You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@trafficserver.apache.org by Matthieu Bienvenüe <ma...@exultet.net> on 2013/04/08 12:02:02 UTC

Unable to bind socket: 80 : Permission denied

Hello !

I'm currently have a problem wih setting ATS up. I'm using an OpenVZ 
container (Proxmox 2.3) that runs debian 6.0. I'm installing ATS using 
sid apt repository (ATS version 3.2.4-1).
After the install, I'm changing the listenning port to 80 and here comes 
problems :

[Apr  8 08:51:37.519] Manager {0xb70756d0} NOTE: 
[ClusterCom::ClusterCom] Node running on OS: 'Linux' Release: 
'2.6.32-19-pve'
[Apr  8 08:51:37.519] Manager {0xb70756d0} ERROR: [bindProxyPort] Unable 
to bind socket: 80 : Permission denied
[Apr  8 08:51:37.519] Manager {0xb70756d0} ERROR:  (last system error 
13: Permission denied)
[E. Mgmt] log ==> [TrafficManager] using root directory '/usr'
[Apr  8 08:51:37.526] {0xb70386d0} STATUS: opened 
/var/log/trafficserver/manager.log
[Apr  8 08:51:37.526] {0xb70386d0} NOTE: updated diags config
[Apr  8 08:51:37.526] Manager {0xb70386d0} NOTE: [appendDefaultDomain] 
Unable to determine default domain name. Nodes will be know by their 
unqualified host name
[Apr  8 08:51:37.527] Manager {0xb70386d0} NOTE: 
[ClusterCom::ClusterCom] Node running on OS: 'Linux' Release: 
'2.6.32-19-pve'
[Apr  8 08:51:37.527] Manager {0xb70386d0} ERROR: [bindProxyPort] Unable 
to bind socket: 80 : Permission denied
[Apr  8 08:51:37.527] Manager {0xb70386d0} ERROR:  (last system error 
13: Permission denied)


I don't know why I've such problems. I've tested with wheezy repository 
with the same result. That's strange because this works fine with a 
Debian 6.0 running on an Virtual Box VM.

Any Idea ?

Re: Unable to bind socket: 80 : Permission denied

Posted by Matthieu Bienvenüe <ma...@exultet.net>.

I've tried with Apache and it works fine listening on port 80.
More I'm able to run ATS on port 80 inside a Virtual Box VM running 
Debian with the same ATS package !
The problem is ATS inside an OpenVZ container.



Le 09/04/2013 17:23, Reindl Harald a écrit :
> you could try config any other service on port 80
> like postfix or xinetd and if this fails too you
> can stop to search the problem in ATS at all
>
> i can say for sure that my main-loadbalancer is ATS on port 80
>
> Am 09.04.2013 16:29, schrieb Matthieu Bienvenüe:
>> I've just tryed to install ATS from source and after the compilation, ATS agrees to start using port 8080 but
>> refuse when setup to 80 :(
>>
>> Le 09/04/2013 08:21, Matthieu Bienvenüe a écrit :
>>> I'm using a Debian package. I don't have compiled myself. But the same package works fine under a Debian run in
>>> Virtual Box VM.
>>>
>>> Le 08/04/2013 23:59, Uri Shachar a écrit :
>>>> On Mon, 8 Apr 2013 16:36:17 +0200 Matthieu Bienvenüe <ma...@exultet.net> wrote:
>>>>> I test your solution :
>>>>> - remove traffic server
>>>>> - install libpcap-dev
>>>>> - instrall traffic server
>>>>>
>>>>> and I've the same problem.
>>>>>
>>>>>
>>>>> Le 08/04/2013 16:24, Leif Hedstrom a écrit :
>>>>>> Did the build link with Posix Capabilities (libpcap)? On most system,
>>>>>> you have to explicitly tell it to install the "dev" package for this
>>>>>> for us to be able to pick it up.
>>>>>>
>>>>>> -- Leif
>>>>      When you compiled your ATS - what configuration settings did you use?
>>>> Did the build host have libcap-dev installed __before__ the compilation?

