
Heimdall fails to start on Docker 28.x in Proxmox unprivileged LXC (sysctl net.ipv4.ip_unprivileged_port_start permission denied)

Open ajax1337 opened this issue 1 month ago • 3 comments

After upgrading Docker inside an unprivileged Proxmox LXC (Debian 12) to Docker Engine 28.5.2, the Heimdall container can no longer start. docker start immediately fails with an OCI runtime error complaining it cannot open net.ipv4.ip_unprivileged_port_start because of a permission denial. The same happens with a plain docker run alpine, so it is blocking all containers in that environment. Downgrading Docker back to 27.3.1 makes Heimdall start normally again.

Environment

  • Heimdall image: linuxserver/heimdall:latest (LSIO version v2.7.6-ls324)
  • Docker Engine: 28.5.2 (client/server), containerd 1.7.29, runc v1.3.3
  • Host OS: Proxmox VE 8.4.14 (kernel 6.8.8-2-pve)
  • Container OS: Debian GNU/Linux 12 (bookworm) running inside an unprivileged LXC with nesting=1
  • Compose snippet:

```yaml
services:
  heimdall:
    image: linuxserver/heimdall:latest
    container_name: heimdall
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Kolkata
    volumes:
      - heimdall_data:/config
    ports:
      - 80:80
    restart: unless-stopped

volumes:
  heimdall_data:
```

Steps to reproduce

  1. In a Proxmox unprivileged LXC (Debian 12) install Docker Engine 28.5.2 from Docker’s apt repo.
  2. Deploy Heimdall via compose (docker compose up -d).
  3. Observe the container failing to start.

Expected behavior

Heimdall container should start and expose its web UI on port 80 as with Docker 27.x.

Actual behavior

Container startup fails immediately:

Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown

Additional context

This seems related to a Docker Engine change in 28.x where it tries to modify net.ipv4.ip_unprivileged_port_start on container boot. That sysctl is read-only inside an unprivileged LXC, causing the hard failure. Downgrading Docker and containerd to (27.3.1 / 1.7.18) restores functionality. Reporting here in case the Heimdall docs need a note for Proxmox users, or if there’s a recommended workaround other than pinning Docker < 28.

ajax1337 · Nov 09 '25 09:11

Temp Fix

Fixed it by rolling Docker back to a version that doesn’t hit the Proxmox LXC restriction:

Inside container 105, downgraded docker-ce, docker-ce-cli, docker-ce-rootless-extras to 5:27.3.1-1~debian.12~bookworm and containerd.io to 1.7.18-1, then apt-mark hold … so they stay pinned. Restarted Docker; Heimdall and Portainer containers started cleanly afterward.

By removing Docker 28.x, I avoid its new attempt to rewrite net.ipv4.ip_unprivileged_port_start, so the LXC now allows containers to launch normally.

ajax1337 · Nov 09 '25 09:11
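As an added diagnostic for the failure described in the issue body and the version pin applied in the temp fix above (my own script, not code from the reporter, the Heimdall project, linuxserver.io or Docker), the following POSIX sh checks the three conditions the thread turns on: whether the runc error text is the ip_unprivileged_port_start one quoted in the issue, whether the running Docker Engine is 28.x or newer, and whether the sysctl file Docker 28.x rewrites at container start is actually writable in this environment. The writability probe writes the file's current value back to itself, which is a no-op on a host where it is writable and fails with a permission error inside an unprivileged LXC. The function names and the sample error string are my own constructions taken from the issue text; the apt-mark check assumes the packages were held as the reporter describes.

```shell
#!/bin/sh
# Added diagnostic script (not part of Heimdall or Docker). Constants and
# messages are taken from the issue; function names are my own.

SYSCTL_FILE=/proc/sys/net/ipv4/ip_unprivileged_port_start

# Return 0 when a daemon/runc error string is the failure reported in this issue.
matches_issue_error() {
    printf '%s\n' "$1" |
        grep -q 'open sysctl net\.ipv4\.ip_unprivileged_port_start file.*permission denied'
}

# Return 0 when a Docker Engine version string (e.g. 28.5.2) is 28.x or newer,
# i.e. a release line the reporter found affected.
docker_is_28_or_newer() {
    major=${1%%.*}
    [ "$major" -ge 28 ] 2>/dev/null
}

# Return 0 when the sysctl can be written here. Writing the current value back
# changes nothing on a normal host but returns EACCES/EROFS in an unprivileged
# LXC, the condition that makes `runc create` fail on Docker 28.x.
# Returns 2 when the file is absent or unreadable, so no judgement is possible.
probe_sysctl_writable() {
    f="${1:-$SYSCTL_FILE}"
    [ -r "$f" ] || return 2
    cur=$(cat "$f") || return 2
    printf '%s\n' "$cur" > "$f" 2>/dev/null
}

# Return 0 when the Docker packages from the temp fix are on apt hold
# (assumes apt-mark is available; skipped otherwise).
pins_held() {
    command -v apt-mark >/dev/null 2>&1 || return 2
    held=$(apt-mark showhold 2>/dev/null)
    for pkg in docker-ce docker-ce-cli containerd.io; do
        printf '%s\n' "$held" | grep -qx "$pkg" || return 1
    done
    return 0
}

# Constructed sample: the exact error quoted in the issue body.
SAMPLE_ERROR='Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown'

main() {
    if matches_issue_error "$SAMPLE_ERROR"; then
        echo "sample error text matches the ip_unprivileged_port_start failure"
    fi

    if command -v docker >/dev/null 2>&1; then
        ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
        if [ -n "$ver" ] && docker_is_28_or_newer "$ver"; then
            echo "Docker Engine $ver is 28.x or newer (affected line per this issue)"
        elif [ -n "$ver" ]; then
            echo "Docker Engine $ver is older than 28 (reporter's working line)"
        fi
    fi

    if probe_sysctl_writable; then
        echo "$SYSCTL_FILE is writable: the reported failure should not occur here"
    else
        echo "$SYSCTL_FILE is not writable here: Docker 28.x container start fails as in this issue"
    fi

    if pins_held; then
        echo "docker-ce, docker-ce-cli and containerd.io are on apt hold"
    fi
}

main "$@"
```

Run it as root inside the LXC where Docker is installed; on a standard VM the sysctl probe reports writable, which is the quickest way to confirm that the environment, not the Heimdall image, is what differs.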

We do not support/recommend using Docker within an LXC container, nor do the Proxmox devs. The recommendation is using a standard VM.

j0nnymoe · Nov 09 '25 09:11

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

LinuxServer-CI · Dec 09 '25 15:12