Default net.ipv4.ip_unprivileged_port_start to 0 inside containers

Author: yashkukrecha

docs/faq.md

@@ -322,6 +322,8 @@ Set sysctl value `net.ipv4.ip_unprivileged_port_start=0` .
 
 See https://rootlesscontaine.rs/getting-started/common/sysctl/#optional-allowing-listening-on-tcp--udp-ports-below-1024
 
+`nerdctl` now defaults `net.ipv4.ip_unprivileged_port_start=0` inside the container unless you override it with `--sysctl`. This does not change the host-side sysctl, which may still need to be configured for rootless port publishing.
+
 ### Can't ping
 
 Set sysctl value `net.ipv4.ping_group_range=0 2147483647` .

pkg/cmd/container/create.go

@@ -330,6 +330,8 @@ func Create(ctx context.Context, client *containerd.Client, args []string, netMa
 	}
 	opts = append(opts, umaskOpts...)
 
+	opts = append(opts, withDefaultUnprivilegedPortSysctl(options.Sysctl))
+
 	rtCOpts, err := generateRuntimeCOpts(options.GOptions.CgroupManager, options.Runtime)
 	if err != nil {
 		return nil, generateRemoveOrphanedDirsFunc(ctx, id, dataStore, internalLabels), err
@@ -563,6 +565,31 @@ func GenerateLogURI(dataStore string) (*url.URL, error) {
 	return cio.LogURIGenerator("binary", selfExe, args)
 }
 
+func withDefaultUnprivilegedPortSysctl(sysctls []string) oci.SpecOpts {
+	const key = "net.ipv4.ip_unprivileged_port_start"
+	for _, kv := range sysctls {
+		if strings.HasPrefix(kv, key) {
+			return func(_ context.Context, _ oci.Client, _ *containers.Container, _ *oci.Spec) error {
+				return nil
+			}
+		}
+	}
+
+	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+		if s.Linux == nil {
+			return nil
+		}
+		if s.Linux.Sysctl == nil {
+			s.Linux.Sysctl = make(map[string]string)
+		}
+
+		if _, exists := s.Linux.Sysctl[key]; !exists {
+			s.Linux.Sysctl[key] = "0"
+		}
+		return nil
+	}
+}
+
 func withNerdctlOCIHook(cmd string, args []string) (oci.SpecOpts, error) {
 	if rootlessutil.IsRootless() {
 		detachedNetNS, err := rootlessutil.DetachedNetNS()

pkg/cmd/container/create_unprivileged_sysctl_test.go

@@ -0,0 +1,37 @@
+package container
+
+import (
+	"context"
+	"testing"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func TestWithDefaultUnprivilegedPortSysctl_DefaultsToZero(t *testing.T) {
+	opt := withDefaultUnprivilegedPortSysctl(nil)
+
+	var s specs.Spec
+	s.Linux = &specs.Linux{}
+	if err := opt(context.Background(), nil, nil, &s); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"] != "0" {
+		t.Fatalf("expected net.ipv4.ip_unprivileged_port_start=0, got %q", s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"])
+	}
+}
+
+func TestWithDefaultUnprivilegedPortSysctl_UserOverride(t *testing.T) {
+	sysctls := []string{"net.ipv4.ip_unprivileged_port_start=1000"}
+	opt := withDefaultUnprivilegedPortSysctl(sysctls)
+
+	var s specs.Spec
+	s.Linux = &specs.Linux{Sysctl: map[string]string{}}
+	if err := opt(context.Background(), nil, nil, &s); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if _, ok := s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"]; ok {
+		t.Fatalf("expected helper not to override user setting")
+	}
+}