[lxc-users] docker in lxc

Akshay Karle akshay.a.karle at gmail.com
Fri Oct 16 16:16:11 UTC 2015


Hey Serge,

This is something I'm interested in as well. Any way I could help with the
implementation of the graphdriver proxy?

On Fri, Oct 16, 2015 at 12:10 PM Serge Hallyn <serge.hallyn at ubuntu.com>
wrote:

> Quoting Tamas Papp (tompos at martos.bme.hu):
> >
> >
> > On 08/31/2015 03:59 PM, Serge Hallyn wrote:
> > >Quoting Tamas Papp (tompos at martos.bme.hu):
> > >>
> > >>On 08/28/2015 03:48 PM, Serge Hallyn wrote:
> > >>>Quoting Tamas Papp (tompos at martos.bme.hu):
> > >>>>hi,
> > >>>>
> > >>>>I would like to achieve, what is in subject.
> > >>>>
> > >>>>
> > >>>>However, I cannot get over on this apparmor issue:
> > >>>>
> > >>>>[7690496.246952] type=1400 audit(1440757904.938:1130):
> > >>>>apparmor="DENIED" operation="mount" info="failed flags match"
> > >>>>error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
> > >>>>pid=32534 comm="docker" flags="rw, private"
> > >>>>
> > >>>>
> > >>>>I read some posts on various forums saying that I need to run the lxc
> > >>>>container with an unconfined profile.
> > >>>>Is that still the case?
> > >>>Excellent, I've been wanting to bring this up here :)
> > >>>
> > >>>Maxim at Odin has been working on a proxy graphdriver for
> > >>>docker.  The PR is at
> > >>>
> > >>>https://github.com/docker/docker/pull/15594
> > >>>
> > >>>I'm hoping to test that today and see what else is still
> > >>>needed.  I would assume a custom apparmor policy will still
> > >>>be needed, but since the host is doing most of the mounting
> > >>>you should be able to avoid just being unconfined.
> > >>hi,
> > >>
> > >>At first look it seems to be a big change, one that requires someone
> > >>more qualified for testing.
> > >>Did you take a look?
> > >I've taken a look at the code but haven't built it yet.  (having
> > >some toolchain issues)
> >
> > https://github.com/docker/docker/pull/13777
> >
> > This was merged; does it mean that docker should be usable in LXC
> > from this point?
>
> Not exactly.  As you can see from the final comment in
>
> https://github.com/docker/docker/pull/15924
>
> it now means that we can write a graphdriver proxy.  The original
> openvz pull request would have been almost all we needed - allowing
> the graphdriver to talk over a unix socket to the host where the
> requested actions could be done.  The pull request which was accepted
> does less - only allowing you to implement your own proxy to talk to
> a service on the host.  (that service *also* needs to be written)
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
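
As an added example (this is not code from the thread, from LXC or from
docker), here is a small Python script that parses AppArmor audit denials of
the kind quoted above and turns each denied mount into a candidate profile
rule, so the container can be given targeted rules instead of being run
unconfined. The log lines are constructed: the first copies the denial from
the thread, the other two are invented to show a non-mount event and a mount
with an fstype. The emitted text uses the AppArmor mount-rule form
`mount fstype=... options=(...) src -> dst,`; treat it as a starting point to
review against your apparmor_parser version, not as a drop-in rule.

```python
import re

# Constructed sample audit lines. The first copies the denial quoted in the
# thread; the other two are invented (assumption) to exercise the filter.
SAMPLE_LOG = """\
[7690496.246952] type=1400 audit(1440757904.938:1130): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/" pid=32534 comm="docker" flags="rw, private"
[7690496.300000] type=1400 audit(1440757905.001:1131): apparmor="ALLOWED" operation="open" profile="lxc-docker" name="/etc/hosts" pid=32534 comm="docker" requested_mask="r"
[7690497.000000] type=1400 audit(1440757906.111:1132): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/mnt/abc/" pid=32540 comm="docker" fstype="aufs" srcname="none" flags="rw"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return a dict of the key=value fields on one AppArmor audit line."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def suggest_mount_rule(fields):
    """Build an AppArmor mount rule that would permit a denied mount.

    Returns None for anything that is not a DENIED mount operation.
    Rule syntax assumed: mount [fstype=X] [options=(a,b)] [src] -> dst,
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
        return None
    rule = ["mount"]
    if "fstype" in fields:
        rule.append("fstype=" + fields["fstype"])
    if "flags" in fields:
        # the audit line spells flags as "rw, private"; the rule wants "rw,private"
        opts = ",".join(f.strip() for f in fields["flags"].split(","))
        rule.append("options=(" + opts + ")")
    if "srcname" in fields:
        rule.append(fields["srcname"])
    rule.append("-> " + fields["name"] + ",")
    return " ".join(rule)


def denied_mount_rules(log_text):
    """Scan audit text; return (profile, info, suggested_rule) per denied mount."""
    rules = []
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue
        fields = parse_audit_line(line)
        rule = suggest_mount_rule(fields)
        if rule is not None:
            rules.append((fields["profile"], fields.get("info", ""), rule))
    return rules


if __name__ == "__main__":
    for profile, info, rule in denied_mount_rules(SAMPLE_LOG):
        print("%s (%s):\n    %s" % (profile, info, rule))
```

Each suggested rule still has to be reviewed before it goes into the
container's profile: a path with a trailing slash matches only that directory,
and a denial with info="failed flags match" is telling you which mount options
the existing rule lacks, so add those options rather than widening the path.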