
Default the sysctl `net.ipv4.ip_unprivileged_port_start` to `0`

Status: Open. polarathene opened this issue 3 months ago, 3 comments.

What is the problem you're trying to solve

This FAQ entry:

https://github.com/containerd/nerdctl/blob/2165e30feb950635f1d22becacfa5a1121412749/docs/faq.md?plain=1#L319-L323

There is also this somewhat related issue regarding --cap-add NET_BIND_SERVICE with extra details (I chimed in Dec 2023, which would be containerd 1.x).

The sysctl is namespaced, affecting binding of a port within the container, not the port on the host. It's generally considered a safe default to lower this down to 0 for containers.

Describe the solution you'd like

Default net.ipv4.ip_unprivileged_port_start to 0.

It is considered safe:

  • Podman and Docker already lower this to 0 by default and have for some time now.
  • Containerd allows it since 2.0, but only via the CRI plugin which nerdctl does not use.
  • Kubernetes does not yet default to it, but it is considered a safe sysctl. Other tools in the k8s ecosystem (such as k3s, kind, minikube) do however default enable this setting.

Additional context

nerdctl was one of the few I came across that hasn't adopted this change - yet has a FAQ entry about it (and only one report where a user encountered an issue).

It's mostly a convenience, but it does help avoid a practice of images relying on setcap to enforce the associated capability for non-root processes to use. As my prior link details, when such images make a capability mandatory, it prevents dropping it for security reasons (even when that capability would not be used within the container).

polarathene avatar Nov 08 '25 01:11 polarathene
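An added example, not code from the nerdctl project or from the issue author, that models the two kernel checks the opening post relies on: the bind() gate controlled by the namespaced sysctl `net.ipv4.ip_unprivileged_port_start` together with CAP_NET_BIND_SERVICE, and the execve() failure that occurs when an image's setcap'd binary needs a capability that was dropped from the container's bounding set. The `/proc/<pid>/status` snippet and the function names are constructed for illustration; the capability number (10) is the real value from the kernel's capability.h.

```python
"""Model of the kernel checks behind the ip_unprivileged_port_start discussion.

Added example, not nerdctl code. Capability numbers come from
include/uapi/linux/capability.h; the status text below is constructed.
"""
import re
from pathlib import Path

CAP_NET_BIND_SERVICE = 10  # bit position in the CapEff/CapBnd masks

# The sysctl is per network namespace, so a container sees its own value.
SYSCTL_PATH = Path("/proc/sys/net/ipv4/ip_unprivileged_port_start")

# Constructed /proc/<pid>/status excerpt for a non-root process that has no
# effective capabilities but still carries a bounding set (as a container
# runtime would leave it before any --cap-drop).
SAMPLE_STATUS = """\
Name:\tnginx
Uid:\t101\t101\t101\t101
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def parse_status_caps(status_text: str) -> dict:
    """Return the Cap* masks from /proc/<pid>/status as integers."""
    caps = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M):
        caps[m.group(1)] = int(m.group(2), 16)
    return caps


def has_cap(mask: int, cap: int) -> bool:
    """True if capability number `cap` is set in `mask`."""
    return (mask >> cap) & 1 == 1


def read_unprivileged_port_start(path: Path = SYSCTL_PATH, default: int = 1024) -> int:
    """Read the namespace's sysctl; fall back to the kernel default (1024)."""
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return default


def can_bind(port: int, unprivileged_port_start: int, cap_eff: int) -> bool:
    """Would bind() to `port` avoid EACCES for a process with this CapEff?

    Ports at or above the namespace's ip_unprivileged_port_start need no
    capability; lower ports need CAP_NET_BIND_SERVICE in the effective set.
    """
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port >= unprivileged_port_start:
        return True
    return has_cap(cap_eff, CAP_NET_BIND_SERVICE)


def exec_allowed(file_caps_effective: int, cap_bnd: int) -> bool:
    """Simplified execve() rule for a binary with file caps (setcap ...=+ep).

    When the file's effective bit is set, every capability in its set must be
    obtainable; one outside the bounding set makes execve() fail with EPERM.
    This is why an image that hard-requires NET_BIND_SERVICE via setcap cannot
    run under --cap-drop of that capability, even if it never binds a low port.
    """
    return file_caps_effective & ~cap_bnd == 0


if __name__ == "__main__":
    caps = parse_status_caps(SAMPLE_STATUS)
    for start in (1024, 0):
        print(f"sysctl={start}: bind 80 -> {can_bind(80, start, caps['CapEff'])}")
    setcap_bits = 1 << CAP_NET_BIND_SERVICE
    print("exec with cap kept   :", exec_allowed(setcap_bits, caps["CapBnd"]))
    print("exec with cap dropped:", exec_allowed(setcap_bits, caps["CapBnd"] & ~setcap_bits))
```

With the sysctl left at 1024 the unprivileged process cannot bind port 80; with it at 0 it can, and no setcap on the binary is needed, so the capability can be dropped from the bounding set without breaking execve().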

The sysctl is namespaced, affecting binding of a port within the container, not the port on the host.

In the context of faq.md the sysctl is mentioned for rootless port forwarding, so it is a matter of the port on the host.

AkihiroSuda avatar Nov 10 '25 14:11 AkihiroSuda

Hi! Me, @ShivanshNikhra, and @aravsrid are a group of three students working on open-source issues for our virtualization course. We’re interested in taking on this issue and coordinating the work among ourselves to submit a single PR.

We estimate we can complete it within the next month. Would it be okay if we proceed with this issue? If you prefer assignments, we’re happy to be assigned as well. Thanks!

yashkukrecha avatar Nov 11 '25 20:11 yashkukrecha

@AkihiroSuda ah my mistake, thanks for pointing that out. I haven't used rootless much and overlooked that context in the FAQ completely 😓

In that case there is only the related nerdctl issue I linked and my reference comment at CoreDNS for how the sysctl is adjusted elsewhere such as Docker and Podman. It would be good to see adoption of that with nerdctl too 👍

polarathene avatar Nov 11 '25 22:11 polarathene