Docker AIO - listening on :80: listen tcp :80: bind: permission denied

Thor · November 22, 2022, 4:32pm

I tried to run the docker aio based on the github documentation using a reverse proxy.
This is the startup command:

sudo docker run 
--sig-proxy=false 
--name nextcloud-aio-mastercontainer 
--restart always 
--publish 8080:8080 
-e APACHE_PORT=11000 
-e APACHE_IP_BINDING=127.0.0.1 
-e NEXTCLOUD_DATADIR="/volume1/docker/nextcloud_aio/data" 
-e NEXTCLOUD_MOUNT="/volume1/external_test" 
-e NEXTCLOUD_MEMORY_LIMIT=2G 
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config 
--volume /var/run/docker.sock:/var/run/docker.sock:ro 
nextcloud/all-in-one:latest

The container starts but repeats following log output:

2022-11-22T16:27:04.741626867Z,stderr,Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: permission denied

2022-11-22T16:27:04.741475266Z,stderr,"{\"level\":\"info\",\"ts\":1669134424.7411804,\"logger\":\"tls.cache.maintenance\",\"msg\":\"stopped background certificate maintenance\",\"cache\":\"0xc0004cd7a0\"}
"
2022-11-22T16:27:04.740653388Z,stderr,"{\"level\":\"warn\",\"ts\":1669134424.7404296,\"logger\":\"tls\",\"msg\":\"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place\",\"docs\":\"https://caddyserver.com/docs/automatic-https#on-demand-tls\"}
"
2022-11-22T16:27:04.739981077Z,stderr,"{\"level\":\"info\",\"ts\":1669134424.7397861,\"logger\":\"tls.cache.maintenance\",\"msg\":\"started background certificate maintenance\",\"cache\":\"0xc0004cd7a0\"}
"
2022-11-22T16:27:04.739817250Z,stderr,"{\"level\":\"warn\",\"ts\":1669134424.7394106,\"logger\":\"http\",\"msg\":\"automatic HTTP->HTTPS redirects are disabled\",\"server_name\":\"srv1\"}
"
2022-11-22T16:27:04.739622536Z,stderr,"{\"level\":\"warn\",\"ts\":1669134424.7393675,\"logger\":\"http\",\"msg\":\"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server\",\"server_name\":\"srv0\",\"http_port\":80}
"
2022-11-22T16:27:04.738674287Z,stderr,"{\"level\":\"info\",\"ts\":1669134424.738365,\"logger\":\"admin\",\"msg\":\"admin endpoint started\",\"address\":\"localhost:2019\",\"enforce_origin\":false,\"origins\":[\"//localhost:2019\",\"//[::1]:2019\",\"//127.0.0.1:2019\"]}
"
2022-11-22T16:27:04.736849689Z,stderr,"{\"level\":\"warn\",\"ts\":1669134424.736496,\"msg\":\"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies\",\"adapter\":\"caddyfile\",\"file\":\"/Caddyfile\",\"line\":2}
"
2022-11-22T16:27:04.733843215Z,stderr,"{\"level\":\"info\",\"ts\":1669134424.733408,\"msg\":\"using provided configuration\",\"config_file\":\"/Caddyfile\",\"config_adapter\":\"\"}
"
2022-11-22T16:27:03.687131515Z,stderr,[Tue Nov 22 16:27:03.684942 2022] [core:notice] [pid 95] AH00094: Command line: 'apache2 -D FOREGROUND'

2022-11-22T16:27:03.686857350Z,stderr,[Tue Nov 22 16:27:03.684903 2022] [mpm_prefork:notice] [pid 95] AH00163: Apache/2.4.54 (Debian) PHP/8.0.25 OpenSSL/1.1.1n configured -- resuming normal operations

2022-11-22T16:27:03.684359684Z,stderr,[Tue Nov 22 16:27:03.680329 2022] [ssl:warn] [pid 95] AH01909: 172.18.0.2:8080:0 server certificate does NOT include an ID which matches the server name

2022-11-22T16:27:03.682930297Z,stderr,[Tue Nov 22 16:27:03.680298 2022] [ssl:warn] [pid 95] AH01906: 172.18.0.2:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

2022-11-22T16:27:03.625133716Z,stderr,"AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.2. Set the 'ServerName' directive globally to suppress this message
"
2022-11-22T16:27:03.583698917Z,stderr,[Tue Nov 22 16:27:03.581138 2022] [ssl:warn] [pid 95] AH01909: 172.18.0.2:8080:0 server certificate does NOT include an ID which matches the server name

2022-11-22T16:27:03.582896991Z,stderr,[Tue Nov 22 16:27:03.580699 2022] [ssl:warn] [pid 95] AH01906: 172.18.0.2:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

