Can't run a privileged docker container in LXC container #4902

Closed

dapapko opened this issue Aug 10, 2018 · 6 comments

Comments

@dapapko

dapapko commented Aug 10, 2018

Hello. I can't run a privileged Docker container inside an LXC one.
LXD version: 3.3
Docker version: 17.03-2ce

root@kub1:~# docker run --privileged hello-world
docker: Error response from daemon: linux runtime spec devices: lstat /dev/.lxc/proc/1848/fdinfo/16: no such file or directory.
ERRO[0000] error getting events from daemon: net/http: request canceled 

Docker info:

root@kub1:~# docker info
Containers: 55
 Running: 13
 Paused: 0
 Stopped: 42
Images: 10
Server Version: 17.03.2-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 4ab9917febca54791c5f071a9d1f404867857fcc
runc version: 54296cf40ad8143b62dbcaa1d90e520a2136ddfe
init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-131-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.953 GiB
Name: kub1
ID: NNNI:MR4I:4AID:KKQG:OIJP:57CS:PTCP:HXCY:HOAS:2PI6:XRBC:ZCNP
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Container's config:

config:
  linux.kernel_modules: bridge,br_netfilter,ip_tables,ip6_tables,ip_vs,netlink_diag,nf_nat,overlay,xt_conntrack
  raw.lxc: "lxc.apparmor.profile = unconfined\nlxc.cgroup.devices.allow = a\nlxc.mount.auto=proc:rw
    sys:rw\nlxc.cap.drop = "
  security.nesting: "true"
  security.privileged: "true"
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdfan0
    type: nic
  root:
    path: /
    pool: local
    type: disk
name: kubernetes
used_by:
- /1.0/containers/kub1
@stgraber (Member)

root@xenial:~# docker run --privileged hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

In this case, I only had the following in my config:

  linux.kernel_modules: bridge,br_netfilter,ip_tables,ip6_tables,ip_vs,netlink_diag,nf_nat,overlay,xt_conntrack
  raw.lxc: |-
    lxc.cgroup.devices.allow = a
    lxc.cap.drop =
  security.nesting: "true"
  security.privileged: "true"

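An added example, not code from this issue or from LXD: a small Python audit that parses the two `lxc config show` style configs quoted above (the reporter's and the one in this reply) and lists which keys, including those inside `raw.lxc`, widen the container's reach into the host. It assumes the config text is pasted verbatim from `lxc config show` and leaves out the linux.kernel_modules line.

```python
# Audit an LXD container config (text of `lxc config show <name>`) for the settings this
# issue turns on. Added example, not LXD's or Docker's code; samples copied from the issue.
import re
REPORTER_CONFIG = r"""config:
  raw.lxc: "lxc.apparmor.profile = unconfined\nlxc.cgroup.devices.allow = a\nlxc.mount.auto=proc:rw
    sys:rw\nlxc.cap.drop = "
  security.nesting: "true"
  security.privileged: "true"
name: kubernetes
"""
WORKING_CONFIG = r"""config:
  raw.lxc: |-
    lxc.cgroup.devices.allow = a
    lxc.cap.drop =
  security.nesting: "true"
  security.privileged: "true"
"""
def parse_config_section(text):
    """Keys under `config:`; raw.lxc is unfolded from a wrapped quoted scalar
    (reporter's config) or a `|-` block scalar (the reply's config)."""
    entries, in_config = [], False
    for line in text.splitlines():
        if not line.startswith(" "):            # a top-level key opens/closes the section
            in_config = line.rstrip() == "config:"
        elif in_config:
            m = re.match(r"^  (\S+):\s?(.*)$", line)
            if m:                               # two-space indent: a config key
                entries.append([m.group(1), m.group(2), []])
            elif entries:                       # deeper indent: value continuation
                entries[-1][2].append(line.strip())
    cfg = {}
    for key, first, rest in entries:
        val = "\n".join(rest) if first in ("|", "|-") else " ".join([first] + rest)
        if len(val) > 1 and val[0] == val[-1] == '"':   # quoted scalar: unescape \n
            val = val[1:-1].replace("\\n", "\n")
        cfg[key] = val
    return cfg

def audit(text):
    """Sorted list of settings present that widen the container's reach into the host."""
    cfg = parse_config_section(text)
    for k, _, v in (ln.partition("=") for ln in cfg.get("raw.lxc", "").splitlines() if "=" in ln):
        cfg[k.strip()] = v.strip()              # hoist raw.lxc lines to plain keys
    flags = {"security.privileged": cfg.get("security.privileged") == "true",  # no uid map: root == host root
             "security.nesting": cfg.get("security.nesting") == "true",        # nested runtimes allowed
             "lxc.cgroup.devices.allow": cfg.get("lxc.cgroup.devices.allow") == "a",  # every device node
             "lxc.cap.drop": cfg.get("lxc.cap.drop") == "",                    # LXD's default drop list cleared
             "lxc.apparmor.profile": cfg.get("lxc.apparmor.profile") == "unconfined",  # not in working config
             "lxc.mount.auto": "lxc.mount.auto" in cfg}                        # not in working config
    return sorted(k for k, on in flags.items() if on)
```

Running `audit` on both samples shows that the working config already needs the four host-reaching keys, and that the reporter's extra `lxc.apparmor.profile` and `lxc.mount.auto` overrides are not part of what made Docker work.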
@stgraber (Member)

Note that support questions tend to be better handled on https://discuss.linuxcontainers.org where search and Google indexing tend to work better than on GitHub.

@hack2spider

docker run --privileged hello-world
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: process_linux.go:508: setting cgroup config for procHooks process caused: failed to write "a : rwm": write /sys/fs/cgroup/devices/docker/68fec85a2c039c8955c94ef82b10764a19e228479c4a09ac2d02195268cad785/devices.allow: operation not permitted: unknown.
ERRO[0000] error waiting for container: context canceled

@hack2spider

Client:
Context: default
Debug Mode: false

Server:
Containers: 5
Running: 0
Paused: 0
Stopped: 5
Images: 3
Server Version: 20.10.7
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version:
runc version:
init version:
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 5.4.106-1-pve
Operating System: Ubuntu 20.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 2GiB
Name: ubuntu
ID: 2HMU:KZFV:YRAW:VUOF:NNUT:3QLT:YKTN:JO3X:DETK:GGK4:KB4V:DVIW
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

@hack2spider

docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce
0664b8f2cd741fcca9431c9a788d18499d4ce8def5e21f6cd4b71cff886f0fb0
docker: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded: running /sbin/apparmor_parser apparmor_parser -Kr /var/lib/docker/tmp/docker-default226146096 failed with output: apparmor_parser: Unable to replace "docker-default". Permission denied; attempted to load a profile while confined?

error: exit status 243.

@hack2spider

I have Docker running fine under LXC with Debian TurnKey Core ... however I can't seem to make it run under Ubuntu 20.
