Description
After upgrading Docker inside an unprivileged Proxmox LXC (Debian 12) to Docker Engine 28.5.2, the Heimdall container can no longer start. docker start immediately fails with an OCI runtime error complaining it cannot open net.ipv4.ip_unprivileged_port_start because of a permission denial. The same happens with a plain docker run alpine, so it is blocking all containers in that environment. Downgrading Docker back to 27.3.1 makes Heimdall start normally again.
Environment
- Heimdall image: linuxserver/heimdall:latest (LSIO version v2.7.6-ls324)
- Docker Engine: 28.5.2 (client/server), containerd 1.7.29, runc v1.3.3
- Host OS: Proxmox VE 8.4.14 (kernel 6.8.8-2-pve)
- Container OS: Debian GNU/Linux 12 (bookworm) running inside an unprivileged LXC with nesting=1
- Compose snippet:
services:
  heimdall:
    image: linuxserver/heimdall:latest
    container_name: heimdall
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Kolkata
    volumes:
      - heimdall_data:/config
    ports:
      - 80:80
    restart: unless-stopped
volumes:
  heimdall_data:
Steps to reproduce
1. In a Proxmox unprivileged LXC (Debian 12) install Docker Engine 28.5.2 from Docker’s apt repo.
2. Deploy Heimdall via compose (docker compose up -d).
3. Observe the container failing to start.
Expected behavior
Heimdall container should start and expose its web UI on port 80 as with Docker 27.x.
Actual behavior
Container startup fails immediately:
Error response from daemon: failed to create task for container:
failed to create shim task: OCI runtime create failed: runc create failed:
unable to start container process: error during container init:
open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8:
permission denied: unknown
Additional context
This seems related to a Docker Engine change in 28.x where it tries to modify net.ipv4.ip_unprivileged_port_start on container boot. That sysctl is read-only inside an unprivileged LXC, causing the hard failure. Downgrading Docker and containerd to 27.3.1 / 1.7.18 restores functionality. Reporting here in case the Heimdall docs need a note for Proxmox users, or if there’s a recommended workaround other than pinning Docker < 28.