Sflow-rt docker fails to start "sysctl "net.ipv4.ip_unprivileged_port_start" not allowed in host network namespace"


gg

May 6, 2021, 3:06:15 PM
to sFlow-RT
Hi Peter,

I get this error when starting sflow-rt docker with custom script.

ERROR: for sflow-rt  Cannot start service sflow-rt: OCI runtime create failed: sysctl "net.ipv4.ip_unprivileged_port_start" not allowed in host network namespace: unknown

I'm running it with the same settings on a different machine, with same debian 10 linux and docker version. The only difference seems to be that sflow-rt docker is older there.

I'm using the following settings on both machines (docker-compose):

  sflow-rt:
    container_name: sflow-rt
    image: sflow/sflow-rt
    restart: unless-stopped
    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0
    command: -Dsystem.propertyFiles=/sflow-rt/sflowrt.conf
    volumes:
      - ${PWD}/sflow-rt/flowspectest:/sflow-rt/app/flowspectest
      - ${PWD}/sflow-rt/sflowrt.conf:/sflow-rt/sflowrt.conf
    depends_on:
      - nginx
    network_mode: "host"

sflowrt.conf file:

http.hostname=127.0.0.1
bgp.start=yes
bgp.port=179

It's being run as root on both.

Do you think it could be related to the new sflow-rt docker version or it should be some setting on my environment?

Thank you.

Gaston

gaston gutierrez

May 6, 2021, 3:12:20 PM
to sFlow-RT
Hi Peter,

Just found out that containerd installs have different versions, I wonder if they work differently regarding the host network.

containerd containerd.io 1.4.4 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
vs
containerd containerd.io 1.3.7 8fba4e9a7d01810a393d5d25a3621dc101981175

Regards,
Gaston



gaston gutierrez

May 6, 2021, 3:24:53 PM
to sFlow-RT
Yes, that was it, not related to the sflow-rt docker version. Sorry.

Peter Phaal

May 6, 2021, 3:55:05 PM
to sFlow-RT
I tried the latest version of the sflow/sflow-rt image on a Docker engine version 19.03.8 and it works. I get the same error as you reported on a 20.10.5 version. Let me know if you find a work around that allows privileged ports to be opened on the latest docker engines. I'll post a reply to this thread if I find an answer. Thanks for raising the issue.

Peter Phaal

May 6, 2021, 8:38:13 PM
to sFlow-RT
It looks like a change that came in with "Rootless" mode in Docker Engine v20.10: 


You only need to enable a privileged port if your router doesn't have the option to use the non-privileged port (1179) that sFlow-RT uses by default.

gaston gutierrez

May 6, 2021, 9:54:16 PM
to Peter Phaal, sFlow-RT
Thank you Peter!

Peter Phaal

May 7, 2021, 3:06:52 PM
to sFlow-RT
I just uploaded a new image on docker hub that uses setcap to give the sFlow-RT executable permission to open low numbered ports. If you pull the latest release, you should be able to open port 179 without the sysctl option.
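The compose fragment in the first post and the setcap fix in the last reply together illustrate one rule: a net.* sysctl is scoped to a network namespace, so runc refuses to apply it to a container that uses network_mode: host (it would be changing the host's own setting), and the newer engine/containerd combination enforces that check. The script below is an added example, not code from sFlow-RT, Docker or anyone in this thread. It is a small lint over two constructed compose strings: one mirroring the failing service, and one with the sysctl dropped so the image's setcap'd executable (as described in the last reply) is what grants the bind on port 179. It assumes two-space indented YAML like the file quoted above rather than a full YAML parser.

```shell
#!/bin/sh
# Added example for this thread (not sFlow-RT's or Docker's own code): flag
# docker-compose services that combine network_mode: host with a namespaced
# net.* sysctl, the combination runc rejects with
# "not allowed in host network namespace".

# check_compose_text: reads compose YAML on stdin, prints one line per offending
# service, exits 1 if any are found and 0 otherwise. Assumes two-space indented
# YAML like the thread's file; a full YAML parser is deliberately out of scope.
check_compose_text() {
  awk '
    BEGIN { bad = 0 }
    function report() {
      if (svc != "" && host && sysctl != "") {
        printf "%s: sysctls %s cannot be applied with network_mode host\n", svc, sysctl
        bad = 1
      }
    }
    # a service name is a key indented by exactly two spaces
    /^  [A-Za-z0-9_.-]+: *$/ { report(); svc = $1; sub(/:$/, "", svc); host = 0; sysctl = ""; next }
    /^    network_mode:/ && /host/ { host = 1 }
    # list form:    - net.ipv4.foo=0      mapping form:    net.ipv4.foo: 0
    /^      - net\./ { s = $2; sub(/=.*/, "", s); sysctl = (sysctl == "" ? s : sysctl "," s) }
    /^      net\.[^ ]*:/ { s = $1; sub(/:$/, "", s); sysctl = (sysctl == "" ? s : sysctl "," s) }
    END { report(); exit bad }
  '
}

# Constructed sample mirroring the failing service from the first post.
BROKEN_COMPOSE='services:
  sflow-rt:
    container_name: sflow-rt
    image: sflow/sflow-rt
    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0
    network_mode: "host"
  nginx:
    image: nginx
'

# Same service with the sysctl dropped: per the last reply, the newer
# sflow/sflow-rt image grants the executable cap_net_bind_service via setcap,
# so port 179 opens without touching the host-wide sysctl.
FIXED_COMPOSE='services:
  sflow-rt:
    container_name: sflow-rt
    image: sflow/sflow-rt
    network_mode: "host"
'

# run_lint: convenience wrapper that lints a compose string held in a variable.
run_lint() { printf '%s' "$1" | check_compose_text; }

if run_lint "$BROKEN_COMPOSE"; then echo "broken sample: no conflict found (unexpected)"; fi
if run_lint "$FIXED_COMPOSE"; then echo "fixed sample: no conflicting sysctls"; fi
```

Running it prints `sflow-rt: sysctls net.ipv4.ip_unprivileged_port_start cannot be applied with network_mode host` for the first sample and `fixed sample: no conflicting sysctls` for the second. To confirm the capability route on a pulled image, `getcap` (from libcap) on the executable inside the container shows whether cap_net_bind_service is set on the file; that is a per-binary grant, narrower than lowering ip_unprivileged_port_start for every process in the host namespace.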