Working install of Docker-CE in LXC unprivileged container in Proxmox


Hi all,

Like many others it took me some time to figure out how to have a working Docker-CE installation inside an unprivileged LXC container created on my Proxmox server. I currently run Proxmox v.5.3-6.

I considered that it might be interesting to summarize my thoughts with others in search of a similar config. So here is how Docker-CE was successfully installed for me on Ubuntu 16.04, Ubuntu 18.04 and Debian 9.6.

  • create an unprivileged LXC container in Proxmox based on the template of your choice

  • apt-get update && apt-get upgrade (eventually 2x if you get an « unable to fetch some archives… » message in the end)

  • install curl if it was not provided by the distribution

  • curl -fsSL<your_distro>/gpg | sudo apt-key add -
    where <your_distro> is “debian” or “ubuntu” or whatever (although I didn’t test the others)

  • edit /etc/apt/sources.list and add the appropriate repository from docker :
    deb [arch=amd64] stretch stable
    deb [arch=amd64] xenial stable

  • apt-get update

  • apt-cache policy docker-ce to ensure that a package for docker-ce is available

  • apt-get install docker-ce

  • systemctl status docker
    should return « Active (running) »
    In case not (trick #1), work around the systemd bug by adding an “ExecStartPre=” to containerd service.
    This link has a clear explanation of the steps:
    a) mkdir -p /etc/systemd/system/containerd.service.d
    b) echo -e "[Service]\nExecStartPre=\n" > /etc/systemd/system/containerd.service.d/override.conf
    c) systemctl daemon-reload
    d) systemctl start docker
    e) systemctl enable docker

  • Now the docker daemon should be OK ; it’s time for the second error:
    docker run hello-world returns an error « mounting proc to rootfs…permission denied »

  • Fix it (trick #2) by inserting manually a line containing the following:

        features: keyctl=1,nesting=1

    in the config file of your LXC as documented in this Proxmox doc.
    In Proxmox you find the LXC config here: /etc/pve/local/lxc/<container_id>.conf
    So you have to do it via an SSH connection directly into your Proxmox host.

  • stop/start the LXC container
  • docker run hello-world gives you « Hello from Docker ! » now.


However I can hardly appreciate whether “keyctl=1,nesting=1” could be regarded as a security concern or not. Maybe Stéphane can provide some light on this question.
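
The check below is an added example, not part of the original post and not Proxmox tooling: it reads a container config in the "key: value" format shown above and reports whether the container is unprivileged and carries keyctl=1,nesting=1, so you can inventory which containers have the features the post asks about. The function names, verdict labels and sample configs are constructed for illustration, and it assumes snapshot sections in the file start with a "[name]" line.

```shell
#!/bin/sh
# Added example, not from the thread: check a Proxmox LXC config for the
# settings the first post relies on. Sample configs below are constructed.
# Print "unprivileged=N keyctl=N nesting=N" for the config file in $1.
# Only the current section is read; snapshot sections ("[name]") are skipped.
lxc_flags() {
    awk '
        /^\[/ { exit }                        # snapshots start here; END still runs
        /^unprivileged:/ { unpriv = $2 }
        /^features:/ {
            sub(/^features:[ \t]*/, "")
            n = split($0, kv, ",")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                gsub(/[ \t]/, "", p[1]); gsub(/[ \t]/, "", p[2])
                feat[p[1]] = p[2]
            }
        }
        END { printf "unprivileged=%d keyctl=%d nesting=%d\n",
                     unpriv + 0, feat["keyctl"] + 0, feat["nesting"] + 0 }
    ' "$1"
}

# Classify a config against the setup described in the post (labels are made up).
lxc_verdict() {
    case "$(lxc_flags "$1")" in
        "unprivileged=1 keyctl=1 nesting=1") echo "matches-post" ;;
        unprivileged=0*)                     echo "privileged" ;;
        *)                                   echo "missing-features" ;;
    esac
}

SAMPLES=$(mktemp -d)
cat > "$SAMPLES/101.conf" <<'EOF'
arch: amd64
unprivileged: 1
features:  keyctl=1,nesting=1
EOF
cat > "$SAMPLES/102.conf" <<'EOF'
arch: amd64
unprivileged: 1

[old-snapshot]
features: keyctl=1,nesting=1
EOF

for f in "$SAMPLES"/*.conf; do
    echo "$(basename "$f"): $(lxc_flags "$f") -> $(lxc_verdict "$f")"
done
```

On the Proxmox host the same loop can be pointed at /etc/pve/local/lxc/*.conf instead of the constructed samples.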


Thanks for this.

When you try with docker-ce in an LXD container, it requires the overlay kernel module to be loaded on the host. Is that kernel module already loaded for you?


No, the “overlay” module is not loaded by default on Proxmox v.5.3-6. And I didn’t have to load it manually either for LXC. But I don’t have any experience with LXD.