Podman: Priviledged port mapping not allowed despite Rootful

[sfleiter]

Hi!

I saw the vind announcement on Reddit and thought it sounded like a great project.

I use Podman 5.7.1 with a Rootful machine instance on a Mac M1.
When creating a first cluster with
vcluster create my-first-cluster

I get the following output:

17:39:18 info Ensuring environment for vCluster my-first-cluster...
17:39:18 info Docker is using the non-containerd image store, please use containerd image store to use the docker daemon registry proxy. For more information, see https://docs.docker.com/engine/storage/containerd/
17:39:21 warn Load balancer type services are not supported inside the vCluster because privileged port mapping is not allowed. If you are using Docker Desktop, please enable it in the Docker Desktop settings

But Podman Machine is rootful:

podman machine inspect --format "{{.Rootful}}"
true

Also I have other containers running using priviledged ports.
Do you have any suggestions what the issue might be?

Thanks!

[FabianKramm]

@sfleiter thanks for creating this issue! Mhh maybe the check we use here doesn't work in podman for some reason, what do you get as an output when running this locally:

docker run -q --rm -p 127.0.0.1:879:80 alpine echo 1

We do this to try if mounting privileged ports are enabled, but if that fails we assume privileged port mapping is not supported.

[sfleiter]

That very much seems to be the cause

❯ > docker run --rm -p 127.0.0.1:879:80 alpine echo 1
unable to upgrade to tcp, received 500
~
❯ > docker run --rm -p 879:80 alpine echo 1
1

[sfleiter]

I created a podman issue for this, but guess this issues does not depend on that being resolved.

[sfleiter]

I tried to build vcluster-cli to check whether things work after removing the IP address in the docker check.
See the changes in my fork here

I failed again.
Do you have any more ideas here?

Output:

❯ > vcluster create my-cluster --debug
14:23:29 info Ensuring environment for vCluster my-cluster...
14:23:29 debug Creating probe network vcluster.my-cluster-probe-1770384209202904000 to discover valid subnet
14:23:29 debug Discovered free subnet: 10.89.6.0/24
14:23:29 debug Running command: docker network create --subnet 10.89.6.0/24 vcluster.my-cluster
14:23:29 done Created network vcluster.my-cluster
14:23:29 info Docker is using the non-containerd image store, please use containerd image store to use the docker daemon registry proxy. For more information, see https://docs.docker.com/engine/storage/containerd/
14:23:32 debug Running command: docker run -q --rm -p 879:80 alpine echo 1
14:23:32 debug Output: 1

14:23:32 warn Load balancer type services are not supported inside the vCluster because this command was executed with insufficient privileges. To enable load balancer type services, run this command with sudo
14:23:32 debug Host DNS server: 192.168.127.1
14:23:33 info Will connect vCluster my-cluster to platform...
14:23:33 debug Running command: docker run -d -h my-cluster --tmpfs /run --tmpfs /tmp --privileged --network vcluster.my-cluster --network-alias my-cluster -e VCLUSTER_NAME=my-cluster -p 12546:8443 --name vcluster.cp.my-cluster -v vcluster.cp.my-cluster.etc:/etc -v vcluster.cp.my-cluster.bin:/usr/local/bin -v vcluster.cp.my-cluster.cni-bin:/opt/cni/bin -v vcluster.cp.my-cluster.var:/var --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/kubernetes/v1.34.0/etcd,dst=/var/lib/vcluster/bin/etcd,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/kubernetes/v1.34.0/etcdctl,dst=/var/lib/vcluster/bin/etcdctl,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/kubernetes/v1.34.0/helm,dst=/var/lib/vcluster/bin/helm,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/kubernetes/v1.34.0/kine,dst=/var/lib/vcluster/bin/kine,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/kubernetes/v1.34.0/konnectivity-server,dst=/var/lib/vcluster/bin/konnectivity-server,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/kubernetes/v1.34.0/kube-apiserver,dst=/var/lib/vcluster/bin/kube-apiserver,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/kubernetes/v1.34.0/kube-controller-manager,dst=/var/lib/vcluster/bin/kube-controller-manager,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/kubernetes/v1.34.0/kube-scheduler,dst=/var/lib/vcluster/bin/kube-scheduler,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/kubernetes/v1.34.0/kubernetes-v1.34.0-amd64.tar.gz,dst=/var/lib/vcluster/bin/kubernetes-v1.34.0-amd64.tar.gz,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/kubernetes/v1.34.0/kubernetes-v1.34.0-arm64.tar.gz,dst=/var/lib/vcluster/bin/kubernetes-v1.34.0-arm64.tar.gz,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/vcluster/0.32.0-next.0/vcluster,dst=/var/lib/vcluster/bin/vcluster,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/vclusters/my-cluster/vcluster.yaml,dst=/etc/vcluster/vcluster.yaml,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/vclusters/my-cluster/k8s-resolv.conf,dst=/etc/k8s-resolv.conf,ro --mount type=bind,src=/Users/stefanfleiter/.vcluster/docker/vclusters/my-cluster/kubelet.env,dst=/etc/vcluster/vcluster-flags.env,ro ghcr.io/loft-sh/vm-container
14:23:33 info Starting vCluster standalone my-cluster
14:23:33 debug Running command: docker exec vcluster.cp.my-cluster bash -c set -e -o pipefail; mount --make-rshared /; curl -sfLk "https://github.com/loft-sh/vcluster/releases/download/v0.32.0-next.0/install-standalone.sh" | sh -s -- --skip-download --skip-wait --vcluster-name my-cluster --join-token lzrbpfsplqgjfopguhbogwagumypapdzikjepmayjzzxwxuhcpddpafwbtzqmnbg --platform-access-key uShYMgjOuCnu1z8otvGIJ0aOhTx6GWYEOmCd5TM8rPFPyig9qD5TTFu647dREwQO --platform-host lna34gx.loft.host --platform-insecure --platform-project default --platform-instance-name my-cluster
14:23:34 debug Output: 🔄 Setting up persistent logging...
✅ systemd-journald restarted.
🔄 Creating vCluster systemd service...
🔄 Creating systemd service file /etc/systemd/system/vcluster.service
✅ vcluster.service created.
🔄 Starting vcluster.service...
Created symlink /etc/systemd/system/multi-user.target.wants/vcluster.service → /etc/systemd/system/vcluster.service.
✅ Successfully started vcluster.service

