So I read this article about using Docker within an lxd container. I’m unfortunately unable to get it to work. When I try to run docker within my unprivileged container, I get this:
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b04784fba78d: Pull complete
Digest: sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f
Status: Downloaded newer image for hello-world:latest
container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"rootfs_linux.go:53: mounting \\\"proc\\\" to rootfs \\\"/var/lib/docker/vfs/dir/263c4de19f5f2632de66eb963f72f6c4108d449ec3c209ec296b22823718d243\\\" at \\\"/proc\\\" caused \\\"permission denied\\\"\""
docker: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:359: container init caused \\\"rootfs_linux.go:53: mounting \\\\\\\"proc\\\\\\\" to rootfs \\\\\\\"/var/lib/docker/vfs/dir/263c4de19f5f2632de66eb963f72f6c4108d449ec3c209ec296b22823718d243\\\\\\\" at \\\\\\\"/proc\\\\\\\" caused \\\\\\\"permission denied\\\\\\\"\\\"\"\n".
In the host I see this apparmor denial:
Jul 21 15:31:55 parallax kernel: [1776529.731031] audit: type=1400 audit(1500676315.076:1824): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-gitlab-runner-docker_</var/lib/lxd>" name="/var/lib/docker/vfs/dir/263c4de19f5f2632de66eb963f72f6c4108d449ec3c209ec296b22823718d243/proc/" pid=23678 comm="exe" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
That article didn’t discuss confinement, so I feel like I’m missing something here. Any help would be appreciated. Note that I’m using lxd v2.12 on Ubuntu Xenial.
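The AppArmor denial quoted above is the most useful piece of evidence in this post: it names the LXD profile doing the confining, the filesystem type, the mount flags and the reason string. As an added example (not part of the original post, and not LXD or Docker code), here is a small Python triage script that parses kernel AppArmor audit lines of that shape into fields and reduces DENIED mount records to a short summary, so that repeated denials can be counted per profile and fstype. The first sample line is the one from the post; the other sample lines are constructed to show that non-AppArmor kernel messages, profile STATUS records and non-mount denials are ignored.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# One AppArmor audit record is a run of key=value pairs. Values are either
# bare tokens (type=1400, error=-13, pid=23678) or double-quoted strings,
# which may contain spaces (flags="rw, nosuid, nodev, noexec").
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log. Line 0 is the denial quoted in the post; the rest
# are made-up lines of the kinds that sit next to it in a real kernel log.
SAMPLE_LOG = [
    'Jul 21 15:31:55 parallax kernel: [1776529.731031] audit: type=1400 '
    'audit(1500676315.076:1824): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 '
    'profile="lxd-gitlab-runner-docker_</var/lib/lxd>" '
    'name="/var/lib/docker/vfs/dir/263c4de19f5f2632de66eb963f72f6c4108d449ec3c209ec296b22823718d243/proc/" '
    'pid=23678 comm="exe" fstype="proc" srcname="proc" '
    'flags="rw, nosuid, nodev, noexec"',
    # constructed: ordinary kernel message, no AppArmor content
    'Jul 21 15:31:56 parallax kernel: [1776530.000000] docker0: port 1(veth) '
    'entered forwarding state',
    # constructed: profile load notice, not a denial
    'Jul 21 15:30:00 parallax kernel: [1776400.000000] audit: type=1400 '
    'audit(1500676200.000:1800): apparmor="STATUS" operation="profile_load" '
    'profile="unconfined" name="lxd-gitlab-runner-docker_</var/lib/lxd>" '
    'pid=23600 comm="apparmor_parser"',
    # constructed: a file-access denial, which the mount triage must skip
    'Jul 21 15:31:57 parallax kernel: [1776531.000000] audit: type=1400 '
    'audit(1500676317.000:1825): apparmor="DENIED" operation="open" '
    'profile="lxd-gitlab-runner-docker_</var/lib/lxd>" name="/sys/kernel/debug/" '
    'pid=23690 comm="exe" requested_mask="r" denied_mask="r" fsuid=100000 ouid=0',
]


def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one AppArmor audit line as a dict.

    Lines that carry no apparmor= field are not AppArmor records and yield {}.
    Quoted values are returned without their surrounding quotes.
    """
    if "apparmor=" not in line:
        return {}
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def mount_denial(fields: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Reduce a parsed record to what matters for a mount denial.

    Returns None for anything that is not apparmor="DENIED" operation="mount".
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
        return None
    return {
        "profile": fields.get("profile", ""),   # the confining LXD profile
        "fstype": fields.get("fstype", ""),     # filesystem being mounted
        "target": fields.get("name", ""),       # mount point inside the container
        "flags": fields.get("flags", ""),       # requested mount flags
        "reason": fields.get("info", ""),       # kernel's reason string
        "comm": fields.get("comm", ""),         # process that attempted it
    }


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan a log and return one summary per DENIED mount, in log order."""
    found = []
    for line in lines:
        summary = mount_denial(parse_apparmor_line(line))
        if summary is not None:
            found.append(summary)
    return found


def count_by_profile(denials: List[Dict[str, str]]) -> Counter:
    """Count denials per (profile, fstype); repeated hits point at the rule
    that is missing from that profile."""
    return Counter((d["profile"], d["fstype"]) for d in denials)


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f'{d["profile"]}: {d["comm"]} tried to mount {d["fstype"]} '
              f'at {d["target"]} with [{d["flags"]}] -> {d["reason"]}')
    print(count_by_profile(triage(SAMPLE_LOG)))
```

Run against a real `journalctl -k` or `/var/log/kern.log` export, the script lists each confined profile together with the filesystem type and flags it was refused, which is exactly what you need to compare with the mount rules in the profile the host generated for that container.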