Systemd system service (User=) and socket activation makes it possible for rootless Podman to use privileged port (TCP 80)

[eriksjolund]

Rootless podman is usually not allowed to listen on port 80 because the kernel setting ip_unprivileged_port_start is usually set to 1024.

$ cat /proc/sys/net/ipv4/ip_unprivileged_port_start
1024

Lowering the number to 80 makes it possible for all users on the computer to listen on port 80.
Rootless podman can then run such a command:

podman run --publish 80:80 IMAGE

Giving this privilege to all users on the computer might not be what you want because often you already know which systemd service should be listening on port 80.

Other solutions to the problem are mentioned in rootless.md ("proxy server, kernel firewall rule, or redirection tool" ) but there is another solution that has not received much attention. If the software in the container supports socket activation, it is possible
to use a systemd system service with User= and rootless Podman.

I added a few examples in the repo https://github.com/eriksjolund/podman-nginx-socket-activation
See Example 3, Example 4, Example 5, Example 6.

How well this solution works is currently unknown. What are the pros and cons? Will it work for other software than nginx? More testing is needed.

References

There is a discussion about adding support for running rootless Podman in a systemd system service with User=

• support User= in systemd for running rootless services #20573