LXD nesting containers with Docker

Hi, Ive been using LXD for a while now and am really enjoying it.

I want to run Nginx Proxy Manager (in a production environment), but Nginx Proxy Manager only runs in Docker.

I have setup a container like so:

lxc launch ubuntu:20.04 npm
lxc config set npm security.nesting true
lxc config set npm security.syscalls.intercept.mknod=true
lxc config set npm security.syscalls.intercept.setxattr=true

I have installed docker and docker-compose within the container and Nginx Proxy Manager is up and running.

Nesting containers is new to me and I always run my other containers in unprivileged mode.

I guess I’d like to know is this a safe practice to use in production as I was to have Nginx Proxy Manager public facing?
or should I be locking down the container in other ways?


Nesting with unprivileged containers is considered AFAIK.

Is this true @stgraber ?

My understanding is that nesting with privileged containers can be a security problem.

The config above should be fine, security.nesting=true on an unprivileged LXD container is safe and both the mknod and setxattr syscall interception features are also considered safe to use. They could be abused to cause a denial of service attack on the host (using up all the CPU) but as your container doesn’t have limits in place in the first place, that’s unlikely to be an issue here.

1 Like

I’ve read many times here in the forums recommendations about setting security.nesting=true in order to run docker inside nested LXD containers.

lxc config set npm security.syscalls.intercept.mknod=true
lxc config set npm security.syscalls.intercept.setxattr=true

Are these two other options also necessary for running docker in containers? Or only in certain situations?

I’ve read about these settings at System call interception - LXD documentation but am still not quite sure about them. With @stgraber mentioning that they could be abused, I’d rather only set them if necessary.

The Ubuntu tutorial at How to run Docker inside LXD containers | Ubuntu also recommends these settings on page 2. In that tutorial, are these two additional settings used only in relation to enabling the host OS storage pool (detailed higher up on that same tutorial page) for use with docker inside the container?

They should be set when using the overlay2 VFS backend in Docker which is usually the default storage backend. It may work for a while without them, but eventually you’ll hit a layer which will require those options.

Basically those options are needed to handle layers that remove a file or directory from a parent layer. You don’t need them so long as all your layers add stuff, but the moment one of them needs to delete something, if you’re using overlay2, you’ll need them.