Re: Unable to bind socket: 80 : Permission denied

Posted by Reindl Harald <h....@thelounge.net>.

you could try config any other service on port 80
like postfix or xinetd and if this fails too you
can stop to search the problem in ATS at all

i can say for sure that my main-loadbalancer is ATS on port 80

Am 09.04.2013 16:29, schrieb Matthieu Bienvenüe:
> I've just tryed to install ATS from source and after the compilation, ATS agrees to start using port 8080 but
> refuse when setup to 80 :(
> 
> Le 09/04/2013 08:21, Matthieu Bienvenüe a écrit :
>> I'm using a Debian package. I don't have compiled myself. But the same package works fine under a Debian run in
>> Virtual Box VM.
>>
>> Le 08/04/2013 23:59, Uri Shachar a écrit :
>>> On Mon, 8 Apr 2013 16:36:17 +0200 Matthieu Bienvenüe <ma...@exultet.net> wrote:
>>> > I test your solution :
>>> > - remove traffic server
>>> > - install libpcap-dev
>>> > - instrall traffic server
>>> >
>>> > and I've the same problem.
>>> >
>>> >
>>> > Le 08/04/2013 16:24, Leif Hedstrom a écrit :
>>> > >
>>> > > Did the build link with Posix Capabilities (libpcap)? On most system,
>>> > > you have to explicitly tell it to install the "dev" package for this
>>> > > for us to be able to pick it up.
>>> > >
>>> > > -- Leif
>>>
>>>     When you compiled your ATS - what configuration settings did you use?
>>> Did the build host have libcap-dev installed __before__ the compilation?

Re: Unable to bind socket: 80 : Permission denied

Posted by Matthieu Bienvenüe <ma...@exultet.net>.

I've just tryed to install ATS from source and after the compilation, 
ATS agrees to start using port 8080 but refuse when setup to 80 :(

Regards

Le 09/04/2013 08:21, Matthieu Bienvenüe a écrit :
> I'm using a Debian package. I don't have compiled myself. But the same 
> package works fine under a Debian run in Virtual Box VM.
>
>
> Le 08/04/2013 23:59, Uri Shachar a écrit :
>> On Mon, 8 Apr 2013 16:36:17 +0200 Matthieu Bienvenüe 
>> <ma...@exultet.net> wrote:
>> > I test your solution :
>> > - remove traffic server
>> > - install libpcap-dev
>> > - instrall traffic server
>> >
>> > and I've the same problem.
>> >
>> >
>> > Le 08/04/2013 16:24, Leif Hedstrom a écrit :
>> > >
>> > > Did the build link with Posix Capabilities (libpcap)? On most 
>> system,
>> > > you have to explicitly tell it to install the "dev" package for this
>> > > for us to be able to pick it up.
>> > >
>> > > -- Leif
>>
>>     When you compiled your ATS - what configuration settings did you use?
>> Did the build host have libcap-dev installed __before__ the compilation?
>>
>>          --Uri
>>
>>
>
>

Re: Unable to bind socket: 80 : Permission denied

Posted by Matthieu Bienvenüe <ma...@exultet.net>.

I'm using a Debian package. I don't have compiled myself. But the same 
package works fine under a Debian run in Virtual Box VM.


Le 08/04/2013 23:59, Uri Shachar a écrit :
> On Mon, 8 Apr 2013 16:36:17 +0200 Matthieu Bienvenüe 
> <ma...@exultet.net> wrote:
> > I test your solution :
> > - remove traffic server
> > - install libpcap-dev
> > - instrall traffic server
> >
> > and I've the same problem.
> >
> >
> > Le 08/04/2013 16:24, Leif Hedstrom a écrit :
> > >
> > > Did the build link with Posix Capabilities (libpcap)? On most system,
> > > you have to explicitly tell it to install the "dev" package for this
> > > for us to be able to pick it up.
> > >
> > > -- Leif
>
>     When you compiled your ATS - what configuration settings did you use?
> Did the build host have libcap-dev installed __before__ the compilation?
>
>          --Uri
>
>

RE: Unable to bind socket: 80 : Permission denied

Posted by Uri Shachar <us...@hotmail.com>.

On Mon, 8 Apr 2013 16:36:17 +0200 Matthieu Bienvenüe <ma...@exultet.net> wrote:
> I test your solution :
> - remove traffic server
> - install libpcap-dev
> - instrall traffic server
> 
> and I've the same problem.
> 
> 
> Le 08/04/2013 16:24, Leif Hedstrom a écrit :
> >
> > Did the build link with Posix Capabilities (libpcap)? On most system, 
> > you have to explicitly tell it to install the "dev" package for this 
> > for us to be able to pick it up.
> >
> > -- Leif

    When you compiled your ATS - what configuration settings did you use?
Did the build host have libcap-dev installed __before__ the compilation?

         --Uri

Re: Unable to bind socket: 80 : Permission denied

Posted by "Alan M. Carroll" <am...@network-geographics.com>.

Thursday, April 11, 2013, 3:59:27 AM, you wrote:

http://trafficserver.apache.org/docs/trunk/sdk/troubleshooting-tips/unable-to-debug-tags.en.html

There is an updated version here which will show up on mainline someday.

http://trafficserver.staging.apache.org/docs/trunk/sdk/troubleshooting-tips/unable-to-debug-tags.en.html

Re: Unable to bind socket: 80 : Permission denied

Posted by James Peach <jp...@apache.org>.

