Questions about network-bind interface

I want to pack a snap with two parts; both are daemons and need to listen on a specific port.

Let's say part A listens on port 443 as a reverse proxy, forwarding all traffic to part B.

And part B listens on port 10080.

Here are the questions:

  1. I just want port 443 exposed to the public network. Is a network interface required?

  2. Do both part A and part B require network-bind to communicate with each other?

Thanks.

The network-bind interface gives your app access to the socket() syscall… so any app that wants to open a socket will need it.

@ogra hello dear ogra, I have another question: how can I let a snap service bind a privileged port like 443?

I did a lot of googling and can’t find an answer, please help!

There is nothing snap specific here … if you have the interface plug defined, you simply start your service that listens on that port, like you’d do it without being inside a snap.

I tried running my command in the snap shell

$ snap run --shell mycommand.caddy

then I want to start caddy

$ caddy run --config $SNAP_USER_DATA/Caddyfile

but got a permission denied error

listen tcp :443: bind: permission denied

Sorry, I thought it was a snap problem. Is there anything I am doing wrong, or any suggestion? Thanks!

No, this would happen as well if you ran it outside of the snap as a non-root user. To bind to such a low-numbered port you need to be root; ports below 1024 are in general reserved for admin use …

Use sudo snap run --shell mycommand.caddy and it should work fine.

This brings up another problem.

When using sudo snap run --shell mycommand.caddy, $SNAP_USER_DATA turns into /root/snap/mycommand/x1,

but my caddy config file is in /home/$USER/snap/mycommand/x1, so it can’t be seen by caddy.

I looked at the documentation of snap and found out that the daemon is actually a systemd service.

A systemd service has a feature called “AmbientCapabilities=CAP_NET_BIND_SERVICE”; it allows the service to bind ports below 1024 while running as a non-root user.

I don't know if snap has this feature.

Right, a system daemon would rather have its config live in a system wide place like $SNAP_DATA… which points to /var/snap/mycommand/current…

If you want to use your app as a user daemon you’d have to pick a higher port number, but this is again not a snap thing…

I don’t think we allow ambient capabilities, as it would rip open a big security hole working around the host's defaults picked by the admin.
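The setup discussed in this thread, written out as a snapcraft.yaml fragment. This is an added example, not a file from the original thread or from the snap being built; the snap name mycommand and the app names proxy and backend are taken from or assumed for this discussion, and the part definitions are left as placeholders. It shows the two points the replies make: every app that opens a socket declares network-bind, and a daemon app keeps its config under $SNAP_DATA rather than $SNAP_USER_DATA.

```yaml
# Added example: two daemon apps in one strictly confined snap.
# Assumed names: mycommand (snap), proxy and backend (apps).
name: mycommand
base: core22
version: '0.1'
summary: Reverse proxy in front of a backend service
description: Part A (caddy) listens on 443 and forwards to part B on 10080.
grade: stable
confinement: strict

apps:
  # Part A: public-facing reverse proxy on 443.
  # daemon: simple makes snapd run it as a root systemd service,
  # which is why binding a port below 1024 works here while it is
  # denied under "snap run --shell" as an ordinary user.
  proxy:
    command: bin/caddy run --config $SNAP_DATA/Caddyfile
    daemon: simple
    restart-condition: on-failure
    plugs:
      - network-bind   # needed to listen on 443
      - network        # outbound connection to the backend (declared alongside network-bind, as is conventional)

  # Part B: internal service on 10080, reached only by the proxy
  # over localhost; it still opens a listening socket, so it also
  # needs network-bind. Nothing here exposes 10080 outside the host;
  # that is up to the host firewall, not the snap.
  backend:
    command: bin/backend --listen 127.0.0.1:10080
    daemon: simple
    restart-condition: on-failure
    plugs:
      - network-bind

parts:
  caddy:
    # placeholder: build or stage the caddy binary into bin/
    plugin: nil
  backend:
    # placeholder: build or stage the backend binary into bin/
    plugin: nil
```

The Caddyfile is read from $SNAP_DATA, i.e. /var/snap/mycommand/current/Caddyfile, which the daemon can see regardless of which user invoked snap. Because snapd does not pass ambient capabilities through to services, the root-running daemon is the supported way to bind 443; choosing a port above 1023 would be the alternative for a per-user service.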

OK, thank you for your help!