Can't run Docker container

twelfthdoctor · August 10, 2018, 7:25pm

Hello. I’m trying to run a privileged Docker container inside an LXD one.
LXD container’s config

config:
  linux.kernel_modules: bridge,br_netfilter,ip_tables,ip6_tables,ip_vs,netlink_diag,nf_nat,overlay,xt_conntrack
  raw.lxc: |-
    lxc.cgroup.devices.allow = a
    lxc.cap.drop =
  security.nesting: "true"
  security.privileged: "true"
description: ""
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdfan0
    type: nic
  root:
    path: /
    pool: local
    type: disk
name: kube
used_by:
- /1.0/containers/kube

Steps to reproduce:

root@dziminv:~# lxc launch ubuntu:16.04 kube -p kube
Creating kube
Starting kube
root@dziminv:~# lxc exec kube bash
root@kube:~# apt-get install docker.io
...
root@kube:~# docker run --privileged hello-world
docker: Error response from daemon: linux runtime spec devices: open /dev/.lxc/proc/1: permission denied.

LXD version: 3.3
Docker version: 17.03.2-ce
Host OS: Ubuntu 16.04

brauner · August 10, 2018, 10:42pm

That won’t currently work since requesting a privileged docker container will effectively tell it to ignore user namespace restriction. So either the LXC container itself needs to be privileged or it won’t work. There’s nothing on LXD’s side we can do about this.

twelfthdoctor · August 11, 2018, 5:45am

But as you can see in my container’s profile it is privileged

config:
  linux.kernel_modules: bridge,br_netfilter,ip_tables,ip6_tables,ip_vs,netlink_diag,nf_nat,overlay,xt_conntrack
  raw.lxc: |-
    lxc.cgroup.devices.allow = a
    lxc.cap.drop =
  security.nesting: "true"
  security.privileged: "true"

Here your colleague @stgraber managed to run a privileged Docker container - https://github.com/lxc/lxd/issues/4902
But I can’t run it.