[lxc-users] docker in lxc

Serge Hallyn serge.hallyn at ubuntu.com
Fri Oct 16 15:10:23 UTC 2015

Quoting Tamas Papp (tompos at martos.bme.hu):
> On 08/31/2015 03:59 PM, Serge Hallyn wrote:
> >Quoting Tamas Papp (tompos at martos.bme.hu):
> >>
> >>On 08/28/2015 03:48 PM, Serge Hallyn wrote:
> >>>Quoting Tamas Papp (tompos at martos.bme.hu):
> >>>>hi,
> >>>>
> >>>>I would like to achieve what is in the subject.
> >>>>
> >>>>
> >>>>However, I cannot get over on this apparmor issue:
> >>>>
> >>>>[7690496.246952] type=1400 audit(1440757904.938:1130):
> >>>>apparmor="DENIED" operation="mount" info="failed flags match"
> >>>>error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
> >>>>pid=32534 comm="docker" flags="rw, private"
> >>>>
> >>>>
> >>>>I read some posts on various forums saying that I need to run the lxc
> >>>>container with the unconfined profile.
> >>>>Is that still the case?
> >>>Excellent, I've been wanting to bring this up here :)
> >>>
> >>>Maxim at Odin has been working on a proxy graphdriver for
> >>>docker.  The PR is at
> >>>
> >>>https://github.com/docker/docker/pull/15594
> >>>
> >>>I'm hoping to test that today and see what else is still
> >>>needed.  I would assume a custom apparmor policy will still
> >>>be needed, but since the host is doing most of the mounting
> >>>you should be able to avoid just being unconfined.
> >>hi,
> >>
> >>At first look it seems to be a big change, one that requires a more
> >>qualified person for testing.
> >>Did you take a look?
> >I've taken a look at the code but haven't built it yet.  (having
> >some toolchain issues)
> https://github.com/docker/docker/pull/13777
> This was merged. Does it mean that docker should be usable in LXC
> from this point?

Not exactly.  As you can see from the final comment in


it now means that we can write a graphdriver proxy.  The original
openvz pull request would have been almost all we needed - allowing
the graphdriver to talk over a unix socket to the host where the
requested actions could be done.  The pull request which was accepted
does less - only allowing you to implement your own proxy to talk to
a service on the host.  (that service *also* needs to be written)
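The denial quoted at the top of this thread is easier to triage once the audit record is split into fields. The following is an added example, not code from the thread or from LXC/docker: it parses AppArmor audit lines of that shape (quoted values may contain spaces and commas, as in flags="rw, private") and summarises a DENIED mount event by profile, target and flags. The sample line is the thread's own denial, rejoined onto one line as dmesg prints it.

```python
import re
from typing import Dict, Optional

# Constructed sample: the AppArmor denial quoted in this thread, on one line.
SAMPLE_LINE = (
    '[7690496.246952] type=1400 audit(1440757904.938:1130): '
    'apparmor="DENIED" operation="mount" info="failed flags match" '
    'error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/" '
    'pid=32534 comm="docker" flags="rw, private"'
)

# key=value pairs; a quoted value may contain spaces and commas.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_audit(line: str) -> Dict[str, str]:
    """Return the key=value fields of an AppArmor audit line as a dict.

    Surrounding quotes are stripped.  Lines that are not AppArmor audit
    records (no apparmor= field) return an empty dict.
    """
    if 'apparmor=' not in line:
        return {}
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_denial(fields: Dict[str, str]) -> Optional[str]:
    """One-line summary of a DENIED event: profile, operation and target.

    For mount denials (the case in this thread) the requested flags and the
    kernel's info= reason are appended, since that is what a profile's mount
    rules are matched against.  Non-DENIED records return None.
    """
    if fields.get('apparmor') != 'DENIED':
        return None
    summary = (f"profile={fields.get('profile')} denied "
               f"{fields.get('operation')} on {fields.get('name')}")
    if fields.get('operation') == 'mount':
        summary += f" (flags: {fields.get('flags')}; info: {fields.get('info')})"
    return summary


if __name__ == '__main__':
    print(summarize_denial(parse_apparmor_audit(SAMPLE_LINE)))
```

Feeding it the output of dmesg or the kernel log lets you list, per container profile, exactly which mount targets and flags are being refused before deciding whether a custom policy or an unconfined profile is really needed.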
