Default net.ipv4.ip_unprivileged_port_start to 0 inside containers #4615
+58 −0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
AkihiroSuda reviewed Nov 26, 2025
AkihiroSuda reviewed Nov 26, 2025
pkg/cmd/container/create.go Outdated
| opts = append(opts, umaskOpts...) | ||
| | ||
| if !isHostNetwork(netLabelOpts) { | ||
| opts = append(opts, withDefaultUnprivilegedPortSysctl(options.Sysctl)) |
Member
There was a problem hiding this comment.
conflicts with:
nerdctl/pkg/cmd/container/run_linux.go
Line 100 in 1d69ed9
Author
There was a problem hiding this comment.
I added the defaulting for net.ipv4.ip_unprivileged_port_start in create.go, building on top of the behavior in run_linux.go. Does this still conflict?
AkihiroSuda reviewed Nov 26, 2025
AkihiroSuda reviewed Nov 26, 2025
AkihiroSuda reviewed Nov 26, 2025
AkihiroSuda reviewed Nov 26, 2025
AkihiroSuda reviewed Nov 27, 2025
Member
| Please fix the lint errors, squash the commits, and sign off the DCO |
…iners Signed-off-by: Yash Kukrecha <ykukrecha@gmail.com>
yashkukrecha force-pushed the fix-unprivileged-port-default branch from 9d214b1 to 56f05ed Compare Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
This PR makes nerdctl default the container's
net.ipv4.ip_unprivileged_port_startsysctl to0, unless the user has explicitly set this sysctl via--sysctl.Key changes:
withDefaultUnprivilegedPortSysctlinpkg/cmd/container/container.go.--sysctlfornet.ipv4.ip_unprivileged_port_start, nerdctl does not override it.Note: Host-wide sysctl configuration and containerd-rootless-setuptool.sh were intentionally left unchanged in this PR to keep the scope focused on the container namespace default requested in the issue.
Fixes #4595