorts yes or GatewayPorts clientspecified. I configured GatewayPorts clientspecified and configured the remote forward SSH tunnel by ssh -L 172.17.0.1:dockerHostPort:localhost:sshClientPort user#dockerHost. Remember to restart sshd after changing /etc/ssh/sshd_config (sudo systemctl restart sshd).
Your Docker container should be able to connect to Docker host on 172.17.0.1:dockerHostPort and this in turn gets tunnelled back to SSH client's localhost:sshClientPort.
References:
https://www.ssh.com/ssh/tunneling/example
https://docs.docker.com/network/network-tutorial-host/
https://docs.docker.com/network/host/
My 2 cents for Ubuntu 18.04 - a very simple answer, no need for extra tunnels, extra containers, extra docker options or exposing host.
Simply, when creating a reverse tunnel make sure ssh binds to all interfaces as, by default, it binds ports of the reverse tunnel to localhost only. For example, in putty make sure that option Connection->SSH->Tunnels Remote ports do the same (SSH-2 only) is ticked.
This is more or less equivalent to specifying the binding address 0.0.0.0 for the remote part of the tunnel (more details here):
-R [bind_address:]port:host:hostport
However, this did not work for me unless I allowed the GatewayPorts option in my sshd server configuration. Many thanks to Stefan Seidel for his great answer.
In short: (1) you bind the reverse tunnel to 0.0.0.0, (2) you let the sshd server to accept such tunnels.
Once this is done I can access my remote server from my docker containers via the docker gateway 172.17.0.1 and port bound to the host.
On my side, running Docker in Windows Subsystem for Linux (WSL v1), I couldn't use docker0 connection approach. host.docker.internal also doesn't resolve (latest docker version).
However, I found out I could directly use the host-ip insider my docker container.
Get your Host IP (Windows cmd: ipconfig), e.g. 192.168.0.5
Bash into your Container and test if you can ping your host ip:
- docker exec -it d6b4be5b20f7 /bin/bash
- apt-get update && apt-get install iputils-ping
- ping 192.168.0.5
PING 192.168.0.5 (192.168.0.5) 56(84) bytes of data.
64 bytes from 192.168.0.5 : icmp_seq=1 ttl=37 time=2.17 ms
64 bytes from 192.168.0.5 : icmp_seq=2 ttl=37 time=1.44 ms
64 bytes from 192.168.0.5 : icmp_seq=3 ttl=37 time=1.68 ms
Apparently, in Windows, you can directly connect from within containers to the host using the official host ip.
In case anyone needs it (like I did), solution for Windows and WSL is same as #prayagupd mentioned for Mac OS
Create an SSH tunnel to your remote service with whatever tool you prefer to whatever port you prefer, for example 3300.
Then, from Docker container you can connect to, for example, MySQL DB on tunnel port 3300 using following command:
mysql -u user -p -h host.docker.internal -P 3300
An easy example to reproduce the situation and ssh to host
Run a container. Use --network="host
docker container run --network="host" --interactive --tty --rm ubuntu bash
Now you can access your host using localhost
Now your host machine is a Linux machine that has a public-private key file to ssh into it. So copy the contents of your private key file and reproduce the key file inside your host. (However, this is just a demonstration. This is not a good way to copy key files)
Now ssh into your host. Use localhost to access it.
ssh -i key_file.pem ec2-user#localhost
I'd like to connect remotely to the Ubuntu bash on my Windows 10.
I've got an answer on port 22 but when it asks for username and password, it says access denied...
I've already created a user "root" and i've done a "sudo passwd root"
Windows firewall is deactivated (service stopped).
Thanks !
Stop ssh server and ssh broker services on Windows to avoid SSH port conflict
Makes below changes in /etc/ssh/sshd_config:
UsePrivilegeSeparation no
PasswordAuthentication yes
Then restart ssh server by sudo service ssh restart. If you see could not load host key error then create host key as below and restart ssh service:
sudo ssh-keygen -f /etc/ssh/ssh_host_rsa_key -b 4096 -t rsa
First, You need to Stop/Disable Windows 10 SSH Server Broker Services or Change OpenSSH Port.
After that, modify the /etc/ssh/sshd_config:
UsePrivilegeSeparation no
PubkeyAuthentication no
PasswordAuthentication yes
I started having issues after installing VirtualBox with my Bash on Ubuntu on Windows SSH connection. I stopped the VM, uninstalled, and still couldn't authenticate. The user 'Nobody' is correct, the best solution would either to disable the SSH Broker for Windows 10, or just change the port for SSH on the Linux subsystem, which I did, and works perfectly.
You must also in most cases add a inbound firewall rule to allow traffic on port 22.. the default setup only allows for inbound traffic using the windows implementation of ssh, therefore not allowing any traffic for the openssh-server. Just follow the instructions above and then add a rule for port 22 inbound in Windows Firewall and you should be set.
