Binding privileged port with ip fails on Docker Desktop 4.23.0 (120376)

[porkotron]

Description

Binding privileged port with ip fails on Docker Desktop 4.23.0 (120376):

docker run  -p 10.0.x.x:83:83 --name test-app alpine
docker: Error response from daemon: Ports are not available: exposing port TCP 10.0.x.x:83 -> 0.0.0.0:0: listen tcp 10.0.x.x:83: bind: permission denied.

Binding privileged port to localhost ip still works:

docker run  -p 127.0.0.1:83:83 --name test-app alpine

"Allow privileged port mapping" is toggled on.
Downgrading to 4.22.0 fixes this.

Reproduce

1. Replace 10.0.x.x with some configured ip on host (not 127.0.0.1).

docker run  -p 10.0.x.x:83:83 --name test-app alpine

Expected behavior

Container starts without errors

docker version

Client:
 Cloud integration: v1.0.35+desktop.4
 Version:           24.0.6
 API version:       1.43
 Go version:        go1.20.7
 Git commit:        ed223bc
 Built:             Mon Sep  4 12:28:49 2023
 OS/Arch:           darwin/amd64
 Context:           desktop-linux

Server: Docker Desktop 4.23.0 (120376)
 Engine:
  Version:          24.0.6
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.7
  Git commit:       1a79695
  Built:            Mon Sep  4 12:32:16 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:          1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    24.0.6
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2-desktop.4
    Path:     /Users/petri/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0-desktop.1
    Path:     /Users/petri/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/petri/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.20
    Path:     /Users/petri/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.7
    Path:     /Users/petri/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/petri/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/petri/.docker/cli-plugins/docker-scan
  scout: Command line tool for Docker Scout (Docker Inc.)
    Version:  0.24.1
    Path:     /Users/petri/.docker/cli-plugins/docker-scout

Server:
 Containers: 29
  Running: 1
  Paused: 0
  Stopped: 28
 Images: 1111
 Server Version: 24.0.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.3.13-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.63GiB
 Name: docker-desktop
 ID: d69d16e6-414d-4473-a4b3-f9d8a96ed576
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

4D5BF9C4-D9B8-47CD-83D4-6035C1EE54C1/20230913123752

Additional Info

No response

### Tasks

[devinrm]

I ran into the same issue. A really easy way to reproduce this is just: docker run -p [wifi IP]:80:80 nginx. Confirmed that downgrading to 4.22.1 fixes the issue.

[Ntezi]

I had to downgrade to 4.22.1 as well! Thank you for saving my time @devinrm

[pre]

I originally thought this was a Minikube issue and I created a report there: kubernetes/minikube#17246

Docker Desktop 4.22.1 was the last version working, 4.23.0 fails when binding a privileged port 80 and 443 to a localhost ip alias.

[pentatonicfunk]

any workaround other than downgrade ? im using homebrew to install, or if anyone has guide to downgrade docker via brew maybe ?

[pentatonicfunk]

downgrade docker via brew maybe ?

## ref: https://docs.brew.sh/FAQ#can-i-edit-formulae-myself

export HOMEBREW_NO_INSTALL_FROM_API=1
brew tap homebrew/cask

brew edit docker 
## OR
vi /opt/homebrew/Library/Taps/homebrew/homebrew-cask/Casks/d/docker.rb
## Ref: https://github.com/Homebrew/homebrew-cask/commit/0cd3285a641aecf88ee7887567a0d2d8c40dfa74

brew reinstall --cask docker

## in theory to revert ( i haven't tried yet )
brew update-reset

[bsousaa]

The issue is confirmed internally. At this stage, as a workaround, you can use either 0.0.0.0 (to expose the port on all interfaces) or the localhost (127.0.0.1).

[rectalogic]

We bind to a localhost alias i.e. we do ifconfig lo0 alias 172.17.0.1 255.255.255.0 and then bind 172.17.0.1:22:22 which now fails: Ports are not available: exposing port TCP 172.17.0.1:22 -> 0.0.0.0:0: listen tcp 172.17.0.1:22: bind: permission denied