@kuanghan
Created January 3, 2019 18:41

Setting up docker to run in a PRIVILEGED LXC container

Set up a privileged container

Create container

Let's call the container docker_test1.

$ sudo lxc-create -t download -n docker_test1
...
Follow the prompts on the screen to set up the new container.

Install SSH

While on the host,

$ sudo lxc-start -n docker_test1
$ sudo lxc-attach -n docker_test1
(now inside docker_test1)
$ sudo apt update
$ sudo apt install openssh-server

Note the internal IP of this container docker_test1 from the output of sudo lxc-ls --fancy:

NAME         STATE   AUTOSTART GROUPS IPV4       IPV6 UNPRIVILEGED
docker_test1 RUNNING 0         -      10.0.3.96  -    false

Edit the config file for this container

The config file for this privileged container is /var/lib/lxc/docker_test1/config. Add the following lines:

# For docker
lxc.apparmor.profile = unconfined
lxc.cgroup.devices.allow = a
lxc.cap.drop =

I also added the lines for GPU passthrough but that is independent of docker.
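The three config lines above are what make this setup work, and they are also what remove the container's isolation: an unconfined AppArmor profile, access to every host device node, and an empty capability drop list. As an added example (not part of the gist), here is a POSIX shell function that audits an LXC config file for exactly those three settings and returns the number of findings, so it can be used as a pre-start gate in a script. The config path in the usage comment and the sample configs in the test are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist: flag the three settings that make an LXC
# container effectively unconfined (AppArmor off, all devices, no caps dropped).
# Usage: lxc_config_audit /var/lib/lxc/<name>/config   (path is an assumption)
# Prints one line per finding; the return value is the number of findings,
# so "lxc_config_audit cfg || echo risky" works as a simple pre-start gate.

lxc_config_audit() {
    config="$1"
    findings=0
    if [ ! -r "$config" ]; then
        echo "cannot read $config" >&2
        return 2
    fi
    while IFS= read -r raw || [ -n "$raw" ]; do
        # Strip comments and surrounding whitespace, normalise "key = value" to "key=value".
        line=$(printf '%s' "$raw" | sed -e 's/#.*//' \
                                       -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                                       -e 's/[[:space:]]*=[[:space:]]*/=/')
        [ -n "$line" ] || continue
        case "$line" in
            *=*) key=${line%%=*}; value=${line#*=} ;;
            *)   continue ;;   # not a key=value line
        esac
        case "$key" in
            lxc.apparmor.profile|lxc.aa_profile)   # LXC >= 3.0 and pre-3.0 key names
                if [ "$value" = "unconfined" ]; then
                    echo "RISK: $key=unconfined turns off the container's AppArmor profile"
                    findings=$((findings + 1))
                fi ;;
            lxc.cgroup.devices.allow|lxc.cgroup2.devices.allow)
                if [ "$value" = "a" ]; then
                    echo "RISK: $key=a lets the container open every host device node"
                    findings=$((findings + 1))
                fi ;;
            lxc.cap.drop)
                if [ -z "$value" ]; then
                    echo "RISK: empty $key clears the drop list, so the container keeps all capabilities"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$config"
    return "$findings"
}
```

Run against the gist's config the function reports all three lines; a config that only drops a few capabilities and allows a specific device returns 0. Knowing which of the three you actually need is the first step towards narrowing them.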

Restart the container

(On the host)
$ sudo lxc-stop -n docker_test1
$ sudo lxc-start -n docker_test1 -d
(SSH into the container)
$ ssh kuang@10.0.3.96

Install Docker inside the container

Follow the instructions on this page:

(Inside docker_test1)
$ sudo apt-get update
$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo apt-key fingerprint 0EBFCD88

pub   4096R/0EBFCD88 2017-02-22
      Key fingerprint = 9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
uid                  Docker Release (CE deb) <docker@docker.com>
sub   4096R/F273FCD8 2017-02-22
$ sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
$ sudo apt-get update
$ sudo apt install docker-ce=18.06.1~ce~3-0~ubuntu

Note that the latest version 5:18.09.0~3-0~ubuntu-xenial somehow didn't work...
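The install steps above pipe a downloaded key straight into apt-key and then print its fingerprint for a visual check. As an added example (not part of the gist), here is a small POSIX shell check that compares the key's full fingerprint to the value the gist shows (9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88) and refuses to install the key on a mismatch. The commands in the usage comment (saving the key to a file, listing it with gpg --show-keys, installing it under /etc/apt/keyrings for a signed-by= source instead of the now-deprecated apt-key) are assumptions about how you fetch and install the key, not steps from the gist.

```shell
#!/bin/sh
# Added example, not from the gist: check the Docker apt signing key's full
# fingerprint against the value the gist prints, rather than eyeballing it.
# Expected value = the fingerprint shown in the gist, with spaces removed.
EXPECTED_DOCKER_FPR="9DC858229FC7DD38854AE2D88D81803C0EBFCD88"

# Reads gpg key-listing output on stdin and prints the first 40-hex-digit
# fingerprint, upper-cased and without spaces. Works for the older
# "Key fingerprint = 9DC8 5822 ..." line and for newer gpg output, which
# prints the fingerprint as a bare 40-character line under "pub".
extract_fingerprint() {
    tr -d ' ' \
      | grep -oE '(Keyfingerprint=)?[0-9A-Fa-f]{40}' \
      | sed 's/^Keyfingerprint=//' \
      | head -n 1 \
      | tr '[:lower:]' '[:upper:]'
}

# fingerprint_matches <file with gpg output>: returns 0 only when the expected
# key is the first key listed; a missing or different fingerprint returns 1.
fingerprint_matches() {
    actual=$(extract_fingerprint < "$1")
    [ -n "$actual" ] && [ "$actual" = "$EXPECTED_DOCKER_FPR" ]
}

# Intended use on a real host (assumed commands, not from the gist): save the
# key to a file, list it without importing, and only then install it as a
# keyring that the apt source references with [signed-by=...]:
#   curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /tmp/docker.asc
#   gpg --show-keys --with-fingerprint /tmp/docker.asc > /tmp/docker.fpr
#   fingerprint_matches /tmp/docker.fpr \
#     && sudo install -m 0644 /tmp/docker.asc /etc/apt/keyrings/docker.asc
```

The check deliberately operates on a saved file rather than on a pipe from curl, so the bytes that were verified are the same bytes that get installed.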

Test Docker inside the container

While still inside the container, after installing docker-ce:

$ sudo docker run hello-world
[sudo] password for kuang:

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

DONE!!

@akorn

akorn commented Sep 7, 2022

Is all of this really necessary?

# For docker
lxc.apparmor.profile = unconfined
lxc.cgroup.devices.allow = a
lxc.cap.drop =

It removes almost all restrictions from the container. Shouldn't it be possible to nest containers? Can't that capability be leveraged to nest docker within lxc?

@akorn

akorn commented Sep 7, 2022

It removes almost all restrictions from the container. Shouldn't it be possible to nest containers? Can't that capability be leveraged to nest docker within lxc?

https://du.nkel.dev/blog/2021-03-25_proxmox_docker/ looks promising.
