[lxc-users] docker in lxc

Tamas Papp tompos at martos.bme.hu
Mon Oct 19 11:36:02 UTC 2015


Whooo. Thanks in advance, guys!

I'm not a programmer, cannot work by myself on this, but look forward 
to the feature.
Please keep the list posted, I'm sure many of us are interested and also 
willing to test the code.

Cheers,
tamas

On 10/16/2015 07:08 PM, Serge Hallyn wrote:
> Absolutely!  I've not actually started working on that.  (I hadn't noticed
> that the docker PR was merged)  Maxim (cc:d) is the one who is working on
> this at Odin - I think it'd be best if we can all work together.
>
> -serge
>
> Quoting Akshay Karle (akshay.a.karle at gmail.com):
>> Hey Serge,
>>
>> This is something I'm interested in as well. Any way I could help with the
>> implementation of the graphdriver proxy?
>>
>> On Fri, Oct 16, 2015 at 12:10 PM Serge Hallyn <serge.hallyn at ubuntu.com>
>> wrote:
>>
>>> Quoting Tamas Papp (tompos at martos.bme.hu):
>>>>
>>>> On 08/31/2015 03:59 PM, Serge Hallyn wrote:
>>>>> Quoting Tamas Papp (tompos at martos.bme.hu):
>>>>>> On 08/28/2015 03:48 PM, Serge Hallyn wrote:
>>>>>>> Quoting Tamas Papp (tompos at martos.bme.hu):
>>>>>>>> hi,
>>>>>>>>
>>>>>>>> I would like to achieve what is in the subject.
>>>>>>>>
>>>>>>>>
>>>>>>>> However, I cannot get over this apparmor issue:
>>>>>>>>
>>>>>>>> [7690496.246952] type=1400 audit(1440757904.938:1130):
>>>>>>>> apparmor="DENIED" operation="mount" info="failed flags match"
>>>>>>>> error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
>>>>>>>> pid=32534 comm="docker" flags="rw, private"
>>>>>>>>
>>>>>>>>
>>>>>>>> I read some posts on various forums saying that I need to run the
>>>>>>>> lxc container with the unconfined profile.
>>>>>>>> Is that still the case?
>>>>>>> Excellent, I've been wanting to bring this up here :)
>>>>>>>
>>>>>>> Maxim at Odin has been working on a proxy graphdriver for
>>>>>>> docker.  The PR is at
>>>>>>>
>>>>>>> https://github.com/docker/docker/pull/15594
>>>>>>>
>>>>>>> I'm hoping to test that today and see what else is still
>>>>>>> needed.  I would assume a custom apparmor policy will still
>>>>>>> be needed, but since the host is doing most of the mounting
>>>>>>> you should be able to avoid just being unconfined.
>>>>>> hi,
>>>>>>
>>>>>> At first look it seems to be a big change that requires someone more
>>>>>> qualified for testing.
>>>>>> Did you take a look?
>>>>> I've taken a look at the code but haven't built it yet.  (having
>>>>> some toolchain issues)
>>>> https://github.com/docker/docker/pull/13777
>>>>
>>>> This was merged; does it mean that docker should be usable in LXC
>>>> from this point?
>>> Not exactly.  As you can see from the final comment in
>>>
>>> https://github.com/docker/docker/pull/15924
>>>
>>> it now means that we can write a graphdriver proxy.  The original
>>> openvz pull request would have been almost all we needed - allowing
>>> the graphdriver to talk over a unix socket to the host where the
>>> requested actions could be done.  The pull request which was accepted
>>> does less - only allowing you to implement your own proxy to talk to
>>> a service on the host.  (that service *also* needs to be written)
>>> _______________________________________________
>>> lxc-users mailing list
>>> lxc-users at lists.linuxcontainers.org
>>> http://lists.linuxcontainers.org/listinfo/lxc-users
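Added example, not part of the original thread: a small parser that recovers AppArmor mount denials like the one quoted above from mail-wrapped, `>`-quoted kernel log text, so the denied profile, mount point and flags can be reviewed when scoping a custom policy instead of running unconfined. The function names are hypothetical, and the second log line in the sample is constructed.

```python
import re

# First record: the denial quoted in the thread, still wrapped and '>'-quoted.
# Second record: constructed for this example (complain-mode ALLOWED line).
SAMPLE = '''
>>>>>>>> [7690496.246952] type=1400 audit(1440757904.938:1130):
>>>>>>>> apparmor="DENIED" operation="mount" info="failed flags match"
>>>>>>>> error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
>>>>>>>> pid=32534 comm="docker" flags="rw, private"
>>>>>>>>
[7690497.000001] type=1400 audit(1440757905.100:1131): apparmor="ALLOWED" operation="mount" profile="example-complain" name="/mnt/x/" pid=100 comm="mount" flags="rw, bind"
'''

PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')      # key="quoted value" or key=bare
STAMP = re.compile(r'\[\s*\d+\.\d+\]')           # kernel timestamp starts a record

def unwrap(text):
    """Strip '>' quote markers and rejoin records a mail client wrapped."""
    records = []
    for line in text.splitlines():
        line = re.sub(r'^[>\s]+', '', line).rstrip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line            # continuation of previous record
    return records

def parse_audit(record):
    """Return the key/value fields of an AppArmor audit record, else None."""
    if 'apparmor=' not in record:
        return None
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in PAIR.findall(record)}

def denied_mounts(text):
    """List (profile, mount point, flags) for every denied mount operation."""
    hits = []
    for record in unwrap(text):
        f = parse_audit(record)
        if f and f.get('apparmor') == 'DENIED' and f.get('operation') == 'mount':
            flags = tuple(x.strip() for x in f.get('flags', '').split(',') if x.strip())
            hits.append((f.get('profile'), f.get('name'), flags))
    return hits

if __name__ == '__main__':
    for profile, name, flags in denied_mounts(SAMPLE):
        print(f'profile={profile} mountpoint={name} flags={",".join(flags)}')
```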
