Can't run a privileged docker container in LXC container #4902

Closed
twelfthdoctor opened this Issue Aug 10, 2018 · 2 comments


twelfthdoctor commented Aug 10, 2018

Hello. I can't run a privileged Docker container inside an LXC one.
LXD version: 3.3
Docker version: 17.03-2ce

root@kub1:~# docker run --privileged hello-world
docker: Error response from daemon: linux runtime spec devices: lstat /dev/.lxc/proc/1848/fdinfo/16: no such file or directory.
ERRO[0000] error getting events from daemon: net/http: request canceled 

Docker info:

root@kub1:~# docker info
Containers: 55
 Running: 13
 Paused: 0
 Stopped: 42
Images: 10
Server Version: 17.03.2-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 4ab9917febca54791c5f071a9d1f404867857fcc
runc version: 54296cf40ad8143b62dbcaa1d90e520a2136ddfe
init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-131-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.953 GiB
Name: kub1
ID: NNNI:MR4I:4AID:KKQG:OIJP:57CS:PTCP:HXCY:HOAS:2PI6:XRBC:ZCNP
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Container's config:

config:
  linux.kernel_modules: bridge,br_netfilter,ip_tables,ip6_tables,ip_vs,netlink_diag,nf_nat,overlay,xt_conntrack
  raw.lxc: "lxc.apparmor.profile = unconfined\nlxc.cgroup.devices.allow = a\nlxc.mount.auto=proc:rw
    sys:rw\nlxc.cap.drop = "
  security.nesting: "true"
  security.privileged: "true"
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdfan0
    type: nic
  root:
    path: /
    pool: local
    type: disk
name: kubernetes
used_by:
- /1.0/containers/kub1

stgraber commented Aug 10, 2018

root@xenial:~# docker run --privileged hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

In this case, I only had the following in my config:

  linux.kernel_modules: bridge,br_netfilter,ip_tables,ip6_tables,ip_vs,netlink_diag,nf_nat,overlay,xt_conntrack
  raw.lxc: |-
    lxc.cgroup.devices.allow = a
    lxc.cap.drop =
  security.nesting: "true"
  security.privileged: "true"

@stgraber stgraber closed this Aug 10, 2018
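The two configs in this thread differ only in their raw.lxc lines. As an added example (not code from the issue or from LXD), the script below parses the raw.lxc blob of each config, lists which isolation boundary each setting relaxes, and reports the settings the reporter's config carries beyond the minimal working one; both configs are transcribed from the comments above.

```python
"""Audit an LXD container config for the settings that make Docker-in-LXD work
and that also remove isolation. Added example, not the issue's or LXD's code."""

# Transcribed from the issue: the reporter's config (docker run failed) ...
REPORTER_CONFIG = {
    "raw.lxc": ("lxc.apparmor.profile = unconfined\nlxc.cgroup.devices.allow = a\n"
                "lxc.mount.auto=proc:rw sys:rw\nlxc.cap.drop = "),
    "security.nesting": "true",
    "security.privileged": "true",
}
# ... and the maintainer's minimal config that worked.
MINIMAL_CONFIG = {
    "raw.lxc": "lxc.cgroup.devices.allow = a\nlxc.cap.drop =",
    "security.nesting": "true",
    "security.privileged": "true",
}


def parse_raw_lxc(raw):
    """Split a raw.lxc blob into (key, value) pairs; order and duplicates kept."""
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))   # "lxc.cap.drop =" -> value ""
    return pairs


def isolation_findings(config):
    """Return a sorted list of findings, one per relaxed isolation boundary."""
    findings = set()
    if config.get("security.privileged") == "true":
        findings.add("privileged: container root runs as host uid 0")
    if config.get("security.nesting") == "true":
        findings.add("nesting: container may run its own containers")
    for key, value in parse_raw_lxc(config.get("raw.lxc", "")):
        if key == "lxc.apparmor.profile" and value == "unconfined":
            findings.add("apparmor: LXD AppArmor profile disabled")
        elif key == "lxc.cgroup.devices.allow" and value == "a":
            findings.add("devices: every host device node allowed")
        elif key == "lxc.cap.drop" and value == "":
            findings.add("capabilities: none dropped")
        elif key == "lxc.mount.auto" and ("proc:rw" in value or "sys:rw" in value):
            findings.add("mounts: /proc and/or /sys mounted writable")
    return sorted(findings)


def extra_relaxations(config, baseline):
    """Findings in `config` that the working `baseline` does not need."""
    return sorted(set(isolation_findings(config)) - set(isolation_findings(baseline)))
```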

stgraber commented Aug 10, 2018

Note that support questions tend to be better handled on https://discuss.linuxcontainers.org, where search and Google indexing tend to work better than on GitHub.
