
Conversation

@olljanat

I prefer to publish NACP on the standard HTTPS port 443, but as a result of e8d5780 it does not work anymore.

The solution is to set an extra capability on the binary, like CoreDNS does, for example: https://github.com/coredns/coredns/blob/v1.13.1/Dockerfile#L15

@mxab
Owner

mxab commented Nov 18, 2025

Interesting, thank you for your PR.

Could you elaborate on your use case a bit more?

@olljanat
Author

Sure, we have dedicated nodes running the Nomad server role + NACP combination.

Nomad servers are configured to listen for HTTP only on localhost (https://github.com/olljanat/nomad-simplified/blob/main/nomad.d/global.hcl#L5-L7) and NACP handles HTTPS on the standard port, so users connecting to Nomad do not need to remember a port number: https://github.com/olljanat/nomad-simplified/blob/main/nacp/nacp-config.hcl#L1-L12

It can also be combined with CoreDNS's Nomad plugin (which I recently upstreamed) so that the Nomad UI and API are available at a single URL without the need for an external load balancer.

@mxab
Owner

mxab commented Nov 25, 2025

Interesting.

As I currently cannot tell what side effects this has compared to the current Dockerfile, can you create a second Dockerfile instead? I can publish both versions by adding another docker build step here: https://github.com/mxab/nacp/blob/main/.goreleaser.yaml#L52

@olljanat
Author

> As I currently cannot tell what side effects this has compared to the current Dockerfile.

No side effects; the kernel will simply allow the NACP binary to listen on port numbers < 1024 even when it is running as non-root. It is explained in https://stackoverflow.com/a/414258

> Can you create a second Dockerfile instead and I can publish both versions by adding another docker build step here https://github.com/mxab/nacp/blob/main/.goreleaser.yaml#L52 ?

I can if you want, but to be honest I don't see the point.

@mxab
Owner

mxab commented Nov 25, 2025

OK, I'm currently trying to verify this locally:

# Build stage: static binary (CGO disabled) so it can run from a scratch image.
FROM golang:1.25 AS build

WORKDIR /app

ENV CGO_ENABLED=0
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/root/.cache/go-build go mod download
COPY pkg ./pkg
COPY cmd ./cmd
ENV GOCACHE=/root/.cache/go-build
RUN --mount=type=cache,target=/root/.cache/go-build go build -o nacp ./cmd/nacp

# Intermediate stage: create the unprivileged user and attach the file
# capability to the binary; setcap comes from libcap2-bin.
FROM ubuntu:25.10 AS secstuff

RUN useradd -u 10001 scratchuser

# from olljanat PR
RUN apt-get update \
    && apt-get install -y libcap2-bin

COPY --from=build /app/nacp /nacp

# from olljanat PR: CAP_NET_BIND_SERVICE lets a non-root process bind ports < 1024
RUN setcap cap_net_bind_service=+ep /nacp

# Final stage: only the capability-tagged binary and the passwd entry for USER.
FROM scratch
COPY --from=secstuff /nacp /nacp
COPY --from=secstuff /etc/passwd /etc/passwd
USER scratchuser
ENTRYPOINT ["/nacp"]

And running it:

docker run --rm -it -v $(pwd)/config:/config --net=host secnacp -config=/config/conf.hcl

where conf.hcl is:

bind = "0.0.0.0"
port = 80

I definitely see the permission denied error when I run it without the line RUN setcap cap_net_bind_service=+ep /nacp:

time=2025-11-25T21:45:53.567Z level=ERROR msg="Error running nacp" error="listen tcp 0.0.0.0:80: bind: permission denied"

and it starts if I include it.
But I get an ERR_CONNECTION_REFUSED on http://localhost:80 if I try to access it. Is there something I missed?

@olljanat
Author

Try curl http://127.0.0.1

The name "localhost" defaults to IPv6.
With the command netstat -anp | grep 80 you can see that NACP is listening on port 80 only on IPv4 addresses.

@mxab
Owner

mxab commented Dec 1, 2025

Sorry for the delay. It seems not to work on my Mac; should it?

@olljanat
Author

olljanat commented Dec 2, 2025

You mean that it breaks the build or usage on Mac, or that it does not allow listening on ports < 1024?

My knowledge of the Mac world is very limited, but IIRC it is based on BSD, which is why Linux-based solutions do not work there directly.
