mirror of
https://github.com/linuxserver/Heimdall.git
synced 2026-03-02 22:56:59 -05:00
Heimdall fails to start on Docker 28.x in Proxmox unprivileged LXC (sysctl net.ipv4.ip_unprivileged_port_start permission denied) #903
Originally created by @ajax1337 on GitHub (Nov 9, 2025).
After upgrading Docker inside an unprivileged Proxmox LXC (Debian 12) to Docker Engine 28.5.2, the Heimdall container can no longer start.
docker start immediately fails with an OCI runtime error complaining it cannot open net.ipv4.ip_unprivileged_port_start because of a permission denial. The same happens with a plain docker run alpine, so it is blocking all containers in that environment. Downgrading Docker back to 27.3.1 makes Heimdall start normally again.

Environment
linuxserver/heimdall:latest (LSIO version v2.7.6-ls324)
nesting=1

    services:
      heimdall:
        image: linuxserver/heimdall:latest
        container_name: heimdall
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=Asia/Kolkata
        volumes:
          - heimdall_data:/config
        ports:
          - 80:80
        restart: unless-stopped
    volumes:
      heimdall_data:

Steps to reproduce
1. In a Proxmox unprivileged LXC (Debian 12) install Docker Engine 28.5.2 from Docker’s apt repo.
2. Deploy Heimdall via compose (docker compose up -d).
3. Observe the container failing to start.

Expected behavior
Heimdall container should start and expose its web UI on port 80 as with Docker 27.x.

Actual behavior
Container startup fails immediately:

    Error response from daemon: failed to create task for container:
    failed to create shim task: OCI runtime create failed: runc create failed:
    unable to start container process: error during container init:
    open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8:
    permission denied: unknown

Additional context
This seems related to a Docker Engine change in 28.x where it tries to modify net.ipv4.ip_unprivileged_port_start on container boot. That sysctl is read-only inside an unprivileged LXC, causing the hard failure. Downgrading Docker and containerd to (27.3.1 / 1.7.18) restores functionality. Reporting here in case the Heimdall docs need a note for Proxmox users, or if there’s a recommended workaround other than pinning Docker < 28.

@ajax1337 commented on GitHub (Nov 9, 2025):
Temp Fix
Fixed it by rolling Docker back to a version that doesn’t hit the Proxmox LXC restriction:
Inside container 105, downgraded docker-ce, docker-ce-cli, docker-ce-rootless-extras to 5:27.3.1-1~debian.12~bookworm and containerd.io to 1.7.18-1, then apt-mark hold … so they stay pinned.
Restarted Docker; Heimdall and Portainer containers started cleanly afterward.
By removing Docker 28.x, I avoid its new attempt to rewrite net.ipv4.ip_unprivileged_port_start, so the LXC now allows containers to launch normally.
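
An added example, not part of the original thread or the Heimdall project: a POSIX shell check that the pin described in the comment above is still in place (all four packages installed and held, no docker-ce* package at major version 28 or later). The function names and finding labels are hypothetical, and the sample package lists are constructed.

```shell
#!/bin/sh
# Added example: audit the package pin described in the comment above.
# Inputs are passed as text so the logic can be tested without a Docker host.

PINNED_PKGS="docker-ce docker-ce-cli docker-ce-rootless-extras containerd.io"

# docker_major VERSION: major number of a Debian version string,
# e.g. "5:27.3.1-1~debian.12~bookworm" -> 27
docker_major() {
    v=${1#*:}                 # drop the epoch ("5:") if present
    printf '%s\n' "${v%%.*}"  # keep everything before the first dot
}

# audit_pin DPKG_LIST HOLD_LIST
#   DPKG_LIST: "package<TAB>version" lines
#   HOLD_LIST: one held package per line (apt-mark showhold format)
# Prints one finding per line; returns 0 only when every package is
# installed and held, and no docker-ce* package is at major 28 or later.
audit_pin() {
    rc=0
    for pkg in $PINNED_PKGS; do
        ver=$(printf '%s\n' "$1" | awk -F'\t' -v p="$pkg" '$1 == p { print $2 }')
        if [ -z "$ver" ]; then
            echo "MISSING $pkg"; rc=1; continue
        fi
        if ! printf '%s\n' "$2" | grep -qxF -- "$pkg"; then
            echo "NOT-HELD $pkg $ver"; rc=1
        fi
        case $pkg in
            docker-ce*)
                if [ "$(docker_major "$ver")" -ge 28 ]; then
                    echo "DOCKER-28+ $pkg $ver"; rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample: docker-ce-cli has lost its hold and moved to 28.5.2.
SAMPLE_DPKG=$(printf '%s\t%s\n' \
    docker-ce '5:27.3.1-1~debian.12~bookworm' \
    docker-ce-cli '5:28.5.2-1~debian.12~bookworm' \
    docker-ce-rootless-extras '5:27.3.1-1~debian.12~bookworm' \
    containerd.io '1.7.18-1')
SAMPLE_HOLD=$(printf '%s\n' docker-ce docker-ce-rootless-extras containerd.io)
audit_pin "$SAMPLE_DPKG" "$SAMPLE_HOLD" || echo "pin drifted"

# On a real host (run as root inside the LXC):
# audit_pin "$(dpkg-query -W -f='${Package}\t${Version}\n' $PINNED_PKGS)" "$(apt-mark showhold)"
```

Held packages also stop receiving security updates through apt, so a check like this is worth pairing with a periodic review of whether the pin is still needed.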
@j0nnymoe commented on GitHub (Nov 9, 2025):
We do not support/recommend using docker within lxc container nor do the proxmox Devs. The recommendation is using a standard VM.
@LinuxServer-CI commented on GitHub (Dec 9, 2025):
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.