[lxc-users] docker in lxc

Maxim Patlasov mpatlasov at parallels.com
Sat Oct 17 00:23:42 UTC 2015


On 10/16/2015 02:48 PM, Akshay Karle wrote:
> Ok, great! So how can I get started? I've been playing around with 
> unprivileged lxc and docker for the last 2 months, so I have experience 
> using them but little experience developing them. But I would like to 
> start doing some development work and I'm happy to help.

That's great, any help is appreciated!

> To begin with, I will try to build docker with that PR and see what 
> problems I run into. Previously, I tried getting docker inside lxc 
> working, faced a bunch of issues and ended up creating a fork of 
> docker (https://github.com/akshaykarle/docker/tree/nesting-docker-lxc) 
> to work with. It was basically some devices not being available and 
> mknod not working in the unprivileged context. Hopefully, using the 
> graphdriver proxy we should get those out of the way. Let me know what 
> you all think.

I'm currently working on porting the graphdriver proxy-daemon from 
https://github.com/docker/docker/pull/15594 to the recently merged 
"graphdriver extpoint" feature 
(https://github.com/docker/docker/pull/13777). If you are interested in 
playing with a preliminary version, I'll try to publish it in a week or 
two. This will allow you to verify whether any issues other than "some 
devices not being available and mknod not working" exist, and to work on 
fixing them.

On the other hand, if you are interested in the development of the 
graphdriver proxy-daemon itself, there are at least two things worth 
mentioning. Both are related to how a mount-point is passed from the host 
system namespace to the container where the docker daemon runs. The first 
is about checking whether the pid we're going to use for setns() really 
corresponds to the mount namespace of the entity that is communicating 
with the proxy-daemon via the unix socket. Serge suggested using SO_PEERCRED:

> When a request comes in over the unix socket, the proxy gets the
> requestor's (host) pid from SO_PEERCRED.  The client passes the
> container-name.  The proxy asks the container driver for the init
> pid of the container-name, and verifies that the pid on SO_PEERCRED
> is inside the pid-ns of the container.

but I have not investigated it yet. The other thing is about the docker 
implementation. I've managed to reuse existing docker code for setns(), 
but I have not yet verified whether a similar approach works for the 
stand-alone proxy-daemon.


> On Fri, Oct 16, 2015 at 2:08 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>     Absolutely! I've not actually started working on that.  (I hadn't
>     noticed that the docker PR was merged)  Maxim (cc:d) is the one who is
>     working on this at Odin - I think it'd be best if we can all work together.
>     -serge
>     Quoting Akshay Karle (akshay.a.karle at gmail.com):
>     > Hey Serge,
>     >
>     > This is something I'm interested in as well. Anyway I could help
>     > with the implementation of the graphdriver proxy?
>     >
>     > ... <skipped> ...
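The SO_PEERCRED check Serge describes above (read the requestor's pid from the unix socket, then confirm that pid sits in the container's pid namespace before handing the pid to setns()) can be sketched as follows. This is an added illustration written for this archive page, not code from the proxy-daemon, from docker or from the PRs linked in the thread. It assumes Linux and a mounted /proc; the container init pid is taken as a parameter, since the page says the proxy obtains it from the container driver, and the comparison of /proc/<pid>/ns/pid inodes is this example's own way of deciding "inside the pid-ns".

```c
#define _GNU_SOURCE          /* struct ucred */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pid of the peer on a connected AF_UNIX socket, or -1 on error.
   The kernel reports the pid as seen from the caller's own pid namespace,
   so a proxy running on the host gets the host-side pid. */
pid_t peer_pid(int sock)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    return cred.pid;
}

/* Compare the pid namespaces of two processes via /proc/<pid>/ns/pid.
   Returns 1 if they are the same namespace, 0 if different, -1 if /proc
   could not be read for either pid (treat as "not verified"). */
int same_pid_ns(pid_t a, pid_t b)
{
    char pa[64], pb[64];
    struct stat sa, sb;
    snprintf(pa, sizeof pa, "/proc/%d/ns/pid", (int)a);
    snprintf(pb, sizeof pb, "/proc/%d/ns/pid", (int)b);
    if (stat(pa, &sa) < 0 || stat(pb, &sb) < 0)
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* Proxy-side check: only after the peer is confirmed to be in the
   container's pid namespace do we open its mount namespace, and we return
   that fd (for setns(fd, CLONE_NEWNS)) rather than the pid, so the pid is
   not re-resolved later. That keeps the window in which a recycled pid
   could point at a different process as short as possible.
   container_init: the container's init pid, assumed to come from the
   container driver. Returns an ns fd, or -1 if the check fails. */
int open_verified_mntns(int client_sock, pid_t container_init)
{
    char path[64];
    pid_t pid = peer_pid(client_sock);
    if (pid <= 0)
        return -1;
    if (same_pid_ns(pid, container_init) != 1)
        return -1;
    snprintf(path, sizeof path, "/proc/%d/ns/mnt", (int)pid);
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Self-check with a socketpair, so both "client" and "proxy" are this
   process: SO_PEERCRED on one end must report our own pid.
   Returns 1 on success, 0 on mismatch, -1 on socket error. */
int selfcheck_peercred(void)
{
    int sv[2];
    int ok;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    ok = (peer_pid(sv[0]) == getpid());
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    int sv[2], fd;
    printf("peercred self-check: %d\n", selfcheck_peercred());
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        /* Using ourselves as "container init": the peer is in our pid ns. */
        fd = open_verified_mntns(sv[0], getpid());
        printf("verified mnt ns fd: %d\n", fd);
        if (fd >= 0)
            close(fd);
        close(sv[0]);
        close(sv[1]);
    }
    return 0;
}
```

Two limitations worth keeping in mind when turning this into a real proxy: comparing ns inodes only recognises the container's own pid namespace, not namespaces nested inside it, and the SO_PEERCRED pid is captured at connect time, so a client that exits after connecting leaves a pid that may be reused. Opening the ns fd immediately after the check, as above, narrows but does not eliminate that race.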
