fix: remove CAP_NET_BIND_SERVICE from python binary and default to port 8080

Dockerfile

@@ -165,7 +165,6 @@ RUN apk update && apk upgrade && \
         tzdata \
         libedit \
         libldap \
-        libcap \
         su-exec && \
     rm -rf /var/cache/apk/*
 
@@ -203,14 +202,13 @@ RUN /venv/bin/python3 -m pip install --no-cache-dir gunicorn==23.0.0 && \
     chown pgadmin:root /pgadmin4/config_distro.py && \
     chmod g=u /pgadmin4/config_distro.py && \
     chmod g=u /etc/passwd && \
-    setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/python3.[0-9][0-9] && \
     echo "pgadmin ALL = NOPASSWD: /usr/sbin/postfix start" > /etc/sudoers.d/postfix && \
     echo "pgadminr ALL = NOPASSWD: /usr/sbin/postfix start" >> /etc/sudoers.d/postfix
 
 USER 5050
 
 # Finish up
 VOLUME /var/lib/pgadmin
-EXPOSE 80 443
+EXPOSE 8080 8443
 
 ENTRYPOINT ["/entrypoint.sh"]

docs/en_US/container_deployment.rst

@@ -104,8 +104,8 @@ of sudo to start Postfix, or if you wish to use an external mail server.
 
 *Default: <null>*
 
-If left un-set, the container will listen on port 80 for connections in plain
-text. If set to any value, the container will listen on port 443 for TLS
+If left un-set, the container will listen on port 8080 for connections in plain
+text. If set to any value, the container will listen on port 8443 for TLS
 connections.
 
 When TLS is enabled, a certificate and key must be provided. Typically these
@@ -122,7 +122,7 @@ for most users - in IPv4-only environments, this may need to be set to
 
 **PGADMIN_LISTEN_PORT**
 
-*Default: 80 or 443 (if TLS is enabled)*
+*Default: 8080 or 8443 (if TLS is enabled)*
 
 Allows the port that the server listens on to be set to a specific value rather
 than using the default.
@@ -227,9 +227,8 @@ instances.
 
         sudo chown -R 5050:5050 <host_directory>
 
-    On some filesystems that do not support extended attributes, it may not be
-    possible to run pgAdmin without specifying a value for *PGADMIN_LISTEN_PORT*
-    that is greater than 1024. In such cases, specify an alternate port when
+    The default listen port is 8080 (or 8443 with TLS), which does not require
+    any special privileges. If you need to use a different port, specify it when
     launching the container by adding the environment variable, for example:
 
     .. code-block:: bash
@@ -280,22 +279,22 @@ certificate.
 Examples
 ********
 
-Run a simple container over port 80:
+Run a simple container over port 8080:
 
 .. code-block:: bash
 
     docker pull dpage/pgadmin4
-    docker run -p 80:80 \
+    docker run -p 8080:8080 \
         -e 'PGADMIN_DEFAULT_EMAIL=user@domain.com' \
         -e 'PGADMIN_DEFAULT_PASSWORD=SuperSecret' \
         -d dpage/pgadmin4
 
-Run a simple container over port 80, setting some configuration options:
+Run a simple container over port 8080, setting some configuration options:
 
 .. code-block:: bash
 
     docker pull dpage/pgadmin4
-    docker run -p 80:80 \
+    docker run -p 8080:8080 \
         -e 'PGADMIN_DEFAULT_EMAIL=user@domain.com' \
         -e 'PGADMIN_DEFAULT_PASSWORD=SuperSecret' \
         -e 'PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION=True' \
@@ -310,7 +309,7 @@ Run a TLS secured container using a shared config/storage directory in
 .. code-block:: bash
 
     docker pull dpage/pgadmin4
-    docker run -p 443:443 \
+    docker run -p 443:8443 \
         -v /private/var/lib/pgadmin:/var/lib/pgadmin \
         -v /path/to/certificate.cert:/certs/server.cert \
         -v /path/to/certificate.key:/certs/server.key \
@@ -327,13 +326,13 @@ Sometimes it's desirable to have users connect to pgAdmin through a reverse
 proxy rather than directly to the container it's running in. The following
 examples show how this can be achieved. With traditional reverse proxy servers
 such as `Nginx <https://www.nginx.com/>`_, pgAdmin is running in a container on
-the same host, with port 5050 on the host mapped to port 80 on the container,
+the same host, with port 8080 on the host mapped to port 8080 on the container,
 for example:
 
 .. code-block:: bash
 
     docker pull dpage/pgadmin4
-    docker run -p 5050:80 \
+    docker run -p 8080:8080 \
         -e "PGADMIN_DEFAULT_EMAIL=user@domain.com" \
         -e "PGADMIN_DEFAULT_PASSWORD=SuperSecret" \
         -d dpage/pgadmin4
@@ -383,7 +382,7 @@ reverse proxy listening for all hostnames with `Nginx
 
         location / {
             proxy_set_header Host $host;
-            proxy_pass http://localhost:5050/;
+            proxy_pass http://localhost:8080/;
             proxy_redirect off;
         }
     }
@@ -401,7 +400,7 @@ tells the pgAdmin container how to rewrite paths:
         location /pgadmin4/ {
             proxy_set_header X-Script-Name /pgadmin4;
             proxy_set_header Host $host;
-            proxy_pass http://localhost:5050/;
+            proxy_pass http://localhost:8080/;
             proxy_redirect off;
         }
     }
@@ -445,7 +444,7 @@ adjusted as appropriate to the specific deployment:
             proxy_set_header X-Script-Name /pgadmin4;
             proxy_set_header X-Scheme $scheme;
             proxy_set_header Host $host;
-            proxy_pass http://localhost:5050/;
+            proxy_pass http://localhost:8080/;
             proxy_redirect off;
         }
     }

pkg/docker/entrypoint.sh

@@ -268,9 +268,9 @@ if [ -n "${PGADMIN_ENABLE_SOCK}" ]; then
     BIND_ADDRESS="unix:/run/pgadmin/pgadmin.sock"
 else
     if [ -n "${PGADMIN_ENABLE_TLS}" ]; then
-        BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-443}"
+        BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-8443}"
     else
-        BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-80}"
+        BIND_ADDRESS="${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-8080}"
     fi
 fi