I have read How to run Docker inside LXD containers, and would like to have a profile that I can use during lxc launch that applies the configuration changes, and uses the correct storage.
I created a storage volume like this:
lxc storage create docker btrfs
❯ lxc storage list
+---------------------+--------+-------------------------------------------+-------------+---------+---------+
| NAME | DRIVER | SOURCE | DESCRIPTION | USED BY | STATE |
+---------------------+--------+-------------------------------------------+-------------+---------+---------+
| default | zfs | rpool/lxd | | 5 | CREATED |
+---------------------+--------+-------------------------------------------+-------------+---------+---------+
| docker | btrfs | /var/snap/lxd/common/lxd/disks/docker.img | | 2 | CREATED |
+---------------------+--------+-------------------------------------------+-------------+---------+---------+
| workstation-default | zfs | barra500/Ubuntu-Workstation/lxd-storage | | 99 | CREATED |
+---------------------+--------+-------------------------------------------+-------------+---------+---------+
My workstation file-systems are zfs.
I created a profile docker after inspecting the config of the container created in the exercise. It looks like this:
lxc profile copy default docker (do not edit the default; copy it, back it up, and use a new one)
lxc profile edit docker
insert / save
lxc launch ubuntu: ubuntu
lxc profile assign ubuntu docker
LXC profiles can be somewhat confusing to a newcomer, and the logic of how they work is also different, so definitely check out the tutorials on profiles. In the interim, here is a "complete example of a complete basic nested/privileged lxc profile…"; modify it to fit.
This has br0 instead of lxdbr0 and basic dir/ext4 storage.
Newcomers to LXD need to see exact, complete code examples in order to gain perspective and learn; snippets, comments and one-liner inserts only add to confusion, fatigue, and more errors.
It's worth pointing out that the use of these two settings together effectively removes all isolation from the host, as it is trivial for the container to break out onto the host.
This is fine if you trust the workloads inside the container, but something to be aware of.
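An added example (not code from any post in this thread) that ties the profile steps above to the isolation caveat: it generates a config-only "docker" profile that keeps the container unprivileged (security.nesting plus the mknod/setxattr syscall interceptors instead of security.privileged), refuses to apply a profile that combines nesting with privileged mode, and attaches a dedicated volume from the btrfs "docker" pool at /var/lib/docker. It assumes the "docker" pool from the question already exists; "docker1" and the script name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a config-only "docker" profile that
# keeps the container unprivileged (nesting plus syscall interception instead of
# security.privileged) and gives each instance its own btrfs volume at /var/lib/docker.
# Assumes the "docker" btrfs pool from the post exists; "docker1" is a placeholder name.

# Profile YAML. It stays config-only so the "default" profile keeps supplying nic/root.
docker_profile_yaml() {
  cat <<'EOF'
config:
  security.nesting: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"
description: Docker inside an unprivileged LXD container
devices: {}
EOF
}

# Returns 1 when a profile combines nesting with privileged mode, the pairing
# that removes isolation from the host; returns 0 otherwise.
check_isolation() {
  if printf '%s\n' "$1" | grep -Eq '^ *security\.privileged: *"?true"?' &&
     printf '%s\n' "$1" | grep -Eq '^ *security\.nesting: *"?true"?'; then
    return 1
  fi
  return 0
}

# Create the profile, init the instance with default+docker, attach a dedicated
# volume for /var/lib/docker, then start it.
apply() {
  inst="$1"
  yaml="$(docker_profile_yaml)"
  check_isolation "$yaml" || { echo "refusing: profile drops host isolation" >&2; return 1; }
  lxc profile show docker >/dev/null 2>&1 || lxc profile create docker
  printf '%s\n' "$yaml" | lxc profile edit docker
  lxc init ubuntu: "$inst" --profile default --profile docker
  lxc storage volume create docker "docker-$inst"
  lxc config device add "$inst" docker disk pool=docker source="docker-$inst" path=/var/lib/docker
  lxc start "$inst"
}

# Only touch LXD when invoked as: sh docker-profile.sh apply <instance-name>
if [ "${1:-}" = "apply" ]; then
  apply "${2:-docker1}"
fi
```

Because the volume is created per instance, several containers can share the profile without sharing one /var/lib/docker.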
I’m using the following profile for running Docker; it’s working well unprivileged for most cases (I never tried running K8S/Rancher inside; I think it will be a bit wonky in unprivileged mode).