for-win Unable to bind ports: Docker-for-Windows & Hyper-V excluding but not using important port ranges
  • [x] I have tried with the latest version of my channel (Stable or Edge)
  • [x] I have uploaded Diagnostics
  • Diagnostics ID: BB0297BB-C287-4F0B-A007-72B5F2D7BD72/20190102235413

Expected behavior

Be able to bind specific ports that I have always used. Be able to specify which ports Docker/Hyper-V exclude or use, and/or I expect that Docker/Hyper-V actually use the ports that they are excluding and that they show up in netstat -ano as being used or listened on.

Actual behavior

If I start a service that binds on port 50051 (it is a gRPC service, and that is the traditional port used by gRPC), it says: listen tcp :50051: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

Information

  • Is it reproducible? Yes
  • Is the problem new? Yes. My previous installation of Docker for Windows, from a year ago when I was on Windows 1709, didn't have this problem.
  • Did the problem appear with an update? Yes, you could say that. I wiped my hard drive and started over with Windows 1809 and the latest version of Docker for Windows.
  • Windows Version: Windows 10 Pro 1809 (Version 10.0.17763 Build 17763)
  • Docker for Windows Version: 2.0.0.0-win81
  • Docker version: 18.09.0

Steps to reproduce the behavior

MinGW 12:11:50 ~$ docker run -p 50051:50051 hello-world
C:\Program Files\Docker\Docker\Resources\bin\docker.exe: Error response from daemon: driver failed programming external connectivity on endpoint infallible_lehmann (906354afc8855cc38fc8ac3e9e5b0642c9470f48f99c48e188ed3c8cfe236c9e): Error starting userland proxy: Bind for 0.0.0.0:50051: unexpected error Permission denied.

My own investigation:

I was extremely confused by this problem, because I was able to bind other ports, such as 8080 or 60000, yet it did not appear that 50051 was in use by anything on my system.

Running netstat -ano shows nothing using 50051.

Running Get-NetTCPConnection in PowerShell with admin privileges shows nothing using 50051.

Even if I disconnect from the internet and disable both Windows Firewall and my antivirus, and run everything as admin, I still get the errors.

After hours of Google searching, I found a command that showed what happened to 50051:

PS C:\WINDOWS\system32> netsh interface ipv4 show excludedportrange protocol=tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
     49692       49791
     49792       49891
     49892       49991
     49992       50091
     50092       50191
     50214       50313
     50498       50597

* - Administered port exclusions.

It seems that 50051 is excluded (whatever that means?!), even though it isn't in use by anything.

After lots of trial and error, I discovered that Docker for Windows and Hyper-V are responsible for all of those excluded port ranges above.

It also seems like all those port ranges change or increase by 1 every time I reboot, so I suppose 450 reboots from now my problem will go away, maybe...

I have never had this problem, despite using Docker for years now.

I run lots of containers and setups that other people at my company work on and rely on, so it is not feasible for me to be changing the ports around on them to work around this issue. (Other people use the kube templates and docker-compose, and some of them connect with other docker-compose networks, etc., and expect things on certain ports.)

When I try to delete that excluded port range, I get this, despite running the command as administrator:

PS C:\WINDOWS\system32> netsh interface ipv4 delete excludedportrange protocol=tcp startport=49992 numberofports=100
Access is denied.

I've submitted feedback via the Windows Feedback hub, upvote here: https://aka.ms/AA6z7h1
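
Added example, not part of the original report or of Docker's tooling: a small Python parser for the `netsh ... show excludedportrange` output quoted in the report, which finds the range that covers a given port. The function names are hypothetical, and treating a trailing `*` on a row as the administered-exclusion marker is an assumption based on the footnote in that output.

```python
import re

# Output of `netsh interface ipv4 show excludedportrange protocol=tcp`,
# copied verbatim from the report above.
NETSH_OUTPUT = """\
Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
     49692       49791
     49792       49891
     49892       49991
     49992       50091
     50092       50191
     50214       50313
     50498       50597

* - Administered port exclusions.
"""

# A data row is two integers, optionally followed by "*" (administered range).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s*(\*?)\s*$")


def parse_excluded_ranges(text):
    """Return [(start, end, administered), ...] from netsh output."""
    ranges = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ranges.append((int(m.group(1)), int(m.group(2)), m.group(3) == "*"))
    return ranges


def find_exclusion(port, ranges):
    """Return the (start, end, administered) range covering port, or None."""
    for start, end, administered in ranges:
        if start <= port <= end:  # both bounds are inclusive
            return (start, end, administered)
    return None


if __name__ == "__main__":
    ranges = parse_excluded_ranges(NETSH_OUTPUT)
    for port in (8080, 50051, 60000):  # ports mentioned in the report
        hit = find_exclusion(port, ranges)
        if hit:
            print(f"{port}: inside excluded range {hit[0]}-{hit[1]}")
        else:
            print(f"{port}: not in any excluded range")
```

Run against the quoted output, it places 50051 inside 49992-50091, the same 100-port range the failed `delete excludedportrange` command targeted, while 8080 and 60000 fall outside every range.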