Sflow-rt docker fails to start "sysctl "net.ipv4.ip_unprivileged_port_start" not allowed in host network namespace"

[gg]

Hi Peter,

I get this error when starting sflow-rt docker with custom script.

ERROR: for sflow-rt  Cannot start service sflow-rt: OCI runtime create failed: sysctl "net.ipv4.ip_unprivileged_port_start" not allowed in host network namespace: unknown

I'm running it with the same settings on a different machine, with same debian 10 linux and docker version. The only difference seems to be that sflow-rt docker is older there.

I'm using the following settings on both machines (docker-compose):

  sflow-rt:

    container_name: sflow-rt

    image: sflow/sflow-rt

    restart: unless-stopped

    sysctls:

      - net.ipv4.ip_unprivileged_port_start=0

    command: -Dsystem.propertyFiles=/sflow-rt/sflowrt.conf

    volumes:

      - ${PWD}/sflow-rt/flowspectest:/sflow-rt/app/flowspectest

      - ${PWD}/sflow-rt/sflowrt.conf:/sflow-rt/sflowrt.conf

    depends_on:

      - nginx

    network_mode: "host"

sflowrt.conf file:

http.hostname=127.0.0.1

bgp.start=yes

bgp.port=179

it's being run as root on both.

Do you think it could be related to the new sflow-rt docker version or it should be some setting on my environment?

Thank you.

Gaston

[gaston gutierrez]

Hi Peter,

Just found out that containerd installs have different versions, I wonder if they work differently regarding the host network.

containerd containerd.io 1.4.4 05f951a3781f4f2c1911b05e61c160e9c30eaa8e

vs

containerd containerd.io 1.3.7 8fba4e9a7d01810a393d5d25a3621dc101981175

Regards,

Gaston

--
You received this message because you are subscribed to a topic in the Google Groups "sFlow-RT" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/sflow-rt/wZ4HuLGPnAk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to sflow-rt+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sflow-rt/671de684-2d8b-40d7-8bac-8ab983b1e94en%40googlegroups.com.

[gaston gutierrez]

Yes, that was it, not related to the sflow-rt docker version. Sorry.

[Peter Phaal]

I tried the latest version of the sflow/sflow-rt image on a Docker engine version 19.03.8 and it works. I get the same error as you reported on a 20.10.5 version. Let me know if you find a work around that allows privileged ports to be opened on the latest docker engines. I'll post a reply to this thread if I find an answer. Thanks for raising the issue.

[Peter Phaal]

It looks like a change that came in with "Rootless" mode in Docker Engine v20.10: 

https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports

You only need to enable a priviliged port if your router doesn't have the option to use the non-privileged port (1179) that sFlow-RT uses by default.

[gaston gutierrez]

Thank you Peter!

To view this discussion on the web visit https://groups.google.com/d/msgid/sflow-rt/2056ec16-ae9a-4c60-b716-fbf2839e28f1n%40googlegroups.com.

[Peter Phaal]

I just uploaded an new image on docker hub that uses setcap to give the sFlow-RT executable permission to open low numbered ports. If you pull the latest release, you should be able to open port 179 without the sysctl option.