"apply caps: operation not permitted" trying to run wireguard docker CT

[rcd]

Trying to run ghcr.io/linuxserver/wireguard in docker in a CT, I get the error "apply caps: operation not permitted".

Seems to have something to do with CAP_MKNOD capability in CT. I found a couple of refences to it in LXC, but nothing specific for Proxmox.

Anyone know how to fix?

 

[tom]

Trying to run ghcr.io/linuxserver/wireguard in docker in a CT

We do NOT recommend running docker inside a LXC container as you are faced with multiple problems due to the limited permissions inside LXC.

If you need docker, use qemu (VM).

 

[rcd]

I used to run docker in a VM, but was tempted to move it to a CT after seeing a number of Youtube videos about it. Actually the saving in resources are incredible: I run 15 containers and docker in 1 GB RAM whereas in a VM I'd use more than 2 GB. I understand there are some small security implications in doing this, but given this is a homelab with only me on it I can live with that. It seems this issue can be resolved in LXC so I'd imagine it could be resolved in Proxmox too, the question is just how.

 

[StackIOI]

Also interested on this solution. Facing the same issues while running docker in a LXC.

 

[pharpe]

I got it to work. I had to add the following lines to the LXC conf file. /etc/pve/lxc/xxx.conf

lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: a
lxc.cap.drop:

 

[LnxBil]

I got it to work. I had to add the following lines to the LXC conf file. /etc/pve/lxc/xxx.conf

lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: a
lxc.cap.drop:

That's what @tom already wrote ... you just removed ALL SECURITY from your LX(C) container.

 

[pharpe]

That's what @tom already wrote ... you just removed ALL SECURITY from your LX(C) container.

Just saw this. I'm not really understanding what security is actually removed. The ubuntu server in the lxc still has it's security and firewall correct? II also still have my router firewall and network security. Are you referring to security between proxmox containers? I'm trying to understand the real world implications of this. This is a homelab setup and I am the only user.

 

[LnxBil]

Just saw this. I'm not really understanding what security is actually removed. The ubuntu server in the lxc still has it's security and firewall correct? II also still have my router firewall and network security. Are you referring to security between proxmox containers? I'm trying to understand the real world implications of this. This is a homelab setup and I am the only user.

You can access all resources of your host and therefore all other containers if your ubuntu container without this security is compromised. There is no worse case I can think of.

 

[pharpe]

So it's either run an unnecessarily resource heavy VM or have compromised security. Hopefully someone will come up with a better option

 

[LnxBil]

So it's either run an unnecessarily resource heavy VM or have compromised security. Hopefully someone will come up with a better option

IMHO there is none and will never be. A system with a shared kernel is per default not separated enough, so security will ALWAYS be a concern.

Yes, a VM needs more resources, but is has features a LX(C) container does not have (yet):
- zero-downtime live migration
- own kernel with e.g. features the PVE kernel lacks ... or is not optimized for, especially for resource restrictions with respect to docker or newer kernel versions with special features
- possibility to have "real" ZFS for docker (e.g. container layers in zfs datasets with snapshots, compression, etc.)
- full auto-provisioning via api for e.g. rancher to create k8s clusters
- IO limits per VM from PVE
- does not potentially break if PVE does an update to LXC, which happend a few times in the past (yet not problem, Docker in LXC is not supported)