From c6a5202c7d4d1eaf40bae159fce44f8c8927d4d5 Mon Sep 17 00:00:00 2001
From: Neel Patel
Date: Tue, 19 May 2026 17:03:23 +0530
Subject: [PATCH 1/2] fix: remove CAP_NET_BIND_SERVICE from python binary and default to port 5050 #9657

---
 Dockerfile | 4 +---
 docs/en_US/container_deployment.rst | 25 ++++++++++++-------------
 pkg/docker/entrypoint.sh | 2 +-
 3 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index a219bfd959b..e2704547f7c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -165,7 +165,6 @@ RUN apk update && apk upgrade && \
 tzdata \
 libedit \
 libldap \
- libcap \
 su-exec && \
 rm -rf /var/cache/apk/*
 
@@ -203,7 +202,6 @@ RUN /venv/bin/python3 -m pip install --no-cache-dir gunicorn==23.0.0 && \
 chown pgadmin:root /pgadmin4/config_distro.py && \
 chmod g=u /pgadmin4/config_distro.py && \
 chmod g=u /etc/passwd && \
- setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/python3.[0-9][0-9] && \
 echo "pgadmin ALL = NOPASSWD: /usr/sbin/postfix start" > /etc/sudoers.d/postfix && \
 echo "pgadminr ALL = NOPASSWD: /usr/sbin/postfix start" >> /etc/sudoers.d/postfix
 
@@ -211,6 +209,6 @@ USER 5050
 
 # Finish up
 VOLUME /var/lib/pgadmin
-EXPOSE 80 443
+EXPOSE 5050 443
 
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docs/en_US/container_deployment.rst b/docs/en_US/container_deployment.rst
index 0b71a7ebe44..ea288fef7aa 100644
--- a/docs/en_US/container_deployment.rst
+++ b/docs/en_US/container_deployment.rst
@@ -104,7 +104,7 @@ of sudo to start Postfix, or if you wish to use an external mail server.
 
 *Default: *
 
-If left un-set, the container will listen on port 80 for connections in plain
+If left un-set, the container will listen on port 5050 for connections in plain
 text. If set to any value, the container will listen on port 443 for TLS
 connections.
 
@@ -122,7 +122,7 @@ for most users - in IPv4-only environments, this may need to be set to **PGADMIN_LISTEN_PORT** -*Default: 80 or 443 (if TLS is enabled)* +*Default: 5050 or 443 (if TLS is enabled)* Allows the port that the server listens on to be set to a specific value rather than using the default. @@ -227,14 +227,13 @@ instances. sudo chown -R 5050:5050 - On some filesystems that do not support extended attributes, it may not be - possible to run pgAdmin without specifying a value for *PGADMIN_LISTEN_PORT* - that is greater than 1024. In such cases, specify an alternate port when - launching the container by adding the environment variable, for example: + The default listen port is 5050, which does not require any special + privileges. If you need to use a different port, specify it when launching + the container by adding the environment variable, for example: .. code-block:: bash - -e 'PGADMIN_LISTEN_PORT=5050' + -e 'PGADMIN_LISTEN_PORT=8080' Don't forget to adjust any host-container port mapping accordingly. @@ -280,22 +279,22 @@ certificate. Examples ******** -Run a simple container over port 80: +Run a simple container over port 5050: .. code-block:: bash docker pull dpage/pgadmin4 - docker run -p 80:80 \ + docker run -p 5050:5050 \ -e 'PGADMIN_DEFAULT_EMAIL=user@domain.com' \ -e 'PGADMIN_DEFAULT_PASSWORD=SuperSecret' \ -d dpage/pgadmin4 -Run a simple container over port 80, setting some configuration options: +Run a simple container over port 5050, setting some configuration options: .. code-block:: bash docker pull dpage/pgadmin4 - docker run -p 80:80 \ + docker run -p 5050:5050 \ -e 'PGADMIN_DEFAULT_EMAIL=user@domain.com' \ -e 'PGADMIN_DEFAULT_PASSWORD=SuperSecret' \ -e 'PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION=True' \ 
@@ -327,13 +326,13 @@ Sometimes it's desirable to have users connect to pgAdmin through a reverse proxy rather than directly to the container it's running in. The following examples show how this can be achieved. With traditional reverse proxy servers such as `Nginx `_, pgAdmin is running in a container on -the same host, with port 5050 on the host mapped to port 80 on the container, +the same host, with port 5050 on the host mapped to port 5050 on the container, for example: .. code-block:: bash docker pull dpage/pgadmin4 - docker run -p 5050:80 \ + docker run -p 5050:5050 \ -e "PGADMIN_DEFAULT_EMAIL=user@domain.com" \ -e "PGADMIN_DEFAULT_PASSWORD=SuperSecret" \ -d dpage/pgadmin4 diff --git a/pkg/docker/entrypoint.sh b/pkg/docker/entrypoint.sh index 6a83bec4494..5664b651ee0 100755 --- a/pkg/docker/entrypoint.sh +++ b/pkg/docker/entrypoint.sh @@ -270,7 +270,7 @@ else if [ -n "${PGADMIN_ENABLE_TLS}" ]; then BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-443}" else - BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-80}" + BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-5050}" fi fi From 528a57ebe300fb859650faed889c1f13053d0f3b Mon Sep 17 00:00:00 2001 From: Neel Patel Date: Tue, 19 May 2026 17:55:53 +0530 Subject: [PATCH 2/2] fix: use 8080 for non-TLS and 8443 for TLS port --- Dockerfile | 2 +- docs/en_US/container_deployment.rst | 34 ++++++++++++++--------------- pkg/docker/entrypoint.sh | 4 ++-- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index e2704547f7c..5bc663d4baa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -209,6 +209,6 @@ USER 5050 # Finish up VOLUME /var/lib/pgadmin -EXPOSE 5050 443 +EXPOSE 8080 8443 ENTRYPOINT ["/entrypoint.sh"] diff --git a/docs/en_US/container_deployment.rst b/docs/en_US/container_deployment.rst index ea288fef7aa..1b350b51c8e 100644 --- a/docs/en_US/container_deployment.rst +++ b/docs/en_US/container_deployment.rst 
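Review bot: Once the setcap on the interpreter is dropped (Dockerfile hunk of this patch), a `PGADMIN_LISTEN_PORT` below 1024 can no longer be bound by the `USER 5050` process, and these default-port lines give the operator no hint that such an override will fail at bind time; the same applies to the 2/2 version of this hunk, where the TLS default becomes 8443. I would record the constraint where the defaults are set, e.g. `# Unprivileged defaults: the image runs as uid 5050 with no CAP_NET_BIND_SERVICE on the interpreter, so a PGADMIN_LISTEN_PORT below 1024 only works if the host lowers net.ipv4.ip_unprivileged_port_start (docker run --sysctl) or a proxy in front takes the low port`. Note that `--cap-add NET_BIND_SERVICE` alone will not by itself help here, since a non-root process without file capabilities does not retain it. The enclosing if/else starts outside the hunk.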
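Review bot: `EXPOSE 8080 8443` leaves the Dockerfile with no explanation of why the image moved off 80/443, now that the setcap line that motivated it is gone in 1/2; a reader of this file alone cannot tell the defaults are deliberate and must stay above 1024. A one-line comment above it would preserve that, e.g. `# Unprivileged ports: the image runs as uid 5050 and the interpreter no longer has CAP_NET_BIND_SERVICE`. Deployments that still publish `-p 80:80` or `-p 443:443` will get connection refused after upgrade, which is the kind of silent break the comment should help diagnose.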
@@ -104,8 +104,8 @@ of sudo to start Postfix, or if you wish to use an external mail server. *Default: * -If left un-set, the container will listen on port 5050 for connections in plain -text. If set to any value, the container will listen on port 443 for TLS +If left un-set, the container will listen on port 8080 for connections in plain +text. If set to any value, the container will listen on port 8443 for TLS connections. When TLS is enabled, a certificate and key must be provided. Typically these @@ -122,7 +122,7 @@ for most users - in IPv4-only environments, this may need to be set to **PGADMIN_LISTEN_PORT** -*Default: 5050 or 443 (if TLS is enabled)* +*Default: 8080 or 8443 (if TLS is enabled)* Allows the port that the server listens on to be set to a specific value rather than using the default. @@ -227,13 +227,13 @@ instances. sudo chown -R 5050:5050 - The default listen port is 5050, which does not require any special - privileges. If you need to use a different port, specify it when launching - the container by adding the environment variable, for example: + The default listen port is 8080 (or 8443 with TLS), which does not require + any special privileges. If you need to use a different port, specify it when + launching the container by adding the environment variable, for example: .. code-block:: bash - -e 'PGADMIN_LISTEN_PORT=8080' + -e 'PGADMIN_LISTEN_PORT=5050' Don't forget to adjust any host-container port mapping accordingly. 
@@ -279,22 +279,22 @@ certificate. Examples ******** -Run a simple container over port 5050: +Run a simple container over port 8080: .. code-block:: bash docker pull dpage/pgadmin4 - docker run -p 5050:5050 \ + docker run -p 8080:8080 \ -e 'PGADMIN_DEFAULT_EMAIL=user@domain.com' \ -e 'PGADMIN_DEFAULT_PASSWORD=SuperSecret' \ -d dpage/pgadmin4 -Run a simple container over port 5050, setting some configuration options: +Run a simple container over port 8080, setting some configuration options: .. code-block:: bash docker pull dpage/pgadmin4 - docker run -p 5050:5050 \ + docker run -p 8080:8080 \ -e 'PGADMIN_DEFAULT_EMAIL=user@domain.com' \ -e 'PGADMIN_DEFAULT_PASSWORD=SuperSecret' \ -e 'PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION=True' \ @@ -309,7 +309,7 @@ Run a TLS secured container using a shared config/storage directory in .. code-block:: bash docker pull dpage/pgadmin4 - docker run -p 443:443 \ + docker run -p 443:8443 \ -v /private/var/lib/pgadmin:/var/lib/pgadmin \ -v /path/to/certificate.cert:/certs/server.cert \ -v /path/to/certificate.key:/certs/server.key \ @@ -326,13 +326,13 @@ Sometimes it's desirable to have users connect to pgAdmin through a reverse proxy rather than directly to the container it's running in. The following examples show how this can be achieved. With traditional reverse proxy servers such as `Nginx `_, pgAdmin is running in a container on -the same host, with port 5050 on the host mapped to port 5050 on the container, +the same host, with port 8080 on the host mapped to port 8080 on the container, for example: .. code-block:: bash docker pull dpage/pgadmin4 - docker run -p 5050:5050 \ + docker run -p 8080:8080 \ -e "PGADMIN_DEFAULT_EMAIL=user@domain.com" \ -e "PGADMIN_DEFAULT_PASSWORD=SuperSecret" \ -d dpage/pgadmin4 @@ -382,7 +382,7 @@ reverse proxy listening for all hostnames with `Nginx location / { proxy_set_header Host $host; - proxy_pass http://localhost:5050/; + proxy_pass http://localhost:8080/; proxy_redirect off; } } 
@@ -400,7 +400,7 @@ tells the pgAdmin container how to rewrite paths:
 location /pgadmin4/ {
 proxy_set_header X-Script-Name /pgadmin4;
 proxy_set_header Host $host;
- proxy_pass http://localhost:5050/;
+ proxy_pass http://localhost:8080/;
 proxy_redirect off;
 }
 }
@@ -444,7 +444,7 @@ adjusted as appropriate to the specific deployment:
 proxy_set_header X-Script-Name /pgadmin4;
 proxy_set_header X-Scheme $scheme;
 proxy_set_header Host $host;
- proxy_pass http://localhost:5050/;
+ proxy_pass http://localhost:8080/;
 proxy_redirect off;
 }
 }
diff --git a/pkg/docker/entrypoint.sh b/pkg/docker/entrypoint.sh
index 5664b651ee0..5df0dfe47ab 100755
--- a/pkg/docker/entrypoint.sh
+++ b/pkg/docker/entrypoint.sh
@@ -268,9 +268,9 @@ if [ -n "${PGADMIN_ENABLE_SOCK}" ]; then
 BIND_ADDRESS="unix:/run/pgadmin/pgadmin.sock"
 else
 if [ -n "${PGADMIN_ENABLE_TLS}" ]; then
- BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-443}"
+ BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-8443}"
 else
- BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-5050}"
+ BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-8080}"
 fi
 fi