Add net_bind_service capability to nats-server binary

[tamalsaha]

I am trying to run nats in k8s as nonroot user and hostport mode. nats-server is listening to port 443 for wss protocol. This change allows nats-server to bind to port 443 .

The reason this is required is because k8s does not support ambient capabilities yet.

• Support for ambient capabilities in kubernetes. kubernetes/enhancements#2763
• Kubernetes should configure the ambient capability set kubernetes/kubernetes#56374

ingress-nginx project also uses this in their Dockerfile to allow nonroot user
https://github.com/kubernetes/ingress-nginx/blob/48fbdfe3ba0c0e258890c970e2561caecea532dd/rootfs/Dockerfile#L70

Signed-off-by: Tamal Saha tamal@appscode.com

[wallyqs]

Thanks for the PR, this also seems to be what caddy is doing in its official image so it should be supported when published by docker team:

• https://github.com/caddyserver/caddy-docker/blob/5cc71afbebe1b590a9996c24e714e7b67ab53d03/2.7/builder/Dockerfile#L14C5-L14C18
• https://github.com/caddyserver/xcaddy/blob/743ce51c13f7dadb32ee932b1298790330145f1f/README.md?plain=1#L190

[wallyqs]

LGTM

[wallyqs]

related feedback from when including into the official release: docker-library/official-images#16797 (comment)

[ramonberrutti-f3]

I believe that will be better to nats internally or by the entrypoint.sh request the capability if is needed.

Maybe you can also try:

    - containerPort: 8443
      hostPort: 443

[rverenich]

Hello! Secure installations stopped working (with non-root user and dropped capabilities by default). Maybe it is better to request capability change only if needed, not by default?

[wallyqs]

Thanks for the report, we are going to rollback this change: #155