nested docker 28.5.2 unable start containers; net.ipv4.ip_unprivileged_port_start permission denied

[elburb]

Is there an existing issue for this?

• There is no existing issue for this bug

Is this happening on an up to date version of Incus?

• This is happening on a supported version of Incus

Incus system details

Fresh incus install from zabbly sources in to debian trixie
Tested with incus 6.16 and latest 6.18

Instance details

fresh debian/trixie container with security.nesting enabled
also tested with ext4 and zfs.block filesystems

# incus launch images:debian/13/amd64 docker-test -c security.nesting=true

# incus config show docker-test
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian trixie amd64 (20251105_05:24)
  image.os: Debian
  image.release: trixie
  image.serial: "20251105_05:24"
  image.type: squashfs
  image.variant: default
  security.nesting: "true"
  volatile.base_image: 8b7ffaf176b50c50ce2f0d80dac321690b08fe28512dcd788717f7eaf8576ce1
  volatile.bdn42-tier2.host_name: veth6b9e339f
  volatile.bdn42-tier2.hwaddr: 10:66:6a:6a:35:bf
  volatile.bdn42-tier2.name: eth0
  volatile.cloud-init.instance-id: b8394c57-ee98-4e1a-94e2-18b99b198caa
  volatile.idmap.base: "1196608"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1196608,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":1196608,"Nsid":0,"Maprange":65536},{"Isuid":true,"Isgid":true,"Hostid":80000,"Nsid":80000,"Maprange":20000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1196608,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":1196608,"Nsid":0,"Maprange":65536},{"Isuid":true,"Isgid":true,"Hostid":80000,"Nsid":80000,"Maprange":20000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: b13706af-53f7-4cee-a7bf-249651927703
  volatile.uuid.generation: b13706af-53f7-4cee-a7bf-249651927703
devices:
  eth0
    nictype: bridged
    parent: incusbr0
    type: nic
ephemeral: false
profiles:
- default
stateful: false
description: ""

Instance log

No log output produced

Current behavior

The latest version of docker (28.5.2) fails to run containers when nested inside an incus debian/trixie container.
The specific error is:

error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown

This is consistent when trying different (docker) containers

Whilst I don't think this is an issue introduced in incus, the issue appears to be based on docker rather than incus version, nested docker should be able to run.

Install docker-ce from docker sources:

apt install curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo   "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list
apt update
apt install docker-ce docker-ce-cli

Check version

# docker version
Client: Docker Engine - Community
 Version:           28.5.2
 API version:       1.51
 Go version:        go1.25.3
 Git commit:        ecc6942
 Built:             Wed Nov  5 14:43:33 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          28.5.2
  API version:      1.51 (minimum version 1.24)
  Go version:       go1.25.3
  Git commit:       89c5e8f
  Built:            Wed Nov  5 14:43:33 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.7.28
  GitCommit:        b98a3aace656320842a23f4a392a33f46af97866
 runc:
  Version:          1.3.3
  GitCommit:        v1.3.3-0-gd842d771
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Attempt to run a container

# docker run hello-world
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown

Run 'docker run --help' for more information

Expected behavior

The latest version of docker prior to 28.5.2 I have able to test is 28.4.0 and this works and is able to run containers without problems.

Steps to reproduce

As noted in current behaviour

This is a major bug. But it doesn't seem to be caused by the latest docker version, because downgrading to docker-1:28.5.1-1 does not fix the issue. For me it seemed to have happened when upgrading to the latest incus package from zabbly repos today.

Edit: Downgrading the incus packages doesn't fix it either, so now I'm really confused.

[elburb]

I was able to test the following combinations:

6.16 + 28.4.0 = working
6.16 + 28.5.2 = broken
6.18 + 28.4.0 = working
6.18 + 28.5.2 = broken

[stgraber]

I've pinged @cyphar who happens to be both an Incus and runc maintainer. There's been a bunch of security work happening over there very recently, I don't know if that's related at all, but the timing is somewhat suspicious.

We definitely didn't make any changes on the Incus side that would affect that as we've not messed with AppArmor policies or the like in quite a while.

@elburb @broizter can you maybe compare the runc --version of working and broken systems?
That may be more relevant here than comparing Docker versions.

[cyphar]

There are some bugs open against Docker about this. I was under the impression this was Proxmox-specific, likely caused by their AppArmor profile. See containerd/containerd#12484 and moby/moby#51405.

The error is coming from the /proc/self/fd/$n reopening code failing with a permission error, which I've never seen before nor does it make sense from a generic VFS perspective. My guess is that it is caused by an AppArmor rule blocking O_WRONLY opens of /proc/self/fd/$n but I'm not convinced -- does AppArmor actually block operations on unattached fsopen(2)s?

I'm looking at this today.

[stgraber]

Right so this fixes it:

diff --git a/internal/server/apparmor/instance_lxc.profile.go b/internal/server/apparmor/instance_lxc.profile.go
index 1270600f29..383e9dd5df 100644
--- a/internal/server/apparmor/instance_lxc.profile.go
+++ b/internal/server/apparmor/instance_lxc.profile.go
@@ -390,7 +390,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   deny /proc/sys/user?*{,/**} wklx,
 
   # Block dangerous paths under /sys
-  deny /sys/[^fdck]*{,/**} wklx,
+  deny /sys/[^fdckn]*{,/**} wklx,
   deny /sys/c[^l]*{,/**} wklx,
   deny /sys/cl[^a]*{,/**} wklx,
   deny /sys/cla[^s]*{,/**} wklx,

Now this is not a good fix AT ALL because it allows writing to /sys/n* but there is no such thing on a normal Linux system. Instead what that rule does is workaround an AppArmor bug where because /proc is a file descriptor, accessing /sys/net/ivp4/ip_unprivileged_port_start is turned into a check for /sys/net/ipv4/ip_unprivileged_port_start...

This ultimately feels like an AppArmor bug/design issue...

[cyphar]

Yeah, see my analysis as well as a test program in containerd/containerd#12484. The core issue is that d_name for detached mounts looks like /<subpath> as if whatever mount is mounted on / which means that <procfs-fd>/sys/foo/bar looks like /sys/foo/bar to AppArmor...