
LXC

docker inside unprivileged LXC

Proxmox recommends running Docker inside a VM rather than in an LXC container. The notes below are for the case where you want it in an unprivileged container anyway.

From the documentation: https://pve.proxmox.com/wiki/Linux_Container#pct_configuration

  • edit the LXC container config /etc/pve/local/lxc/<container_id>.conf and add:
features: keyctl=1,nesting=1
  • stop/start the LXC container
  • docker run hello-world

issue

hello-world runs, but in the unprivileged container Docker falls back to the vfs storage driver:

docker info
...
 Server Version: 19.03.8
 Storage Driver: vfs
...

vfs keeps a full copy of every image layer instead of a union mount, so pulls are slow and disk usage grows with every layer. Docker ends up with vfs because the container's AppArmor profile (lxc-container-default-with-nesting) does not allow mounting aufs or overlay filesystems.

When the same container is restarted as a privileged container, Docker picks a union driver:

docker info
...
 Storage Driver: aufs
  Root Dir: /var/lib/docker/aufs
  Backing Filesystem: zfs
  Dirs: 0
  Dirperm1 Supported: true
...

Solution:

cp /etc/apparmor.d/lxc/lxc-default-with-nesting /etc/apparmor.d/lxc/lxc-default-with-nesting-docker

Edit the new file: rename the profile and add mount permissions for the two storage-driver filesystems (the last two mount lines are the only change against the stock profile):

<file - /etc/apparmor.d/lxc/lxc-default-with-nesting-docker>
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nesting-docker flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
  mount fstype=aufs,
  mount fstype=overlay,
}
</file>

Note that these two rules have no destination path, so the container may mount aufs/overlay anywhere inside its mount namespace. That is a deliberate loosening of the nesting profile; keep it as a separate profile and assign it only to containers that actually run Docker, so the stock profile stays in place for everything else. aufs has since been deprecated by Docker (overlay2 is the default driver), so the overlay rule is the one that matters on current releases.

Reload the profiles (the lxc-containers profile sources everything under /etc/apparmor.d/lxc, including the new file) and check that the kernel knows the new profile:

systemctl reload apparmor
aa-status | grep nesting-docker

Edit /etc/pve/lxc/${container_id}.conf and append this line:

<file - /etc/pve/lxc/${container_id}.conf>
lxc.apparmor.profile: lxc-container-default-with-nesting-docker
</file>

Stop and start the container, then run docker info again: the Storage Driver line should no longer say vfs.
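The same procedure as a script, added here as an example and not code from the wiki page or from Proxmox. It derives the docker profile from the stock nesting profile with awk instead of a manual edit, appends the lxc.apparmor.profile line only once, and checks saved docker info output for the vfs fallback. It takes a root directory so it can be rehearsed against a scratch tree (the sample profile, container configs and docker info text below are constructed for that rehearsal); the function names and the ROOT variable are mine, the file layout, profile names and mount rules are the page's.

```shell
#!/bin/sh
# Added example (not from the wiki page or Proxmox): scripted, idempotent
# version of the "Solution" steps. Assumes the layout shown on the page:
# /etc/apparmor.d/lxc/<profile> and /etc/pve/lxc/<id>.conf under $ROOT.
set -eu

PROFILE_SRC_NAME=lxc-default-with-nesting
PROFILE_DST_NAME=lxc-default-with-nesting-docker
APPARMOR_LINE='lxc.apparmor.profile: lxc-container-default-with-nesting-docker'

# derive_docker_profile SRC DST
# Copy the stock nesting profile, rename the profile and insert the two
# storage-driver mount rules just before the closing brace; nothing else changes.
derive_docker_profile() {
  awk '
    /^profile lxc-container-default-with-nesting / {
      sub(/lxc-container-default-with-nesting /, "lxc-container-default-with-nesting-docker ")
    }
    /^}/ { print "  mount fstype=aufs,"; print "  mount fstype=overlay," }
    { print }
  ' "$1" > "$2"
}

# select_profile CONF
# Append the lxc.apparmor.profile line once; running it again is a no-op.
# Returns 2 without touching the file if the container lacks nesting=1,
# because the docker profile is derived from the nesting one.
select_profile() {
  conf=$1
  grep -q '^features:.*nesting=1' "$conf" || return 2
  grep -qxF "$APPARMOR_LINE" "$conf" || printf '%s\n' "$APPARMOR_LINE" >> "$conf"
}

# storage_driver INFO_FILE
# Extract the "Storage Driver:" value from saved `docker info` output.
storage_driver() {
  sed -n 's/^ *Storage Driver: *//p' "$1"
}

# driver_ok INFO_FILE
# vfs means the AppArmor profile is still denying aufs/overlay mounts.
driver_ok() {
  [ "$(storage_driver "$1")" != vfs ]
}

# --- rehearsal on a constructed scratch tree (sample data, not from a host) ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/apparmor.d/lxc" "$ROOT/etc/pve/lxc"
cat > "$ROOT/etc/apparmor.d/lxc/$PROFILE_SRC_NAME" <<'EOF'
profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>
  mount options=(rw,bind),
}
EOF
printf 'arch: amd64\nfeatures: keyctl=1,nesting=1\nunprivileged: 1\n' > "$ROOT/etc/pve/lxc/101.conf"
printf 'arch: amd64\nunprivileged: 1\n' > "$ROOT/etc/pve/lxc/102.conf"
printf ' Server Version: 19.03.8\n Storage Driver: vfs\n' > "$ROOT/info-before.txt"
printf ' Server Version: 19.03.8\n Storage Driver: overlay2\n' > "$ROOT/info-after.txt"

derive_docker_profile "$ROOT/etc/apparmor.d/lxc/$PROFILE_SRC_NAME" \
                      "$ROOT/etc/apparmor.d/lxc/$PROFILE_DST_NAME"
select_profile "$ROOT/etc/pve/lxc/101.conf"
select_profile "$ROOT/etc/pve/lxc/101.conf"   # second run must not duplicate the line
select_profile "$ROOT/etc/pve/lxc/102.conf" || echo "102: nesting=1 missing, config not touched"
driver_ok "$ROOT/info-before.txt" || echo "before: $(storage_driver "$ROOT/info-before.txt") (profile not in effect)"
driver_ok "$ROOT/info-after.txt"  && echo "after:  $(storage_driver "$ROOT/info-after.txt")"
```

On a real host run it with ROOT=/ only after reviewing the generated profile, then `systemctl reload apparmor` and restart the container; the script deliberately does not reload AppArmor or touch running containers itself.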