From 98ace317ea3a4c2713ada09fdf305410c0a1a9a1 Mon Sep 17 00:00:00 2001
From: Paulin Todev <paulin.todev@gmail.com>
Date: Wed, 18 Dec 2024 18:54:20 +0200
Subject: [PATCH] Remove set bind permissions

---
 CHANGELOG.md                 | 5 +++++
 cmd/grafana-agent/Dockerfile | 3 +--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b5d963a34896..39b6605203a8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,11 @@ internal API changes are not present.
 Main (unreleased)
 -----------------
 
+### Other changes
+
+- Remove setcap for `cap_net_bind_service` to allow Agent to run in restricted environments.
+  Modern container runtimes allow binding to unprivileged ports as non-root. (@ptodev)
+
 v0.43.4 (2024-11-25)
 -----------------
 
diff --git a/cmd/grafana-agent/Dockerfile b/cmd/grafana-agent/Dockerfile
index 558f3f96629b..fad889abab9f 100644
--- a/cmd/grafana-agent/Dockerfile
+++ b/cmd/grafana-agent/Dockerfile
@@ -41,7 +41,7 @@ LABEL org.opencontainers.image.source="https://github.com/grafana/agent"
 # Install dependencies needed at runtime.
 RUN <<EOF
   apt-get update
-  apt-get install -qy libsystemd-dev tzdata ca-certificates libcap2-bin
+  apt-get install -qy libsystemd-dev tzdata ca-certificates
   rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 EOF
 
@@ -53,7 +53,6 @@ RUN groupadd --gid $UID $USERNAME
 RUN useradd -m -u $UID -g $UID $USERNAME
 RUN chown -R $USERNAME:$USERNAME /etc/agent
 RUN chown -R $USERNAME:$USERNAME /bin/grafana-agent
-RUN setcap 'cap_net_bind_service=+ep' /bin/grafana-agent
 
 ENTRYPOINT ["/bin/grafana-agent"]
 ENV AGENT_DEPLOY_MODE=docker