Having trouble using docker

So I read this article about using Docker within an lxd container. I’m unfortunately unable to get it to work. When I try to run docker within my unprivileged container, I get this:

$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b04784fba78d: Pull complete
Digest: sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f
Status: Downloaded newer image for hello-world:latest
container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"rootfs_linux.go:53: mounting \\\"proc\\\" to rootfs \\\"/var/lib/docker/vfs/dir/263c4de19f5f2632de66eb963f72f6c4108d449ec3c209ec296b22823718d243\\\" at \\\"/proc\\\" caused \\\"permission denied\\\"\""
docker: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:359: container init caused \\\"rootfs_linux.go:53: mounting \\\\\\\"proc\\\\\\\" to rootfs \\\\\\\"/var/lib/docker/vfs/dir/263c4de19f5f2632de66eb963f72f6c4108d449ec3c209ec296b22823718d243\\\\\\\" at \\\\\\\"/proc\\\\\\\" caused \\\\\\\"permission denied\\\\\\\"\\\"\"\n".

In the host I see this apparmor denial:

Jul 21 15:31:55 parallax kernel: [1776529.731031] audit: type=1400 audit(1500676315.076:1824): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-gitlab-runner-docker_</var/lib/lxd>" name="/var/lib/docker/vfs/dir/263c4de19f5f2632de66eb963f72f6c4108d449ec3c209ec296b22823718d243/proc/" pid=23678 comm="exe" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"

That article didn’t discuss confinement, so I feel like I’m missing something here. Any help would be appreciated. Note that I’m using lxd v2.12 on Ubuntu Xenial.

Oops, sorry, this article needs to be slightly tweaked as its last update wasn’t quite correct.

You want: “lxc launch ubuntu:16.04 -c security.nesting=true” so that nesting is allowed for the container.

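To show how the symptom in the question maps to the fix in the answer, here is an added example (not code from the thread or from LXD itself): a small POSIX shell script that scans kernel audit lines for exactly the AppArmor signature shown above, a DENIED mount of fstype "proc" from an lxd-&lt;container&gt; profile, and prints the command to enable nesting for each affected container. The sample log lines are constructed (the first is adapted from the question, the second is an unrelated denial that must not match), and the suggested fix uses the `lxc config set <name> security.nesting true` form for an already-running container rather than the `lxc launch ... -c` form from the answer; that form is assumed to match your LXD version.

```shell
#!/bin/sh
# Added example: detect AppArmor "proc" mount denials from LXD container profiles
# and map each one to the container that needs security.nesting=true.

# Constructed sample audit lines. Line 1 mirrors the denial from the question
# (rootfs path shortened); line 2 is a made-up file-open denial that must not match.
SAMPLE_LOG='Jul 21 15:31:55 parallax kernel: [1776529.731031] audit: type=1400 audit(1500676315.076:1824): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-gitlab-runner-docker_</var/lib/lxd>" name="/var/lib/docker/vfs/dir/263c4de1.../proc/" pid=23678 comm="exe" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Jul 21 15:32:01 parallax kernel: [1776535.000000] audit: type=1400 audit(1500676321.000:1825): apparmor="DENIED" operation="open" profile="lxd-other_</var/lib/lxd>" name="/etc/shadow" pid=23700 comm="cat"'

# Read audit lines on stdin; print the LXD container name behind every
# DENIED mount of fstype "proc", one per line, deduplicated.
# LXD names its profiles "lxd-<container>_<path>", so the container name is
# the part between "lxd-" and the first "_" (LXD container names cannot
# contain underscores).
containers_needing_nesting() {
    grep 'apparmor="DENIED"' \
        | grep 'operation="mount"' \
        | grep 'fstype="proc"' \
        | sed -n 's/.*profile="lxd-\([^_"]*\)_<[^"]*>".*/\1/p' \
        | sort -u
}

# Read container names on stdin; print the lxc command that enables nesting
# for each one (assumed form; the thread uses "-c security.nesting=true" at launch).
suggest_fix() {
    while IFS= read -r name; do
        printf 'lxc config set %s security.nesting true\n' "$name"
    done
}

# Stand-alone run: scan the constructed sample and print the fix.
# On a real host you would pipe in e.g. `journalctl -k` or /var/log/kern.log instead.
printf '%s\n' "$SAMPLE_LOG" | containers_needing_nesting | suggest_fix
```

The three greps deliberately require all of DENIED, mount and fstype="proc" together, so ordinary file-access denials from other container profiles are not reported as a nesting problem.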

Excellent, thank you @stgraber, that was it indeed.

This saved my life.