Description
Hi,
Given the bug, I'm not sure if it is the right place to report it. Don't hesitate to redirect me to the right person.
When using containerd.io=1.7.28-2~debian.13~trixie in an LXC (host is a Proxmox server), running containers raises the following error:
$ docker run hello-world
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown
When rolling back to containerd.io=1.7.28-1~debian.13~trixie it works fine (at least for hello-world).
What makes me think it is unrelated to the actual containerd.io binary is that both apt packages give containerd.io v1.7.28 b98a3aace656320842a23f4a392a33f46af97866 as their version (using containerd --version).
Steps to reproduce the issue
- in an LXC (unprivileged, nesting=1), on an up-to-date Debian 13 (12 seems to have the same issue) with the normal Docker installation (from docs.docker.com)
- run
docker run hello-world
Describe the results you received and expected
The container does not start when using 1.7.28-2~debian.13~trixie but it does with 1.7.28-1~debian.13~trixie. The error is the following.
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown
What version of containerd are you using?
containerd containerd.io v1.7.28 b98a3aa
Any other relevant information
The final test I did before posting this:
root@test:~# apt update
[...]
All packages are up to date.
root@test:~# apt list --installed | grep containerd
containerd.io/trixie,now 1.7.28-2~debian.13~trixie amd64 [installed]
root@test:~# containerd --version
containerd containerd.io v1.7.28 b98a3aace656320842a23f4a392a33f46af97866
root@test:~# docker run hello-world
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown
Run 'docker run --help' for more information
root@test:~# apt install -y containerd.io=1.7.28-1~debian.13~trixie
[...]
root@test:~# apt list --installed | grep containerd
containerd.io/trixie,now 1.7.28-1~debian.13~trixie amd64 [installed,upgradable to: 1.7.28-2~debian.13~trixie]
root@test:~# containerd --version
containerd containerd.io v1.7.28 b98a3aace656320842a23f4a392a33f46af97866
docker run hello-world
Hello from Docker!
[...]
Let me know if it would be interesting to check on a bare-bones machine.
Show configuration if it is related to CRI plugin.
No response