Azure Container Instance haproxy port bind issue

Question

Azure Container Instance haproxy port bind issue

Bernard Steyn 20

Hey all,

I am having some issues running haproxy as a container instance when trying to bind to port 80/443 in the haproxy.cfg:

frontend fe-web
    bind *:80
    bind *:443 ssl crt certlocation

The container instance goes into a failed state, with error:

[ALERT]    (58) : Binding [/usr/local/etc/haproxy/haproxy.cfg:37] for frontend fe-web: cannot bind socket (Permission denied) for [0.0.0.0:80]
[ALERT]    (58) : Binding [/usr/local/etc/haproxy/haproxy.cfg:38] for frontend fe-web: cannot bind socket (Permission denied) for [0.0.0.0:443]

When I changed the bind ports to 8080 / 8443 , the container starts up fine without the permission denied error.

I have tried starting the container instance with --privileged , with --run-as--user 0 (or --run-as-user root) as well as --run-as-group 0 (or root). Still no luck.

Even changing the haproxy user in haproxy.cfg to root does not resolve the issue, example:

user haproxy
group haproxy

->

user root
group root

Does anyone have a solution for this? Is there a reason I am able to bind to ports 8080/8443, but not 80/443 in Azure?

Please let me know if any additional information is needed.

Thank you in advance!

Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-10T09:28:09.6066667+00:00

Use Port Mapping: One common approach to fix the issue of binding to lower ports is to bind HAProxy to higher ports within the container (e.g., 8080 and 8443) and then use port mapping to map these higher container ports to the desired host ports (80 and 443) when you start the container.

For example, when starting the container, you could use:

docker run -p 80:8080 -p 443:8443 <image_name>

This maps port 8080 inside the container to port 80 on the host, and port 8443 inside the container to port 443 on the host.
Bernard Steyn 20 Reputation points

2023-08-10T09:36:57.06+00:00

Hi Deepanshu , thank you for the response! This works fine with normal docker run, the issue is with azure container instances. You can only listen on specific ports when creating container instances, for example:

az container create --resource-group RG --name haproxy --image xxxx.azurecr.io/test/haproxy:latest --cpu 1 --memory 1 --ip-address Private --ports 80 443

haproxy.cfg has to bind to ports 80/443 , but with azure container instances, I get permissions denied.

My full command (x's to hide sensitive paths):

az container create --resource-group RG --name haproxy --image xxxxx.azurecr.io/test/haproxy:latest --run-as-user root --run-as-group 0 --cpu 1 --memory 1 --ip-address Private --ports 80 443 --assign-identity /subscriptions/xxxxxxxxxxxxx/resourcegroups/RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/xxxxIdentity --acr-identity xxxxidentity --location southafricanorth --vnet xxxxVN --subnet xxxxSubnet --subnet xxxxSubnet --azure-file-volume-account-name xxxxxxx --azure-file-volume-share-name xxxxx/HAPROXY/conf --azure-file-volume-mount-path /usr/local/etc/haproxy --azure-file-volume-account-key xxxx --restart-policy Never --privileged
Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-10T09:44:04.43+00:00

Ok so to answer this ACI ( Azure container instance) service does reserve the following ports for service functionality: 22, 443, 1025-1027, 3389-3399, 9999, 19000, 19080, 19390, 19100, 20000-30000, 49152-65534. Avoid using these ports in your container group definition.

document for reference: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-faq

I hope this answer your question, please accept if it does, Thanks!
Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-10T10:50:01.0866667+00:00

@Bernard Steyn , can you please confirm , if it has helped you

Thanks
Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-10T10:51:07.6266667+00:00

Hi Bernard , can you please confirm , if it has helped you , Thanks
Bernard Steyn 20 Reputation points

2023-08-10T11:33:24.88+00:00

Hi Deepanshu - yes, thank you. So these ports are not available for use within the container instances.
Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-10T12:41:39.4633333+00:00

