Comments (6)

MAH69IK commented on June 23, 2024 2

@ilyam8 Two reasons. If I type the address in the browser manually, I don't need to specify the port. And, with a centralized configuration, I can just label the server "web" and get the right nftables rules without having to worry about individually configuring ports for multiple web services, each of which often uses its own default ports.

tkatsoulas commented on June 23, 2024 1

Hello @MAH69IK, I understand your use case, but this is not something that we should enforce by default (grant CAP_NET_BIND_SERVICE). The fact that it was working before was an issue/omission from our end which 99% introduced #17159. So I would suggest the following.

  1. For your case you can add the CAP_NET_BIND_SERVICE in your netdata service file.
  2. From our end we can have an admonition about this use case in our docs.

And just for the record, sorry for any inconvenience, because we didn't communicate this limitation in the release notes. Most kindly saying :)

ilyam8 commented on June 23, 2024 1

@MAH69IK we discussed your request and decided not to add CAP_NET_BIND_SERVICE to the list by default.

To do it yourself:

  • edit netdata unit file

        sudo systemctl edit netdata

  • add the following:

        [Service]
        CapabilityBoundingSet=CAP_NET_BIND_SERVICE

  • reload systemd daemon and restart netdata service

        sudo systemctl daemon-reload
        sudo systemctl restart netdata

ilyam8 commented on June 23, 2024

> shouldn't the existing NET_RAW and NET_ADMIN allow to use port 80

@MAH69IK these caps are different according to docs

       CAP_NET_BIND_SERVICE
              Bind a socket to Internet domain privileged ports (port
              numbers less than 1024).

       CAP_NET_RAW
              •  Use RAW and PACKET sockets;
              •  bind to any address for transparent proxying.

       CAP_NET_ADMIN
              Perform various network-related operations:
              •  interface configuration;
              •  administration of IP firewall, masquerading, and
                 accounting;
              •  modify routing tables;
              •  bind to any address for transparent proxying;
              •  set type-of-service (TOS);
              •  clear driver statistics;
              •  set promiscuous mode;
              •  enabling multicasting;
              •  use [setsockopt(2)](https://man7.org/linux/man-pages/man2/setsockopt.2.html) to set the following socket options:
                 SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside
                 the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.

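To check the override from the earlier comment and the capability distinction quoted above, the following added example (not code from the Netdata project or from the commenters) decodes the capability masks in `/proc/<pid>/status`. The function names and both sample status texts are constructed for illustration; the bit numbers come from `linux/capability.h`.

```shell
#!/bin/sh
# Added example: decode Cap* masks as found in /proc/<pid>/status.
# Bit numbers from linux/capability.h.
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK BIT -> exit status 0 if that capability bit is set
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_mask FIELD STATUS_TEXT -> prints the hex mask of CapBnd, CapEff, ...
cap_mask() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2 }'
}

# bind_verdict STATUS_TEXT -> prints one of three verdicts.
# CapBnd is only the upper limit a process may ever hold;
# CapEff is the set the kernel checks when bind() asks for a port < 1024.
bind_verdict() {
    bnd=$(cap_mask CapBnd "$1")
    eff=$(cap_mask CapEff "$1")
    if ! has_cap "$bnd" "$CAP_NET_BIND_SERVICE"; then
        echo "blocked-by-bounding-set"
    elif ! has_cap "$eff" "$CAP_NET_BIND_SERVICE"; then
        echo "in-bounding-set-not-effective"
    else
        echo "effective"
    fi
}

# Constructed sample: only CAP_NET_ADMIN and CAP_NET_RAW (bits 12 and 13).
SAMPLE_BEFORE='Name:   netdata
CapEff: 0000000000003000
CapBnd: 0000000000003000'

# Constructed sample: bit 10 (CAP_NET_BIND_SERVICE) present as well.
SAMPLE_AFTER='Name:   netdata
CapEff: 0000000000003400
CapBnd: 0000000000003400'

# On a live host (assumes the unit is named netdata):
#   bind_verdict "$(cat /proc/"$(systemctl show -p MainPID --value netdata)"/status)"
bind_verdict "$SAMPLE_BEFORE"
bind_verdict "$SAMPLE_AFTER"
```

A verdict of `in-bounding-set-not-effective` means the bounding set now permits the capability but the process does not currently hold it.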

MAH69IK commented on June 23, 2024

Okay. Thanks for the quick feedback!

ilyam8 commented on June 23, 2024

@MAH69IK hey, out of curiosity - why do you bind Netdata to 80?
