[lxc-users] docker in lxc

Tamas Papp tompos at martos.bme.hu
Fri Oct 16 07:57:10 UTC 2015

On 08/31/2015 03:59 PM, Serge Hallyn wrote:
> Quoting Tamas Papp (tompos at martos.bme.hu):
>> On 08/28/2015 03:48 PM, Serge Hallyn wrote:
>>> Quoting Tamas Papp (tompos at martos.bme.hu):
>>>> hi,
>>>> I would like to achieve what is in the subject.
>>>> However, I cannot get past this apparmor issue:
>>>> [7690496.246952] type=1400 audit(1440757904.938:1130):
>>>> apparmor="DENIED" operation="mount" info="failed flags match"
>>>> error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
>>>> pid=32534 comm="docker" flags="rw, private"
>>>> I read some posts on various forums saying that I need to run the lxc
>>>> container with an unconfined profile.
>>>> Is that still the case?
>>> Excellent, I've been wanting to bring this up here :)
>>> Maxim at Odin has been working on a proxy graphdriver for
>>> docker.  The PR is at
>>> https://github.com/docker/docker/pull/15594
>>> I'm hoping to test that today and see what else is still
>>> needed.  I would assume a custom apparmor policy will still
>>> be needed, but since the host is doing most of the mounting
>>> you should be able to avoid just being unconfined.
>> hi,
>> At first look it seems to be a big change that requires someone more
>> qualified for testing.
>> Did you take a look?
> I've taken a look at the code but haven't built it yet.  (having
> some toolchain issues)


This was merged. Does it mean that docker should be usable in LXC from
this point?

>> Can it be safely used?
> What do you mean by safely?  It should make it safe from the host's
> point of view to do the mounting, as the container cannot provide
> their own block device (with garbage) to mount(2).  Rather, the
> host always creates the new device, does mkfs, and if needed lays
> out the provided tarfile onto it.

Oops, I forgot to answer this?
I mean at least secure, no unconfined container needed and it cannot
crash the host machine.
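
Added example (not part of the original thread, and not code from LXC or Docker): a small Python parser for AppArmor audit lines like the denial quoted above, grouping DENIED events by profile, operation, path and flags so a custom profile can be scoped to what was actually refused instead of running the container unconfined. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the denial quoted in the thread, re-joined onto one
# line, followed by two constructed lines (an unrelated kernel message and an ALLOWED event).
SAMPLE_LOG = '''\
[7690496.246952] type=1400 audit(1440757904.938:1130): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/" pid=32534 comm="docker" flags="rw, private"
[7690497.000000] eth0: link up
[7690498.100000] type=1400 audit(1440757906.100:1131): apparmor="ALLOWED" operation="open" profile="lxc-docker" name="/etc/hosts" pid=32534 comm="docker"
'''

# key="quoted value" (may contain spaces and commas) or key=bare_token.
# Splitting on whitespace instead would break flags="rw, private" in two.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        # Exactly one alternative matched; the other group is an empty string.
        fields[key] = bare if bare else quoted
    return fields

def summarize_denials(log_text):
    """Count DENIED events per (profile, operation, name, flags)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get('apparmor') != 'DENIED':
            continue
        flags = tuple(f.strip() for f in fields.get('flags', '').split(',')
                      if f.strip())
        key = (fields.get('profile'), fields.get('operation'),
               fields.get('name'), flags)
        counts[key] += 1
    return counts

if __name__ == '__main__':
    for (profile, op, name, flags), n in summarize_denials(SAMPLE_LOG).items():
        print(f'{n}x profile={profile} operation={op} '
              f'name={name} flags={list(flags)}')
```
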

