25082903959
84%
master: 93%

Ran 28 Apr 2026 11:28PM UTC

Jobs 1

Files 23

Run time 1min

Badge

Embed ▾

Committed 28 Apr 2026 11:26PM UTC coverage: 83.829%. Remained the same

Build # 25082903959

Build Type

push

github

Committed by

web-flow

Commit Message

chore(docker): drop the setcap line; rely on ip_unprivileged_port_start=0 (#1234)

The Dockerfile re-applied `cap_net_bind_service+ep` on the binary so
non-root processes could bind 80/443 (#1222). It is no longer needed:

- Modern container runtimes (Docker 20.10+, containerd 1.5+, cri-o)
  set `net.ipv4.ip_unprivileged_port_start=0` inside the container, so
  any unprivileged process can bind any port directly. The setcap was
  load-bearing on older runtimes but is moot today.
- Worse, the file capability collides with restrictive Kubernetes
  securityContexts that drop ALL capabilities: the kernel refuses to
  exec a binary whose file permitted caps are not a subset of the
  process's bounding set, so `drop: [ALL]` (without a matching `add`)
  crash-loops the pod with `exec /usr/bin/caddy: operation not
  permitted`. Dropping setcap removes that footgun.

Update the chart's `securityContext` example/comment and the
`docs/hub/install.md` rootless sections to describe the actual
mechanism (no file caps, runtime sysctl), and keep the
`service.targetPort: 8080` workaround for older runtimes as a fallback.

Coverage Stats

1747 of 2084 relevant lines covered (83.83%)

49.54 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
1	0 - 25082903959.1	28 Apr 2026 11:28PM UTC	23	83.83	GitHub Action Run

dunglas / mercure / 25082903959
84%
master: 93%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 25082903959

dunglas / mercure / 25082903959 84% master: 93%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 25082903959

dunglas / mercure / 25082903959
84%
master: 93%

README BADGES
x