Error when running Docker images in an LXC container

Hello all,

On my fresh LXD server default profile:

@lxc1:~$ lxc profile show default
config: {}
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: RAID1
    type: disk
name: default
used_by:
- /1.0/instances/c1
- /1.0/instances/vm1

I have two clients; in the container c1 I have installed Ubuntu 20.04 LTS and installed Docker:

Docker version:

Client: Docker Engine - Community
Version: 20.10.12

LXC systems:

@lxc1:~$ lxc list
+------+---------+----------------------+----------------------------------------------+-----------------+-----------+
| NAME | STATE   | IPV4                 | IPV6                                         | TYPE            | SNAPSHOTS |
+------+---------+----------------------+----------------------------------------------+-----------------+-----------+
| c1   | RUNNING | 192.168.0.21 (eth0)  | 2405:6580:2cc0:100:216:3eff:fe41:590b (eth0) | CONTAINER       | 0         |
|      |         | 172.17.0.1 (docker0) |                                              |                 |           |
+------+---------+----------------------+----------------------------------------------+-----------------+-----------+
| vm1  | STOPPED |                      |                                              | VIRTUAL-MACHINE | 0         |
+------+---------+----------------------+----------------------------------------------+-----------------+-----------+

I was able to pull a docker image without issues:

@c1:~$ docker images
REPOSITORY                           TAG       IMAGE ID       CREATED        SIZE
public.ecr.aws/h0w1j9u3/grinch-aoc   latest    f886f0052070   2 months ago   508MB

However, when I try to run the docker container I get this:

@c1:~$ docker run -it f886f0052070
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "proc" to rootfs at "/proc" caused: mount through procfd: permission denied: unknown.
ERRO[0013] error waiting for container: context canceled

I am not sure what could be causing this; I am pretty sure that running Docker containers nested in LXC containers is supported.

I tried to reproduce the error on another system, a physical machine kumo1 running Ubuntu 20.04 LTS with the same version of Docker, and I didn't have any problems:

@kumo1:~$ docker run -it f886f0052070
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"

Thank you in advance for any suggestions.

Sincerely,

I did additional testing in the same LXD server and installed the same version of Ubuntu and Docker in the LXC virtual machine vm1:

@vm1:~$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE

@lxc1:~$ lxc list
+------+---------+-----------------------+------------------------------------------------+-----------------+-----------+
| NAME | STATE   | IPV4                  | IPV6                                           | TYPE            | SNAPSHOTS |
+------+---------+-----------------------+------------------------------------------------+-----------------+-----------+
| c1   | RUNNING | 192.168.0.21 (eth0)   | 2405:6580:2cc0:100:216:3eff:fe41:590b (eth0)   | CONTAINER       | 0         |
|      |         | 172.17.0.1 (docker0)  |                                                |                 |           |
+------+---------+-----------------------+------------------------------------------------+-----------------+-----------+
| vm1  | RUNNING | 192.168.0.31 (enp5s0) | 2405:6580:2cc0:100:216:3eff:fe27:798c (enp5s0) | VIRTUAL-MACHINE | 0         |
|      |         | 172.17.0.1 (docker0)  |                                                |                 |           |
+------+---------+-----------------------+------------------------------------------------+-----------------+-----------+

@vm1:~$ docker pull public.ecr.aws/h0w1j9u3/grinch-aoc:latest
latest: Pulling from h0w1j9u3/grinch-aoc
7b1a6ab2e44d: Pull complete
7181c3c4941b: Pull complete
148b30b9ae2d: Pull complete
6f5a7c388565: Pull complete
ef099323cb4a: Pull complete
de5bf7e2abf0: Pull complete
455d5424d859: Pull complete
b1ee65a7e02a: Pull complete
a47021107475: Pull complete
Digest: sha256:593c79eaaa1a905c533e389b0034022e074969da3936df648172c4efc8d421d8
Status: Downloaded newer image for public.ecr.aws/h0w1j9u3/grinch-aoc:latest
public.ecr.aws/h0w1j9u3/grinch-aoc:latest

@vm1:~$ docker run -it public.ecr.aws/h0w1j9u3/grinch-aoc:latest
$ uptime
02:14:51 up 27 min, 0 users, load average: 0.60, 0.37, 0.18
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"
$

Works with no issues on the LXC VM.

Still investigating the error on the LXC container…

Try adding -c security.nesting=true when you launch the container:

lxc launch images:ubuntu docker -c security.nesting=true


Hello nula,

Thank you for checking my post/inquiry. Just to confirm: can I not add the setting you are recommending to an existing container? Or does it work only for a new container image?

I look forward to your response.

Sincerely,

Regarding testing this approach with a new container: it worked!

@c2:~$ docker pull public.ecr.aws/h0w1j9u3/grinch-aoc:latest
latest: Pulling from h0w1j9u3/grinch-aoc
7b1a6ab2e44d: Pull complete
7181c3c4941b: Pull complete
148b30b9ae2d: Pull complete
6f5a7c388565: Pull complete
ef099323cb4a: Pull complete
de5bf7e2abf0: Pull complete
455d5424d859: Pull complete
b1ee65a7e02a: Pull complete
a47021107475: Pull complete
Digest: sha256:593c79eaaa1a905c533e389b0034022e074969da3936df648172c4efc8d421d8
Status: Downloaded newer image for public.ecr.aws/h0w1j9u3/grinch-aoc:latest
public.ecr.aws/h0w1j9u3/grinch-aoc:latest

@c2:~$ docker run -it public.ecr.aws/h0w1j9u3/grinch-aoc:latest
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"
$

I wonder if I am able to change the parameters on the other container c1 and get it to boot, instead of destroying it and launching it again with the parameter -c security.nesting=true.

Thank you in advance, and I look forward to your response.

Sincerely,

Yes, you can do: lxc config set c1 security.nesting=true

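The two fixes above (launching a new container with -c security.nesting=true, or setting the key on an existing one with lxc config set) boil down to one LXD key. The script below is an added example, not code from the thread or from the LXD project: it checks whether an instance already has security.nesting enabled by reading the expanded config (so a key inherited from a profile is seen too), reports whether security.privileged is set as well, and optionally applies nula's fix to an existing instance. The script name, the --fix flag, the helper names and the sample configs are all assumptions made for the example; the sample YAML is constructed to mirror the thread's default profile and was not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or the LXD project): check whether an
# LXD instance has security.nesting enabled, which Docker inside the
# instance needs in order to mount /proc for its own containers, and
# optionally enable it on an existing instance without recreating it.

# nesting_enabled CONFIG_YAML
# Takes the text of `lxc config show --expanded <instance>` and prints
# "yes" when security.nesting is "true" (LXD prints config values as
# quoted strings), "no" otherwise. --expanded matters because the key
# may come from a profile rather than the instance's own config.
nesting_enabled() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*security\.nesting:[ \t]*"?true"?[ \t]*$/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# privileged_enabled CONFIG_YAML
# Same check for security.privileged. Docker does not need it for the
# error in this thread, and a privileged container removes the user
# namespace isolation that nesting alone keeps in place.
privileged_enabled() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*security\.privileged:[ \t]*"?true"?[ \t]*$/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# check_instance INSTANCE: live check against the lxc CLI.
check_instance() {
    cfg=$(lxc config show --expanded "$1") || return 1
    echo "$1: nesting=$(nesting_enabled "$cfg") privileged=$(privileged_enabled "$cfg")"
}

# enable_nesting INSTANCE: nula's fix applied to an existing instance.
# The key can be set on a running container; the restart is just a
# cheap way to make sure dockerd comes up under the new setting.
enable_nesting() {
    lxc config set "$1" security.nesting=true
    lxc restart "$1"
}

# Constructed sample configs shaped like the thread's default profile
# (assumed, not captured from a real host).
SAMPLE_DEFAULT='config: {}
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: RAID1
    type: disk'

SAMPLE_NESTED='config:
  security.nesting: "true"
devices:
  root:
    path: /
    pool: RAID1
    type: disk'

# Usage (needs the lxc client on the LXD host):
#   ./check-nesting.sh c1          report the current state of c1
#   ./check-nesting.sh c1 --fix    enable nesting on c1 if it is off
if [ -n "${1:-}" ] && command -v lxc >/dev/null 2>&1; then
    check_instance "$1"
    if [ "${2:-}" = "--fix" ] && \
       [ "$(nesting_enabled "$(lxc config show --expanded "$1")")" = no ]; then
        enable_nesting "$1"
        check_instance "$1"
    fi
fi
```

The privileged check is there because the quickest "fix" people reach for when a nested runtime cannot mount /proc is security.privileged=true; that is a much larger change than security.nesting=true, which is all this thread needed.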

Thank you, nula! It also worked!

@c1:~$ docker images
REPOSITORY                           TAG       IMAGE ID       CREATED        SIZE
public.ecr.aws/h0w1j9u3/grinch-aoc   latest    f886f0052070   2 months ago   508MB

@c1:~$ docker run -it f886f0052070
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"
$

Really appreciate it!