I can run docker containers in lxc with the following lxc config:
Is it secure or not?
I want to use this for many users that want to work with docker in their lxc vm.
Assuming the container is also privileged (which it likely is in this case), no, it’s not safe.
Privileged containers without apparmor enabled make it easy for a user inside the container to escape to the host.
It’s no worse than running Docker directly on the host with your users having administrative access to the host, but if your goal is to separate your various users in a way where they can’t harm each another or the host, privileged containers without apparmor will not achieve this.
Can we say there is no secure way to run docker inside lxc?
Unprivileged container, overlay storage backend for docker, security.nesting=true
That’s the secure way. This whole myth of docker not functioning well or securely in LXD/LXC needs to go away.
@trystan First person with the RIGHT knowledge… thanks
Just to extend the response:
- Add “aufs” or “overlay” (or both) to `/etc/modules-load.d/modules.conf` in your PVE host and reboot. Check it with `lsmod | grep -E 'overlay|aufs'`
- Use a LXC image with unprivileged features (you can check them here)
- Create the container with the unprivileged option, and “keyctl=1, nesting=1” features (Options section in proxmox).
- Maybe you would want to mount an external mount point into /var/lib/docker (Resources section in proxmox)
- Check this link to change your storage-driver in docker to use aufs or overlay2.
P.S.: now people, please keep worrying about having docker inside LXC or even in the PVE host, but not worried at all about having docker in a bare production host … that's cool
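An added example (not from any poster in this thread) that checks the conditions the replies above agree on: the container must be unprivileged with `nesting=1` and `keyctl=1`, and the overlay (or aufs) module must be loaded on the host. It assumes the Proxmox `/etc/pve/lxc/<CTID>.conf` key/value format; the config and `lsmod` output it is fed are constructed inputs.

```shell
#!/bin/sh
# Audit a Proxmox LXC config for the "unprivileged + nesting + keyctl" setup
# that the thread recommends for running Docker inside LXC.
# Assumes lines like "unprivileged: 1" and "features: keyctl=1,nesting=1".

# lxc_docker_ready <config-file>
# Prints one line per problem found; returns 0 only when the container is
# unprivileged and its features line carries both nesting=1 and keyctl=1.
lxc_docker_ready() {
    cfg="$1"
    rc=0
    if ! grep -qE '^unprivileged:[[:space:]]*1[[:space:]]*$' "$cfg"; then
        echo "FAIL: container is privileged (no 'unprivileged: 1'); a Docker user could escape to the host"
        rc=1
    fi
    # features line, with any whitespace removed so "keyctl=1, nesting=1" also parses
    features=$(sed -n 's/^features:[[:space:]]*//p' "$cfg" | tr -d ' ')
    case ",$features," in
        *,nesting=1,*) ;;
        *) echo "FAIL: features line lacks nesting=1 (needed to start containers inside the container)"; rc=1 ;;
    esac
    case ",$features," in
        *,keyctl=1,*) ;;
        *) echo "FAIL: features line lacks keyctl=1 (Docker needs the kernel keyring syscalls)"; rc=1 ;;
    esac
    return $rc
}

# overlay_loaded <lsmod-output>
# Returns 0 if the overlay or aufs module appears in the given lsmod output
# (pass "$(lsmod)" on a real host; the test feeds constructed text).
overlay_loaded() {
    printf '%s\n' "$1" | grep -qE '^(overlay|aufs)[[:space:]]'
}
```

On a real PVE host this would be run as `lxc_docker_ready /etc/pve/lxc/<CTID>.conf && overlay_loaded "$(lsmod)"`; a non-zero exit means the setup still falls into the privileged or missing-module cases the replies warn about.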