From 3916458f2a3d65f54f6501441d049f6945e6abe3 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Tue, 28 Jun 2022 11:50:47 +0100 Subject: [PATCH 1/3] document adding CAP_NET_BIND_SERVICE to coder.service --- docs/install.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/install.md b/docs/install.md index e7a9b0a66871d..d43c712d53576 100644 --- a/docs/install.md +++ b/docs/install.md @@ -41,6 +41,17 @@ sudo systemctl enable --now coder journalctl -u coder.service -b ``` +> Note: If you wish to run Coder on a privileged port (lower than 1024), +> then you will need to edit `/usr/lib/systemd/system/coder.service` and +> make the following change: +> +> ```diff +> -AmbientCapabilities=CAP_IPC_LOCK +> +AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE +> ``` +> +> This will allow Coder to bind to ports lower than 1024. + ## docker-compose Before proceeding, please ensure that you have both Docker and the [latest version of From 0be2da4762fd99756a5e0bb6658e23ec86c6883b Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Tue, 28 Jun 2022 12:34:45 +0100 Subject: [PATCH 2/3] Update docs/install.md Co-authored-by: Mathias Fredriksson --- docs/install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/install.md b/docs/install.md index d43c712d53576..7ecf662c9fbff 100644 --- a/docs/install.md +++ b/docs/install.md @@ -41,7 +41,7 @@ sudo systemctl enable --now coder journalctl -u coder.service -b ``` -> Note: If you wish to run Coder on a privileged port (lower than 1024), +> **Note:** If you wish to run Coder on a privileged port (lower than 1024), > then you will need to edit `/usr/lib/systemd/system/coder.service` and > make the following change: > From 97bebee521b96c3d72915a59751580723a08860a Mon Sep 17 00:00:00 2001 
From: Cian Johnston Date: Tue, 28 Jun 2022 13:33:35 +0100 Subject: [PATCH 3/3] make CAP_NET_BIND_SERVICE the default --- coder.service | 2 +- docs/install.md | 11 ----------- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/coder.service b/coder.service index 928df1ff1c28e..8c8f6a36428fb 100644 --- a/coder.service +++ b/coder.service @@ -16,7 +16,7 @@ ProtectSystem=full PrivateTmp=yes PrivateDevices=yes SecureBits=keep-caps -AmbientCapabilities=CAP_IPC_LOCK +AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CacheDirectory=coder CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE KillSignal=SIGINT diff --git a/docs/install.md b/docs/install.md index 7ecf662c9fbff..e7a9b0a66871d 100644 --- a/docs/install.md +++ b/docs/install.md @@ -41,17 +41,6 @@ sudo systemctl enable --now coder journalctl -u coder.service -b ``` -> **Note:** If you wish to run Coder on a privileged port (lower than 1024), -> then you will need to edit `/usr/lib/systemd/system/coder.service` and -> make the following change: -> -> ```diff -> -AmbientCapabilities=CAP_IPC_LOCK -> +AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE -> ``` -> -> This will allow Coder to bind to ports lower than 1024. - ## docker-compose Before proceeding, please ensure that you have both Docker and the [latest version of
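Review bot: In the PATCH 1/3 hunk for docs/install.md, the note tells users to edit `/usr/lib/systemd/system/coder.service` in place, which a package upgrade will overwrite, silently dropping the capability again. Suggest pointing users at a drop-in override instead (`systemctl edit coder.service`, which writes under `/etc/systemd/system/coder.service.d/`), and mentioning that `AmbientCapabilities=` must be re-stated in full in the override rather than only adding `CAP_NET_BIND_SERVICE`.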
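Review bot: In the PATCH 3/3 hunk for coder.service, `CAP_NET_BIND_SERVICE` is added to `AmbientCapabilities=` for every installation, not only those that actually listen below 1024; the unchanged `CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE` context line shows the capability was already permitted, so the hunk is consistent, but the commit message "make CAP_NET_BIND_SERVICE the default" does not say why the default-deny posture of the previous line was dropped. Suggest expanding the commit message with the rationale (e.g. TLS on 443 without a reverse proxy) so the widened default capability set is a recorded decision rather than an unexplained change.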
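Review bot: In the PATCH 3/3 hunk for docs/install.md, the whole privileged-port note is removed, so the docs no longer tell readers that the service can bind below 1024 or that this depends on the shipped unit's `AmbientCapabilities=`; suggest keeping a one-line mention in its place. Also, the index lines show docs/install.md going e7a9b0a66871d -> d43c712d53576 -> 7ecf662c9fbff -> e7a9b0a66871d across the three patches, i.e. the net docs change in the series is nil, so the series could be squashed to the coder.service change alone before merge.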