Hello all,
On my fresh LXD server default profile:
@lxc1 :~$ lxc profile show default
config: {}
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: RAID1
    type: disk
name: default
used_by:
- /1.0/instances/c1
- /1.0/instances/vm1
I have two clients. In the container c1 I have installed Ubuntu 20.04 LTS and Docker:
Docker version:
Client: Docker Engine - Community
 Version:           20.10.12
LXC systems:
@lxc1 :~$ lxc list
+------+---------+----------------------+----------------------------------------------+-----------------+-----------+
| NAME | STATE   | IPV4                 | IPV6                                         | TYPE            | SNAPSHOTS |
+------+---------+----------------------+----------------------------------------------+-----------------+-----------+
| c1   | RUNNING | 192.168.0.21 (eth0)  | 2405:6580:2cc0:100:216:3eff:fe41:590b (eth0) | CONTAINER       | 0         |
|      |         | 172.17.0.1 (docker0) |                                              |                 |           |
+------+---------+----------------------+----------------------------------------------+-----------------+-----------+
| vm1  | STOPPED |                      |                                              | VIRTUAL-MACHINE | 0         |
+------+---------+----------------------+----------------------------------------------+-----------------+-----------+
I was able to pull a docker image without issues:
@c1 :~$ docker images
REPOSITORY                           TAG       IMAGE ID       CREATED        SIZE
public.ecr.aws/h0w1j9u3/grinch-aoc   latest    f886f0052070   2 months ago   508MB
However, when I try to run the docker container I get this:
@c1 :~$ docker run -it f886f0052070
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "proc" to rootfs at "/proc" caused: mount through procfd: permission denied: unknown.
ERRO[0013] error waiting for container: context canceled
I am not sure what can be causing this, I am pretty sure that docker containers running nested in LXC containers is supported.
I tried to reproduce the error on another system, a physical machine kumo1 running Ubuntu 20.04 LTS, same version of docker and I didn’t have any problems:
@kumo1 :~$ docker run -it f886f0052070
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"
Thank you in advance for any suggestions.
Sincerely,
I did additional testing on the same LXD server and installed the same version of Ubuntu and Docker in the LXC virtual machine vm1:
@vm1 :~$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
@lxc1 :~$ lxc list
+------+---------+-----------------------+------------------------------------------------+-----------------+-----------+
| NAME | STATE   | IPV4                  | IPV6                                           | TYPE            | SNAPSHOTS |
+------+---------+-----------------------+------------------------------------------------+-----------------+-----------+
| c1   | RUNNING | 192.168.0.21 (eth0)   | 2405:6580:2cc0:100:216:3eff:fe41:590b (eth0)   | CONTAINER       | 0         |
|      |         | 172.17.0.1 (docker0)  |                                                |                 |           |
+------+---------+-----------------------+------------------------------------------------+-----------------+-----------+
| vm1  | RUNNING | 192.168.0.31 (enp5s0) | 2405:6580:2cc0:100:216:3eff:fe27:798c (enp5s0) | VIRTUAL-MACHINE | 0         |
|      |         | 172.17.0.1 (docker0)  |                                                |                 |           |
+------+---------+-----------------------+------------------------------------------------+-----------------+-----------+
@vm1 :~$ docker pull public.ecr.aws/h0w1j9u3/grinch-aoc:latest
latest: Pulling from h0w1j9u3/grinch-aoc
7b1a6ab2e44d: Pull complete
7181c3c4941b: Pull complete
148b30b9ae2d: Pull complete
6f5a7c388565: Pull complete
ef099323cb4a: Pull complete
de5bf7e2abf0: Pull complete
455d5424d859: Pull complete
b1ee65a7e02a: Pull complete
a47021107475: Pull complete
Digest: sha256:593c79eaaa1a905c533e389b0034022e074969da3936df648172c4efc8d421d8
Status: Downloaded newer image for public.ecr.aws/h0w1j9u3/grinch-aoc:latest
public.ecr.aws/h0w1j9u3/grinch-aoc:latest
@vm1 :~$ docker run -it public.ecr.aws/h0w1j9u3/grinch-aoc:latest
$ uptime
02:14:51 up 27 min, 0 users, load average: 0.60, 0.37, 0.18
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"
$
Works with no issues on the LXC VM.
Still investigating the error on the LXC container…
nula
December 22, 2021, 3:59pm
Try adding -c security.nesting=true when you launch container:
lxc launch images:ubuntu docker -c security.nesting=true
Hello nula,
Thank you for checking my post/inquiry. Just to confirm: can I not add the setting you are recommending to an existing container, or does it work only for a new container image?
I look forward to your response.
Sincerely,
Regarding testing this approach with a new container: it worked!
@c2 :~$ docker pull public.ecr.aws/h0w1j9u3/grinch-aoc:latest
latest: Pulling from h0w1j9u3/grinch-aoc
7b1a6ab2e44d: Pull complete
7181c3c4941b: Pull complete
148b30b9ae2d: Pull complete
6f5a7c388565: Pull complete
ef099323cb4a: Pull complete
de5bf7e2abf0: Pull complete
455d5424d859: Pull complete
b1ee65a7e02a: Pull complete
a47021107475: Pull complete
Digest: sha256:593c79eaaa1a905c533e389b0034022e074969da3936df648172c4efc8d421d8
Status: Downloaded newer image for public.ecr.aws/h0w1j9u3/grinch-aoc:latest
public.ecr.aws/h0w1j9u3/grinch-aoc:latest
@c2 :~$ docker run -it public.ecr.aws/h0w1j9u3/grinch-aoc:latest
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"
$
I wonder if I am able to change the parameters on the other container c1 and get it to boot, instead of destroying it and launching it again with the parameter -c security.nesting=true.
Thank you in advance, and I look forward to your response.
Sincerely,
nula
December 23, 2021, 10:37am
Yes, you can do: lxc config set c1 security.nesting=true
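Putting nula's two answers together (launch a new container with -c security.nesting=true, or lxc config set on an existing one), here is a small POSIX shell helper. It is an added example, not code from the thread or from the LXD project: it reads the instance's expanded config, enables security.nesting only when it is not already set, restarts the container (the key is not applied live), and reruns the thread's image as a smoke test. It also recognises the exact runc error posted above so it can be used in triage. The script name, the function names and the sample config/error text are constructed for this example; the lxc subcommands used (config show --expanded, config set, restart, exec) are real. One caveat worth keeping in mind: security.nesting is the narrow fix, because it keeps the container's uid/gid map intact. security.privileged=true would also make the error go away but drops that mapping entirely, so it is not the setting to reach for here.

```shell
#!/bin/sh
# Added example (not from the thread): enable security.nesting on an existing
# LXD container so Docker can mount /proc inside it, then verify.
# Assumes the 'lxc' CLI is on PATH and can reach the LXD server.
set -eu

# Interpret an LXD boolean the way LXD does: true/1/yes/on (any case) are true.
is_lxd_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true|1|yes|on) return 0 ;;
        *)             return 1 ;;
    esac
}

# config_key_true CONFIG_YAML KEY
# CONFIG_YAML is the text printed by 'lxc config show --expanded NAME'
# (profile keys merged in). Succeeds when KEY is set to a true value,
# whether LXD printed it quoted ("true") or bare.
config_key_true() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    val=$(printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$key:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" \
        | head -n 1)
    is_lxd_true "$val"
}

# looks_like_nesting_denied ERROR_TEXT
# Matches the runc failure the thread hit: the container init could not mount
# proc onto the new rootfs. Under the default LXD policy that is the symptom
# of security.nesting being off.
looks_like_nesting_denied() {
    printf '%s\n' "$1" | grep -q 'mounting "proc" to rootfs' \
        && printf '%s\n' "$1" | grep -q 'permission denied'
}

# enable_docker_nesting NAME [IMAGE]
enable_docker_nesting() {
    name=$1
    image=${2:-public.ecr.aws/h0w1j9u3/grinch-aoc:latest}
    cfg=$(lxc config show --expanded "$name")

    # Nesting is the narrow fix. Do not reach for security.privileged=true,
    # which drops the uid/gid map and turns container root into host root.
    if config_key_true "$cfg" security.privileged; then
        echo "warning: $name is privileged; nesting is not what it is missing" >&2
    fi

    if config_key_true "$cfg" security.nesting; then
        echo "$name: security.nesting already enabled"
    else
        lxc config set "$name" security.nesting=true
        # Not a live-updatable key: the container policy is built at start.
        lxc restart "$name"
    fi

    # Smoke test: the same image the thread used, run non-interactively.
    lxc exec "$name" -- docker run --rm "$image" cat /etc/lsb-release
}

# Constructed samples for the offline checks (no LXD needed to run them).
SAMPLE_DEFAULT='config: {}
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
'
SAMPLE_NESTED='config:
  security.nesting: "true"
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
'
SAMPLE_ERROR='docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "proc" to rootfs at "/proc" caused: mount through procfd: permission denied: unknown.'

# Usage: sh enable-nesting.sh c1 [image]   (only talks to LXD when a name is given)
if [ -n "${1:-}" ]; then
    enable_docker_nesting "$@"
fi
```

Run it as `sh enable-nesting.sh c1` on the LXD host; with no argument it only defines the functions, so the config parser and the error matcher can be exercised without touching any instance.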
Thank you, nula! It also worked!
@c1 :~$ docker images
REPOSITORY                           TAG       IMAGE ID       CREATED        SIZE
public.ecr.aws/h0w1j9u3/grinch-aoc   latest    f886f0052070   2 months ago   508MB
@c1 :~$ docker run -it f886f0052070
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"
$
Really appreciate it!