Since windows implementation doesn't provide chroot you need to modify the /etc/ssh/sshd_config
UsePrivilegeSeparation no
Also you will need to create a user using useradd command or so.
We have to use port 80 for our server. But when I was trying to use it in Mac, it always said that the 80 is used, but I don't know which program uses it.
I searched it in Google, and someone said it's about apache, but I tried, which is not working. I found this: https://gist.github.com/kujohn/7209628 , but seems it's not working visiting our server by IP address.
I really don't know what's going on and how can I find out which program using port 80 and stop it.
Many thanks if anyone can help, I'm new using Mac. Thanks.
To find out what process is using port 80
go to Applications
open utilities.
open Activity Monitor.
click on the Memory tab,
look at the ports and the processes using them. Find port 80 and select it
go to the view on the menu bar and choose Quit process.
This will just kill the process, it will not stop a server instance that is already running from continuing to run.
(Correction: the Ports column shows the number of open ports (and files?), not the port number)
It is not clear if you are using a database management system or not and which one but one method that has worked for me using MAMP is as follows.
stop the server by using sudo apachectl stop command.
then change the port to port 80.
then restart your servers.
type the following in Terminal
sudo lsof -i -n -P | grep TCP
you will get a list - e.g. dropbox listens on 80
you can copy the output to a text editor, etc to search
On Mac ports below 1024 can only be bound by the root user.
Try launching your server as root user (with sudo), or try to use a port above 1024.
You can also try to add root permissions to your user in /etc/sudoers
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
your_user_here ALL = (ALL) ALL
I was having this issue, apache was disabled via launchctl, but was still tying up port 80 after launch, I could start up apache and it would work, but after unloading it, I couldn't start up anything on port 80. I was using the built in web server for Python as an easy test. It would work on port 81, but not on port 80.
sudo python -m SimpleHTTPServer 80 -- wouldn't work
sudo python -m SimpleHTTPServer 81 -- would work
Here are the symptoms:
$ launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
/System/Library/LaunchDaemons/org.apache.httpd.plist: Could not find specified service
$ sudo lsof -i ':80'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Python 3353 root 3u IPv4 0xe455777a82799f05 0t0 TCP *:http (LISTEN)
The fix for me (after way too much searching) was simple:
sudo pfctl -F all
This flushed the packet filter, releasing port 80 (and others I assume 8080, 443, whatever ports apache might be tying up)
After that, and relaunching the python server, it came right up.
Might be Skype that is using port 80. If you have Skype installed and running try to change to a different port in the settings.
Port numbers in the range from 0 to 1023 are classified as 'well-known' and port number 80 is reserved for HTTP. Typically you have servers listening on port 80 to handle HTTP requests.
Source:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Ubuntu is running on Amazon EC2, version 10.10
installed java using
sudo apt-get install openjdk-6-jdk
(more about openjdk6 https://launchpad.net/ubuntu/maverick/+package/openjdk-6-jdk)
did the following to in install tomcat7
wget -c http://apache.petsads.us/tomcat/tomcat-7/v7.0.27/bin/apache-tomcat-7.0.27.tar.gz
sudo tar xvfz apache-tomcat-7.0.27.tar.gz -C /var
Then I see a folder called apache-tomcat-7.0.27 under /var
go to /var/apache-tomcat-7.0.27/bin and run:
sudo bash startup.sh
It looks like tomcat starts successfully:
ubuntu#ip-XX-XXX-XX-XXX:/var/apache-tomcat-7.0.27/bin$ sudo bash startup.sh
Using CATALINA_BASE: /var/apache-tomcat-7.0.27
Using CATALINA_HOME: /var/apache-tomcat-7.0.27
Using CATALINA_TMPDIR: /var/apache-tomcat-7.0.27/temp
Using JRE_HOME: /usr
Using CLASSPATH: /var/apache-tomcat-7.0.27/bin/bootstrap.jar:/var/apache-tomcat-7.0.27/bin/tomcat-juli.jar
I did a test by doing:
sudo fuser -v -n tcp 8080
then i got result(looks like tomcat is up and running):
0 USER PID ACCESS COMMAND
8080/tcp: root 1234 F.... java
But if i type in address of my server in browser, i can't see the default tomcat page...
Am I missing anything????? I am open to any advices.
I followed some of the steps (not all of them) in http://www.excelsior-usa.com/articles/tomcat-amazon-ec2-java-stack.html#tomcat
The solution of this problem is:
This instance is not owned by me.
I asked my friend to change the rule for 8080 in the firewall configuration via his aws management console.
Then it worked.
With out knowing exactly what your setup is, my first guess is you need to open port 8080 on the security group for that instance. Go to security groups and either open it to 0.0.0.0/0 or ur specific IP (this depends on your security requirements for the server)