Alpine Linux in LXC + docker

VecH

Sep 12, 2015
Installed Alpine Linux in LXC container
Code:
root@host:~# pveam available | grep -i alpine
system          alpine-3.18-default_20230607_amd64.tar.xz
system          alpine-3.19-default_20240207_amd64.tar.xz
Code:
root@host:~# pveam download local alpine-3.19-default_20240207_amd64.tar.xz
downloading http://download.proxmox.com/images/system/alpine-3.19-default_20240207_amd64.tar.xz to /var/lib/vz/template/cache/alpine-3.19-default_20240207_amd64.tar.xz
--2024-09-01 15:35:10--  http://download.proxmox.com/images/system/alpine-3.19-default_20240207_amd64.tar.xz
Resolving download.proxmox.com (download.proxmox.com)... 212.224.123.70, 2a01:7e0:0:424::249
Connecting to download.proxmox.com (download.proxmox.com)|212.224.123.70|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2976220 (2.8M) [application/octet-stream]
Saving to: '/var/lib/vz/template/cache/alpine-3.19-default_20240207_amd64.tar.xz.tmp_dwnl.682457'
     0K ..                                 100% 3.08M=0.9s
2024-09-01 15:35:11 (3.08 MB/s) - '/var/lib/vz/template/cache/alpine-3.19-default_20240207_amd64.tar.xz.tmp_dwnl.682457' saved [2976220/2976220]
calculating checksum...OK, checksum verified
download of 'http://download.proxmox.com/images/system/alpine-3.19-default_20240207_amd64.tar.xz' to '/var/lib/vz/template/cache/alpine-3.19-default_20240207_amd64.tar.xz' finished

Installed docker inside it according to the official instructions
https://wiki.alpinelinux.org/wiki/Docker#Installation
With these parameters:
Unprivileged container = Yes
Features: nesting=1

At the startup stage I get an error
Code:
alpine-test:~# service docker start
sh: error setting limit: Operation not permitted
* docker: unable to apply RC_ULIMIT settings
* Starting Docker Daemon ...

Here they suggest a fix
https://stackoverflow.com/questions...-container-unable-to-apply-rc-ulimit-settings
Code:
lxc config set <container> security.nesting true

How to fix this and where to do it?
 
Inside the container there are not enough rights to change the limits:
Code:
# ulimit -c unlimited -n 1048576 -u unlimited
ash: error setting limit: Operation not permitted
how can I change these limits individually for the container?
 
You also wrote that one should run some lxc config command that does exactly this, and then asked your question.

That works for lxd/incus. I think he is asking why his container still cannot run docker under PVE. I won't pretend I have lots of experience with docker in LXC in PVE (not what I would use it for), but I remember I had trouble with that myself, whilst in lxd nesting would do all that was needed.

So someone who knows the pct hocus-pocus should know the answer.
 
That works for lxd/incus. I think he is asking why his container still cannot run docker under PVE. I won't pretend I have lots of experience with docker in LXC in PVE (not what I would use it for), but I remember I had trouble with that myself, whilst in lxd nesting would do all that was needed.

So someone who knows the pct hocus-pocus should know the answer.
OP didn't write that Docker is not working, he just wrote that some error is displayed with ulimit, which is negligible (or at least one of the things you cannot change due to LXC and have to live with). I'm running Docker in Alpine in LXC without any problems and I just did what OP did and it works (with the ulimit error displayed):

Code:
root@d3 /etc > apk add docker
[...]

root@d3 /etc > rc-update add docker default
 * service docker added to runlevel default

root@d3 /etc > service docker start
 * Caching service dependencies ...                                     [ ok ]
mount: mounting none on /sys/fs/cgroup failed: Resource busy
sh: write error: Resource busy
sh: write error: Resource busy
sh: write error: Resource busy
sh: write error: Resource busy
sh: write error: Resource busy
sh: write error: Resource busy
sh: write error: Resource busy
sh: write error: Resource busy
sh: error setting limit: Operation not permitted
 * docker: unable to apply RC_ULIMIT settings
 * /var/log/docker.log: creating file
 * /var/log/docker.log: correcting owner
 * Starting Docker Daemon ...                                                 [ ok ]

root@d3 /etc > docker run -it --rm alpine
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
c6a83fedfae6: Pull complete
Digest: sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
Status: Downloaded newer image for alpine:latest

/ # cat /etc/alpine-release
3.20.2

So, another non-PVE-related issue has been solved ;)
 
So, another non-PVE-related issue has been solved ;)

I do not remember such an "issue" on LXD with Docker containers though. In this sense, except for a logical error in a Perl script, everything is non-PVE related. Not helpful in my book.
 
I do not remember such an "issue" on LXD with Docker containers though. In this sense, except for a logical error in a Perl script, everything is non-PVE related. Not helpful in my book.
I suspect that this is a ulimit setting, so unless the host has a higher setting and you restrict it (like with syscfg), you cannot change it to a higher value than your LX(C) container already has.

Therefore ... DON'T RUN DOCKER IN LX(C) CONTAINERS as it is stated everywhere ... or at least don't come crawling in this forum.
 
I suspect that this is a ulimit setting, so unless the host has a higher setting and you restrict it (like with syscfg), you cannot change it to a higher value than your LX(C) container already has.

@VecH I suppose you would get a better answer on this from Stephane Graber despite he has nothing to do with either PVE or Docker.

Therefore ...

This is a logical fallacy.

DON'T RUN DOCKER IN LX(C) CONTAINERS

I do not, but for different reasons. Which is why I cannot help the OP, but I admit that.

as it is stated everywhere ...

Where is that? When I quickly check pct [1] it absolutely says it supports nesting:
Code:
--features [force_rw_sys=<1|0>] [,fuse=<1|0>] [,keyctl=<1|0>] [,mknod=<1|0>] [,mount=<fstype;fstype;...>] [,nesting=<1|0>]
Allow containers access to advanced features.

Why else would it support nesting, if it was not meant to nest?

or at least don't come crawling in this forum.

Because we two lack the expertise to answer the question off the bat?

[1] https://pve.proxmox.com/pve-docs/pct.1.html
 
Docker also runs without this limit.
Alpine Linux in LXC with limit
Bash:
alpine-test:~# ulimit -a
core file size (blocks)         (-c) unlimited
data seg size (kb)              (-d) unlimited
scheduling priority             (-e) 0
file size (blocks)              (-f) unlimited
pending signals                 (-i) 62690
max locked memory (kb)          (-l) 8192
max memory size (kb)            (-m) unlimited
open files                      (-n) 65536
POSIX message queues (bytes)    (-q) 819200
real-time priority              (-r) 0
stack size (kb)                 (-s) 8192
cpu time (seconds)              (-t) unlimited
max user processes              (-u) 62690
virtual memory (kb)             (-v) unlimited
file locks                      (-x) unlimited
 
I wrote that this option is enabled
Code:
Unprivileged container = Yes
Features: nesting=1

What else does it need to run?

I do not know where it is in GUI, but I would wonder what keyctl param is - mentioned in pct [1]:
Code:
--features [force_rw_sys=<1|0>] [,fuse=<1|0>] [,keyctl=<1|0>] [,mknod=<1|0>] [,mount=<fstype;fstype;...>] [,nesting=<1|0>]

[1] https://pve.proxmox.com/pve-docs/pct.1.html
 
Code:
# pct config 102
arch: amd64
cores: 2
features: nesting=1
hostname: alpine-test
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:25:02:32,ip=dhcp,ip6=dhcp,type=veth
ostype: alpine
rootfs: local-lvm:vm-102-disk-0,size=10G
swap: 2048
unprivileged: 1
 
Code:
# pct config 102
arch: amd64
cores: 2
features: nesting=1
hostname: alpine-test
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:25:02:32,ip=dhcp,ip6=dhcp,type=veth
ostype: alpine
rootfs: local-lvm:vm-102-disk-0,size=10G
swap: 2048
unprivileged: 1

I think you need to create the container with keyctl=1 - it looks like it should go to the features part.
 

These are good links for LXC/LXD/pct/Docker, and one note with a "recommendation". What I reacted to was however:

DON'T RUN DOCKER IN LX(C) CONTAINERS as it is stated everywhere

I might be a bit slow today, but I do not see anything to that effect there; in fact it suggests pct might have sharp edges when it comes to working well with Docker (subject to change, that I understand). What I can read there is that one should not run Docker on the host and that it is "best" to run it inside a Proxmox QEMU VM.

I am used to reading RFCs, I know what "should" means. I do understand what a best practice might be. But this is neither the statement quoted above, nor is it "everywhere".
 
Code:
root@host:~# pct config 102
arch: amd64
cores: 2
features: keyctl=1,nesting=1
hostname: alpine-test
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:25:02:32,ip=dhcp,ip6=dhcp,type=veth
ostype: alpine
rootfs: local-lvm:vm-102-disk-0,size=10G
swap: 2048
unprivileged: 1

Code:
alpine-test:~# ulimit -c unlimited -n 1048576 -u unlimited
ash: error setting limit: Operation not permitted
 
Alpine Linux in LXC with limit
So Docker works? Wasn't that the main goal?

Because we two lack the expertise to answer the question off the bat?
Maybe you ...

Warnings and errors are - as already said - common with running Docker in LX(C) in PVE.
If you don't want to see the error, override the used defaults in /etc/conf.d/docker. This is just a mismatch of the settings in the LX(C) container and the settings from the outside.

Check your settings in LXC:

Code:
root@d3 /etc > ulimit -a | egrep '(-n|-u|-c)'
core file size (blocks)         (-c) unlimited
open files                      (-n) 1024
max user processes              (-u) 256337

and set them in the file with the defaults:

Code:
DOCKER_ULIMIT="-c unlimited -n 1023 -u 256336"

and the error is gone:

Code:
root@d3 /etc > service docker restart
 * Caching service dependencies ...                                                  [ ok ]
 * Stopping Docker Daemon ...                                                        [ ok ]
 * Starting Docker Daemon ...                                                        [ ok ]

So, another non-PVE-related issue has been solved ;)
I stand by this as seen above.
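The fix above works because of how rlimits behave in an unprivileged container: raising a hard limit needs CAP_SYS_RESOURCE in the host's initial user namespace, which root inside the container does not have, so limits can only be lowered from inside. Keeping the container unprivileged and lowering Docker's request is the right move; the script below automates LnxBil's steps. It is an added example for this thread, not code from Alpine, Proxmox or any poster here. The default request "-c unlimited -n 1048576 -u unlimited" is taken from /etc/conf.d/docker as the OP and LnxBil used it; the lxc.prlimit.* host-side key and the pct set command in the comments are assumptions about a standard PVE/LXC setup, not something the thread shows.

```shell
#!/bin/sh
# Added example, not code from the Proxmox or Alpine projects.
# Fits Alpine's DOCKER_ULIMIT (OpenRC's RC_ULIMIT) inside the hard limits an
# unprivileged LXC container already has, so "service docker start" stops
# printing "error setting limit: Operation not permitted".
#
# Raising a hard rlimit needs CAP_SYS_RESOURCE in the host's initial user
# namespace; root in an unprivileged container lacks it, so setrlimit() can
# only lower limits from inside. The shipped /etc/conf.d/docker asks for
# "-c unlimited -n 1048576 -u unlimited", the same values the OP tried by hand.

# True (exit 0) when limit $1 is larger than limit $2; "unlimited" beats any number.
limit_gt() {
    [ "$1" = "$2" ] && return 1
    [ "$1" = "unlimited" ] && return 0
    [ "$2" = "unlimited" ] && return 1
    [ "$1" -gt "$2" ]
}

# $1 = wanted "core nofile nproc", $2 = hard "core nofile nproc".
# Prints the DOCKER_ULIMIT line with every value clamped to the hard limit.
fit_docker_ulimit() {
    set -- $1 $2
    c=$1; n=$2; u=$3
    limit_gt "$c" "$4" && c=$4
    limit_gt "$n" "$5" && n=$5
    limit_gt "$u" "$6" && u=$6
    printf 'DOCKER_ULIMIT="-c %s -n %s -u %s"\n' "$c" "$n" "$u"
}

# Prints "<name> <wanted>" for each wanted limit the container cannot reach.
# Those can only be raised on the PVE host; assumption (not shown in the
# thread): a raw "lxc.prlimit.nofile: 1048576" line in /etc/pve/lxc/<vmid>.conf.
needs_host_raise() {
    set -- $1 $2
    limit_gt "$1" "$4" && echo "core $1"
    limit_gt "$2" "$5" && echo "nofile $2"
    limit_gt "$3" "$6" && echo "nproc $3"
    return 0
}

# Rewrites the DOCKER_ULIMIT line in an OpenRC conf.d file ($1) for the given
# hard limits ($2); every other setting in the file is left untouched.
write_docker_conf() {
    conf=$1
    line=$(fit_docker_ulimit "unlimited 1048576 unlimited" "$2")
    if [ -f "$conf" ]; then
        { grep -v '^DOCKER_ULIMIT=' "$conf" || :; } > "$conf.tmp" && mv "$conf.tmp" "$conf"
    fi
    printf '%s\n' "$line" >> "$conf"
}

# Usage inside the container (busybox ash and bash both accept "ulimit -H"):
#   write_docker_conf /etc/conf.d/docker "$(ulimit -H -c) $(ulimit -H -n) $(ulimit -H -u)"
#   service docker restart
# On the PVE host, the features the thread ends up with are set by (assumption):
#   pct set 102 --features keyctl=1,nesting=1
```

Run needs_host_raise first if you want to know which limit is actually being refused; in practice it is almost always nofile, and on a busy Docker host that is the one worth raising from the host side rather than silently clamping.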
 
