Working install of Docker-CE in LXC unprivileged container in Proxmox

Hi all,

Like many others it took me some time to figure out how to have a working Docker-CE installation inside an unprivileged LXC container created on my Proxmox server. I currently run Proxmox v.5.3-6.

I considered that it might be interresting to summarize my thoughts with others in search of a similar config. So here is how Docker-CE was successfully installed for me on Ubuntu 16.04, Ubuntu 18.04 and Debian 9.6.

  • create an unprivileged LXC container in Proxmox based on the the template of your choice

  • apt-get update & apt-get upgrade (eventually 2x if you get an « unable to fetch some archives… » message in the end)

  • install curl if it was not provided by the distribution

  • curl -fsSL<your_distro>/gpg | sudo apt-key add -
    where <your_distro> is “debian” or “ubuntu” or whatever (altough I didn’t test the others)

  • edit /etc/apt/sources.list and add the appropriate repository from docker :
    deb [arch=amd64] stretch stable
    deb [arch=amd64] xenial stable

  • apt-get update

  • apt-cache policy docker-ce to ensure that a package for docker-ce is available

  • apt-get install docker-ce

  • systemctl status docker
    should return « Active (running) »
    In case not (trick #1), work around the systemd bug by adding an “ExecStartPre=” to containerd service.
    This link has a clear explanation of the steps:
    a) mkdir -p /etc/systemd/system/containerd.service.d
    b) echo -e “[Service]\nExecStartPre=\n” > /etc/systemd/system/containerd.service.d/override.conf
    c) systemctl daemon-reload
    d) systemctl start docker
    e) systemctl enable docker

  • Now the docker daemon should be OK ; it’s time for the second error:
    docker run hello-world returns an error « mounting proc to rootfs…permission denied »

  • Fix it (trick #2) by inserting manually a line containing the following :

              features:  keyctl=1,nesting=1

in the config file of your LXC as documented in this Proxmox doc.
In Proxmox you find the LXC config here: /etc/pve/local/lxc/<container_id>.conf
So you have to do it via an SSH connection directly into your Proxmox host.

  • stop/start the LXC container
  • docker run hello-world gives you « Hello from Docker ! » now.


However I can hardly appreciate whether “keyctl=1,nesting=1” could be regarded as a security concern of not. Maybe Stéphane can provide some light on this question.


Thanks for this.

When you try with docker-ce in a LXD container, it requires the overlay kernel module to be loaded on the host. Is that kernel module already loaded for you?

No, the “overlay” module is not loaded by default on Proxmox v.5.3-6. And I didn’t have to load it manually either for LXC. But I don’t have any experience with LXD.

overlay can be loaded via “modprobe overlay” (overlay2 is not available with the proxmox kernel, not in proxmox 5 nor in proxmox 6 (beta1)

to keep the module loaded be sure to edit the /etc/modules file


nano /etc/modules

then type “overlay” in the file below the comment section, save & exit

1 Like

Are you sure overlay2 doesn’t work for Docker in an LXC container on Proxmox?

I edited the /etc/modules-load.d/modules.conf file to say just overlay - rebooted the Proxmox host and went through the steps of selecting overlay2 as the storage driver for the Docker LXC container. Restarted the service, typed docker info and it shows that it’s working:

Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: false

This is all on Proxmox 6, so I assume overlay2 works correctly? Or would I need to edit /etc/modules-load.d/modules.conf to say overlay2 instead of overlay?

1 Like

Seems to work without overlay. What specifically is it needed for? We are only looking to virtualize Apps not OS with Docker.

Sorry, but this does not work for containers like rancher that actually need to mount device nodes. You still need privileged containers for that. Even with Proxmox 6.

You can add these (the mentioned fixes in the GUI now for proxmox.) No need to edit the files anymore. How well does the networking work with unprivileged?

Worked like a charm!

Thanks so much for figuring this out, Ansfrid1066!

In case it’s helpful for anyone else, I created a shell script that works on an ubuntu18 template.

In the container, run the following:

apt-get update && \
  apt install curl gnupg2 -y && \
  curl -fsSL | apt-key add - && \
  echo 'deb [arch=amd64] xenial stable' >> /etc/apt/sources.list && \
  apt-get update && \
  apt-get install docker-ce -y && \
  shutdown -h now

Note the VMID of your container. Then, on your Proxmox host, run the following:

VMID=113 # Replace this with the VMID of your container
echo 'features:  keyctl=1,nesting=1' | tee -a "/etc/pve/local/lxc/${VMID}.conf"

When you start your container again, you should be able to successfully run the following command:

docker run hello-world

Hey, this worked great, thanks for the post. One thing is missing though
There is one last error with your current config, and it is related to app armor
To fix it you need to add some extra lines to the container configuration

lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a

with the steps you described and this lines worked for me, running Proxmox 6.2-15 and an lxc container with ubuntu 18.04

If ‘Unprivileged container’ = ‘Yes’, then apparmor related config is not required.