Hi all,
I have been following this discussion and I was a bit irritated by the post of @rnz. Everything started to make sense after I read this article on the Kubernetes blog on the kernel modules for virtual IP management.
I finalised my LXD config and have a fully working docker swarm with 4 nodes running in a small cluster of 3 boxes. None of the LXC containers (not VMs) runs privileged, which is a big pro.
Below you will find the relevant profile section from my LXD preseed configuration.
```yaml
profiles:
- name: docker
  config:
    # the security settings are needed for docker
    security.nesting: true
    security.syscalls.intercept.mknod: true
    security.syscalls.intercept.setxattr: true
    linux.kernel_modules: bridge,ip_tables,ip6_tables,iptable_nat,iptable_mangle,netlink_diag,nf_nat,overlay,br_netfilter,bonding,ip_vs,ip_vs_dh,ip_vs_ftp,ip_vs_lblc,ip_vs_lblcr,ip_vs_lc,ip_vs_nq,ip_vs_rr,ip_vs_sed,ip_vs_sh,ip_vs_wlc,ip_vs_wrr,xfrm_user,xt_conntrack,xt_MASQUERADE
    # containers don't like swap ;)
    limits.memory.swap: false
    # limit the memory and cpu resources
    # use the limits suited for your environment
    limits.memory: 16GB
    limits.cpu: 2
```
have fun
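The `linux.kernel_modules` list in the profile above only asks LXD to load those modules on the host before the container starts; the host kernel still has to provide them. The following script is an added example (not part of the post above, and not LXD's own tooling) that compares the module list from the profile against the host's `/proc/modules`, while also treating modules compiled into the kernel (listed in `modules.builtin`) as present, since those never appear in `/proc/modules`. The `/proc/modules` and `modules.builtin` contents embedded here are constructed samples, and `lxd-preseed.yaml` is an assumed file name.

```python
"""Check which modules named in an LXD profile's linux.kernel_modules setting
are available on the host (loaded, or built into the kernel)."""
import os
import re

# Profile section as posted above (copied from the post).
PROFILE_TEXT = """
profiles:
- name: docker
  config:
    linux.kernel_modules: bridge,ip_tables,ip6_tables,iptable_nat,iptable_mangle,netlink_diag,nf_nat,overlay,br_netfilter,bonding,ip_vs,ip_vs_dh,ip_vs_ftp,ip_vs_lblc,ip_vs_lblcr,ip_vs_lc,ip_vs_nq,ip_vs_rr,ip_vs_sed,ip_vs_sh,ip_vs_wlc,ip_vs_wrr,xfrm_user,xt_conntrack,xt_MASQUERADE
"""

# Constructed sample of /proc/modules (not captured from a real host).
# Format per line: "name size refcount deps state address".
SAMPLE_PROC_MODULES = """\
overlay 151552 0 - Live 0x0000000000000000
br_netfilter 32768 0 - Live 0x0000000000000000
bridge 307200 1 br_netfilter, Live 0x0000000000000000
xt_MASQUERADE 20480 1 - Live 0x0000000000000000
"""

# Constructed sample of /lib/modules/<release>/modules.builtin. Built-in
# modules never show up in /proc/modules, so they must not be reported missing.
SAMPLE_BUILTIN = """\
kernel/net/netfilter/x_tables.ko
kernel/net/ipv4/netfilter/ip_tables.ko
"""


def parse_kernel_modules(profile_text):
    """Return the module names from the linux.kernel_modules line, in order."""
    m = re.search(r"^\s*linux\.kernel_modules:\s*(.+?)\s*$", profile_text, re.M)
    if not m:
        return []
    return [name.strip() for name in m.group(1).split(",") if name.strip()]


def loaded_modules(proc_modules_text):
    """Module names currently loaded, taken from the first field of each line."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def builtin_modules(modules_builtin_text):
    """Module names compiled into the kernel: basename without '.ko',
    with '-' normalised to '_' the way the kernel names modules."""
    names = set()
    for line in modules_builtin_text.splitlines():
        base = line.strip().rsplit("/", 1)[-1]
        if base.endswith(".ko"):
            base = base[:-3]
        if base:
            names.add(base.replace("-", "_"))
    return names


def missing_modules(required, loaded, builtin=frozenset()):
    """Required modules that are neither loaded nor built in, in profile order."""
    return [name for name in required if name not in loaded and name not in builtin]


def check_sample():
    """Run the check against the constructed samples embedded above."""
    required = parse_kernel_modules(PROFILE_TEXT)
    return missing_modules(required,
                           loaded_modules(SAMPLE_PROC_MODULES),
                           builtin_modules(SAMPLE_BUILTIN))


def check_host(profile_path="lxd-preseed.yaml"):
    """Run the check against the real host; returns None if the files are absent.
    The profile file name is an assumption, adjust it to your preseed file."""
    if not os.path.exists(profile_path) or not os.path.exists("/proc/modules"):
        return None
    with open(profile_path) as f:
        required = parse_kernel_modules(f.read())
    with open("/proc/modules") as f:
        loaded = loaded_modules(f.read())
    builtin_path = "/lib/modules/%s/modules.builtin" % os.uname().release
    builtin = set()
    if os.path.exists(builtin_path):
        with open(builtin_path) as f:
            builtin = builtin_modules(f.read())
    return missing_modules(required, loaded, builtin)


if __name__ == "__main__":
    result = check_host()
    if result is None:
        result = check_sample()
    print("missing modules:", ", ".join(result) if result else "none")
```

Run it on the host before `lxd init --preseed`; any module it reports as missing (typically because the distribution ships it in an extra package, or not at all) will make container start-up fail rather than silently degrade Swarm networking.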