Fixing Docker’s “sysctl net.ipv4.ip_unprivileged_port_start” Error in Proxmox LXC Containers

If you’re running Docker inside a Proxmox LXC container, you may have encountered this frustrating error when trying to spin up containers:

Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied

Your Docker image builds successfully, the network gets created, but the container fails to start. Here’s why it happens and how to fix it.

Why This Happens

LXC containers share the host kernel with the Proxmox hypervisor. By default they run in a restricted environment that denies writes to kernel parameters (sysctls). When Docker sets up networking for a container, runc tries to write net.ipv4.ip_unprivileged_port_start inside the new container, and that write is refused: that is the "permission denied" in the error above.

The restriction is a security feature, but it breaks nested containerization out of the box.

The Fix

You need to modify the LXC container’s configuration on the Proxmox host. SSH into your Proxmox server (not the LXC container) and edit the config file:

nano /etc/pve/lxc/<CTID>.conf

Replace <CTID> with your container’s ID (e.g., 100).

Add these lines:

features: nesting=1
lxc.apparmor.profile: unconfined

Save the file and restart the container:

pct restart <CTID>

Now try your docker compose up again—it should work.

What These Options Do

features: nesting=1 enables nested containerization, allowing Docker (or Podman, LXD, etc.) to run inside the LXC container. This is the essential setting for any Docker-in-LXC setup.

lxc.apparmor.profile: unconfined disables AppArmor confinement for the container. It is the blunt option: it resolves the sysctl denial, but it also removes the AppArmor boundary between the container and the host kernel, so isolation is reduced.

A More Targeted Alternative

If you’d rather not disable AppArmor entirely, you can allow just the specific sysctl that Docker needs:

features: nesting=1
lxc.sysctl.net.ipv4.ip_unprivileged_port_start: 0

This sets net.ipv4.ip_unprivileged_port_start to 0 for the container, so unprivileged processes inside it can bind to any port (including the privileged ports below 1024), without exposing any other kernel parameter.

Additional Tips for Docker in Proxmox LXC

  1. Use privileged containers sparingly. While setting unprivileged: 0 in the config solves many permission issues, it significantly reduces security. The nesting and AppArmor approach above is preferable.
  2. Check for keyring issues. If you’re also seeing GPG errors when installing Docker, ensure your apt sources point to a valid keyring:
    install -m 0755 -d /etc/apt/keyrings
    curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
  3. Allocate sufficient resources. Docker workloads inside LXC can be memory-hungry. Make sure your container has adequate RAM and consider enabling swap if needed.
  4. Use the Proxmox web UI. You can also enable nesting via the GUI: select your container → Options → Features → check “Nesting.”

Conclusion

Running Docker inside Proxmox LXC containers is a powerful way to maximize your homelab’s efficiency, but it requires some configuration tweaks. The nesting=1 feature is non-negotiable, and you’ll likely need to relax AppArmor or allow the specific sysctl to get everything running smoothly.

Once configured, you get the best of both worlds: the lightweight resource footprint of LXC with the application portability of Docker.

Running into other Proxmox or Docker issues? Drop a comment below.