Unable to set ephemeral port range in Dockerfile

[t-bzhan]

There seem to be some issues with setting the ephemeral port range in a Dockerfile for a Windows container.

Using the Dockerfile below:

# Use the Windows Server Core image
FROM mcr.microsoft.com/windows/servercore:ltsc2022

# Run the netsh command to set the dynamic port range
RUN netsh int ipv4 set dynamicport tcp start=1025 num=64511

CMD ["cmd.exe"]

Below is my docker build output:

λ docker build . -t portchange:1.0
Sending build context to Docker daemon  2.048kB
Step 1/3 : FROM mcr.microsoft.com/windows/servercore:ltsc2022
ltsc2022: Pulling from windows/servercore
2c91985a0408: Pull complete
166fe75ceb2a: Pull complete
Digest: sha256:cd409960f9b87fcc02e1c236fea3852e1323ffb16d9522bf693330ebf878f5c0
Status: Downloaded newer image for mcr.microsoft.com/windows/servercore:ltsc2022
 ---> 16f22363f4ac
Step 2/3 : RUN netsh int ipv4 set dynamicport tcp start=1025 num=64511
 ---> Running in 60be39df2c67
Ok.

 ---> Removed intermediate container 60be39df2c67
 ---> d83c6c98ad8e
Step 3/3 : CMD ["cmd.exe"]
 ---> Running in 4031d7193cda
 ---> Removed intermediate container 4031d7193cda
 ---> 7a6cbff3611a
Successfully built 7a6cbff3611a
Successfully tagged portchange:1.0

The netsh command does not appear to persist. If I run a container with the image, netsh int ipv4 show dynamicport tcp still shows the unchanged value. However, if I manually run the command in the container, it works as expected.

Is this a known limitation in Windows containers?

[github-actions]

Thank you for creating an Issue. Please note that GitHub is not an official channel for Microsoft support requests. To create an official support request, please open a ticket here. Microsoft and the GitHub Community strive to provide a best effort in answering questions and supporting Issues on GitHub.

[t-bzhan]

One more thing: even though I set the ephemeral port range in the container, it still seems to be using the default port range. Does this mean the setting is not available in Windows containers, or is it just a red herring?

[ntrappe-msft]

Hi @t-bzhan thanks for your question. There's a few things to unpack here.

First, I was able to reproduce your Issue. It is possible to set the ephemeral port range in a running container but not via a Dockerfile. This is likely by design. Some changes (e.g., setting port ranges) may not persist into the final runtime container unless they are set in the same layer in which you'll be using it. (I'm double-checking with networking to confirm that this is true.)

Second, netsh int ipv4 show dynamicport tcp displays the configured ephemeral port range (which ports Windows will use when assigning dynamic TCP ports). It's considered the "gold standard" and what you should use to check if setting ports worked. (So good on you for using it).

Third, netstat -ano | findstr /si /c:”TCP” displays active TCP connections (which ports are currently being used. As long as you're seeing a port within your new range (1025 to 65535-ish), that confirms ephemeral allocation is happening. Sometimes, you may see ports in the "old" range so you should make new outbound connections (e.g., curl google.com) to confirm.

[ntrappe-msft]

Ok, confirmed with networking that this is by design. I have an alternative option for you. If you modify your Dockerfile to include the following script, it'll run when the container starts up and set the ephemeral port range.

Filename: SetDynamicPorts.ps1
Create this in the same folder as your Dockerfile.

Write-Host "Setting ephemeral port range start=1025 num=64511..."
netsh int ipv4 set dynamicport tcp start=1025 num=64511

Write-Host "`nVerifying new ephemeral port range..."
netsh int ipv4 show dynamicport tcp

Write-Host "`nExpected: Start Port = 1025, Number of Ports = 64511"
Write-Host "If the above output matches, then the setting was successful."

Filename: Dockerfile
Your modified Dockerfile.

# escape=`
FROM mcr.microsoft.com/windows/servercore:ltsc2022

# Use PowerShell for our shell to make commands cleaner
SHELL ["powershell", "-NoProfile", "-Command", "$ErrorActionPreference = 'Stop';"]

# Copy the script into the container
COPY SetDynamicPorts.ps1 C:\\Scripts\\SetDynamicPorts.ps1

# Set the container entrypoint to run our script
ENTRYPOINT ["powershell.exe", "-NoProfile", "-File", "C:\\Scripts\\SetDynamicPorts.ps1"]

When you start up the container built from this image, you should now see:

[ntrappe-msft]

@t-bzhan does this workaround work for you? If so, I'll close the Issue.