Docker inside LXC (net.ipv4.ip_unprivileged_port_start error)

[lynze]

@lynze Could you add the link to solution in the head post. https://github.com/opencontainers/runc/issues/4968

It’s a workaround. Is not a solution for the moment.

 

[Johannes S]

It’s a workaround. Is not a solution for the moment.

And a rather nasty one since it removes AppArmors additional security mechanism for the container. I can't believe people think, that this should be adopted as a fix in an update of ProxmoxVE. Maybe it's time to change the wording in the doc from "it's recommended to run docker/podman inside vms " to "don't use docker/poman etc in lxcs, it will break". @Neobin filed a ticket for this some years agp , maybe time to revive it? https://bugzilla.proxmox.com/show_bug.cgi?id=4712

 

[lordcheeto]

That problem of "resource allocation" isn't one really. Of course if you want to have one VM for each docker container you want to run you will end up in using more RAM (but not neccesarily way more see https://pve.proxmox.com/wiki/Dynamic_Memory_Management#KSM ). But normally you wouldn't do this but run all your docker containers in one lightweight VM. My main docker Debian Trixie vm is configured with 4 GB RAM, right now it uses 1.5 GB. And this can propably reduced even more without changing anything, since Linux always uses part of the memory as cache. By changing the VM os to alpine an even more lightweight VM should be possible. Another benefit of fitting all docker containers in one vm is, that you need the system maintenance (like updates etc) only once instead of doing housekeeping for every lxc instance.
I prefer to save on my time budget instead of saving RAM for the sake of saving RAM.
But if for the sake of "saving resources" you prefer to waste your private time by trouble shooting after breaking changes be my guest.

I think it's an uncontroversial statement that VMs require more resources than LXCs. By definition, the VM will always need a resource allocation that is separate from the host. Anything that you do to reduce the resource usage on a VM (e.g. use alpine) can be done with an LXC, but the resources you have to reserve for the VM host will always be there.

For many users getting started with a homelab, their time is cheaper than hardware. My docker host is an LXC because I started with a very old PC with limited RAM and CPU. I could have put it in a VM, but I wouldn't have been able to run as many services on that hardware.

 

[lordcheeto]

And a rather nasty one since it removes AppArmors additional security mechanism for the container. I can't believe people think, that this should be adopted as a fix in an update of ProxmoxVE. Maybe it's time to change the wording in the doc from "it's recommended to run docker/podman inside vms " to "don't use docker/poman etc in lxcs, it will break". @Neobin filed a ticket for this some years agp , maybe time to revive it? https://bugzilla.proxmox.com/show_bug.cgi?id=4712

I think downgrading to 1.7.28-1 is a better workaround at the moment.

The *recommendation* to use a VM is valid, but nested containers are supposed to work. As long as the upstream projects support nested containers, Proxmox shouldn't be telling users they can't use them.

 

[Spaghetti]

Maybe it's time to change the wording in the doc from "it's recommended to run docker/podman inside vms " to "don't use docker/poman etc in lxcs, it will break". @Neobin filed a ticket for this some years agp , maybe time to revive it? https://bugzilla.proxmox.com/show_bug.cgi?id=4712

And the solid reason is...
Really curious, personal preferences aside. I'm a kind of IT guy, can understand technical arguments.
Better isolation in VMs? Not everybody needs it. Not worse than docker on bare metal.
Unstable? Didn't see it for the last 5-6 years. All the links to issues look more like individual ones. The current is more related to overprotection (https://github.com/lxc/incus/pull/2624). As I got it, it literally broke `nesting` option.
Insecure? LXC in general are less secure comparing to VMs. Although Proxmox Web UI (unlike pct tool, btw) defaults create pretty secure LXC containers, the options to make them full of holes are still there.

For now I just see something like holly war against docker in LXC containers. Don't because don't.

 

[GoXLd]

Just to add another data point here — exact same breakage also hit Ubuntu 24.04 (Noble) LXC on Proxmox.

open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd N: permission denied: unknown

What worked for me:

apt install -y --allow-downgrades containerd.io=1.7.28-1~ubuntu.24.04~noble
apt-mark hold containerd.io
systemctl restart containerd docker wings

After downgrading + hold — Docker & Wings start fine again inside the unprivileged LXC.

 

[Johannes S]

apt-mark hold containerd.io

As soon as a working update is available you should revert this with apt-mark unhold containerd.io because otherwise any future update won't be installed. And in general it's not a good idea to sit on old versions forever since they might and will contain security or other bugs not present in the newest version.