[lxc-users] Running docker inside unprivileged LXC containers

Ranjib Dey dey.ranjib at gmail.com
Wed Jun 10 15:58:30 UTC 2015


Nope. Almost all device creation and iptables modification has to be
refactored, offloaded to a service, and the docker daemon would use them
via dbus. You can drop a mail on the docker mailing list as well, mentioning
whether they would be interested in such a feature. I'm sure they have some
roadmap for user namespaces and unprivileged containers.

On Wed, Jun 10, 2015 at 7:52 AM, Akshay Karle <akshay.a.karle at gmail.com>
wrote:

>> https://github.com/docker/docker/issues/1034
>> https://github.com/docker/docker/issues/2918
>> https://github.com/docker/docker/issues/2919
>>
>> Summary: Docker daemon requires real root rights in the node for aufs
>> mount/dismount layers, iptables rules. unprivileged containers == user
>> namespaces, and this will not work with Docker (one reason why i prefer
>> lxc/lxd + Ansible than Docker)
>>
>
> Yes, the docker daemon does fail when you try to use a layered FS for
> storage and their libcontainer driver. But when I switched to VFS for
> storage and LXC driver for exec, I did manage to get the docker daemon
> running. I think this is very recent, but after docker 1.2 I think, when they
> removed a bunch of capabilities that docker would need. So I definitely
> can't run a privileged docker container inside LXC but should be able to
> run a docker container without any capabilities. Am I missing something?
> The problem is what Serge mentions: the docker containers try to create
> devices and fail to do so because the containers have no perms.
>
> Switching the AppArmor profile also won't help if I understand correctly?
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
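Added example, not part of the thread and not Docker's or LXC's own code: a pre-flight check for the two blockers the thread names (missing capabilities for mknod/iptables/mount, and a user-namespace uid mapping that makes in-container root unprivileged). It reads the effective capability mask the way /proc/<pid>/status presents it (CapEff) and the first line of /proc/<pid>/uid_map, but takes both as arguments or stdin so the constructed sample runs anywhere; the function names and the sample values are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for running the docker daemon inside an
# unprivileged LXC container. Function names and sample data are constructed.

# Capability bit numbers from linux/capability.h.
CAP_NET_ADMIN=12   # iptables rule changes
CAP_SYS_ADMIN=21   # mount()/umount() of storage layers
CAP_MKNOD=27       # device node creation

# cap_in_mask HEXMASK BIT: succeeds if BIT is set in HEXMASK
# (HEXMASK is the 16-digit value after "CapEff:").
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capeff_from_status: reads /proc/<pid>/status text on stdin, prints CapEff.
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2 }'
}

# userns_remapped "ID_INSIDE ID_OUTSIDE COUNT": succeeds if the first line of
# uid_map is anything other than the identity mapping "0 0 4294967295",
# i.e. uid 0 in here is an unprivileged uid on the host.
userns_remapped() {
    set -- $1
    [ "$1" != "0" ] || [ "$2" != "0" ] || [ "$3" != "4294967295" ]
}

# docker_preflight HEXMASK UID_MAP_LINE: prints one line per requirement and
# succeeds only when nothing is missing.
docker_preflight() {
    mask=$1
    uidmap=$2
    rc=0
    for pair in "CAP_MKNOD:$CAP_MKNOD" "CAP_NET_ADMIN:$CAP_NET_ADMIN" \
                "CAP_SYS_ADMIN:$CAP_SYS_ADMIN"; do
        name=${pair%%:*}
        bit=${pair##*:}
        if cap_in_mask "$mask" "$bit"; then
            echo "ok    $name"
        else
            echo "MISS  $name"
            rc=1
        fi
    done
    if userns_remapped "$uidmap"; then
        echo "MISS  uid 0 is remapped (user namespace): device nodes and aufs mounts are refused here even if the bits above are set"
        rc=1
    fi
    return $rc
}

# Constructed sample: the usual unprivileged-LXC picture. The mask is the
# full 37-bit set with bits 12, 21 and 27 cleared; root maps to host uid 100000.
SAMPLE_CAPEFF=0000003ff7dfefff
SAMPLE_UIDMAP="0 100000 65536"

# Usage on a live container (Linux only):
#   docker_preflight "$(capeff_from_status </proc/self/status)" "$(head -n1 /proc/self/uid_map)"
docker_preflight "$SAMPLE_CAPEFF" "$SAMPLE_UIDMAP" || echo "docker daemon will not be able to start here"
```

On a real container the three MISS lines for the sample correspond exactly to the failures discussed above: no CAP_MKNOD means the device-creation step fails, no CAP_NET_ADMIN means the iptables setup fails, and a remapped uid 0 means aufs layer mounts are refused regardless, which is why switching to VFS storage and the LXC exec driver only gets the daemon itself running.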