Rancher (docker) not honoring sysctl settings


(Hmmmm: this seems somewhat related to this topic.)

I just wanted to spin up a quick Rancher server through Docker, however the container ignores my current net.netfilter.nf_conntrack_max setting which is currently set to 524288 (net.netfilter.nf_conntrack_max = 524288). The “closing” log lines look like:

I0830 07:20:54.939399      31 node.go:136] Successfully retrieved node IP:
I0830 07:20:54.939433      31 server_others.go:143] kube-proxy node IP is an IPv4 address (, assume IPv4 operation
I0830 07:20:54.940737      31 server_others.go:186] Using iptables Proxier.
I0830 07:20:54.941232      31 server.go:650] Version: v1.19.8+k3s1
I0830 07:20:54.941806      31 conntrack.go:103] Set sysctl 'net/netfilter/nf_conntrack_max' to 131072
F0830 07:20:54.941829      31 server.go:495] open /proc/sys/net/netfilter/nf_conntrack_max: permission denied
2021/08/30 07:20:54 [FATAL] k3s exited with: exit status 1

The startup command is the “plain vanilla”:

sudo docker run -d --restart=unless-stopped -p 80:80 -p 443:443 --privileged rancher/rancher

OS: Ubuntu 20.04 Desktop (Linux 5.11.0-27-generic #29~20.04.1-Ubuntu SMP)

What am I missing here?