14:23:34 done Successfully created virtual cluster my-cluster
14:23:34 info Finding docker container vcluster.cp.my-cluster...
14:23:34 debug Found exposed port 12546 for vcluster container vcluster.cp.my-cluster
14:23:34 info Waiting for vCluster kubeconfig to be available...
14:23:34 debug Kubeconfig not yet available: exit status 1
14:23:36 debug Kubeconfig not yet available: exit status 1
14:23:38 debug Kubeconfig not yet available: exit status 1
14:23:40 debug Kubeconfig not yet available: exit status 1
14:23:42 debug Kubeconfig not yet available: exit status 1
14:23:45 fatal failed to get kubeconfig: timeout waiting for kubeconfig: vCluster failed: Feb 06 13:23:34 my-cluster systemd[1]: Starting vcluster.service - vcluster...
Feb 06 13:23:34 my-cluster vcluster[178]: 13:23:34 info vCluster version: 0.32.0-next.0
Feb 06 13:23:34 my-cluster systemd[1]: Started vcluster.service - vcluster.
Feb 06 13:23:34 my-cluster vcluster[178]: 2026-02-06 13:23:34        INFO        config/config.go:56        Reading vcluster.yaml config from        {"component": "vcluster", "path": "/etc/vcluster/vcluster.yaml"}
Feb 06 13:23:34 my-cluster vcluster[178]: 2026-02-06 13:23:34        ERROR        cmd/root.go:59        error        {"component": "vcluster", "error": "parse vCluster config: error unmarshaling JSON: while decoding JSON: json: unknown field \"docker\""}
Feb 06 13:23:34 my-cluster vcluster[178]: 2026-02-06 13:23:34        INFO        osutil/interrupt_unix.go:70        running interrupt handlers        {"component": "vcluster"}
Feb 06 13:23:34 my-cluster systemd[1]: vcluster.service: Main process exited, code=exited, status=1/FAILURE
Feb 06 13:23:34 my-cluster systemd[1]: vcluster.service: Failed with result 'exit-code'.
Feb 06 13:23:39 my-cluster systemd[1]: vcluster.service: Scheduled restart job, restart counter is at 1.
Feb 06 13:23:39 my-cluster systemd[1]: Starting vcluster.service - vcluster...
Feb 06 13:23:39 my-cluster vcluster[191]: 13:23:39 info vCluster version: 0.32.0-next.0
Feb 06 13:23:39 my-cluster systemd[1]: Started vcluster.service - vcluster.
Feb 06 13:23:39 my-cluster vcluster[191]: 2026-02-06 13:23:39        INFO        config/config.go:56        Reading vcluster.yaml config from        {"component": "vcluster", "path": "/etc/vcluster/vcluster.yaml"}
Feb 06 13:23:39 my-cluster vcluster[191]: 2026-02-06 13:23:39        ERROR        cmd/root.go:59        error        {"component": "vcluster", "error": "parse vCluster config: error unmarshaling JSON: while decoding JSON: json: unknown field \"docker\""}
Feb 06 13:23:39 my-cluster vcluster[191]: 2026-02-06 13:23:39        INFO        osutil/interrupt_unix.go:70        running interrupt handlers        {"component": "vcluster"}
Feb 06 13:23:39 my-cluster systemd[1]: vcluster.service: Main process exited, code=exited, status=1/FAILURE
Feb 06 13:23:39 my-cluster systemd[1]: vcluster.service: Failed with result 'exit-code'.
.
vCluster failed to start, please check the logs above for more information (last error: exit status 1)