How to bind rootless containers to port 80
Port 80 is a privileged port. On Linux, an application needs special permission to accept connections on port 80.
For example:

$ docker run -p 127.0.0.1:80:80 httpd:latest

Results in the following error:

error while calling RootlessKit PortManager.AddPort(): cannot expose privileged port 80

The workaround is to set the CAP_NET_BIND_SERVICE capability on the rootlesskit binary. You can use the following command:

sudo setcap cap_net_bind_service=ep $(which rootlesskit)

Please take a moment to understand what you are doing. On your dev machine you should always run your containers bound to localhost, for example:

docker run -p 127.0.0.1:80:80 httpd:latest

Do not forget to add the "127.0.0.1" to the beginning of the host port range! In your Docker Compose file it should look like this:

services:
  web:
    image: httpd:latest
    ports:
      - "127.0.0.1:8080:80"
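
To check a Compose file for published ports that are missing the 127.0.0.1 prefix, here is an added example (not part of the original post). The function names and the sample file are constructed for illustration, and only the short port syntax is handled.

```shell
#!/bin/sh
# Added example. Assumes short-syntax entries ([host_ip:]host_port:container_port) under "ports:".

# Exit 0 only when the mapping names a loopback host IP explicitly.
is_loopback_mapping() {
    case "$1" in
        127.*:*:*|"[::1]":*:*) return 0 ;;
        *) return 1 ;;   # "80:80", "80", "0.0.0.0:80:80" listen on every interface
    esac
}

# Print "EXPOSED <mapping>" per offending entry; return 1 if any was found.
audit_compose_ports() {
    exposed=0 in_ports=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*#.*$//')
        case "$entry" in
            "") continue ;;                 # blank or comment-only line
            ports:*) in_ports=1; continue ;;
            -*) [ "$in_ports" -eq 1 ] || continue ;;
            *) in_ports=0; continue ;;      # any other key ends the ports list
        esac
        mapping=$(printf '%s\n' "$entry" | sed -e 's/^-[[:space:]]*//' -e "s/[\"']//g")
        if ! is_loopback_mapping "$mapping"; then
            printf 'EXPOSED %s\n' "$mapping"
            exposed=1
        fi
    done < "$1"
    return "$exposed"
}

# Constructed sample: "web" follows the advice above, "api" does not.
write_sample_compose() {
    cat > "$1" <<'EOF'
services:
  web:
    image: httpd:latest
    ports:
      - "127.0.0.1:8080:80"
  api:
    ports:
      - "80:80"          # no host IP
      - "0.0.0.0:8443:443"
EOF
}

sample=$(mktemp); write_sample_compose "$sample"
audit_compose_ports "$sample" || echo "fix the entries above: prefix them with 127.0.0.1:"
rm -f "$sample"
```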