[lxc-users] docker in lxc
mpatlasov at parallels.com
Sat Oct 17 00:23:42 UTC 2015
On 10/16/2015 02:48 PM, Akshay Karle wrote:
> Ok, great! So how can I get started? I've been playing around with
> unprivileged lxc and docker for the last 2 months so I have experience
> using them but little experience developing them. But, I would like to
> start doing some development work and happy to help.
That's great, any help is appreciated!
> To begin with, I will try to build up docker with that PR and see what
> problems I see. Previously, I tried getting the docker inside lxc
> working, faced a bunch of issues and ended up creating a fork of
> <https://github.com/akshaykarle/docker/tree/nesting-docker-lxc> to
> work with. It was basically some devices not being available and mknod
> not working in the unprivileged context. Hopefully, using the
> graphdriver proxy we should get those out of the way. Let me know what
> you all think.
I'm currently working on porting the graphdriver proxy-daemon from
https://github.com/docker/docker/pull/15594 to the recently merged
"graphdriver extpoint" feature
(https://github.com/docker/docker/pull/13777). If you are interested in
playing with some preliminary version, I'll try to publish it in a week or
two. This will allow you to verify whether any issues other than "some
devices not being available and mknod not working" exist and work on
On the other hand, if you are interested in the development of the graphdriver
proxy-daemon itself, there are at least two things worth mentioning.
Both are related to the way a mount-point is to be passed from the host
system namespace to the container where the docker daemon runs. The first thing is
about checking whether the pid we're going to use for setns() really
corresponds to the mount namespace of the entity that is communicating with the
proxy-daemon via the unix socket. Serge suggested using SO_PEERCRED:
> When a request comes in over the unix socket, the proxy gets the
> requestor's (host) pid from SO_PEERCRED. The client passes the
> container-name. The proxy asks the container driver for the init
> pid of the container-name, and verifies that the pid on SO_PEERCRED
> is inside the pid-ns of the container.
but I have not investigated it yet. Another thing is about the docker
implementation. I've managed to reuse existing docker code for setns:
but I have not verified yet whether a similar approach works for
> On Fri, Oct 16, 2015 at 2:08 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Absolutely! I've not actually started working on that. (I hadn't
> that the docker PR was merged) Maxim (cc:d) is the one who is
> working on this at Odin - I think it'd be best if we can all work together.
> Quoting Akshay Karle (akshay.a.karle at gmail.com):
> > Hey Serge,
> > This is something I'm interested in as well. Anyway I could help
> with the
> > implementation of the graphdriver proxy?
> > ... <skipped> ...
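[Editor's note: the SO_PEERCRED check Serge describes above, written out as an added example. This is not code from the docker PRs, from lxc, or from Maxim's proxy-daemon; it assumes a Linux host with /proc mounted, and uses the NS_GET_PARENT ioctl (Linux 4.9+) to also accept requestors in pid namespaces nested below the container's. How the proxy looks up the container's init pid from the container-name is left to the container driver and is not shown; the init pid is simply a parameter here.]

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* NS_GET_PARENT lives in <linux/nsfs.h> on recent kernels; define it here so
 * the example builds on older headers (assumed value from the kernel uapi). */
#ifndef NS_GET_PARENT
#define NSIO 0xb7
#define NS_GET_PARENT _IO(NSIO, 0x2)
#endif

/* Step 1: the requestor's pid, as seen from the proxy's (host) pid namespace.
 * The kernel translates ucred.pid into the receiver's namespace, so a client
 * inside a container cannot forge a host pid here. Returns 0 on success. */
int get_peer_pid(int sock, pid_t *pid_out)
{
    struct ucred cr;
    socklen_t len = sizeof(cr);
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    *pid_out = cr.pid;
    return 0;
}

static int open_pidns(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/pid", (int)pid);
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Two namespace fds refer to the same namespace iff (st_dev, st_ino) match. */
static int same_ns(int fd_a, int fd_b)
{
    struct stat a, b;
    if (fstat(fd_a, &a) < 0 || fstat(fd_b, &b) < 0)
        return -1;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Step 2: is peer_pid inside init_pid's pid namespace, or in one nested
 * below it? Walks up from the peer's namespace with NS_GET_PARENT until it
 * reaches the container's namespace (1) or can go no further (0). The ioctl
 * fails with EPERM once the parent is outside the caller's own namespace and
 * with ENOTTY on pre-4.9 kernels; both cases fail closed. -1 means a lookup
 * error (e.g. the pid no longer exists). */
int pid_in_pidns(pid_t peer_pid, pid_t init_pid)
{
    int target = open_pidns(init_pid);
    if (target < 0)
        return -1;
    int cur = open_pidns(peer_pid);
    if (cur < 0) {
        close(target);
        return -1;
    }
    int result;
    for (;;) {
        int eq = same_ns(cur, target);
        if (eq < 0) { result = -1; break; }
        if (eq)     { result = 1;  break; }
        int parent = ioctl(cur, NS_GET_PARENT);
        if (parent < 0) { result = 0; break; }
        close(cur);
        cur = parent;
    }
    close(cur);
    close(target);
    return result;
}

/* What the proxy would do per request: 1 = accept, 0 = reject, -1 = error.
 * Caveat: the peer pid can be recycled if the client exits between this
 * check and the later setns(); re-check or hold /proc/<pid> open. */
int authorize_request(int sock, pid_t container_init_pid)
{
    pid_t peer;
    if (get_peer_pid(sock, &peer) < 0)
        return -1;
    return pid_in_pidns(peer, container_init_pid);
}

/* Self-contained demo: a socketpair() reports our own credentials as peer. */
pid_t demo_peer_pid(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t p = -1;
    get_peer_pid(sv[0], &p);
    close(sv[0]);
    close(sv[1]);
    return p;
}

int main(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 1;
    /* Treat ourselves as the "container init": must be accepted. */
    printf("self in own ns: %d\n", authorize_request(sv[0], getpid()));
    /* pid 1 is accepted only if we are in its namespace (or nested below). */
    printf("self in pid 1's ns: %d\n", authorize_request(sv[0], 1));
    return 0;
}
```

Note that the exact-match comparison alone (same_ns on the two /proc/<pid>/ns/pid links) is enough when docker runs directly in the container's own pid namespace; the NS_GET_PARENT walk only matters for docker-in-lxc setups where the daemon has itself been placed in a nested namespace.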