Run docker in lxc is secure?

I can run docker containers in lxc with following lxc config:
lxc.apparmor.profile: unconfined
Is it secure or not?
I want use this for many users that want to work with docker in their lxc vm.

Assuming the container is also privileged (which it likely is in this case), no, it’s not safe.
Privileged containers without apparmor enabled make it easy for a user inside the container to escape to the host.

It’s no worse than running Docker directly on the host with your users having administrative access to the host, but if your goal is to separate your various users in a way where they can’t harm each another or the host, privileged containers without apparmor will not achieve this.


Can we say, there is not a secure way to run docker inside lxc ?

Unprivileged container, overylay storage backend for docker, security.nesting=true

That’s the secure way. This whole myth of docker not functioning well or securely in LXD/LXC needs to go away.


@trystan First person with the RIGHT knowledge… thanks

Just to extend the response:

  1. Add “aufs” or “overlay” (or both) to /etc/modules-load.d/modules.conf in your PVE host and reboot. Check it with lsmod | grep -E 'overlay|aufs'
  2. Use a LXC image with unprivilege features (you can check them here)
  3. Create the container with unprivilege option, and “keyctl=1, nesting=1” features (Options section in proxmox).
  4. Maybe you would want to mount an external point into /var/lib/docker (Resources section in proxmox)
  5. Check this link to change your storage-driver in docker to use aufs or overlay2.
  6. Voilá…

P.S: now people please keep worring about having docker inside LXC or even in the PVE host, but now worried at all having docker in a bare production host … thats cool

1 Like

I’ve done all the steps in this post (including mounting an external point into /var/lib/docker) but Docker is failing.

‘overlay2’ is not supported over zfs"

Is there a work-around?

On top of ZFS, your only real option I believe is to use the vfs storage backend in Docker.

Thanks, but it might use a lot more disk space than I would like. I’ve heard numbers of 30 GB for a Bitwarden install.

And how about creating a zfs-dataset with a file system (ext4?), add it as storage in Proxmox, then mount that to container?

I think I might use a virtual machine (KVM) for Docker to be more flexibel.

Yeah, passing a disk device that’s ext4 and mounting this on top of Docker’s storage directory would then let you use overlay