Run Docker inside Incus Container on MacOS (ARM)

liszca · January 4, 2026, 2:24am

Trying to run Docker inside Incus:

docker run -d -P --name iamfoo traefik/whoami
b58a7757433d0a2ad3fc47376b8985f3b7d16d8ea7aea1090a50e1b78af24385
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied

After that I tried to change the container config and added:

config:
  image.architecture: aarch64
  image.description: Alpinelinux edge aarch64 (20260102_13:00)
  image.name: alpinelinux-edge-aarch64-default-20260102_13:00
  image.os: alpinelinux
  image.release: edge
  image.serial: "20260102_13:00"
  image.variant: default
  security.nesting: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"

But no change here. Is it possible on MacOS to have it running?

stgraber · January 4, 2026, 2:53am

What version of Incus is that?
It sounds like an older release what’s missing a change to handle the newer runc.

liszca · January 4, 2026, 2:54am

v6.20

stgraber · January 4, 2026, 3:05am

Hmm, that’s odd, 6.20 should have the fix for it so long as the container was started up under 6.20 and with security.nesting=true set.

liszca · January 4, 2026, 3:31am

I figured out colima could be updated, but that didn’t help.

But besides that I wonder why I can’t start VMs I got the message something like KVM is missing. Colima looks like an ordinary Ubuntu. It can’t provide KVM because it uses Apples HVF?

stgraber · January 4, 2026, 12:09pm

You can run VMs inside of the Colima VM, but you need to be on an Apple platform that supports it (M2 or higher I believe) and you need the Colima VM to have it enabled too.

There is a --nested-virtualization flag you need to pass and in my case I also had to pass --vm-type=vz (my MacOS test environment is an M4 Mac Mini).

candlerb · January 4, 2026, 6:18pm

Nested virtualization requires M3 or higher, and macOS 15 or higher.

liszca · January 4, 2026, 6:45pm

Am I doing this right, not so sure as I have an M1?

colima start --cpu 4 --memory 8 --nested-virtualization --vm-type=vz

It gives me:

FATA[0000] unknown flag: --nested-virtualization

And I noticed there is only qemu and vz while vz is the default.

stgraber · January 4, 2026, 6:48pm

As I said above, nested virtualization requires M2 or later

liszca · January 4, 2026, 7:35pm

You think I can go around the missing nesting abilities by using x86 emulation (vz-rosetta?) ?

candlerb · January 4, 2026, 7:45pm

IIUC, rosetta lets you run x86 binaries, not x86 VMs. For example, you could run an amd64 docker container image (I haven’t tested it myself). But you couldn’t boot an x86 kernel.

You can always use qemu for running VMs, arm or x86, but it will be slooooooow.

EDIT: to be clear, the nested virtualization with M3 + macOS 15 is arm VMs inside arm VMs.

stgraber · January 4, 2026, 7:46pm

Yeah, it won’t be providing the hardware KVM extensions that Incus requires.