Tutorial - "Running Docker inside LXD Containers" ... no longer works

bmullan · February 25, 2023, 11:37pm

LXD container of 22.04 ubuntu …

Everything was ok until the Step that says…

Finally, we can install Docker itself:

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

where it fails/errors on installing containerd.io !

> Job for docker.service failed because the control process exited with error code.
> See “systemctl status docker.service” and “journalctl -xeu docker.service” for details.
> invoke-rc.d: initscript docker, action “start” failed.
> ● docker.service - Docker Application Container Engine
> Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
> Active: activating (auto-restart) (Result: exit-code) since Sat 2023-02-25 23:44:49 UTC; 4ms ago
> TriggeredBy: ● docker.socket
> Docs: https://docs.docker.com
> Process: 5010 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock (code=exited, status=1/FAILURE)
> Main PID: 5010 (code=exited, status=1/FAILURE)
> CPU: 74ms
> dpkg: error processing package docker-ce (–configure):
> installed docker-ce package post-installation script subprocess returned error exit status 1
> Errors were encountered while processing:
> docker-ce
> E: Sub-process /usr/bin/dpkg returned an error code (1)

Any ideas what is causing the failure with containerd.io?

thanks
brian

bmullan · February 26, 2023, 3:47pm

NOTE1: my system is BTRFS.
NOTE2: the same caveat about ZFS in the online guide stands.

However… the following Steps did successfully install Docker “nested” in an LXD contiainer…

##================================================================================
## Purpose: install Docker" “nested” inside an LXD Container

##================================================================================
## Create an LXD container (CN1 in example below) and set its config for nesting etc

## On the Host…

$ lxc launch ubuntu:22.04 CN1
$ lxc config set CN1 security.nesting=true
$ lxc config set CN1 security.syscalls.intercept.mknod=true
$ lxc config set CN1 security.syscalls.intercept.setxattr=true

$ lxc restart CN1

##================================================================================
## Enter CN1 container

$ lxc exec CN1 bash

# apt update && apt upgrade -y

##================================================================================
## Install Docker “nested” in CN1 container

# apt install docker docker-compose -y

##================================================================================
## test that Docker is running in the CN1 container…
## You should see a response “Hello from Docker!”

# docker run hello-world

victoitor · February 26, 2023, 11:04pm

My memory might be misleading me, but I think I saw @stgraber running docker only with security.nesting=true. I initially followed the link posted here and set security.syscalls.intercept.mknod=true and security.syscalls.intercept.setxattr=true. After seeing @stgraber’s videos, I moved to only setting nesting=true.

I always wondered if those extra settings are really necessary. Are they doing anything?

Hope this is not hijacking the post. I always had this curiosity and never thought about asking and it seemed appropriate here.

As an extra question, I tend to set nesting=true then running snaps. Some apparmor log messages disappear with it. As with docker, I tend to see the Stéphane’s LXD videos running snaps without nesting which seem to work fine. Is it really needed?

bmullan · February 26, 2023, 11:43pm

Yes… I did those settings also! Thanks.

bmullan · February 27, 2023, 1:38am

Okay… I just tried this and it seems to work
1 - create the container
2 - set security.nesting=true
3 - apt update && apt upgrade -y
4 - apt install docker docker-compose -y
5 - reboot
6 - enter the container
7 - docker run hello-world

and it works!
So maybe those other 2 “config set” commands are no longer need??