LXCFS with security.nesting=true

I noticed this while running a Docker container in an LXD container:

root@lxdcontainer:~# grep -c processor /proc/cpuinfo 
root@lxdcontainer:~# grep MemTotal /proc/meminfo 
MemTotal:         488280 kB
root@lxdcontainer:~# docker run -it ubuntu bash 
root@fcd00479a2c1:/# grep -c processor /proc/cpuinfo 
root@fcd00479a2c1:/# grep MemTotal /proc/meminfo 
MemTotal:       263758600 kB

I have been trying to figure out why Docker has access to the host machine’s /proc/cpuinfo and /proc/meminfo files, but haven’t been able to tell much from docker events.

Is this an artifact of setting security.nesting=true for the LXD container in order to run Docker containers?

My goal is to get the Docker container to only see resources that have been allocated to the LXD container and nothing else. Please let me know how I can do so.

LXD detects the presence of LXCFS and over-mounts the relevant files in /proc for the container.
Docker doesn’t know a thing about LXCFS and mounts its own copy of /proc.

Therefore Docker sees the unmasked values and will simply hit the resource limits and fail at that point.
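A quick way to confirm this from inside either container is to look at which filesystem backs each /proc file in mountinfo: LXCFS shows up as a fuse.lxcfs mount on top of the individual file, while a fresh proc mount (what Docker sets up) has no such over-mounts. The script below is an added example, not code from the thread or from the LXD/LXCFS projects; the two mountinfo samples in it are constructed to mirror the situation described above and are not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): tell whether a /proc file is served by
# LXCFS (fuse.lxcfs) or by the kernel's own proc filesystem, by reading
# mountinfo and picking the longest mount point that covers the path.

# Print the filesystem type of the mount backing PATH, from mountinfo text
# on stdin.  Longest matching mount point wins, which is how the kernel
# resolves over-mounts such as LXCFS's files on top of /proc.
backing_fstype() {
    awk -v p="$1" '
    {
        mp = $5
        # The fstype is the field right after the "-" separator.
        fs = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fs = $(i + 1); break }
        if (mp == "/" || p == mp || index(p, mp "/") == 1) {
            if (length(mp) > best) { best = length(mp); bestfs = fs }
        }
    }
    END { print bestfs }'
}

# Exit 0 when PATH is served by LXCFS, 1 otherwise (mountinfo on stdin).
served_by_lxcfs() {
    [ "$(backing_fstype "$1")" = "fuse.lxcfs" ]
}

# Constructed mountinfo samples (not captured from a real system).
# Inside the LXD container: LXCFS over-mounts individual /proc files.
LXD_MOUNTINFO='1 0 0:1 / / rw,relatime - zfs default/containers/c1 rw
21 1 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
45 21 0:40 /proc/cpuinfo /proc/cpuinfo rw,nosuid,nodev,relatime - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,allow_other
46 21 0:40 /proc/meminfo /proc/meminfo rw,nosuid,nodev,relatime - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,allow_other'

# Inside the nested Docker container: a fresh proc mount, no LXCFS files.
DOCKER_MOUNTINFO='1 0 0:50 / / rw,relatime - overlay overlay rw
21 1 0:51 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

# Report what each container would see for the two files from the thread.
report() {
    label=$1
    data=$2
    for f in /proc/cpuinfo /proc/meminfo; do
        printf '%-16s %-14s %s\n' "$label" "$f" \
            "$(printf '%s\n' "$data" | backing_fstype "$f")"
    done
}

report "lxd container" "$LXD_MOUNTINFO"
report "docker in lxd" "$DOCKER_MOUNTINFO"
```

On a live system, feed the real table in with `backing_fstype /proc/meminfo < /proc/self/mountinfo`; running that once in the LXD container and once inside the Docker container makes the difference visible: the first answers fuse.lxcfs, the second plain proc, which is exactly why the nested container reports the host's totals.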

But the Docker container is being run within the LXD container, so shouldn’t it see the files in /proc that have been over-mounted by LXCFS like you mentioned?

No, as I said, it mounts its own copy of /proc.

I misunderstood your first response. Thanks for the clarification.

Do you have any suggestions to overcome this? I would like Docker containers within LXD containers to only use and see resources that have been allocated to the LXD container.