Working install of Docker-CE in LXC unprivileged container in Proxmox

Hi all,

Like many others it took me some time to figure out how to have a working Docker-CE installation inside an unprivileged LXC container created on my Proxmox server. I currently run Proxmox v.5.3-6.

I considered that it might be interesting to summarize my thoughts with others in search of a similar config. So here is how Docker-CE was successfully installed for me on Ubuntu 16.04, Ubuntu 18.04 and Debian 9.6.

  • create an unprivileged LXC container in Proxmox based on the the template of your choice

  • apt-get update && apt-get upgrade (eventually 2x if you get an « unable to fetch some archives » message in the end)

  • install curl if it was not provided by the distribution

  • curl -fsSL https://download.docker.com/linux/<your_distro>/gpg | sudo apt-key add -
    where <your_distro> is “debian” or “ubuntu” or whatever (although I didn’t test the others)

  • edit /etc/apt/sources.list and add the appropriate repository from docker :
    deb [arch=amd64] https://download.docker.com/linux/debian stretch stable
    deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable

  • apt-get update

  • apt-cache policy docker-ce to ensure that a package for docker-ce is available

  • apt-get install docker-ce

  • systemctl status docker
    should return « Active (running) »
    In case not (trick #1), work around the systemd bug by adding an empty “ExecStartPre=” to the containerd service.
    This link has a clear explanation of the steps:
    a) mkdir -p /etc/systemd/system/containerd.service.d
    b) echo -e '[Service]\nExecStartPre=\n' > /etc/systemd/system/containerd.service.d/override.conf
    c) systemctl daemon-reload
    d) systemctl start docker
    e) systemctl enable docker

  • Now the docker daemon should be OK ; it’s time for the second error:
    docker run hello-world returns an error « mounting proc to rootfs permission denied »

  • Fix it (trick #2) by manually inserting a line containing the following:

    features: keyctl=1,nesting=1

    in the config file of your LXC as documented in this Proxmox doc.
In Proxmox you find the LXC config here: /etc/pve/local/lxc/<container_id>.conf
So you have to do it via an SSH connection directly into your Proxmox host.

  • stop/start the LXC container
  • docker run hello-world gives you « Hello from Docker ! » now.

Enjoy!

However I can hardly appreciate whether “keyctl=1,nesting=1” could be regarded as a security concern or not. Maybe Stéphane can provide some light on this question.


Thanks for this.

When you try with docker-ce in an LXD container, it requires the overlay kernel module to be loaded on the host. Is that kernel module already loaded for you?

Hello,
No, the “overlay” module is not loaded by default on Proxmox v.5.3-6. And I didn’t have to load it manually either for LXC. But I don’t have any experience with LXD.

overlay can be loaded via “modprobe overlay” (overlay2 is not available with the Proxmox kernel, not in Proxmox 5 nor in Proxmox 6 (beta1)).

to keep the module loaded be sure to edit the /etc/modules file

e.g.

nano /etc/modules

then type “overlay” in the file below the comment section, save & exit


Are you sure overlay2 doesn’t work for Docker in an LXC container on Proxmox?

I edited the /etc/modules-load.d/modules.conf file to say just overlay - rebooted the Proxmox host and went through the steps of selecting overlay2 as the storage driver for the Docker LXC container. Restarted the service, typed docker info and it shows that it’s working:

Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: false

This is all on Proxmox 6, so I assume overlay2 works correctly? Or would I need to edit /etc/modules-load.d/modules.conf to say overlay2 instead of overlay?


Seems to work without overlay. What specifically is it needed for? We are only looking to virtualize Apps not OS with Docker.

Sorry, but this does not work for containers like rancher that actually need to mount device nodes. You still need privileged containers for that. Even with Proxmox 6.

You can add these (the mentioned fixes) in the GUI now for Proxmox. No need to edit the files anymore. How well does the networking work with unprivileged?

Worked like a charm!

Thanks so much for figuring this out, Ansfrid1066!

In case it’s helpful for anyone else, I created a shell script that works on an ubuntu18 template.

In the container, run the following:

apt-get update && \
  apt install curl gnupg2 -y && \
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
  echo 'deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable' >> /etc/apt/sources.list && \
  apt-get update && \
  apt-get install docker-ce -y && \
  shutdown -h now

Note the VMID of your container. Then, on your Proxmox host, run the following:

VMID=113 # Replace this with the VMID of your container
echo 'features:  keyctl=1,nesting=1' | tee -a "/etc/pve/local/lxc/${VMID}.conf"

When you start your container again, you should be able to successfully run the following command:

docker run hello-world

Hey, this worked great, thanks for the post. One thing is missing though.
There is one last error with your current config, and it is related to AppArmor.
To fix it you need to add some extra lines to the container configuration:

lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

With the steps you described and these lines it worked for me, running Proxmox 6.2-15 and an LXC container with Ubuntu 18.04.

If ‘Unprivileged container’ = ‘Yes’, then apparmor related config is not required.