Using Docker with Incus

Luigi_Castro · April 26, 2024, 12:46am

I am writting/learning/looking for some documentation about Incus and its interactions with Docker. For example working with ZFS, BTRFS etc. Does anyone have relevant info on these topics? I did find some info on the documentation and previous treads. By all means please correct anything I state here as I am still learning.

Docker running along and Incus host

Docker inside a LXC container

– I am not sure if this information is still relevant but using docker in a container with VFS will run but can cause slowness and waste of resources due to dockers layering nature.
– Due to container`s unpriviledged nature cannot run as root.

---- Required to run inside a LXC ----

incus config set security.nesting true
security.syscalls.intercept.mknod=true
security.syscalls.intercept.setxattr=true
— with Zfs —
(For ZFS) zfs.delegate=true

Docker running inside an LXD VM

– As per documentation here Btrfs - btrfs - Incus documentation
Avoid running docker in a vm with BTRFS.
– Runs like a normal VM once configured properly. Has access to all modules and root.

ciphermenial · April 26, 2024, 4:38am

I did this recently.

Luigi_Castro · April 26, 2024, 4:54am

Awesome thanks, noted. I was not aware of the zfs.delegate=true, maybe thats affecting me at the moment. I am also struggling with should I install docker alongside the host to run services that require root access? I wanted to keep my host very plain but I ran into trouble running homepage as root so made me question myself. I also considered running a normal VM and using that to host my dockers… so many options hehe.

ciphermenial · April 26, 2024, 4:55am

You can do all of those. I am running a bunch of Docker containers inside LXC with that configuration. Works perfectly.

Luigi_Castro · April 26, 2024, 5:14am

Was testing out the zfs delegation but it will not allow me.

luigi@HomeServer:~/incus_profiles$ incus storage volume set storage MyZpool/Docker zfs.delegate=true
Error: Snapshots are read-only and can't have their configuration changed

incus storage ls
container | Docker                                                           |             | filesystem   | 1
Incus storage volume list MyZpool
container | Docker                                                           |             | filesystem   | 1

ciphermenial · April 26, 2024, 5:33am

It should be container/ and then the container name.

Luigi_Castro · April 26, 2024, 1:24pm

That still did not work,

incus storage volume set storage container/Docker zfs.delegate true
Error: Storage pool not found

root:
    path: /
    pool: MyZpool
    type: disk

Maybe its because of my config.

Stillman · April 26, 2024, 4:58pm

I certainly do not want to hijack your thread and am curious if ciphermential guide would be any different if you want to to run podman in a virtual machine. I believe podman would benefit from ZFS 2.2 and overlayfs support. Would it be as simple as installing ZFS 2.2 and launching a Fedora40 container and installing podman? I know docker is the current standard, but podman rootless containers and direct integration with systemd seems like a better mouse trap at this point.

ZFS 2.2 introduced Linux container support for overlayfs.

incus launch images:debian/12 docker -c security.nesting=true -c security.syscalls.intercept.mknod=true -c security.syscalls.intercept.setxattr=true

Luigi_Castro · April 26, 2024, 5:04pm

By all means feel free, maybe we should add a section at the top for podman.
— On a separate note
I finally got this to work.

incus storage volume set MyZpool container/Docker zfs.delegate=true

Stillman · April 26, 2024, 5:38pm

Great to hear that you got it working. I wonder if the config key would also be needed with a podman/docker virtual machine?

incus storage volume set MyZpool container/Docker zfs.delegate=true

I know a lot of folks seem to run docker as a separate container as opposed to a virtual machine in incus. I assume because it is lighter than running a full vm and having to allocate CPU and RAM. From a security perspective it seems a full VM would be better. Again, Podman in a separate VM with rootless containers would seem to be more secure if I decided to open up some containers to the internet. I am not ready to open anything to the internet, but taking baby steps.

Any thoughts on the topic would be appreciated.

Luigi_Castro · April 26, 2024, 7:42pm

I really wonder if running an lxc container for each docker service you will use is not wasteful, in terms of memory and cpu, not so much storage. I mean I know the point of lXC are to be very lightweight but still having docker installed and doing os operations for each…

stgraber · April 26, 2024, 9:24pm

You’d usually run more than one Docker container in there.

But yeah, our plan over the next few months is to add native support for running OCI application containers alongside full system containers directly on Incus.

That’d use LXC’s native OCI support and would allow running most simple Docker workloads (image with some env variables and some devices/files passed through).

Not trying to full on compete with more complex Docker setups but definitely trying to cover the simpler cases where the extra level just adds needless complexity.

srtcd424 · May 1, 2024, 11:02am

Excuse slight thread hijack! I’m using your Dockerfile as the basis for running incus under BalenaOS, with a few modifications. Just wanted to let you know I had to set the user.max_user_namespaces sysctl to something sensible (a large round number seems to be traditional) - that might something applicable to other OSes, too, so maybe worth documenting if nothing else.

trumee · October 7, 2024, 3:51am

I have on ZFS 2.2.4 (Archlinux host) and have setup incus. I get the following errors in dmesg,

[73630.910868] overlayfs: failed to set xattr on upper
[73630.910873] overlayfs: ...falling back to redirect_dir=nofollow.
[73630.910874] overlayfs: ...falling back to metacopy=off.
[73630.910875] overlayfs: ...falling back to index=off.
[73630.910876] overlayfs: ...falling back to uuid=null.
[73630.910877] overlayfs: ...falling back to xino=off.
[73630.910878] overlayfs: try mounting with 'userxattr' option
[73633.378238] overlayfs: upper fs does not support file handles, falling back to index=off.
[73633.378245] overlayfs: fs on '/var/lib/docker/metacopy-check1052896129/l1' does not support file handles, falling back to xino=off.
[73633.795478] overlayfs: upper fs does not support file handles, falling back to index=off.
[73633.795484] overlayfs: fs on '/var/lib/docker/overlay2/opaque-bug-check293708807/l2' does not support file handles, falling back to xino=off.
[73659.124410] overlayfs: fs on '/var/lib/docker/overlay2/l/6YGTV6ATEZTXWCOVC52VVXRYK5' does not support file handles, falling back to xino=off.
[73662.602416] overlayfs: fs on '/var/lib/docker/overlay2/l/LXEIIQ3OHKP4L2KG46CCLFBCE2' does not support file handles, falling back to xino=off.
[73667.727286] overlayfs: fs on '/var/lib/docker/overlay2/l/LXEIIQ3OHKP4L2KG46CCLFBCE2' does not support file handles, falling back to xino=off.

Do you get this as well? I was wondering if the overlay support in ZFS fixed this or not.