updated defaulting logic, documentation, and added integration tests

yashkukrecha · yashkukrecha · commit 9d214b155d08 · 2025-11-26T16:27:31.000-06:00
diff --git a/cmd/nerdctl/container/container_run_runtime_linux_test.go b/cmd/nerdctl/container/container_run_runtime_linux_test.go
@@ -27,3 +27,31 @@ func TestRunSysctl(t *testing.T) {
 	base := testutil.NewBase(t)
 	base.Cmd("run", "--rm", "--sysctl", "net.ipv4.ip_forward=1", testutil.AlpineImage, "cat", "/proc/sys/net/ipv4/ip_forward").AssertOutExactly("1\n")
 }
+
+func TestRunSysctl_DefaultUnprivilegedPortStart(t *testing.T) {
+	t.Parallel()
+	base := testutil.NewBase(t)
+
+	// No --sysctl flags, default network mode (non-host).
+	// We expect net.ipv4.ip_unprivileged_port_start=0 inside the container,
+	// because withDefaultUnprivilegedPortSysctl should apply the default.
+	base.Cmd(
+		"run", "--rm",
+		testutil.AlpineImage,
+		"cat", "/proc/sys/net/ipv4/ip_unprivileged_port_start",
+	).AssertOutExactly("0\n")
+}
+
+func TestRunSysctl_UnprivilegedPortStartOverride(t *testing.T) {
+	t.Parallel()
+	base := testutil.NewBase(t)
+
+	// User explicitly sets net.ipv4.ip_unprivileged_port_start=1000.
+	// We must NOT override this; the container should see "1000".
+	base.Cmd(
+		"run", "--rm",
+		"--sysctl", "net.ipv4.ip_unprivileged_port_start=1000",
+		testutil.AlpineImage,
+		"cat", "/proc/sys/net/ipv4/ip_unprivileged_port_start",
+	).AssertOutExactly("1000\n")
+}
diff --git a/docs/faq.md b/docs/faq.md
@@ -322,8 +322,6 @@ Set sysctl value `net.ipv4.ip_unprivileged_port_start=0` .
 
 See https://rootlesscontaine.rs/getting-started/common/sysctl/#optional-allowing-listening-on-tcp--udp-ports-below-1024
 
-`nerdctl` now defaults `net.ipv4.ip_unprivileged_port_start=0` inside the container unless you override it with `--sysctl`. This does not change the host-side sysctl, which may still need to be configured for rootless port publishing.
-
 ### Can't ping
 
 Set sysctl value `net.ipv4.ping_group_range=0 2147483647` .
diff --git a/pkg/cmd/container/create.go b/pkg/cmd/container/create.go
@@ -29,6 +29,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"slices"
 
 	dockercliopts "github.com/docker/cli/opts"
 	"github.com/opencontainers/runtime-spec/specs-go"
@@ -331,7 +332,7 @@ func Create(ctx context.Context, client *containerd.Client, args []string, netMa
 	opts = append(opts, umaskOpts...)
 
 	if !isHostNetwork(netLabelOpts) {
-		opts = append(opts, withDefaultUnprivilegedPortSysctl(options.Sysctl))
+		opts = append(opts, withDefaultUnprivilegedPortSysctl())
 	}
 
 	rtCOpts, err := generateRuntimeCOpts(options.GOptions.CgroupManager, options.Runtime)
@@ -568,37 +569,28 @@ func GenerateLogURI(dataStore string) (*url.URL, error) {
 }
 
 func isHostNetwork(netOpts types.NetworkOptions) bool {
-	for _, n := range netOpts.NetworkSlice {
-		if n == "host" {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(netOpts.NetworkSlice, "host")
 }
 
-func withDefaultUnprivilegedPortSysctl(sysctls []string) oci.SpecOpts {
-	const key = "net.ipv4.ip_unprivileged_port_start"
-	for _, kv := range sysctls {
-		if strings.HasPrefix(kv, key) {
-			return func(_ context.Context, _ oci.Client, _ *containers.Container, _ *oci.Spec) error {
-				return nil
-			}
-		}
-	}
-
-	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
-		if s.Linux == nil {
-			return nil
-		}
-		if s.Linux.Sysctl == nil {
-			s.Linux.Sysctl = make(map[string]string)
-		}
-
-		if _, exists := s.Linux.Sysctl[key]; !exists {
-			s.Linux.Sysctl[key] = "0"
-		}
-		return nil
-	}
+// NOTE: withDefaultUnprivilegedPortSysctl ensures that containers can bind to
+// privileged ports (<1024) without requiring CAP_NET_BIND_SERVICE inside
+// the container by defaulting net.ipv4.ip_unprivileged_port_start to 0
+// in the container's network namespace.
+func withDefaultUnprivilegedPortSysctl() oci.SpecOpts {
+    const key = "net.ipv4.ip_unprivileged_port_start"
+    return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+        if s.Linux == nil {
+            s.Linux = &specs.Linux{}
+        }
+        if s.Linux.Sysctl == nil {
+            s.Linux.Sysctl = make(map[string]string)
+        }
+
+        if _, exists := s.Linux.Sysctl[key]; !exists {
+            s.Linux.Sysctl[key] = "0"
+        }
+        return nil
+    }
 }
 
 func withNerdctlOCIHook(cmd string, args []string) (oci.SpecOpts, error) {
diff --git a/pkg/cmd/container/create_unprivileged_sysctl_test.go b/pkg/cmd/container/create_unprivileged_sysctl_test.go
