Consider not to bind Apache to port 80 #11

Open
frlan opened this issue Dec 13, 2024 · 3 comments

frlan commented Dec 13, 2024

This is just a kind of a discussion starter:
Is it really needed to bind the container internal Apache to port 80?

Usually you do a port mapping as well as/or a reverse proxy anyway in front of this container I'd say. Both might be used to forward 9000 or 8080 to anything like 80/443 that's needed to really make use of the container. For local development a localhost:8080 would be totally fine IMHO, too.

Port 80, as a privileged port, needs capabilities for Apache to bind.


frlan commented Dec 13, 2024

Background: On my provider while playing around I had issues with starting the container on their infrastructure:

```
2024-12-13T14:00:53.049783600+00:00 stderr F (13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
2024-12-13T14:00:52.047921529+00:00 stderr F (13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
2024-12-13T14:00:53.049783600+00:00 stderr F (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
2024-12-13T14:00:53.049783600+00:00 stderr F no listening sockets available, shutting down
2024-12-13T14:00:52.047921529+00:00 stderr F (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
2024-12-13T14:00:52.047921529+00:00 stderr F no listening sockets available, shutting down
2024-12-13T14:00:52.047921529+00:00 stderr F AH00015: Unable to open logs
2024-12-13T14:00:53.049783600+00:00 stderr F AH00015: Unable to open logs
2024-12-13T14:01:06.256085296+00:00 stderr F (13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
2024-12-13T14:01:06.256265430+00:00 stderr F (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
2024-12-13T14:01:06.256265430+00:00 stderr F no listening sockets available, shutting down
2024-12-13T14:01:06.256265430+00:00 stderr F AH00015: Unable to open logs
```

@martin-helmich

> On my provider ...

Hello, that's us! 🙋 We'll be starting containers with NET_BIND_SERVICE capabilities in the future, so this should eventually work out as-is.

However, there are other providers which either prescribe a fixed port (Google App Engine requires you to listen on 8080, for example), or set a PORT environment variable and expect workloads to listen on that port. There might also be more restricted environments, in which setting the NET_BIND_SERVICE capability is not supported (let alone running containers with UID=0).

For all of these reasons, it might make sense to make the listen port configurable, for example by supporting a PORT environment variable.


michaelmcandrew commented Dec 16, 2024

Hey there,

In general I would like to stick to the defaults and upstream settings wherever possible to ensure a 'neutral' starting point that can be used as the basis for various setups.

For that reason, I am reluctant to specify a port that is different to the upstream default or tie it to an arbitrary port even if Google or Kubernetes says that is best practice.

One thing to bear in mind when discussing all of this is that there is nothing stopping you from adding extra steps on the end of this Dockerfile in your own build steps. So you could do something like:

```dockerfile
FROM civicrm/civicrm

RUN # make some changes here
```

That all said, for now, I have added the following lines to the CiviCRM Dockerfile: https://github.com/civicrm/civicrm-docker/blob/main/build/civicrm/Dockerfile#L41-L46 which means that you can set the Apache port via an environment variable APACHE_PORT.

I've labeled it as experimental for now since we might want to change the implementation in the future, but hopefully it meets your needs for now.
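
Added example (not from the thread or from the civicrm-docker repository): a preflight check that a container entrypoint could run before starting Apache, connecting the `AH00072` bind failure, the `NET_BIND_SERVICE` capability and the `APACHE_PORT`/`PORT` variables discussed above. The function names are hypothetical, and the precedence `APACHE_PORT`, then `PORT`, then 80 is an assumption.

```shell
#!/bin/sh
# Added example: entrypoint preflight for the listen port (hypothetical helpers).

# True if the hex capability mask $1 (CapEff in /proc/self/status) has
# CAP_NET_BIND_SERVICE, which is capability number 10.
has_net_bind_service() {
    [ $(( (0x$1 >> 10) & 1 )) -eq 1 ]
}

# Print $1 if it is a plain decimal port in 1..65535, else fail.
validate_port() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65535 ] || return 1
    printf '%s\n' "$1"
}

# True if bind() to port $1 can succeed with capability mask $2, where $3 is
# the first unprivileged port (sysctl net.ipv4.ip_unprivileged_port_start).
can_bind() {
    [ "$1" -ge "$3" ] || has_net_bind_service "$2"
}

# Assumed precedence: APACHE_PORT, then PORT, then Apache's default of 80.
preflight() {
    port=$(validate_port "${APACHE_PORT:-${PORT:-80}}") || {
        echo "listen port must be an integer in 1..65535" >&2
        return 2
    }
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null) || capeff=0
    start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null) || start=1024
    if can_bind "$port" "${capeff:-0}" "$start"; then
        echo "preflight ok: port $port"
    else
        echo "port $port is below $start and CAP_NET_BIND_SERVICE is missing;" \
             "set APACHE_PORT/PORT to an unprivileged port or grant the capability" >&2
        return 1
    fi
}
```

Calling `preflight` before exec'ing the web server makes the container fail with an actionable message instead of the `AH00072` permission error.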
