<div dir="ltr">nope. almost all device creation and iptables modification has to be refactored, offloaded to a service and the docker daemon would use them using dbus. you can drop a mail on docker mailing list as well, mentioning if they would be interested in such a feature. Im sure they have some roadmap for usernamespace and unprivileged containers..</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 10, 2015 at 7:52 AM, Akshay Karle <span dir="ltr"><<a href="mailto:akshay.a.karle@gmail.com" target="_blank">akshay.a.karle@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><a href="https://github.com/docker/docker/issues/1034" target="_blank">https://github.com/docker/docker/issues/1034</a></div><div><a href="https://github.com/docker/docker/issues/2918" target="_blank">https://github.com/docker/docker/issues/2918</a></div><div><a href="https://github.com/docker/docker/issues/2919" target="_blank">https://github.com/docker/docker/issues/2919</a></div><div><br></div><div>resume: Docker daemon requires real root rights in the node for aufs mount/dismount layers, iptables rules. unprivileged containers == user namespaces, and this will not work with Docker (one reason why i prefer lxc/lxd + Ansible than Docker)</div></blockquote><div><br></div></span><div>Yes, the docker daemon does fail when you try to use a layered FS for storage and their libcontainer driver. But when I switched to VFS for storage and LXC driver for exec, I did manage to get the docker daemon running. I think this is very recent, but after docker 1.2 I think when the removed a bunch of capabilities that docker would need. So I definitely can't run a privileged docker container inside LXC but should be able to run a docker container without any capabilities. I'm I missing something? The problem is what Serge mentions that the docker containers try to create devices and fail to do so because of the containers have no perms.</div><div><br></div><div>Switching the app_armor profile also won't help if I understand correct?</div></div></div>
<br>_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br></blockquote></div><br></div>