[lxc-users] docker in lxc

Akshay Karle akshay.a.karle at gmail.com
Fri Oct 16 21:48:57 UTC 2015


Ok, great! So how can I get started? I've been playing around with
unprivileged lxc and docker for the last 2 months so I have experience
using them but little experience developing them. But, I would like to
start doing some development work and am happy to help.

To begin with, I will try to build up docker with that PR and see what
problems I see. Previously, I tried getting the docker inside lxc working,
faced a bunch of issues and ended up creating a fork of docker
<https://github.com/akshaykarle/docker/tree/nesting-docker-lxc> to work
with. It was basically some devices not being available and mknod not
working in the unprivileged context. Hopefully, using the graphdriver proxy
we should get those out of the way. Let me know what you all think.

On Fri, Oct 16, 2015 at 2:08 PM Serge Hallyn <serge.hallyn at ubuntu.com>
wrote:

> Absolutely!  I've not actually started working on that.  (I hadn't noticed
> that the docker PR was merged)  Maxim (cc:d) is the one who is working on
> this at Odin - I think it'd be best if we can all work together.
>
> -serge
>
> Quoting Akshay Karle (akshay.a.karle at gmail.com):
> > Hey Serge,
> >
> > This is something I'm interested in as well. Anyway I could help with the
> > implementation of the graphdriver proxy?
> >
> > On Fri, Oct 16, 2015 at 12:10 PM Serge Hallyn <serge.hallyn at ubuntu.com>
> > wrote:
> >
> > > Quoting Tamas Papp (tompos at martos.bme.hu):
> > > >
> > > >
> > > > On 08/31/2015 03:59 PM, Serge Hallyn wrote:
> > > > >Quoting Tamas Papp (tompos at martos.bme.hu):
> > > > >>
> > > > >>On 08/28/2015 03:48 PM, Serge Hallyn wrote:
> > > > >>>Quoting Tamas Papp (tompos at martos.bme.hu):
> > > > >>>>hi,
> > > > >>>>
> > > > >>>>I would like to achieve, what is in subject.
> > > > >>>>
> > > > >>>>
> > > > >>>>However, I cannot get over on this apparmor issue:
> > > > >>>>
> > > > >>>>[7690496.246952] type=1400 audit(1440757904.938:1130):
> > > > >>>>apparmor="DENIED" operation="mount" info="failed flags match"
> > > > >>>>error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
> > > > >>>>pid=32534 comm="docker" flags="rw, private"
> > > > >>>>
> > > > >>>>
> > > > >>>>I read some posts on various forums that I need to run the lxc
> > > > >>>>container with unconfined profile.
> > > > >>>>Is that still the case?
> > > > >>>Excellent, I've been wanting to bring this up here :)
> > > > >>>
> > > > >>>Maxim at Odin has been working on a proxy graphdriver for
> > > > >>>docker.  The PR is at
> > > > >>>
> > > > >>>https://github.com/docker/docker/pull/15594
> > > > >>>
> > > > >>>I'm hoping to test that today and see what else is still
> > > > >>>needed.  I would assume a custom apparmor policy will still
> > > > >>>be needed, but since the host is doing most of the mounting
> > > > >>>you should be able to avoid just being unconfined.
> > > > >>hi,
> > > > >>
> > > > >>For the first look it seems to be a big change, that requires a more
> > > > >>qualified one for testing.
> > > > >>Did you take a look?
> > > > >I've taken a look at the code but haven't built it yet.  (having
> > > > >some toolchain issues)
> > > >
> > > > https://github.com/docker/docker/pull/13777
> > > >
> > > > This was merged; does it mean that docker should be usable in LXC
> > > > from this point?
> > >
> > > Not exactly.  As you can see from the final comment in
> > >
> > > https://github.com/docker/docker/pull/15924
> > >
> > > it now means that we can write a graphdriver proxy.  The original
> > > openvz pull request would have been almost all we needed - allowing
> > > the graphdriver to talk over a unix socket to the host where the
> > > requested actions could be done.  The pull request which was accepted
> > > does less - only allowing you to implement your own proxy to talk to
> > > a service on the host.  (that service *also* needs to be written)
> > > _______________________________________________
> > > lxc-users mailing list
> > > lxc-users at lists.linuxcontainers.org
> > > http://lists.linuxcontainers.org/listinfo/lxc-users