On Apr 11, 2013, at 1:59 AM, Matthieu Bienvenüe <ma...@exultet.net> wrote:

> How could I enable this tag ?

In records.config:

CONFIG proxy.config.diags.debug.tags STRING lm
CONFIG proxy.config.diags.debug.enabled INT 1

> 
> Le 09/04/2013 20:20, Alan M. Carroll a écrit :
>> Expected, using libcap is more secure but not more powerful. Essentially it enables the traffic_manager and traffic_server processes to completely drop root access and still work. Without it they retain the ability to restore super user status because otherwise they cannot perform restricted operations (such as bind to a reserved port).
>> 
>> The only thing I can suggest at this point is to enable "lm" debug tags - those might provide some further insight. When a reserved port is bound without libcap (which is normally done in the traffic_manager process) it has to reset the euid to 0 and possibly that is failing because of VZ.
>> 
> 
>

Re: Unable to bind socket: 80 : Permission denied

Posted by Matthieu Bienvenüe <ma...@exultet.net>.

How could I enable this tag ?

Le 09/04/2013 20:20, Alan M. Carroll a écrit :
> Expected, using libcap is more secure but not more powerful. Essentially it enables the traffic_manager and traffic_server processes to completely drop root access and still work. Without it they retain the ability to restore super user status because otherwise they cannot perform restricted operations (such as bind to a reserved port).
>
> The only thing I can suggest at this point is to enable "lm" debug tags - those might provide some further insight. When a reserved port is bound without libcap (which is normally done in the traffic_manager process) it has to reset the euid to 0 and possibly that is failing because of VZ.
>

Re: Unable to bind socket: 80 : Permission denied

Posted by "Alan M. Carroll" <am...@network-geographics.com>.

Expected, using libcap is more secure but not more powerful. Essentially it enables the traffic_manager and traffic_server processes to completely drop root access and still work. Without it they retain the ability to restore super user status because otherwise they cannot perform restricted operations (such as bind to a reserved port).

The only thing I can suggest at this point is to enable "lm" debug tags - those might provide some further insight. When a reserved port is bound without libcap (which is normally done in the traffic_manager process) it has to reset the euid to 0 and possibly that is failing because of VZ.

Re: Unable to bind socket: 80 : Permission denied

Posted by Matthieu Bienvenüe <ma...@exultet.net>.

I test your solution :
- remove traffic server
- install libpcap-dev
- instrall traffic server

and I've the same problem.


Le 08/04/2013 16:24, Leif Hedstrom a écrit :
> On 4/8/13 5:27 AM, Matthieu Bienvenüe wrote:
>> Yep, I'm running traffic_cop with root user and it fails.
>> (Linux SE is not used, could block using ports lower than 1024 too)
>> I notice that ATS starts fine when listening port is set to 8080... 
>> but not with 80.
>
> Did the build link with Posix Capabilities (libpcap)? On most system, 
> you have to explicitly tell it to install the "dev" package for this 
> for us to be able to pick it up.
>
> -- Leif
>

Re: Unable to bind socket: 80 : Permission denied

Posted by Leif Hedstrom <zw...@apache.org>.

On 4/8/13 5:27 AM, Matthieu Bienvenüe wrote:
> Yep, I'm running traffic_cop with root user and it fails.
> (Linux SE is not used, could block using ports lower than 1024 too)
> I notice that ATS starts fine when listening port is set to 8080... but 
> not with 80.

Did the build link with Posix Capabilities (libpcap)? On most system, you 
have to explicitly tell it to install the "dev" package for this for us to 
be able to pick it up.

-- Leif

Re: Unable to bind socket: 80 : Permission denied

Posted by Matthieu Bienvenüe <ma...@exultet.net>.

Yep, I'm running traffic_cop with root user and it fails.
(Linux SE is not used, could block using ports lower than 1024 too)
I notice that ATS starts fine when listening port is set to 8080... but 
not with 80.

Le 08/04/2013 13:20, Uri Shachar a écrit :
> On Mon, 8 Apr 2013 12:02:02 +0200 Matthieu Bienvenüe <ma...@exultet.net> wrote:
>
>> After the install, I'm changing the listenning port to 80 and here comes
>> problems :
> ...
>> [Apr 8 08:51:37.519] Manager {0xb70756d0} ERROR: (last system error
>> 13: Permission denied)
> Does the user running ATS have permissions to use privileged ports ?
> (by default regular users cannot bind to ports under 1024)
>
>            --Uri

RE: Unable to bind socket: 80 : Permission denied

Posted by Uri Shachar <us...@hotmail.com>.

