[lxc-users] docker in lxc

Serge Hallyn serge.hallyn at ubuntu.com
Fri Oct 16 17:08:32 UTC 2015


Absolutely!  I've not actually started working on that.  (I hadn't noticed
that the docker PR was merged)  Maxim (cc:d) is the one who is working on
this at Odin - I think it'd be best if we can all work together.

-serge

Quoting Akshay Karle (akshay.a.karle at gmail.com):
> Hey Serge,
> 
> This is something I'm interested in as well. Any way I could help with the
> implementation of the graphdriver proxy?
> 
> On Fri, Oct 16, 2015 at 12:10 PM Serge Hallyn <serge.hallyn at ubuntu.com>
> wrote:
> 
> > Quoting Tamas Papp (tompos at martos.bme.hu):
> > >
> > >
> > > On 08/31/2015 03:59 PM, Serge Hallyn wrote:
> > > >Quoting Tamas Papp (tompos at martos.bme.hu):
> > > >>
> > > >>On 08/28/2015 03:48 PM, Serge Hallyn wrote:
> > > >>>Quoting Tamas Papp (tompos at martos.bme.hu):
> > > >>>>hi,
> > > >>>>
> > > >>>>I would like to achieve what is in the subject.
> > > >>>>
> > > >>>>
> > > >>>>However, I cannot get past this apparmor issue:
> > > >>>>
> > > >>>>[7690496.246952] type=1400 audit(1440757904.938:1130):
> > > >>>>apparmor="DENIED" operation="mount" info="failed flags match"
> > > >>>>error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
> > > >>>>pid=32534 comm="docker" flags="rw, private"
> > > >>>>
> > > >>>>
> > > >>>>I read some posts on various forums saying that I need to run the
> > > >>>>lxc container with an unconfined profile.
> > > >>>>Is that still the case?
> > > >>>Excellent, I've been wanting to bring this up here :)
> > > >>>
> > > >>>Maxim at Odin has been working on a proxy graphdriver for
> > > >>>docker.  The PR is at
> > > >>>
> > > >>>https://github.com/docker/docker/pull/15594
> > > >>>
> > > >>>I'm hoping to test that today and see what else is still
> > > >>>needed.  I would assume a custom apparmor policy will still
> > > >>>be needed, but since the host is doing most of the mounting
> > > >>>you should be able to avoid just being unconfined.
> > > >>hi,
> > > >>
> > > >>At first look it seems to be a big change that requires someone
> > > >>more qualified for testing.
> > > >>Did you take a look?
> > > >I've taken a look at the code but haven't built it yet.  (having
> > > >some toolchain issues)
> > >
> > > https://github.com/docker/docker/pull/13777
> > >
> > > This was merged; does it mean that docker should be usable in LXC
> > > from this point?
> >
> > Not exactly.  As you can see from the final comment in
> >
> > https://github.com/docker/docker/pull/15924
> >
> > it now means that we can write a graphdriver proxy.  The original
> > openvz pull request would have been almost all we needed - allowing
> > the graphdriver to talk over a unix socket to the host where the
> > requested actions could be done.  The pull request which was accepted
> > does less - only allowing you to implement your own proxy to talk to
> > a service on the host.  (that service *also* needs to be written)
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users

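For triaging denials like the one quoted in the thread, the following added example (not from the thread, nor from the LXC or Docker projects) parses AppArmor audit records and counts denials per profile, operation, path and mount flags. The first sample record is the thread's denial joined onto one line; the other sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input. Record 1 is the denial from the thread joined onto
# one line; the remaining lines are made up for illustration.
SAMPLE = [
    '[7690496.246952] type=1400 audit(1440757904.938:1130): apparmor="DENIED" '
    'operation="mount" info="failed flags match" error=-13 profile="lxc-docker" '
    'name="/var/lib/docker/aufs/" pid=32534 comm="docker" flags="rw, private"',
    '[7690497.100000] type=1400 audit(1440757905.800:1131): apparmor="DENIED" '
    'operation="mount" info="failed flags match" error=-13 profile="lxc-docker" '
    'name="/var/lib/docker/aufs/" pid=32601 comm="docker" flags="rw, private"',
    '[7690498.000000] type=1400 audit(1440757906.700:1132): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="lxc-docker" pid=40 '
    'comm="apparmor_parser"',
    '[7690499.000000] eth0: link up',
]

HEADER = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# key=value where the value is either a double-quoted string (may contain
# spaces and commas, e.g. flags="rw, private") or a bare token (pid, error).
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def _unquote(value):
    """Strip one pair of surrounding double quotes, if both are present."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value

def parse_record(line):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    header = HEADER.search(line)
    if header is None:
        return None
    fields = {key: _unquote(value) for key, value in PAIR.findall(line)}
    if "apparmor" not in fields:
        return None
    fields["epoch"] = float(header.group(1))
    fields["serial"] = int(header.group(2))
    return fields

def summarize_denials(lines):
    """Count DENIED records per (profile, operation, name, flags)."""
    counts = Counter()
    for rec in filter(None, map(parse_record, lines)):
        if rec["apparmor"] == "DENIED":
            key = tuple(rec.get(k, "") for k in ("profile", "operation", "name", "flags"))
            counts[key] += 1
    return counts
```

Calling `summarize_denials(SAMPLE)` groups the two mount denials under the `lxc-docker` profile into one entry, which makes it easier to see which operations a custom policy would have to account for.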
