[lxc-users] Running docker inside unprivileged LXC containers

Akshay Karle akshay.a.karle at gmail.com
Mon Jun 15 19:10:33 UTC 2015


Hi,

After the comments here, I had a closer look at the docker code. The
problem was that it would always try to create some default devices
<https://github.com/docker/libcontainer/blob/master/configs/device_defaults.go>
without checking if it had the permissions to do so. For now, I've created a
fork of docker and added a fix to create the devices only if the devices
cgroup is present
<https://github.com/akshaykarle/docker/commit/0299d2c2084d7f42e7c2c433fca7f5ab3066d2be>.
This seems to work and I'm now able to run docker inside unprivileged LXC
containers.

But I don't know if just checking for the devices cgroup mountpoint is the
right fix. I feel the right way would be to create only those devices that
are allowed by lxc.cgroup.devices.allow, but I don't know how I can check
the devices enabled in the unprivileged lxc container itself. Any way to do
so?

On Mon, Jun 15, 2015 at 2:42 PM Serge Hallyn <serge.hallyn at ubuntu.com>
wrote:

> Quoting Stewart Brodie (sbrodie at espial.com):
> > Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >
> > > Quoting Stewart Brodie (sbrodie at espial.com):
>
> > > > However, another far neater way of doing this could be to use the
> > > > freezer instead.  Just give lxc-start a new command-line option to start
> > > > the container *but* crucially, leave it frozen when lxc-start exits.
> > > > The caller can then just do lxc-start, lxc-device, lxc-unfreeze.
> >
> > > > [can you run lxc-device on a frozen container?]
> >
> > For future reference, this does indeed work.  I like the idea, because it
> > would allow all sorts of fettling to go on with the new container from the
> > host side before it really starts executing.
>
> fwiw I'm not opposed to this if someone wants to code it up.  Basically
> right before exec(2)ing /sbin/init, the task would freeze itself.
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
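An added example, not code from Docker, libcontainer or LXC, of the two checks the message above discusses: whether the devices cgroup is visible at all (the condition the fork tests), and which device nodes the cgroup's devices.list actually permits, so a default device set can be filtered against what lxc.cgroup.devices.allow granted instead of being created blindly. It assumes cgroup v1 with the devices controller mounted at /sys/fs/cgroup/devices (overridable through CGROUP_DEVICES); the devices.list contents below are a constructed sample, and the candidate device set is illustrative rather than Docker's exact list.

```shell
#!/bin/sh
# Added example, not code from Docker, libcontainer or LXC. It shows the two
# checks discussed in the post: (1) is the devices cgroup visible at all, and
# (2) which device nodes the cgroup actually allows, read from devices.list.
# Assumptions: cgroup v1 with the devices controller mounted at
# $CGROUP_DEVICES (default /sys/fs/cgroup/devices); the list below is a
# constructed sample in devices.list format, not captured from a real system.

CGROUP_DEVICES="${CGROUP_DEVICES:-/sys/fs/cgroup/devices}"

# Constructed sample: what devices.list could show inside a container whose
# config used lxc.cgroup.devices.allow for a handful of character devices.
SAMPLE_DEVICES_LIST='c 1:3 rwm
c 1:5 rwm
c 1:8 rwm
c 1:9 rwm
c 5:* rwm
c 136:* rwm'

# devices_cgroup_present: exit 0 when the devices controller is mounted where
# we expect it and exposes devices.list (roughly the condition the fork tests).
devices_cgroup_present() {
    [ -r "$CGROUP_DEVICES/devices.list" ]
}

# device_allowed TYPE MAJOR MINOR ACCESS [LIST]
# Prints "yes" if an entry in LIST (default: the live devices.list) grants
# every access mode in ACCESS for the device, else "no". Entries look like
# "c 1:3 rwm"; "*" matches any major/minor and type "a" matches any type.
device_allowed() {
    want_type="$1" want_major="$2" want_minor="$3" want_access="$4"
    list="${5:-$(cat "$CGROUP_DEVICES/devices.list" 2>/dev/null)}"
    result=no
    while read -r e_type e_num e_access; do
        [ -n "$e_type" ] || continue
        e_major="${e_num%%:*}"
        e_minor="${e_num##*:}"
        [ "$e_type" = a ] || [ "$e_type" = "$want_type" ] || continue
        [ "$e_major" = '*' ] || [ "$e_major" = "$want_major" ] || continue
        [ "$e_minor" = '*' ] || [ "$e_minor" = "$want_minor" ] || continue
        # every requested mode (r, w, m) must appear in the entry's modes
        ok=yes
        for mode in $(printf '%s' "$want_access" | sed 's/./& /g'); do
            case "$e_access" in *"$mode"*) ;; *) ok=no ;; esac
        done
        if [ "$ok" = yes ]; then result=yes; break; fi
    done <<EOF
$list
EOF
    printf '%s\n' "$result"
}

# creatable_defaults [LIST]
# Given NAME:TYPE:MAJOR:MINOR candidates for a default device set (standard
# numbers from the kernel's devices.txt; an illustrative set, not Docker's
# exact list), print the names the cgroup would let us mknod with rwm.
creatable_defaults() {
    for dev in null:c:1:3 zero:c:1:5 full:c:1:7 random:c:1:8 urandom:c:1:9 tty:c:5:0; do
        name="${dev%%:*}"; rest="${dev#*:}"
        t="${rest%%:*}"; rest="${rest#*:}"
        maj="${rest%%:*}"; min="${rest#*:}"
        [ "$(device_allowed "$t" "$maj" "$min" rwm "$1")" = yes ] && printf '%s\n' "$name"
    done
    return 0
}

# Demonstration on the constructed sample (no access to a real cgroup needed).
echo "creatable from sample list: $(creatable_defaults "$SAMPLE_DEVICES_LIST" | tr '\n' ' ')"
```

Run inside a container, `creatable_defaults` with no argument reads the live devices.list instead of the sample. Two caveats: on the sample list `full` (1:7) is dropped because no entry covers it, which is the point of filtering rather than trusting a hard-coded default set; and on a cgroup v2 host the devices controller has no devices.list (device filtering is done by an attached BPF program there), so the cat fails, the list is empty, and every device is reported as not allowed, which is the safe failure direction but not a real answer.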