On Mon, 8 Apr 2013 12:02:02 +0200 Matthieu Bienvenüe <ma...@exultet.net> wrote:

> After the install, I'm changing the listenning port to 80 and here comes
> problems :
...
> [Apr 8 08:51:37.519] Manager {0xb70756d0} ERROR: (last system error
> 13: Permission denied)

Does the user running ATS have permissions to use privileged ports ?
(by default regular users cannot bind to ports under 1024)

          --Uri

Re: Unable to bind socket: 80 : Permission denied

Posted by Matthieu Bienvenüe <ma...@exultet.net>.

Yeah you're right ! Why I don't think at that first !
Regards

Le 08/04/2013 12:32, Reindl Harald a écrit :
>
> Am 08.04.2013 12:02, schrieb Matthieu Bienvenüe:
>> I'm currently have a problem wih setting ATS up. I'm using an OpenVZ container (Proxmox 2.3) that runs debian 6.0.
>>
>> [Apr  8 08:51:37.519] Manager {0xb70756d0} NOTE: [ClusterCom::ClusterCom] Node running on OS: 'Linux' Release:
>> '2.6.32-19-pve'
>> [Apr  8 08:51:37.519] Manager {0xb70756d0} ERROR: [bindProxyPort] Unable to bind socket: 80 : Permission denied
>> [Apr  8 08:51:37.519] Manager {0xb70756d0} ERROR:  (last system error 13: Permission denied)
>> [E. Mgmt] log ==> [TrafficManager] using root directory '/usr'
>> [Apr  8 08:51:37.526] {0xb70386d0} STATUS: opened /var/log/trafficserver/manager.log
>> [Apr  8 08:51:37.526] {0xb70386d0} NOTE: updated diags config
>> [Apr  8 08:51:37.526] Manager {0xb70386d0} NOTE: [appendDefaultDomain] Unable to determine default domain name.
>> Nodes will be know by their unqualified host name
>> [Apr  8 08:51:37.527] Manager {0xb70386d0} NOTE: [ClusterCom::ClusterCom] Node running on OS: 'Linux' Release:
>> '2.6.32-19-pve'
>> [Apr  8 08:51:37.527] Manager {0xb70386d0} ERROR: [bindProxyPort] Unable to bind socket: 80 : Permission denied
>> [Apr  8 08:51:37.527] Manager {0xb70386d0} ERROR:  (last system error 13: Permission denied)
>>
>> I don't know why I've such problems. I've tested with wheezy repository with the same result. That's strange
>> because this works fine with a Debian 6.0 running on an Virtual Box VM
> i suspect that not much users running ATS in OpenVZ
>
> maybe the better list would be a OpenVZ specific because it is surely some restriction
> of the container if the same packages are working fine native and in vbox
>
>

Re: Unable to bind socket: 80 : Permission denied

Posted by Reindl Harald <h....@thelounge.net>.


Am 08.04.2013 12:02, schrieb Matthieu Bienvenüe:
> I'm currently have a problem wih setting ATS up. I'm using an OpenVZ container (Proxmox 2.3) that runs debian 6.0.
>
> [Apr  8 08:51:37.519] Manager {0xb70756d0} NOTE: [ClusterCom::ClusterCom] Node running on OS: 'Linux' Release:
> '2.6.32-19-pve'
> [Apr  8 08:51:37.519] Manager {0xb70756d0} ERROR: [bindProxyPort] Unable to bind socket: 80 : Permission denied
> [Apr  8 08:51:37.519] Manager {0xb70756d0} ERROR:  (last system error 13: Permission denied)
> [E. Mgmt] log ==> [TrafficManager] using root directory '/usr'
> [Apr  8 08:51:37.526] {0xb70386d0} STATUS: opened /var/log/trafficserver/manager.log
> [Apr  8 08:51:37.526] {0xb70386d0} NOTE: updated diags config
> [Apr  8 08:51:37.526] Manager {0xb70386d0} NOTE: [appendDefaultDomain] Unable to determine default domain name.
> Nodes will be know by their unqualified host name
> [Apr  8 08:51:37.527] Manager {0xb70386d0} NOTE: [ClusterCom::ClusterCom] Node running on OS: 'Linux' Release:
> '2.6.32-19-pve'
> [Apr  8 08:51:37.527] Manager {0xb70386d0} ERROR: [bindProxyPort] Unable to bind socket: 80 : Permission denied
> [Apr  8 08:51:37.527] Manager {0xb70386d0} ERROR:  (last system error 13: Permission denied)
> 
> I don't know why I've such problems. I've tested with wheezy repository with the same result. That's strange
> because this works fine with a Debian 6.0 running on an Virtual Box VM

i suspect that not much users running ATS in OpenVZ

maybe the better list would be a OpenVZ specific because it is surely some restriction
of the container if the same packages are working fine native and in vbox