How to bind a rootless container to a privileged port on Linux

One of the main innovations introduced by Podman was the ability to run rootless containers. Security-wise this was a big improvement, since a potentially compromised container running as root represents a security threat to the host system. To obtain similar behavior, recent versions of Docker support running the docker daemon in the user context. Running unprivileged containers, albeit more secure, also has its drawbacks, such as the inability to bind to privileged host ports.


This is a companion discussion topic for the original entry at https://linuxconfig.org/how-to-bind-a-rootless-container-to-a-privileged-port-on-linux

Port redirection isn’t gonna work with rootless:

[padla@incandescent-work ~]$ podman run --name=traefik  --replace --rm --cgroups=split --network=podman --sdnotify=conmon -d --security-opt label=type:container_runtime_t -v /run/user/1000/podman/podman.sock:/var/run/docker.sock:z -v /opt/containers/padla/volumes/acme.json:/acme.json:z --publish 80:9080 --publish 443:9443 --publish 8080:9880 docker.io/library/traefik:v3.1.5 --api.dashboard=true --api.insecure=true --certificatesresolvers.lets-encrypt.acme.email=orky@outlook.com --certificatesresolvers.lets-encrypt.acme.storage=/acme.json --certificatesresolvers.lets-encrypt.acme.tlschallenge=true --entrypoints.http.address=:80 --entrypoints.http.http.redirections.entryPoint.to=https --entrypoints.http.http.redirections.entryPoint.scheme=https --entrypoints.https.address=:443 --providers.docker=true
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
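The error above names the knob involved: rootless Podman cannot bind a host port below net.ipv4.ip_unprivileged_port_start (1024 by default). The POSIX shell script below is an added example, not code from the article or from the poster: it pulls the host ports out of the --publish arguments of a podman run command line, reports which ones the rootlessport helper will refuse under the current threshold, computes the lowest value the sysctl can be lowered to while still allowing every published port, and prints the matching sysctl.d drop-in (nothing is written to the system). It assumes the threshold can be read from /proc/sys/net/ipv4/ip_unprivileged_port_start and falls back to the kernel default 1024 where it cannot.

```shell
#!/bin/sh
# Added example for the rootlessport "cannot expose privileged port" error.
# Not part of the article or the forum post.

DEFAULT_START=1024   # kernel default for net.ipv4.ip_unprivileged_port_start

# Print the current threshold; fall back to the kernel default when /proc is
# unavailable (assumption: e.g. inside a sandbox without procfs).
current_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo "$DEFAULT_START"
    fi
}

# Extract host ports from the -p/--publish arguments of a podman command line.
# Accepts "host:ctr", "ip:host:ctr", an optional "/proto" suffix and the
# "--publish=spec" form. A bare container port (random host port) is skipped.
# Output: one host port per line.
host_ports() {
    expect=0
    for arg in "$@"; do
        spec=""
        if [ "$expect" -eq 1 ]; then
            spec=$arg; expect=0
        else
            case "$arg" in
                -p|--publish) expect=1 ;;
                --publish=*)  spec=${arg#*=} ;;
            esac
        fi
        [ -n "$spec" ] || continue
        spec=${spec%%/*}                          # drop /tcp or /udp
        printf '%s\n' "$spec" | awk -F: 'NF >= 2 { print $(NF-1) }'
    done
}

# Print the published host ports below the threshold, i.e. the ones
# rootlessport will refuse to bind. Usage: privileged_ports THRESHOLD port...
privileged_ports() {
    thr=$1; shift
    for p in "$@"; do
        [ "$p" -lt "$thr" ] && echo "$p"
    done
    return 0
}

# Smallest value net.ipv4.ip_unprivileged_port_start can be lowered to while
# still allowing every published port. Prints nothing if no change is needed.
min_start() {
    thr=$1; shift
    lowest=$thr
    for p in "$@"; do
        [ "$p" -lt "$lowest" ] && lowest=$p
    done
    [ "$lowest" -lt "$thr" ] && echo "$lowest"
    return 0
}

# Emit a sysctl.d drop-in line to stdout (nothing is written to /etc).
sysctl_dropin() {
    printf 'net.ipv4.ip_unprivileged_port_start = %s\n' "$1"
}

# Demo using the --publish arguments from the forum post above.
demo() {
    start=$(current_start)
    ports=$(host_ports --publish 80:9080 --publish 443:9443 --publish 8080:9880)
    blocked=$(privileged_ports "$start" $ports)
    if [ -z "$blocked" ]; then
        echo "all published host ports are >= $start; rootless bind will succeed"
        return 0
    fi
    echo "rootlessport will refuse: $(printf '%s ' $blocked)"
    new=$(min_start "$start" $ports)
    echo "lowest threshold that still allows every published port: $new"
    # Lowering the threshold is host-wide: every unprivileged process on the
    # machine, not just this container, may then bind ports new..start-1.
    echo "caveat: ports $new-$((start - 1)) become bindable by any unprivileged user"
    sysctl_dropin "$new"
}

demo
```

The script deliberately lowers the threshold only as far as the published ports require (80 here, not lower), because the setting applies to every unprivileged process on the host rather than to the container alone; the drop-in it prints belongs under /etc/sysctl.d/ (or in /etc/sysctl.conf, as the error message suggests) and takes effect after sysctl --system or a reboot.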