Back to the eternal topic: Running Docker in LXC…
So far I have managed to get Docker running in an unprivileged LXC container by using the following container config:
# Unprivileged container uid and gid mapping
lxc.include = /usr/share/lxc/config/userns.conf
lxc.id_map = u 0 1000000 65536
lxc.id_map = g 0 1000000 65536
# Adjust for Docker inside LXC
lxc.aa_profile = unconfined
lxc.cap.drop =
lxc.cap.drop = sys_time sys_module sys_rawio
lxc.mount.auto = proc:rw sys:rw cgroup
This allows to run the Docker service just fine:
root@kube1:~# docker info
Client:
Debug Mode: false
Server:
Containers: 9
Running: 0
Paused: 0
Stopped: 9
Images: 2
Server Version: 19.03.8
Storage Driver: vfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.19.0-0.bpo.6-amd64
Operating System: Ubuntu 18.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 15.66GiB
Name: kube1
ID: IPVA:OEAI:HZLX:BWB4:SX7O:CDLW:JFFX:PXDJ:DXDA:RL7F:GNDC:27ZL
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Simple container images work just fine. This can be tested with the “hello-world” image:
root@kube1:~# docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
But more complicated container images, like Rancher2 (rancher/rancher), seem to need more permissions. The difficult thing is to figure out which permissions exactly.
Side-Spoiler: Installation of rancher/rancher works in a privileged LXC container.
Trying to install the Rancher (single node) server gives a permission error during layer extraction:
root@kube1:~# docker run -d --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher:stable
Unable to find image 'rancher/rancher:stable' locally
stable: Pulling from rancher/rancher
5bed26d33875: Already exists
f11b29a9c730: Already exists
930bda195c84: Already exists
78bf9a5ad49e: Already exists
12a73929b6a7: Pull complete
8434af3b0a23: Pull complete
28db93a68de0: Pull complete
e6dfd852f705: Pull complete
a1fa824ccd2c: Extracting [==================================================>] 99.67MB/99.67MB
1e2d165916be: Download complete
aaf1116b238c: Download complete
375fded79e14: Download complete
e2c84878ed8a: Download complete
f7a8fcb48ebd: Download complete
docker: failed to register layer: ApplyLayer exit status 1 stdout: stderr: lchown /usr/bin/etcd: invalid argument.
See 'docker run --help'.
This very error is documented on https://github.com/rancher/rancher/issues/24910.
Trying to install a Kubernetes cluster node using rancher/rancher-agent returns the following error:
root@kube1:~# sudo docker run -d --privileged --restart=unless-stopped --net=host -v /etc/kubernetes:/etc/kubernetes -v /var/run:/var/run rancher/rancher-agent:v2.3.6 --server https://rancher2.example.com --token something --ca-checksum something --etcd --controlplane --worker
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "apply caps: operation not permitted": unknown.
Concerning the first case, Rancher 2 Management Server, I believe that this has something to do with the uid mapping.
Unfortunately neither logs nor the output of docker
show relevant information where to further look.
Any ideas? Did anyone get this to work correctly in an unprivileged LXC container?