Problem
When running the MCP Gateway container as a non-root user (via --user $(id -u):$(id -g) from #26658), binding to port 80 fails with:
HTTP server error: listen tcp 0.0.0.0:80: bind: permission denied
Port 80 is a privileged port (<1024) and requires either root or CAP_NET_BIND_SERVICE. This was observed in CI: https://github.com/github/gh-aw/actions/runs/24607686133/job/71956606316
Proposed Fix
- Change the gateway listen port from 80 to 8080 in the container launch configuration. Port 8080 is non-privileged and does not require root or special capabilities.
- Update firewall rules to allow traffic on port 8080 instead of (or in addition to) port 80 for the gateway container.
- Update --add-host / DNS configuration — the same CI run also showed host.docker.internal DNS lookup failure for the safeoutputs HTTP backend. Ensure the container is launched with --add-host host.docker.internal:host-gateway or equivalent so that HTTP backends using host.docker.internal can resolve correctly.
- Update any hardcoded port 80 references in gh-aw that generate the gateway container run command or construct URLs to the gateway (e.g., http://127.0.0.1:80/mcp/... → http://127.0.0.1:8080/mcp/...).
Context
--listen 0.0.0.0:80 /etc/hosts write fix), Add --group-add for Docker socket access when running gateway as non-root #26749 (--group-add for Docker socket)
Acceptance Criteria
host.docker.internal resolves inside the gateway container
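Added example, not code from gh-aw or the gateway: a preflight check over the launch settings the issue names (--user, --listen, --add-host) that flags the two CI failures before the container starts, plus a URL builder that takes the port from the listen address. LaunchConfig, Preflight and GatewayURL are hypothetical names, and the check assumes the Linux default privileged-port threshold of 1024.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// LaunchConfig is a hypothetical model of the launch flags named in the issue.
type LaunchConfig struct {
	UID      int      // numeric user from --user
	Listen   string   // --listen value, e.g. "0.0.0.0:8080"
	AddHosts []string // --add-host values, "name:target"
}

// Preflight reports settings that would reproduce the two CI failures. Assumes
// the default threshold of 1024 and no CAP_NET_BIND_SERVICE in the container.
func Preflight(c LaunchConfig) []string {
	var findings []string
	_, portStr, err := net.SplitHostPort(c.Listen)
	port, convErr := strconv.Atoi(portStr)
	switch {
	case err != nil || convErr != nil || port < 1 || port > 65535:
		findings = append(findings, fmt.Sprintf("invalid listen address %q", c.Listen))
	case c.UID != 0 && port < 1024:
		findings = append(findings, fmt.Sprintf("uid %d cannot bind privileged port %d", c.UID, port))
	}
	mapped := false
	for _, h := range c.AddHosts {
		mapped = mapped || strings.HasPrefix(h, "host.docker.internal:")
	}
	if !mapped {
		findings = append(findings, "no --add-host entry for host.docker.internal")
	}
	return findings
}

// GatewayURL derives the client URL from the listen address, not a fixed port.
func GatewayURL(listen, path string) (string, error) {
	_, port, err := net.SplitHostPort(listen)
	if err != nil {
		return "", err
	}
	return "http://" + net.JoinHostPort("127.0.0.1", port) + path, nil
}

func main() {
	fmt.Println(Preflight(LaunchConfig{UID: 1001, Listen: "0.0.0.0:80"}))
}
```

On hosts where net.ipv4.ip_unprivileged_port_start has been lowered, the 1024 threshold in Preflight would need to follow that value.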