v1.28.0 requires the NET_BIND_SERVICE capability #1678

New Issue

MrUnknownDE · 2026-04-06T02:12:24+02:00

MrUnknownDE commented

2026-04-06 02:12:24 +02:00

Originally created by @spantaleev on 3/29/2023

I'm launching a Vaultwarden container like this:

docker run \
-it \
--rm \
--name=my-vaultwarden \
--log-driver=none \
--user=12345:12345 \
--cap-drop=ALL \
--read-only \
-e ROCKET_PORT=8080 \
--tmpfs=/tmp:rw,noexec,nosuid,size=128m \
--tmpfs=/data:rw,noexec,nosuid,size=128m \
--tmpfs=/cache:rw,noexec,nosuid,size=128m \
--tmpfs=/ephemeral:rw,noexec,nosuid,size=128m \
docker.io/vaultwarden/server:1.28.0-alpine

And it leads to an error like this:

/start.sh: exec: line 25: /vaultwarden: Operation not permitted

Adding --cap-add=NET_BIND_SERVICE \ after --cap-drop=ALL \ fixes the problem and lets the process proceed further.

When using 1.27.0 instead of 1.28.0, the NET_BIND_SERVICE capability was not required. This can be tried by changing the version in the original command above and not adding NET_BIND_SERVICE.

I've explicitly configured ROCKET_PORT to use 8080 in an effort to escape needing NET_BIND_SERVICE in this container.

This seems to be caused by https://github.com/dani-garcia/vaultwarden/pull/3170

By adding the NET_BIND_SERVICE to the executable, it can no longer be used without having this privilege, not matter which ports you will need later.

Building my own container image that removes the capabilities added to /vaultwarden fixes the problem:

FROM docker.io/vaultwarden/server:1.28.0-alpine

RUN apk add --no-cache libcap && setcap cap_net_bind_service=-ep /vaultwarden

Seems like #3170 is only usable for niche situations with old Docker versions and is causing trouble otherwise. I suppose it's better to revert it.

*Originally created by @spantaleev on 3/29/2023* I'm launching a Vaultwarden container like this: ```sh docker run \ -it \ --rm \ --name=my-vaultwarden \ --log-driver=none \ --user=12345:12345 \ --cap-drop=ALL \ --read-only \ -e ROCKET_PORT=8080 \ --tmpfs=/tmp:rw,noexec,nosuid,size=128m \ --tmpfs=/data:rw,noexec,nosuid,size=128m \ --tmpfs=/cache:rw,noexec,nosuid,size=128m \ --tmpfs=/ephemeral:rw,noexec,nosuid,size=128m \ docker.io/vaultwarden/server:1.28.0-alpine ``` And it leads to an error like this: > /start.sh: exec: line 25: /vaultwarden: Operation not permitted Adding `--cap-add=NET_BIND_SERVICE \` **after** `--cap-drop=ALL \` fixes the problem and lets the process proceed further. When using 1.27.0 instead of 1.28.0, the `NET_BIND_SERVICE` capability was not required. This can be tried by changing the version in the original command above and not adding `NET_BIND_SERVICE`. I've explicitly configured `ROCKET_PORT` to use `8080` in an effort to escape needing `NET_BIND_SERVICE` in this container. ------ This seems to be caused by https://github.com/dani-garcia/vaultwarden/pull/3170 By adding the `NET_BIND_SERVICE` to the executable, it can no longer be used without having this privilege, not matter which ports you will need later. Building my own container image that removes the capabilities added to `/vaultwarden` fixes the problem: ```Dockerfile FROM docker.io/vaultwarden/server:1.28.0-alpine RUN apk add --no-cache libcap && setcap cap_net_bind_service=-ep /vaultwarden ``` Seems like #3170 is only usable for niche situations with old Docker versions and is causing trouble otherwise. I suppose it's better to revert it.

MrUnknownDE closed this issue

2026-04-06 02:12:24 +02:00

Sign in to join this conversation.

No Label

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#1678