
Default net.ipv4.ip_unprivileged_port_start to 0 inside containers

Open yashkukrecha opened this issue 2 months ago • 6 comments

This PR makes nerdctl default the container's net.ipv4.ip_unprivileged_port_start sysctl to 0, unless the user has explicitly set this sysctl via --sysctl.

Key changes:

  • Adds a new helper withDefaultUnprivilegedPortSysctl in pkg/cmd/container/container.go.
  • Applies this helper during container creation, after user-supplied sysctls are parsed.
  • If the user passes a --sysctl for net.ipv4.ip_unprivileged_port_start, nerdctl does not override it.

Note: Host-wide sysctl configuration and containerd-rootless-setuptool.sh were intentionally left unchanged in this PR to keep the scope focused on the container namespace default requested in the issue.

Fixes #4595

yashkukrecha avatar Nov 24 '25 21:11 yashkukrecha
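The default-unless-set rule the description gives, written out as an added illustration (this is not the PR's code; the signature of withDefaultUnprivilegedPortSysctl, the --sysctl parser and the 0..65535 range check are assumptions). Setting the sysctl to 0 lets unprivileged processes in the container bind ports below 1024, so the helper leaves any explicit user value untouched and rejects values the kernel would not accept:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// unprivilegedPortSysctl is the sysctl the PR defaults inside the container.
const unprivilegedPortSysctl = "net.ipv4.ip_unprivileged_port_start"

// parseSysctls turns repeated --sysctl key=value flags into a map,
// rejecting malformed entries (assumed shape, not nerdctl's own parser).
func parseSysctls(flags []string) (map[string]string, error) {
	out := make(map[string]string, len(flags))
	for _, f := range flags {
		k, v, ok := strings.Cut(f, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("invalid sysctl %q: expected key=value", f)
		}
		out[k] = v
	}
	return out, nil
}

// withDefaultUnprivilegedPortSysctl applies the PR's rule: default the
// unprivileged port start to 0 unless the user set it explicitly via
// --sysctl. A user-supplied value is validated (assumed range 0..65535,
// matching what the kernel accepts) so a typo fails at create time.
func withDefaultUnprivilegedPortSysctl(sysctls map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(sysctls)+1)
	for k, v := range sysctls {
		out[k] = v
	}
	if v, ok := out[unprivilegedPortSysctl]; ok {
		n, err := strconv.Atoi(v)
		if err != nil || n < 0 || n > 65535 {
			return nil, fmt.Errorf("%s: want 0..65535, got %q", unprivilegedPortSysctl, v)
		}
		return out, nil // the user's explicit choice wins
	}
	out[unprivilegedPortSysctl] = "0"
	return out, nil
}

func main() {
	user, _ := parseSysctls([]string{"net.ipv4.ip_unprivileged_port_start=1024"})
	got, _ := withDefaultUnprivilegedPortSysctl(user)
	fmt.Println(got[unprivilegedPortSysctl]) // 1024: not overridden
	got, _ = withDefaultUnprivilegedPortSysctl(map[string]string{})
	fmt.Println(got[unprivilegedPortSysctl]) // 0: default applied
}
```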

Please fix the lint errors, squash the commits, and sign off the DCO

AkihiroSuda avatar Nov 27 '25 10:11 AkihiroSuda

Hi @AkihiroSuda, should all the tests be passing?

yashkukrecha avatar Dec 03 '25 05:12 yashkukrecha

The tests for this update have failed.

=== Failed
=== FAIL: cmd/nerdctl/container TestContainerInspectHostConfigDefaults (0.67s)
    container_inspect_linux_test.go:343: HostConfig in TestContainerInspectHostConfigDefaults: &{ContainerIDFile: LogConfig:{Driver:json-file Opts:map[] LogURI: Address:/run/containerd/containerd.sock} PortBindings:map[] CgroupnsMode:private DNS:[] DNSOptions:[] DNSSearch:[] ExtraHosts:[] GroupAdd:[1 2 3 4 6 10 11 20 26 27] IpcMode:private OomScoreAdj:0 PidMode: ReadonlyRootfs:false Tmpfs:map[] UTSMode: ShmSize:0 Sysctls:map[net.ipv4.ip_unprivileged_port_start:0] Runtime:io.containerd.runc.v2 CPUSetMems: CPUSetCPUs: CPUQuota:0 CPUShares:0 CPUPeriod:0 CPURealtimePeriod:0 CPURealtimeRuntime:0 Memory:0 MemorySwap:0 OomKillDisable:false Devices:[] BlkioSettings:{BlkioWeight:0 BlkioWeightDevice:[] BlkioDeviceReadBps:[] BlkioDeviceWriteBps:[] BlkioDeviceReadIOps:[] BlkioDeviceWriteIOps:[]}}
    container_inspect_linux_test.go:365: assertion failed: 0 (int) != 1 (int)

Therefore, at least the following fixes are required:

  • https://github.com/containerd/nerdctl/blob/f1591d9bd3b86b9fac9fc59dcb6069cd67142033/cmd/nerdctl/container/container_inspect_linux_test.go#L365

haytok avatar Dec 03 '25 05:12 haytok

Hi, the only failing job is in-host - Windows. Looking at the logs, all the cmd/nerdctl/container tests are failing because nerdctl run returns a non-zero exit code with:

failed to create shim task: kernel: 'C:\Program Files\Linux Containers\kernel' not found

This seems like an environment issue in the Windows runner rather than something caused by my PR. Does this test need to be resolved before merging my PR?

yashkukrecha avatar Dec 11 '25 17:12 yashkukrecha

Can you try rebasing with the current main branch?

AkihiroSuda avatar Dec 12 '25 05:12 AkihiroSuda

Doesn't look rebased well https://lima-vm.io/docs/dev/git/#rebasing-onto-upstream-master

AkihiroSuda avatar Dec 15 '25 02:12 AkihiroSuda

I rebased and it resulted in some failing flaky tests but also some failures unrelated to my PR, such as logging and binding to host port 5000.

yashkukrecha avatar Dec 15 '25 21:12 yashkukrecha