Is it possible to start quarkus application on port 80 ?

1,134 views
Skip to first unread message

Evgeniy Sharapov

unread,
Apr 29, 2020, 10:15:52 AM4/29/20
to Quarkus Development mailing list
I have put 

 quarkus.http.port=80

in application.proprties, but i get the following error 

2020-04-28 16:42:35,668 ERROR [io.qua.application] (main) Failed to start application: java.lang.RuntimeException: Unable to start HTTP server
        at io.quarkus.vertx.http.runtime.VertxHttpRecorder.doServerStart(VertxHttpRecorder.java:363)
        at io.quarkus.vertx.http.runtime.VertxHttpRecorder.startServer(VertxHttpRecorder.java:173)
        at io.quarkus.deployment.steps.VertxHttpProcessor$finalizeRouter46.deploy_0(VertxHttpProcessor$finalizeRouter46.zig:354)
        at io.quarkus.deployment.steps.VertxHttpProcessor$finalizeRouter46.deploy(VertxHttpProcessor$finalizeRouter46.zig:373)
        at io.quarkus.runner.ApplicationImpl.doStart(ApplicationImpl.zig:239)
        at io.quarkus.runtime.Application.start(Application.java:90)
        at io.quarkus.runtime.Application.run(Application.java:228)
        at io.quarkus.runner.GeneratedMain.main(GeneratedMain.zig:41)
Caused by: java.util.concurrent.ExecutionException: java.net.SocketException: Permission denied
        at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
        at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1908)
        at io.quarkus.vertx.http.runtime.VertxHttpRecorder.doServerStart(VertxHttpRecorder.java:334)
        ... 7 more
Caused by: java.net.SocketException: Permission denied
        at sun.nio.ch.Net.bind0(Native Method)
        at sun.nio.ch.Net.bind(Net.java:433)
        at sun.nio.ch.Net.bind(Net.java:425)
        at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:220)
        at io.netty.channel.socket.nio.NioServerSocketChannel.doBind(NioServerSocketChannel.java:134)
        at io.netty.channel.AbstractChannel$AbstractUnsafe.bind(AbstractChannel.java:550)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.bind(DefaultChannelPipeline.java:1334)
        at io.netty.channel.AbstractChannelHandlerContext.invokeBind(AbstractChannelHandlerContext.java:504)
        at io.netty.channel.AbstractChannelHandlerContext.bind(AbstractChannelHandlerContext.java:489)
        at io.netty.channel.DefaultChannelPipeline.bind(DefaultChannelPipeline.java:973)
        at io.netty.channel.AbstractChannel.bind(AbstractChannel.java:248)
        at io.netty.bootstrap.AbstractBootstrap$2.run(AbstractBootstrap.java:348)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasksFrom(SingleThreadEventExecutor.java:428)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:377)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:488)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.lang.Thread.run(Thread.java:748)

Georgios Andrianakis

unread,
Apr 29, 2020, 10:22:08 AM4/29/20
to evgeniy....@gmail.com, Quarkus Development mailing list
In Linux for that to work you need to start the application with a root level user

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/29fcdc60-68e6-4e2b-a5fa-6dfcd216e658%40googlegroups.com.

Guillaume Smet

unread,
Apr 29, 2020, 10:25:04 AM4/29/20
to Georgios Andrianakis, evgeniy....@gmail.com, Quarkus Development mailing list
And that's really not something you should do.

Better put a proxy in front of it.

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALeTM-noRgp%2B9NvYYYUZ54HAR%2BhuwESmhPh8-YpqZxyP%3DmxV6A%40mail.gmail.com.

Evgeniy Sharapov

unread,
Apr 29, 2020, 10:48:31 AM4/29/20
to Quarkus Development mailing list
That is being a member of wheel or root groups ? 


On Wednesday, April 29, 2020 at 10:22:08 AM UTC-4, Georgios Andrianakis wrote:
In Linux for that to work you need to start the application with a root level user

To unsubscribe from this group and stop receiving emails from it, send an email to quark...@googlegroups.com.

Emmanuel Bernard

unread,
Apr 29, 2020, 11:50:10 AM4/29/20
to Guillaume Smet, Georgios Andrianakis, evgeniy....@gmail.com, Quarkus Development mailing list
It would be worth saying why?
My guess is that you think the Quarkus app potentially does more things and has more resource rights than the proxy, therefore it's better to accepted the extra hop so that if the proxy is compromised, it should have root access but inherently can do less? I'm not entirely sure I buy my guess :D

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALt0%2Bo-H%2BP5j3GNDgzDZWW-u7spMNwv0B%3DDLrGGZAzubx6tmCA%40mail.gmail.com.

Georgios Andrianakis

unread,
Apr 29, 2020, 12:01:00 PM4/29/20
to Emmanuel Bernard, Guillaume Smet, evgeniy....@gmail.com, Quarkus Development mailing list
Another reason is that in a container environment like Openshift you can't run the application as root - for security reasons.

Emmanuel Bernard

unread,
Apr 29, 2020, 12:40:58 PM4/29/20
to Georgios Andrianakis, Guillaume Smet, Quarkus Development mailing list, evgeniy....@gmail.com
Right but in a container orchestrator, the proxy front of services does something useful like transparent balancing

Georgios Andrianakis

unread,
Apr 29, 2020, 12:43:12 PM4/29/20
to Emmanuel Bernard, Guillaume Smet, Quarkus Development mailing list, evgeniy....@gmail.com
Yeah,

In a non container environment I presume it's much better to have a single point that uses root access, instead of every point at which the application is deployed.

Guillaume Smet

unread,
Apr 29, 2020, 12:47:31 PM4/29/20
to Emmanuel Bernard, Georgios Andrianakis, evgeniy....@gmail.com, Quarkus Development mailing list
Most of the proxies use very low privileges processes to serve the requests so you start as root but the processes serving the requests are not root.

If you start Quarkus itself as root then your application will keep running with root privileges and serve your requests as root.

Emmanuel Bernard

unread,
Apr 29, 2020, 12:55:19 PM4/29/20
to Guillaume Smet, Georgios Andrianakis, Quarkus Development mailing list, evgeniy....@gmail.com
Ok, thanks, that makes sense. 

David Lloyd

unread,
Apr 29, 2020, 1:07:02 PM4/29/20
to Georgios Andrianakis, evgeniy....@gmail.com, Quarkus Development mailing list
The "classic" Java-on-Linux solution is to use `iptables`; see
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#REDIRECTTARGET
for info on how to do that.

There is also `setcap` but it doesn't (usually) work with Java because
of obscure linkage issues with the `java` executable.
> To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALeTM-noRgp%2B9NvYYYUZ54HAR%2BhuwESmhPh8-YpqZxyP%3DmxV6A%40mail.gmail.com.



--
- DML

Reply all
Reply to author
Forward
0 new messages