2022-11-22T16:27:03.577096301Z,stderr,"AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.2. Set the 'ServerName' directive globally to suppress this message
"
2022-11-22T16:27:03.522878079Z,stderr,Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: permission denied

2022-11-22T16:27:03.520056519Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5198145,\"logger\":\"tls.cache.maintenance\",\"msg\":\"stopped background certificate maintenance\",\"cache\":\"0xc000182ee0\"}
"
2022-11-22T16:27:03.518951596Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5186913,\"logger\":\"http.log\",\"msg\":\"server running\",\"name\":\"srv1\",\"protocols\":[\"h1\",\"h2\",\"h3\"]}
"
2022-11-22T16:27:03.517883223Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.517677,\"msg\":\"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.\"}
"
2022-11-22T16:27:03.517651773Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5165832,\"logger\":\"tls\",\"msg\":\"finished cleaning storage units\"}
"
2022-11-22T16:27:03.516729505Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5157094,\"logger\":\"tls\",\"msg\":\"cleaning storage unit\",\"description\":\"FileStorage:/mnt/docker-aio-config/caddy/\"}
"
2022-11-22T16:27:03.515963610Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5157094,\"logger\":\"http\",\"msg\":\"enabling HTTP/3 listener\",\"addr\":\":8443\"}
"
2022-11-22T16:27:03.515016032Z,stderr,"{\"level\":\"warn\",\"ts\":1669134423.5147154,\"logger\":\"tls\",\"msg\":\"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place\",\"docs\":\"https://caddyserver.com/docs/automatic-https#on-demand-tls\"}
"
2022-11-22T16:27:03.514105215Z,stderr,"{\"level\":\"warn\",\"ts\":1669134423.5136123,\"logger\":\"http\",\"msg\":\"automatic HTTP->HTTPS redirects are disabled\",\"server_name\":\"srv1\"}
"
2022-11-22T16:27:03.513099747Z,stderr,"{\"level\":\"warn\",\"ts\":1669134423.5128827,\"logger\":\"http\",\"msg\":\"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server\",\"server_name\":\"srv0\",\"http_port\":80}
"
2022-11-22T16:27:03.512280194Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5120091,\"logger\":\"tls.cache.maintenance\",\"msg\":\"started background certificate maintenance\",\"cache\":\"0xc000182ee0\"}
"
2022-11-22T16:27:03.511004252Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5106463,\"logger\":\"admin\",\"msg\":\"admin endpoint started\",\"address\":\"localhost:2019\",\"enforce_origin\":false,\"origins\":[\"//localhost:2019\",\"//[::1]:2019\",\"//127.0.0.1:2019\"]}
"
2022-11-22T16:27:03.508721577Z,stderr,"{\"level\":\"warn\",\"ts\":1669134423.508379,\"msg\":\"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies\",\"adapter\":\"caddyfile\",\"file\":\"/Caddyfile\",\"line\":2}
"
2022-11-22T16:27:03.505160411Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5046253,\"msg\":\"using provided configuration\",\"config_file\":\"/Caddyfile\",\"config_adapter\":\"\"}

szaimen · November 22, 2022, 4:45pm

Hi, this reminds me of Apache cannot start because listen tcp :443: bind: permission denied · Discussion #1267 · nextcloud/all-in-one · GitHub

Thor · November 22, 2022, 4:53pm

Hm couldn’t find that when I was looking for a solution.

I’m running Docker on a Synology NAS so there might be the chance, docker is not up to date.
Still strange as the AIO documentation explicitly lists Synologys rev proxy setup.

KarlF12 · November 22, 2022, 5:56pm

Doesn’t Synology already use that port for its own interface?

Thor · November 22, 2022, 6:23pm

Yes but who wants to use port 80? Everything runs in a container in a bridge network the container uses 8080 and I added the env car to tell apache to use 11000 as in the how to stated.

szaimen · November 22, 2022, 7:10pm

Basically you will need Kernel 4.11 or higher as AIO will not work otherwise.

Thor · November 24, 2022, 12:25pm

My DS218+ with DSM 7.1 has Kernel 4.4.180 so yeah that seems the issue.

szaimen · November 24, 2022, 12:26pm

Wow, do they really ship so outdated kernels?

Thor · November 24, 2022, 12:43pm

At least they did in the past. Could only find a reposted statement where they are “not worried of EOL because they handle it internally” whatever this means.

amphioxis · December 19, 2022, 9:21am

nextcloud-aio-mastercontainer  | Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: permission denied

Have the same error message here while running on Kernel 4.19.0

Any suggestions?