Let's call the container docker_test1.
$ sudo lxc-create -t download -n docker_test1
...
Follow the prompts on the screen to set up the new container.
While on the host,
$ sudo lxc-start -n docker_test1
$ sudo lxc-attach -n docker_test1
(now inside docker_test1)
$ sudo apt update
$ sudo apt install openssh-server
Note the internal IP of this container docker_test1 from the output of sudo lxc-ls --fancy:
NAME         STATE   AUTOSTART GROUPS IPV4      IPV6 UNPRIVILEGED
docker_test1 RUNNING 0         -      10.0.3.96 -    false
The config file for this privileged container is /var/lib/lxc/docker_test1/config. Add the following lines:
# For docker
lxc.apparmor.profile = unconfined
lxc.cgroup.devices.allow = a
lxc.cap.drop =
I also added the lines for GPU passthrough but that is independent of docker.
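The three lines above switch off AppArmor confinement, allow access to every device node and stop LXC from dropping any capabilities. As an added example (not part of the original post), this shell function flags those settings in an LXC config file. The function names and the sample config are constructed for illustration, and matching the lxc.aa_profile and lxc.cgroup2.devices.allow spellings is an assumption that goes beyond the keys shown in the post.

```shell
#!/bin/sh
# audit_lxc_config FILE: print "FILE:LINE: finding (key)" for each setting that
# removes confinement; exit status 1 if anything was flagged, 0 otherwise.
audit_lxc_config() {
    awk -v f="$1" '
        function report(msg) { printf "%s:%d: %s (%s)\n", f, NR, msg, key; bad = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        # lxc.aa_profile is the older spelling of lxc.apparmor.profile
        (key == "lxc.apparmor.profile" || key == "lxc.aa_profile") && val == "unconfined" {
            report("AppArmor confinement disabled")
        }
        # "a" means every device type; cgroup2 is the cgroup v2 form of the key
        key ~ /^lxc\.cgroup2?\.devices\.allow$/ && (val == "a" || val ~ /^a[ \t]/) {
            report("all device nodes allowed")
        }
        # an empty value clears the drop list, so no capability is dropped
        key == "lxc.cap.drop" && val == "" {
            report("capability drop list cleared")
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the three lines from the post plus one harmless setting.
sample_config() {
    cat <<'EOF'
# For docker
lxc.apparmor.profile = unconfined
lxc.cgroup.devices.allow = a
lxc.cap.drop =
lxc.net.0.type = veth
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_lxc_config "$tmp" || echo "review $tmp before starting the container"
rm -f "$tmp"
```

On a host, run it over every container's config, for example /var/lib/lxc/docker_test1/config.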
(On the host)
$ sudo lxc-stop -n docker_test1
$ sudo lxc-start -n docker_test1 -d
(SSH into the container)
$ ssh kuang@10.0.3.96
Follow the instructions on this page:
(Inside docker_test1)
$ sudo apt-get update
$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo apt-key fingerprint 0EBFCD88
pub 4096R/0EBFCD88 2017-02-22
Key fingerprint = 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
uid Docker Release (CE deb) <docker@docker.com>
sub 4096R/F273FCD8 2017-02-22
$ sudo add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) \
    stable"
$ sudo apt-get update
$ sudo apt install docker-ce=18.06.1~ce~3-0~ubuntu
Note that the latest version 5:18.09.0~3-0~ubuntu-xenial somehow didn't work...
While still inside the container, after installing docker-ce:
$ sudo docker run hello-world
[sudo] password for kuang:
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
DONE!!
Is all of this really necessary?
It removes almost all restrictions from the container. Shouldn't it be possible to nest containers? Can't that capability be leveraged to nest docker within lxc?