Docker daemon running in Alpine container. Solved?

[msh]

I was able to setup Alpine 3.10 to run Docker daemon and run hello-world container in it. Here are the steps.

• create container based on alpine-3.10-default_20190626_amd64.tar.xz (disk of size 0.5GB is enough for this little test)
• under Options enable Features 'keyctl' and 'Nesting'
• start the container, log-in, and inside container execute
  • `apk update && apk upgrade && apk add docker`
  • `rc-service cgroups start`
    • you should see: Mounting cgroup filesystem ... [ ok ] with 5 mount errors
    • here is how I fixed the mounting of cgroups (this is based how I can see Ubuntu is doing it)

      # remove dirs for failed mounts
      rmdir /sys/fs/cgroup/cpu && rmdir /sys/fs/cgroup/cpuacct && rmdir /sys/fs/cgroup/net_cls && rmdir /sys/fs/cgroup/net_prio
      
      # mount missing cgroups (Ubuntu style)
      mkdir "/sys/fs/cgroup/cpu,cpuacct"
      mount -n -t cgroup -o "nodev,noexec,nosuid,cpu,cpuacct" "cpu,cpuacct" "/sys/fs/cgroup/cpu,cpuacct"
      ln -s "cpu,cpuacct" /sys/fs/cgroup/cpu
      ln -s "cpu,cpuacct" /sys/fs/cgroup/cpuacct
      
      mkdir "/sys/fs/cgroup/net_cls,net_prio"
      mount -n -t cgroup -o "nodev,noexec,nosuid,net_cls,net_prio" "net_cls,net_prio" "/sys/fs/cgroup/net_cls,net_prio"
      ln -s "net_cls,net_prio" /sys/fs/cgroup/net_cls
      ln -s "net_cls,net_prio" /sys/fs/cgroup/net_prio
      
      # mount systemd cgroup (Alpine mounts openrc, but Docker requires systemd...)
      # (based on hint at https://k9s.hatenablog.jp/entry/2019/06/16/075741)
      mkdir /sys/fs/cgroup/systemd
      mount -n -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd

  • `rc-service docker start`
    • you should see: Starting docker ... [ ok ] with two errors 'sh: error setting limit: Operation not permitted'

That's it. Running the hello-world container works fine for me now `docker run -it --rm hello-world`
It seems to me the errors with starting cgroups service are fixed, but there are still errors (to set limit) when starting Docker service...

I'd like to know people's opinion Is this setup good enough to use it to run docker container(s) under Proxmox?

 

[LnxBil]

I'd like to know people's opinion Is this setup good enough to use it to run docker container(s) under Proxmox?

Still no and that will maybe never change. Good isolation is only possible with a KVM-based VM.

 

[makarai]

I have been trying to create an alpine LXC container privileged with nesting enabled and i run into this problem as well, my alpine vms work perfectly fine. Is there anything i could do here ?

 

[LnxBil]

Is there anything i could do here ?

As others and I have stated numerous times: use a VM.
(or invest many, many hours trying stuff out and hoping that the next Alpine update will not screw things up again)

 

[1liminal1]

But what about if you want graphics pass though?

So whats the best CT for running docker?