docker-tftpd's People

Contributors

kalaksi, t3hk0d3

docker-tftpd's Issues

TFTPD as non-root user

I think the issue with non-root on your readme is because it's always been like that. Here are some things to try:
Not sure there is a universal answer as it will depend on use cases and user permissions.

If your TFTP server program is inside docker (which btw uses namespaces) then you may need a combination of the following.
And also the same or similar settings within the container and give permissions to docker itself. Though docker itself runs as root it is deliberately restricted.

Normally Linux prevents non-root users from running programs that bind to ports/sockets less than 1024. This is to prevent a non-root user on a multi-user system from stealing a port, as this could be malicious, e.g. by redirecting a login or webpage to a fake terminal or application.
This was before the days of encryption and authentication. These days it's a little more relaxed but you need to get under the hood.

To allow an app to bind to a lower port you need to either.

Network namespaces would only be useful in a virtual network, e.g. for a VM
systemd is too complicated to write up here and probably not what you need.
as for the others....

iptables

# something like
sudo iptables -t nat -A PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 6969
/path/to/tftpd.binary -p 6969 [command line args]

wrapper

sudo touch /etc/authbind/byport/69
sudo chmod 777 /etc/authbind/byport/69
authbind --deep /path/to/tftpd.binary [command line args]

setcap

sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/tftpd.binary
/path/to/tftpd.binary [command line args]

sysctl (not to be confused with systemctl)

# check the default in docker:
docker container exec <container_id> sysctl net.ipv4.ip_unprivileged_port_start
# check the host
grep ip_unprivileged_port_start /etc/sysctl.conf
cat /proc/sys/net/ipv4/ip_unprivileged_port_start

If it still does not play ball in your use case, then take a look at docker itself.
Remember to run docker container with the --privileged command.

docker (compose)

mytftpapp:
    cap_add:
        - "NET_BIND_SERVICE"
    # ... and/or perhaps
    sysctls:
        - net.ipv4.ip_unprivileged_port_start=60
    # ...
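An added diagnostic, not part of the original issue or of the docker-tftpd project: it evaluates the two kernel-side conditions the post above relies on, the net.ipv4.ip_unprivileged_port_start sysctl and CAP_NET_BIND_SERVICE (bit 10 of the effective capability mask), and reports which one would permit a bind. The function names are hypothetical, and the check is a simplification that ignores user-namespace ownership of the network namespace.

```shell
#!/bin/sh
# Added example (hypothetical function names): would bind() to a low port
# succeed for a given process without running it as root?

NET_BIND_BIT=10   # CAP_NET_BIND_SERVICE in linux/capability.h

# has_net_bind_cap <CapEff hex mask>: true when bit 10 is set.
has_net_bind_cap() {
    [ $(( (0x$1 >> $NET_BIND_BIT) & 1 )) -eq 1 ]
}

# can_bind <port> <ip_unprivileged_port_start> <CapEff hex mask>
# Prints which mechanism permits the bind ("sysctl" or "capability"),
# or "denied", and returns 0 or 1 accordingly.
can_bind() {
    if [ "$1" -ge "$2" ]; then
        echo sysctl; return 0          # port is not privileged at all
    fi
    if has_net_bind_cap "$3"; then
        echo capability; return 0      # e.g. granted through setcap
    fi
    echo denied; return 1
}

# check_pid <port> [pid]: apply can_bind to live values from /proc.
# Uses shell builtins only, so no exec changes the capability set read.
check_pid() {
    pid=${2:-$$}
    read -r start < /proc/sys/net/ipv4/ip_unprivileged_port_start
    capeff=$(while read -r key val; do
        case "$key" in CapEff:) echo "$val" ;; esac
    done < "/proc/$pid/status")
    can_bind "$1" "$start" "$capeff"
}

# Usage: sh script.sh 69 [pid]
if [ "$#" -gt 0 ]; then check_pid "$@"; fi
```

File capabilities set with setcap apply to the tftpd binary when it is executed, not to the shell that launches it, so pass the PID of the running daemon rather than checking the shell itself.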

syslinux not in alpine for armhf

Hi,

Just a little note that the Dockerfile fails because it uses the Alpine syslinux package which does not exist in armhf. I was able to build the package by downloading the syslinux package for x86_64 https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/syslinux-6.04_pre1-r6.apk and extracting the files from usr/share/syslinux and then making this change:

diff --git a/Dockerfile b/Dockerfile
index ad3d598..edeaf8c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,9 +7,10 @@ ENV TFTPD_EXTRA_ARGS=""

 RUN apk add --no-cache tftp-hpa

+COPY syslinux /usr/share/syslinux
+
 # Help setting up the basic pxelinux environment
-RUN apk add --no-cache --virtual syslinux_with_deps syslinux && \
-    mkdir -p -m 0755 /tftpboot && \
+RUN mkdir -p -m 0755 /tftpboot && \
     cp -r /usr/share/syslinux /tftpboot && \
     find /tftpboot -type f -exec chmod 444 {} \;  && \
     find /tftpboot -mindepth 1 -type d -exec chmod 555 {} \;  && \
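Review bot: The added `COPY syslinux /usr/share/syslinux` depends on a `syslinux` directory in the build context that this diff does not add, so a clean checkout will fail at that step, and its contents are x86_64 package files extracted by hand with nothing in the build verifying them. Consider fetching the .apk in a build stage and checking it against a pinned checksum before extracting usr/share/syslinux, or at least committing the files together with a note recording the package version and source URL. Since the only consumer is the following `cp -r /usr/share/syslinux /tftpboot`, copying straight to /tftpboot/syslinux would also avoid staging the files under /usr/share.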
@@ -20,7 +21,7 @@ RUN apk add --no-cache --virtual syslinux_with_deps syslinux && \
     # These will point to the symlinks above.
     ln -s ../boot /tftpboot/syslinux/efi64/boot && \
     ln -s ../pxelinux.cfg /tftpboot/syslinux/efi64/pxelinux.cfg && \
-    apk del syslinux_with_deps
+    rm -rf /usr/share/syslinux

 # Default configuration that can be overridden
 COPY pxelinux.cfg /tftpboot/pxelinux.cfg
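Review bot: `rm -rf /usr/share/syslinux` at the end of this RUN does not reclaim the space, because the files were written by the earlier COPY instruction in its own layer; the removed `apk add --virtual ... && apk del` pair only worked because both ran inside the same RUN. Either COPY directly into /tftpboot/syslinux and drop both the `cp -r` and this `rm`, or bring the files in from a separate build stage so they never land in the final image twice.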

Update alpine version

I noticed the alpine version was a little behind. Would be great to get that tested and updated :D

Also just successfully deployed an ipxe process to my org, thanks for your container!
