Default net.ipv4.ip_unprivileged_port_start to 0 inside containers #4615

yashkukrecha · 2025-11-24T21:52:04Z

This PR makes nerdctl default the container's net.ipv4.ip_unprivileged_port_start sysctl to 0, unless the user has explicitly set this sysctl via --sysctl.

Key changes:

Adds a new helper withDefaultUnprivilegedPortSysctl in pkg/cmd/container/container.go.
Applies this helper during container creation, after user-supplied sysctls are parsed.
If the user passes a --sysctl for net.ipv4.ip_unprivileged_port_start, nerdctl does not override it.

Note: Host-wide sysctl configuration and containerd-rootless-setuptool.sh were intentionally left unchanged in this PR to keep the scope focused on the container namespace default requested in the issue.

Fixes #4595

docs/faq.md

AkihiroSuda · 2025-11-26T03:51:40Z

pkg/cmd/container/create.go

 	opts = append(opts, umaskOpts...)

+	if !isHostNetwork(netLabelOpts) {
+		opts = append(opts, withDefaultUnprivilegedPortSysctl(options.Sysctl))


conflicts with:

nerdctl/pkg/cmd/container/run_linux.go

Line 100 in 1d69ed9

opts = append(opts, WithSysctls(strutil.ConvertKVStringsToMap(options.Sysctl)))

I added the defaulting for net.ipv4.ip_unprivileged_port_start in create.go, building on top of the behavior in run_linux.go. Does this still conflict?

pkg/cmd/container/create.go

pkg/cmd/container/create_unprivileged_sysctl_test.go

pkg/cmd/container/create.go

AkihiroSuda · 2025-11-27T10:33:25Z

Please fix the lint errors, squash the commits, and sign off the DCO

yashkukrecha · 2025-12-03T05:36:51Z

Hi @AkihiroSuda, should all the tests be passing?

haytok · 2025-12-03T05:46:16Z

The tests for this update has failed.

=== Failed
=== FAIL: cmd/nerdctl/container TestContainerInspectHostConfigDefaults (0.67s)
    container_inspect_linux_test.go:343: HostConfig in TestContainerInspectHostConfigDefaults: &{ContainerIDFile: LogConfig:{Driver:json-file Opts:map[] LogURI: Address:/run/containerd/containerd.sock} PortBindings:map[] CgroupnsMode:private DNS:[] DNSOptions:[] DNSSearch:[] ExtraHosts:[] GroupAdd:[1 2 3 4 6 10 11 20 26 27] IpcMode:private OomScoreAdj:0 PidMode: ReadonlyRootfs:false Tmpfs:map[] UTSMode: ShmSize:0 Sysctls:map[net.ipv4.ip_unprivileged_port_start:0] Runtime:io.containerd.runc.v2 CPUSetMems: CPUSetCPUs: CPUQuota:0 CPUShares:0 CPUPeriod:0 CPURealtimePeriod:0 CPURealtimeRuntime:0 Memory:0 MemorySwap:0 OomKillDisable:false Devices:[] BlkioSettings:{BlkioWeight:0 BlkioWeightDevice:[] BlkioDeviceReadBps:[] BlkioDeviceWriteBps:[] BlkioDeviceReadIOps:[] BlkioDeviceWriteIOps:[]}}
    container_inspect_linux_test.go:365: assertion failed: 0 (int) != 1 (int)

Therefore, at least the following fixes are required:

nerdctl/cmd/nerdctl/container/container_inspect_linux_test.go

Line 365 in f1591d9

assert.Equal(t, 0, len(inspect.HostConfig.Sysctls))

yashkukrecha · 2025-12-11T17:21:31Z

Hi, the only failing job is in-host - Windows. Looking at the logs, all the cmd/nerdctl/container tests are failing because nerdctl run returns a non-zero exit code with:

failed to create shim task: kernel: 'C:\Program Files\Linux Containers\kernel' not found

This seems like an environment issue in the Windows runner rather than something caused by my PR. Does this test need to be resolved before merging my PR?

AkihiroSuda · 2025-12-12T05:42:57Z

Can you try rebasing with the current main branch ?

AkihiroSuda · 2025-12-15T02:30:38Z

Doesn't look rebased well
https://lima-vm.io/docs/dev/git/#rebasing-onto-upstream-master

…iners Signed-off-by: Yash Kukrecha <[email protected]>

yashkukrecha · 2025-12-15T21:21:29Z

I rebased and it resulted in some failing flaky tests but also some failures unrelated to my PR, such as logging and binding to host port 5000.

AkihiroSuda

Not sure why Windows CI is still failing.
Maybe GHA is now deterministically picking a broken runner instance by the PR number?