Docker Container with CAP_NET_ADMIN error running inside LXC

pixelwave

Hi,

I have the following setup:

  • Proxmox VE (8.0.3)
  • Debian (12) as LXC container
    • Privileged
    • Nesting = 1
    • Running Docker / Portainer (2.18.4)
When I now try to deploy for example Jellyfin (jellyfin/jellyfin) I get the following error:

[Attached screenshot of the error: Bildschirmfoto 2023-07-28 um 09.24.15.png]

... I already tried to run the jellyfin container in privileged mode, host network but that did not work either.

In my Debian 12 VM it works without issues .. but I wanted to migrate that from VM to LXC ...
 
There is one discussion on GitHub (https://github.com/portainer/portainer/issues/8478) that recommends to:

Code:
...add the following line to your /etc/pve/nodes/pve/lxc/xxx.conf  "lxc.cap.drop:"

This will clear the cap drops. Seems not the best solution for me but it works and Docker now gets what it needs.

I added this in my LXC and now it works. But is there a more permanent / update-proof solution? Or is this "safe" to use ...
 
> Or is this "safe" to use ...
Removing all restrictions safe? Just don't run Docker inside of LX(C) containers if you want your system to be safe. It has been said a thousand times before, KVM is the most secure option there is.

If you're fine with the possibility that each PVE upgrade will break your Docker-in-LXC and you don't care about security at all, you can use it in LXC.
 
I am not 100% sure what I am looking at in your config but on "Advanced container settings" the capability "MAC_ADMIN" is not set. Have you tried setting it?
 
... tried setting NET_ADMIN, MAC_ADMIN as well as privileged. No success.

What worked in the end was adding "lxc.cap.drop:" at the end of the lxc config (/etc/pve/nodes/pve/lxc/xxx.conf).

But for now I am sticking with the VM approach due to concerns as raised above. But LXC would work as well now...
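
A defensive check for the setting discussed in this thread, as an added example that is not part of any post or of Proxmox itself: it reads a container config and reports whether an empty `lxc.cap.drop` line has cleared the capability drops, together with the privileged and nesting settings. The sample config is constructed; treating a missing `unprivileged: 1` as privileged, accepting `=` as a separator and stopping at the first `[section]` header are assumptions about the Proxmox config format.

```python
import re
import sys

# Constructed sample in Proxmox CT config syntax (not taken from the thread).
SAMPLE_CONF = """\
arch: amd64
features: keyctl=1,nesting=1
hostname: docker-lxc
unprivileged: 0
lxc.cap.drop:

[before-docker]
unprivileged: 1
"""

# "key: value" lines; "=" is also accepted for raw lxc.* keys (assumption).
LINE = re.compile(r"^([\w.\-]+)\s*[:=]\s*(.*)$")

def audit_ct_conf(text):
    """Report isolation-relevant settings of the active part of a CT config."""
    unprivileged, nesting, cleared, redropped = False, False, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):      # snapshot sections are not the active config
            break
        m = LINE.match(line)
        if not m:                     # blank lines and "#" description lines
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "unprivileged":
            unprivileged = value == "1"
        elif key == "features":
            nesting = "nesting=1" in re.split(r"[,\s]+", value)
        elif key == "lxc.cap.drop":
            if value == "":           # empty value clears every drop set so far
                cleared, redropped = True, []
            elif cleared:             # capabilities dropped again after the clear
                redropped.extend(value.split())
    return {"privileged": not unprivileged, "nesting": nesting,
            "cap_drop_cleared": cleared, "redropped": redropped}

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("sample", audit_ct_conf(SAMPLE_CONF))
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(path, audit_ct_conf(fh.read()))
```

A result with both `privileged` and `cap_drop_cleared` set to true corresponds to the configuration the thread ends up with.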
 
