fix(python): Support binding to ports less than 1024

Introduces subpackage with capabilities set to bind to privileged ports Currently needed by pgAdmin Signed-off-by: RJ Sampson <rj.sampson@chainguard.dev>
wolfi-dev · Feb 11, 2025 · 51061d0 · 51061d0
1 parent a023917
commit 51061d0
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 0 deletions.
diff --git a/python-3.12.yaml b/python-3.12.yaml
@@ -24,6 +24,7 @@ environment:
       - ca-certificates-bundle
       - expat-dev
       - gdbm-dev
+      - libcap-utils
       - libffi-dev
       - libx11-dev
       - linux-headers
@@ -195,6 +196,33 @@ subpackages:
 
             rm -Rf "$d"
 
+  - name: "${{package.name}}-privileged-netbindservice"
+    description: "Allows Python to bind to ports less than 1024"
+    options:
+      # This replaces the Python binary and depends on base. We don't want
+      # to generate any dependencies or provide anything that would clash
+      # with the rest of Python
+      no-depends: true
+      no-provides: true
+    dependencies:
+      replaces:
+        - ${{package.name}}-base
+      runtime:
+        - ${{package.name}}-base=${{package.full-version}}
+    pipeline:
+      - runs: |
+          mkdir -p "${{targets.contextdir}}/usr/bin"
+          cp "${{targets.outdir}}/${{package.name}}-base/usr/bin/${{vars.python}}" "${{targets.contextdir}}/usr/bin/"
+          setcap cap_net_bind_service=+eip "${{targets.contextdir}}/usr/bin/${{vars.python}}"
+    test:
+      environment:
+        contents:
+          packages:
+            - libcap-utils
+      pipeline:
+        - runs: |
+            getcap "/usr/bin/${{vars.python}}" | grep "cap_net_bind_service=eip"
+
   - name: "${{package.name}}-tk"
     dependencies:
       provides:

diff --git a/python-3.13.yaml b/python-3.13.yaml
@@ -24,6 +24,7 @@ environment:
       - ca-certificates-bundle
       - expat-dev
       - gdbm-dev
+      - libcap-utils
       - libffi-dev
       - libx11-dev
       - linux-headers
@@ -195,6 +196,33 @@ subpackages:
 
             rm -Rf "$d"
 
+  - name: "${{package.name}}-privileged-netbindservice"
+    description: "Allows Python to bind to ports less than 1024"
+    options:
+      # This replaces the Python binary and depends on base. We don't want
+      # to generate any dependencies or provide anything that would clash
+      # with the rest of Python
+      no-depends: true
+      no-provides: true
+    dependencies:
+      replaces:
+        - ${{package.name}}-base
+      runtime:
+        - ${{package.name}}-base=${{package.full-version}}
+    pipeline:
+      - runs: |
+          mkdir -p "${{targets.contextdir}}/usr/bin"
+          cp "${{targets.outdir}}/${{package.name}}-base/usr/bin/${{vars.python}}" "${{targets.contextdir}}/usr/bin/"
+          setcap cap_net_bind_service=+eip "${{targets.contextdir}}/usr/bin/${{vars.python}}"
+    test:
+      environment:
+        contents:
+          packages:
+            - libcap-utils
+      pipeline:
+        - runs: |
+            getcap "/usr/bin/${{vars.python}}" | grep "cap_net_bind_service=eip"
+
   - name: "${{package.name}}-tk"
     dependencies:
       provides: