Commit c6a5202

fix: remove CAP_NET_BIND_SERVICE from python binary and default to port 5050 #9657
1 parent 86a8b16 commit c6a5202

3 files changed

Lines changed: 14 additions & 17 deletions

Dockerfile

Lines changed: 1 addition & 3 deletions
@@ -165,7 +165,6 @@ RUN apk update && apk upgrade && \
165165
tzdata \
166166
libedit \
167167
libldap \
168-
libcap \
169168
su-exec && \
170169
rm -rf /var/cache/apk/*
171170

@@ -203,14 +202,13 @@ RUN /venv/bin/python3 -m pip install --no-cache-dir gunicorn==23.0.0 && \
203202
chown pgadmin:root /pgadmin4/config_distro.py && \
204203
chmod g=u /pgadmin4/config_distro.py && \
205204
chmod g=u /etc/passwd && \
206-
setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/python3.[0-9][0-9] && \
207205
echo "pgadmin ALL = NOPASSWD: /usr/sbin/postfix start" > /etc/sudoers.d/postfix && \
208206
echo "pgadminr ALL = NOPASSWD: /usr/sbin/postfix start" >> /etc/sudoers.d/postfix
209207

210208
USER 5050
211209

212210
# Finish up
213211
VOLUME /var/lib/pgadmin
214-
EXPOSE 80 443
212+
EXPOSE 5050 443
215213

216214
ENTRYPOINT ["/entrypoint.sh"]
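Review bot: `EXPOSE 5050 443` still advertises 443, but with the `setcap CAP_NET_BIND_SERVICE=+eip` line removed above and `USER 5050` unchanged, the process can bind 443 only where the container runtime itself lets a non-root process bind low ports. Either state that requirement in a comment next to the `EXPOSE` line, or move the TLS default to an unprivileged port in the same change so that both defaults work without any capability.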

docs/en_US/container_deployment.rst

Lines changed: 12 additions & 13 deletions
@@ -104,7 +104,7 @@ of sudo to start Postfix, or if you wish to use an external mail server.
104104

105105
*Default: <null>*
106106

107-
If left un-set, the container will listen on port 80 for connections in plain
107+
If left un-set, the container will listen on port 5050 for connections in plain
108108
text. If set to any value, the container will listen on port 443 for TLS
109109
connections.
110110

@@ -122,7 +122,7 @@ for most users - in IPv4-only environments, this may need to be set to
122122

123123
**PGADMIN_LISTEN_PORT**
124124

125-
*Default: 80 or 443 (if TLS is enabled)*
125+
*Default: 5050 or 443 (if TLS is enabled)*
126126

127127
Allows the port that the server listens on to be set to a specific value rather
128128
than using the default.
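Review bot: the new `*Default: 5050 or 443 (if TLS is enabled)*` line breaks deployments that rely on the old default with a `-p 80:80` mapping, and nothing under **PGADMIN_LISTEN_PORT** tells the reader that the value changed. Add a short version note here saying the plain-text default moved from 80 to 5050 and that existing host port mappings must be updated.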
@@ -227,14 +227,13 @@ instances.
227227
228228
sudo chown -R 5050:5050 <host_directory>
229229
230-
On some filesystems that do not support extended attributes, it may not be
231-
possible to run pgAdmin without specifying a value for *PGADMIN_LISTEN_PORT*
232-
that is greater than 1024. In such cases, specify an alternate port when
233-
launching the container by adding the environment variable, for example:
230+
The default listen port is 5050, which does not require any special
231+
privileges. If you need to use a different port, specify it when launching
232+
the container by adding the environment variable, for example:
234233

235234
.. code-block:: bash
236235
237-
-e 'PGADMIN_LISTEN_PORT=5050'
236+
-e 'PGADMIN_LISTEN_PORT=8080'
238237
239238
Don't forget to adjust any host-container port mapping accordingly.
240239

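Review bot: the rewritten paragraph says port 5050 "does not require any special privileges" but drops the only mention that low ports are a special case, which matters more now that the image no longer sets CAP_NET_BIND_SERVICE on the python binary. Add a sentence saying that a *PGADMIN_LISTEN_PORT* value below 1024 works only if the container runtime allows a non-root process to bind it, and that mapping a low host port to container port 5050 is the simpler alternative.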
@@ -280,22 +279,22 @@ certificate.
280279
Examples
281280
********
282281

283-
Run a simple container over port 80:
282+
Run a simple container over port 5050:
284283

285284
.. code-block:: bash
286285
287286
docker pull dpage/pgadmin4
288-
docker run -p 80:80 \
287+
docker run -p 5050:5050 \
289288
-e 'PGADMIN_DEFAULT_EMAIL=user@domain.com' \
290289
-e 'PGADMIN_DEFAULT_PASSWORD=SuperSecret' \
291290
-d dpage/pgadmin4
292291
293-
Run a simple container over port 80, setting some configuration options:
292+
Run a simple container over port 5050, setting some configuration options:
294293

295294
.. code-block:: bash
296295
297296
docker pull dpage/pgadmin4
298-
docker run -p 80:80 \
297+
docker run -p 5050:5050 \
299298
-e 'PGADMIN_DEFAULT_EMAIL=user@domain.com' \
300299
-e 'PGADMIN_DEFAULT_PASSWORD=SuperSecret' \
301300
-e 'PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION=True' \
@@ -327,13 +326,13 @@ Sometimes it's desirable to have users connect to pgAdmin through a reverse
327326
proxy rather than directly to the container it's running in. The following
328327
examples show how this can be achieved. With traditional reverse proxy servers
329328
such as `Nginx <https://www.nginx.com/>`_, pgAdmin is running in a container on
330-
the same host, with port 5050 on the host mapped to port 80 on the container,
329+
the same host, with port 5050 on the host mapped to port 5050 on the container,
331330
for example:
332331

333332
.. code-block:: bash
334333
335334
docker pull dpage/pgadmin4
336-
docker run -p 5050:80 \
335+
docker run -p 5050:5050 \
337336
-e "PGADMIN_DEFAULT_EMAIL=user@domain.com" \
338337
-e "PGADMIN_DEFAULT_PASSWORD=SuperSecret" \
339338
-d dpage/pgadmin4
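Review bot: in the reverse proxy example, `docker run -p 5050:5050` publishes the plain-text port on every host interface, so clients can reach pgAdmin directly and bypass the proxy. Since the text says the proxy runs on the same host, consider `-p 127.0.0.1:5050:5050` here so that only the local proxy can connect.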

pkg/docker/entrypoint.sh

Lines changed: 1 addition & 1 deletion
@@ -270,7 +270,7 @@ else
270270
if [ -n "${PGADMIN_ENABLE_TLS}" ]; then
271271
BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-443}"
272272
else
273-
BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-80}"
273+
BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-5050}"
274274
fi
275275
fi
276276

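Review bot: only the plain-text branch changes; the TLS branch above still resolves to `${PGADMIN_LISTEN_PORT:-443}`, and an explicit `PGADMIN_LISTEN_PORT` below 1024 is passed through unchecked in both branches. With the capability gone from the python binary, consider logging a warning here when the resolved port is below 1024, so that a bind failure is explained at startup rather than left to the server's error output.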