LXC
docker inside unprivileged LXC
Docker is recommended to be run inside a VM; the steps below make it work inside an unprivileged LXC container on Proxmox instead.
From documentation: https://pve.proxmox.com/wiki/Linux_Container#pct_configuration
- edit the LXC container config /etc/pve/local/lxc/<container_id>.conf and add: features: keyctl=1,nesting=1
- stop/start the LXC container
docker run hello-world
issue
Docker falls back to the vfs storage driver.
The vfs backend is a very simple fallback that has no copy-on-write support. Each layer is just a separate directory. Creating a new layer based on another layer is done by making a deep copy of the base layer into a new directory. Since this backend doesn’t share diskspace use between layers, and since creating a new layer is a slow operation this is not a very practical backend. However, it still has its uses, for instance to verify other backends against, or if you need a super robust (if slow) backend that works everywhere.
docker info
...
Server Version: 19.03.8
Storage Driver: vfs
...
When the same container is restarted as a privileged container the driver changes. NOTE: restarting a container as privileged messes with file ownership (user permissions). Make a backup/clone before.
docker info
...
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: zfs
Dirs: 0
Dirperm1 Supported: true
...
Solution: create a dedicated AppArmor profile for the container that keeps the nesting profile and additionally allows the mounts Docker's storage drivers need.
cp /etc/apparmor.d/lxc/lxc-default-with-nesting /etc/apparmor.d/lxc/lxc-default-with-nesting-docker
Edit the new file: change the profile name and add the mount permissions (cgroup, cgroup2, aufs, overlay):
<file | /etc/apparmor.d/lxc/lxc-default-with-nesting-docker>
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nesting-docker flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
  mount fstype=aufs,
  mount fstype=overlay,
}
</file>
systemctl reload apparmor
Edit /etc/pve/lxc/${container_id}.conf and append this line:
<file | /etc/pve/lxc/${container_id}.conf>
lxc.apparmor.profile: lxc-container-default-with-nesting-docker
</file>
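A preflight check for the setup above, added here as an example (not part of the original page or of Proxmox): it reads a container config and the AppArmor profile directory and verifies that the container is still unprivileged, that keyctl and nesting are enabled, and that the referenced profile exists and carries the cgroup2/overlay mount rules. The config path and profile directory are parameters so it can be run against copies; it modifies nothing.

```shell
#!/bin/sh
# check_docker_lxc <container.conf> <apparmor lxc profile dir>
# Prints one line per finding; returns 0 only when every check passes.
check_docker_lxc() {
    conf="$1"; aadir="$2"; rc=0

    # The point of the procedure is to keep the container unprivileged
    # (running it privileged remaps file ownership, see the note above).
    if grep -qx 'unprivileged: 1' "$conf"; then
        echo "ok   container is unprivileged"
    else
        echo "FAIL container is not marked 'unprivileged: 1'"; rc=1
    fi

    # features: keyctl=1,nesting=1  (comma separated, order independent)
    features=$(sed -n 's/^features: *//p' "$conf")
    for f in keyctl nesting; do
        case ",$features," in
            *",$f=1,"*) echo "ok   feature $f=1" ;;
            *) echo "FAIL feature $f=1 missing (features: '$features')"; rc=1 ;;
        esac
    done

    # lxc.apparmor.profile must name a profile defined under $aadir ...
    prof=$(sed -n 's/^lxc.apparmor.profile: *//p' "$conf" | tail -n 1)
    if [ -z "$prof" ]; then
        echo "FAIL no lxc.apparmor.profile line in $conf"; return 1
    fi
    pfile=$(grep -l "^profile $prof " "$aadir"/* 2>/dev/null | head -n 1)
    if [ -z "$pfile" ]; then
        echo "FAIL profile '$prof' not defined under $aadir"; return 1
    fi
    echo "ok   profile $prof defined in $pfile"

    # ... and carry the mount rules Docker's storage drivers depend on.
    for rule in 'mount fstype=cgroup2 -> /sys/fs/cgroup/**,' 'mount fstype=overlay,'; do
        if grep -qF -- "$rule" "$pfile"; then
            echo "ok   rule present: $rule"
        else
            echo "FAIL rule missing: $rule"; rc=1
        fi
    done
    return $rc
}
```

Run it on the host as `check_docker_lxc /etc/pve/lxc/<id>.conf /etc/apparmor.d/lxc` after `systemctl reload apparmor`; a FAIL on the profile means the container will start with the profile name but AppArmor will reject it.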