Docker installation inside LXD failing

When trying to install Docker inside an LXD v2.15 container it fails. Here are my steps:

lxc launch ubuntu:16.04 docker
lxc config edit docker

Then I add security.nesting: "true", save and exit the editor before logging into the container with lxc exec docker bash. Finally, I follow the instructions from https://docs.docker.com/engine/installation/linux/docker-ce/ubuntu/#install-using-the-repository.

The command sudo apt-get install docker-ce inside the container fails with the following error:

Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.
invoke-rc.d: initscript docker, action "start" failed.
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Sun 2017-07-02 16:36:10 UTC; 13ms ago
     Docs: https://docs.docker.com
  Process: 679 ExecStart=/usr/bin/dockerd -H fd:// (code=exited, status=1/FAILURE)
 Main PID: 679 (code=exited, status=1/FAILURE)
    Tasks: 2
   Memory: 4.0K
      CPU: 181ms
   CGroup: /system.slice/docker.service

Jul 02 16:36:10 dckr1 systemd[1]: docker.service: Main process exited, code=exited, status=1/FAILURE
Jul 02 16:36:10 dckr1 systemd[1]: Failed to start Docker Application Container Engine.
Jul 02 16:36:10 dckr1 systemd[1]: docker.service: Unit entered failed state.
Jul 02 16:36:10 dckr1 systemd[1]: docker.service: Failed with result 'exit-code'.
dpkg: error processing package docker-ce (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 docker-ce
E: Sub-process /usr/bin/dpkg returned an error code (1)

Restarting the container or the entire host does not change a thing. I can consistently reproduce this error. The host itself is a virtual machine (running on Hyper-V, in case this matters).

Thanks for any help on how to get Docker running in LXD.

PS: This error also occurred in LXD v2.14.

I’m unable to reproduce this problem here. Can you include the output of “journalctl -u docker”?

My guess is that some kernel modules haven’t been loaded and that makes Docker unhappy in your case.

This is the output:

Jul 02 16:36:12 dckr1 systemd[1]: Starting Docker Application Container Engine...
Jul 02 16:36:12 dckr1 dockerd[825]: time="2017-07-02T16:36:12.039936500Z" level=info msg="libcontainerd: new co
Jul 02 16:36:13 dckr1 dockerd[825]: time="2017-07-02T16:36:13.053320600Z" level=error msg="'overlay' not found
Jul 02 16:36:13 dckr1 dockerd[825]: time="2017-07-02T16:36:13.056371100Z" level=error msg="'overlay' not found
Jul 02 16:36:13 dckr1 dockerd[825]: time="2017-07-02T16:36:13.065960700Z" level=info msg="Graph migration to co
Jul 02 16:36:13 dckr1 dockerd[825]: time="2017-07-02T16:36:13.066460900Z" level=warning msg="Your kernel does n
Jul 02 16:36:13 dckr1 dockerd[825]: time="2017-07-02T16:36:13.066550600Z" level=warning msg="Your kernel does n
Jul 02 16:36:13 dckr1 dockerd[825]: time="2017-07-02T16:36:13.066570200Z" level=warning msg="Your kernel does n
Jul 02 16:36:13 dckr1 dockerd[825]: time="2017-07-02T16:36:13.069806700Z" level=info msg="Loading containers: s
Jul 02 16:36:13 dckr1 dockerd[825]: time="2017-07-02T16:36:13.072738500Z" level=warning msg="Running modprobe b
Jul 02 16:36:13 dckr1 dockerd[825]: time="2017-07-02T16:36:13.076188400Z" level=warning msg="Running modprobe n
Jul 02 16:36:13 dckr1 dockerd[825]: time="2017-07-02T16:36:13.078585200Z" level=warning msg="Running modprobe x
Jul 02 16:36:13 dckr1 dockerd[825]: Error starting daemon: Error initializing network controller: error obtaini
Jul 02 16:36:13 dckr1 dockerd[825]: modprobe: FATAL: Module ip_tables not found in directory /lib/modules/4.4.0
Jul 02 16:36:13 dckr1 dockerd[825]: iptables v1.6.0: can't initialize iptables table `nat': Table does not exis
Jul 02 16:36:13 dckr1 dockerd[825]: Perhaps iptables or your kernel needs to be upgraded.
Jul 02 16:36:13 dckr1 dockerd[825]:  (exit status 3)
Jul 02 16:36:13 dckr1 systemd[1]: docker.service: Main process exited, code=exited, status=1/FAILURE
Jul 02 16:36:13 dckr1 systemd[1]: Failed to start Docker Application Container Engine.
Jul 02 16:36:13 dckr1 systemd[1]: docker.service: Unit entered failed state.
Jul 02 16:36:13 dckr1 systemd[1]: docker.service: Failed with result 'exit-code'.
Jul 02 16:36:13 dckr1 systemd[1]: docker.service: Service hold-off time over, scheduling restart.
Jul 02 16:36:13 dckr1 systemd[1]: Stopped Docker Application Container Engine.
Jul 02 16:36:13 dckr1 systemd[1]: docker.service: Start request repeated too quickly.
Jul 02 16:36:13 dckr1 systemd[1]: Failed to start Docker Application Container Engine.

Ok, so the problem is that the ip_tables kernel module isn’t loaded.

You can either just load that module on the host with modprobe, or you can add it to the container’s “linux.kernel_modules” config option so that LXD makes sure to have that module loaded before your container starts.

That solved it! Thanks so much for the prompt responses on a Sunday.

Just to clarify what needed to be done on the host:

lxc config edit docker

Then add the following line somewhere in the config part:

linux.kernel_modules: ip_tables

After saving and closing the editor, I restarted the container with:

lxc restart docker

Now, installing Docker within the container was successful. Thanks again!


Cool. Note that not everyone will need this. LXD usually causes that module to be loaded already on the host as it uses it itself for the LXD managed bridges. It is however a problem that can arise for any number of kernel modules that container software may need and won’t be able to load themselves (for obvious security reasons).
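
An added example, not part of the original thread: a shell sketch that extracts the modules modprobe reported as missing from the container's `journalctl -u docker` output and prints the matching host-side `lxc config set` command. The sample journal lines are constructed (the kernel version is a placeholder and `example_mod` is a hypothetical module name), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: derive a linux.kernel_modules value from dockerd journal output.

# Constructed sample input modelled on the journal lines in this thread.
# KERNEL-VERSION is a placeholder; example_mod is a hypothetical module name.
sample_journal() {
cat <<'EOF'
Jul 02 16:36:13 dckr1 dockerd[825]: modprobe: FATAL: Module ip_tables not found in directory /lib/modules/KERNEL-VERSION
Jul 02 16:36:13 dckr1 dockerd[825]: iptables v1.6.0: can't initialize iptables table `nat': Table does not exist
Jul 02 16:36:14 dckr1 dockerd[901]: modprobe: FATAL: Module example_mod not found in directory /lib/modules/KERNEL-VERSION
Jul 02 16:36:15 dckr1 dockerd[950]: modprobe: FATAL: Module ip_tables not found in directory /lib/modules/KERNEL-VERSION
EOF
}

# Read journal text on stdin and print the modules modprobe could not find:
# de-duplicated, first-seen order, comma-separated (the format LXD expects).
# Only [A-Za-z0-9_-] is accepted as a module name, so text coming from inside
# the container cannot smuggle shell metacharacters into a host-side command.
missing_modules() {
    sed -n 's/.*modprobe: FATAL: Module \([A-Za-z0-9_-]*\) not found.*/\1/p' |
        awk '!seen[$0]++' | paste -sd, -
}

# Print (do not run) the host-side command for the given container name.
# Returns 1 when the journal shows no missing modules.
lxd_fix_command() {
    container=$1
    mods=$(missing_modules)
    [ -n "$mods" ] || return 1
    printf 'lxc config set %s linux.kernel_modules %s\n' "$container" "$mods"
}

sample_journal | lxd_fix_command docker
```

Against a real container, feed it with `lxc exec docker -- journalctl -u docker --no-pager` run on the host. `lxc config set` replaces any existing `linux.kernel_modules` value rather than appending to it, so merge by hand if the key is already set.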

To fix the 'Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.' problem, this worked for me:

  • create daemon.json in /etc/docker/

  • put this in it:

    {
    "exec-root": "/path/to/docker/run",
    "storage-driver": "overlay",
    "graph": "/path/to/docker/lib"
    }

  • then try: docker daemon

  • reboot

  • docker run hello-world should succeed now

No changes to the docker systemd unit should be needed either with the latest Ubuntu docker.io package or with the latest upstream package. Both work fine unmodified here.

Same happened here on Ubuntu 16.04 Server LTS, LXD v2.18.
After adding … linux.kernel_modules: ip_tables … in the config file … bumpbacata!!! Done, it works perfectly.
JC