Skip to content

Default net.ipv4.ip_unprivileged_port_start to 0 inside containers #4615

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Default net.ipv4.ip_unprivileged_port_start to 0 inside containers #4615

wants to merge 1 commit into from

Conversation

@yashkukrecha
Copy link

@yashkukrecha yashkukrecha commented Nov 24, 2025

This PR makes nerdctl default the container's net.ipv4.ip_unprivileged_port_start sysctl to 0, unless the user has explicitly set this sysctl via --sysctl.

Key changes:

  • Adds a new helper withDefaultUnprivilegedPortSysctl in pkg/cmd/container/container.go.
  • Applies this helper during container creation, after user-supplied sysctls are parsed.
  • If the user passes a --sysctl for net.ipv4.ip_unprivileged_port_start, nerdctl does not override it.

Note: Host-wide sysctl configuration and containerd-rootless-setuptool.sh were intentionally left unchanged in this PR to keep the scope focused on the container namespace default requested in the issue.

Fixes #4595

AkihiroSuda
AkihiroSuda reviewed Nov 26, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda reviewed Nov 26, 2025
View reviewed changes
pkg/cmd/container/create.go Outdated
opts = append(opts, umaskOpts...)

if !isHostNetwork(netLabelOpts) {
opts = append(opts, withDefaultUnprivilegedPortSysctl(options.Sysctl))
Copy link
Member

@AkihiroSuda AkihiroSuda Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

conflicts with:

nerdctl/pkg/cmd/container/run_linux.go

Line 100 in 1d69ed9

opts = append(opts, WithSysctls(strutil.ConvertKVStringsToMap(options.Sysctl)))

Copy link
Author

@yashkukrecha yashkukrecha Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added the defaulting for net.ipv4.ip_unprivileged_port_start in create.go, building on top of the behavior in run_linux.go. Does this still conflict?

AkihiroSuda
AkihiroSuda reviewed Nov 26, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda reviewed Nov 26, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda reviewed Nov 26, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda reviewed Nov 26, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda reviewed Nov 27, 2025
View reviewed changes
@AkihiroSuda
Copy link
Member

AkihiroSuda commented Nov 27, 2025

Please fix the lint errors, squash the commits, and sign off the DCO

@yashkukrecha
(feat): Default net.ipv4.ip_unprivileged_port_start to 0 inside conta…
56f05ed 
…iners

Signed-off-by: Yash Kukrecha <ykukrecha@gmail.com>
@yashkukrecha yashkukrecha force-pushed the fix-unprivileged-port-default branch from 9d214b1 to 56f05ed Compare November 27, 2025 17:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Default the sysctl net.ipv4.ip_unprivileged_port_start to 0

2 participants

@yashkukrecha @AkihiroSuda