Yes right Bernard , can you please accept my answer , Thanks
Bernard Steyn 20 Reputation points

2023-08-10T13:43:11.73+00:00

Hi Deepanshu, please put the comment about the ports as "Your Answer" instead of a comment and I will be able to accept it :)
Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-11T04:44:18.9033333+00:00

Hi Bernard , I have done that please check now and accept , Thanks

Accepted answer

0 additional answers

Your answer

Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-10T09:28:09.6066667+00:00

Use Port Mapping: One common approach to fix the issue of binding to lower ports is to bind HAProxy to higher ports within the container (e.g., 8080 and 8443) and then use port mapping to map these higher container ports to the desired host ports (80 and 443) when you start the container.

For example, when starting the container, you could use:

docker run -p 80:8080 -p 443:8443 <image_name>

This maps port 8080 inside the container to port 80 on the host, and port 8443 inside the container to port 443 on the host.
Bernard Steyn 20 Reputation points

2023-08-10T09:36:57.06+00:00

Hi Deepanshu , thank you for the response! This works fine with normal docker run, the issue is with azure container instances. You can only listen on specific ports when creating container instances, for example:

az container create --resource-group RG --name haproxy --image xxxx.azurecr.io/test/haproxy:latest --cpu 1 --memory 1 --ip-address Private --ports 80 443

haproxy.cfg has to bind to ports 80/443 , but with azure container instances, I get permissions denied.

My full command (x's to hide sensitive paths):

az container create --resource-group RG --name haproxy --image xxxxx.azurecr.io/test/haproxy:latest --run-as-user root --run-as-group 0 --cpu 1 --memory 1 --ip-address Private --ports 80 443 --assign-identity /subscriptions/xxxxxxxxxxxxx/resourcegroups/RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/xxxxIdentity --acr-identity xxxxidentity --location southafricanorth --vnet xxxxVN --subnet xxxxSubnet --subnet xxxxSubnet --azure-file-volume-account-name xxxxxxx --azure-file-volume-share-name xxxxx/HAPROXY/conf --azure-file-volume-mount-path /usr/local/etc/haproxy --azure-file-volume-account-key xxxx --restart-policy Never --privileged
Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-10T09:44:04.43+00:00

Ok so to answer this ACI ( Azure container instance) service does reserve the following ports for service functionality: 22, 443, 1025-1027, 3389-3399, 9999, 19000, 19080, 19390, 19100, 20000-30000, 49152-65534. Avoid using these ports in your container group definition.

document for reference: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-faq

I hope this answer your question, please accept if it does, Thanks!
Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-10T10:50:01.0866667+00:00

@Bernard Steyn , can you please confirm , if it has helped you

Thanks
Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-10T10:51:07.6266667+00:00

Hi Bernard , can you please confirm , if it has helped you , Thanks
Bernard Steyn 20 Reputation points

2023-08-10T11:33:24.88+00:00

Hi Deepanshu - yes, thank you. So these ports are not available for use within the container instances.
Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-10T12:41:39.4633333+00:00

Yes right Bernard , can you please accept my answer , Thanks
Bernard Steyn 20 Reputation points

2023-08-10T13:43:11.73+00:00

Hi Deepanshu, please put the comment about the ports as "Your Answer" instead of a comment and I will be able to accept it :)
Deepanshukatara-6769 16,565 Reputation points Moderator

2023-08-11T04:44:18.9033333+00:00

Hi Bernard , I have done that please check now and accept , Thanks

Answer 1

Deepanshukatara-6769 16,565 Moderator

Ok so to answer this ACI ( Azure container instance) service does reserve the following ports for service functionality: 22, 443, 1025-1027, 3389-3399, 9999, 19000, 19080, 19390, 19100, 20000-30000, 49152-65534. Avoid using these ports in your container group definition.

document for reference: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-faq

I hope this answer your question, please accept if it does, Thanks!

Share via

Azure Container Instance haproxy port bind issue

0 additional answers

Your answer