Docker on Proxmox LXC: What Actually Works (and Why Unprivileged Doesn't)

Docker on Proxmox LXC currently requires a privileged container because of a change in runc 1.2+: in an unprivileged container, Docker fails with an error that it could not create a task for the container. The cause is that runc now unconditionally writes net.ipv4.ip_unprivileged_port_start=0, a sysctl write that requires CAP_NET_ADMIN, and unprivileged LXC containers cannot provide that capability. Running Docker therefore means running a privileged LXC container. This is a real security tradeoff: a full compromise of the container can now escape to root on the host.
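A small pre-flight check that follows from the explanation above, written for this page and not taken from the article, Proxmox or Docker. On the PVE host it parses the container's `pct config` output for the `unprivileged:` line; inside the container it probes whether the exact sysctl runc rewrites can be written at all by writing its current value back (a no-op). The config strings and file path used in the usage example are constructed; the default sysctl path is the real one runc touches.

```shell
#!/bin/sh
# Pre-flight check for Docker inside a Proxmox LXC container (added example).
# Probe 1 (run on the PVE host): is the CT marked unprivileged in its config?
# Probe 2 (run inside the CT): can the sysctl that runc 1.2+ unconditionally
# sets (net.ipv4.ip_unprivileged_port_start) be written? The probe writes the
# current value back, so it does not change the setting.

# ct_is_unprivileged "<config text>": exit 0 if the config has 'unprivileged: 1'.
# On the host: ct_is_unprivileged "$(pct config <vmid>)"
ct_is_unprivileged() {
    printf '%s\n' "$1" | grep -Eq '^unprivileged:[[:space:]]*1[[:space:]]*$'
}

# sysctl_writable [path]: exit 0 if the current value can be re-written.
# Defaults to the sysctl runc needs CAP_NET_ADMIN for; a different path may be
# passed for testing (e.g. a temp file, as in the usage below).
sysctl_writable() {
    _path="${1:-/proc/sys/net/ipv4/ip_unprivileged_port_start}"
    [ -r "$_path" ] || return 1
    _cur=$(cat "$_path") || return 1
    printf '%s\n' "$_cur" > "$_path" 2>/dev/null
}

# docker_preflight "<config text>" [sysctl path]: prints a verdict and exits
# 0 only when both probes indicate runc can do its sysctl write.
docker_preflight() {
    if ct_is_unprivileged "$1"; then
        echo "CT is unprivileged: runc 1.2+ will fail on ip_unprivileged_port_start (needs CAP_NET_ADMIN)"
        return 1
    fi
    if ! sysctl_writable "$2"; then
        echo "sysctl not writable from inside the CT: docker will fail to create the task"
        return 1
    fi
    echo "privileged CT and sysctl writable: docker should start (container escape now reaches host root)"
}
```

Run `docker_preflight "$(pct config <vmid>)"` on the host to decide before installing Docker whether the container will need to be recreated as privileged.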
