Docker permission denied error: how to fix it
How to fix the Docker permission denied error on sysctl net.ipv4.ip_unprivileged_port_start caused by containerd.
When starting Docker containers on recent Linux systems, you may encounter a critical error that completely prevents containers from running.
This issue is especially tricky because it is not related to container configuration, but to a compatibility issue between Docker and containerd.
The typical error looks like this:
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown
In this article, you will learn why this happens and how to permanently fix it on Ubuntu, Debian, and Proxmox (Debian CTs).
The root cause is a containerd version that is incompatible with the installed Docker runtime.
Some newer containerd releases introduced changes in sysctl handling, resulting in a permission denied error during container initialization.
This issue cannot be fixed by changing permissions, sysctl values, or Dockerfiles.
The correct solution is to downgrade containerd to a stable and known working version.
The verified working version is: containerd.io 1.7.28
On Ubuntu, explicitly install the correct containerd version:
sudo apt update
sudo apt install --allow-downgrades containerd.io=1.7.28-1~ubuntu.25.04~plucky
Then restart Docker:
sudo systemctl restart docker
On Debian Bookworm, run:
sudo apt update
sudo apt install containerd.io=1.7.28-1~debian.12~bookworm
Restart Docker afterward:
sudo systemctl restart docker
If you are using Proxmox VE with Debian-based LXC containers, the issue behaves exactly the same.
For Proxmox Debian CT users, the fix is identical to standard Debian.
Inside the Debian container, run:
apt update
apt install containerd.io=1.7.28-1~debian.12~bookworm
No changes are required on the Proxmox host.
To confirm everything works correctly:
docker run --rm hello-world
If the container starts successfully, the issue is resolved.
This Docker error may look complex, but the cause is clear: a containerd compatibility regression. By pinning containerd 1.7.28, you can immediately restore Docker functionality on Ubuntu, Debian, and Proxmox.
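The install commands above select a version but do not stop a later upgrade from replacing it. The following script is an added example, not part of the original article: it recognises the error signature quoted earlier and reports whether containerd.io is at the article's version and held. It assumes that "pinning" is done with apt-mark hold, which the article does not specify; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. WANT_PREFIX is the article's version;
# the distro suffix after "1~" differs between Ubuntu and Debian.
WANT_PREFIX='1.7.28-1~'

# Return 0 if the text carries the runc sysctl error signature quoted above.
is_sysctl_error() {
    printf '%s\n' "$1" |
        grep -q 'open sysctl net\.ipv4\.ip_unprivileged_port_start file: .*permission denied'
}

# pin_status INSTALLED_VERSION HELD_PACKAGES prints one of:
#   ok             wanted version installed and package held
#   unheld         wanted version installed, but an upgrade can replace it
#   wrong-version  some other containerd.io version (or none) is installed
pin_status() {
    case "$1" in
        "$WANT_PREFIX"*) ;;
        *) echo wrong-version; return 0 ;;
    esac
    if printf '%s\n' "$2" | grep -qxF 'containerd.io'; then
        echo ok
    else
        echo unheld
    fi
}

# On a real host: read the installed version and the hold list, then classify.
# Fix "unheld" with: sudo apt-mark hold containerd.io
check_host() {
    installed=$(dpkg-query -W -f='${Version}' containerd.io 2>/dev/null) || installed=''
    held=$(apt-mark showhold 2>/dev/null) || held=''
    pin_status "$installed" "$held"
}

# Constructed sample inputs (not output captured from a real system).
sample_err='error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown'
is_sysctl_error "$sample_err" && echo "signature matched"
echo "downgraded, not held: $(pin_status '1.7.28-1~debian.12~bookworm' '')"
echo "downgraded and held:  $(pin_status '1.7.28-1~debian.12~bookworm' 'containerd.io')"
echo "after an upgrade:     $(pin_status '9.9.9-1~debian.12~bookworm' 'containerd.io')"
```

Call check_host on the affected machine to classify its real state. A hold also blocks later containerd.io updates, security fixes included, until it is lifted with apt-mark unhold.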