Docker in nested/keyctl lxc container doesn't work anymore in Proxmox 7 ?

Rudy
Hi,

After upgrading a node (for testing purposes) from Proxmox 6.4 to 7, the container running Docker (or several of them) doesn't seem to work anymore (unprivileged Debian 10 LXC with nested and keyctl activated).

I get this message when I try to start a new or old Docker container inside my LXC container. Maybe something is missing after the upgrade (?).

Code:
Error response from daemon: OCI runtime create failed: container with id exists: 48dc62ad3bea612f43cea886b129e75c9f98dd8fcf205c5180359267f32a3dd8: unknown
Error: failed to start containers: influxdb

I didn't try with other containers.

Kind regards,
Rudy
 
Same here - I tried unprivileged and privileged containers - they work fine; after the host upgrade and restart - Docker AppArmor error:

Code:
docker: Error response from daemon: Could not check if docker-default AppArmor profile was loaded: open /sys/kernel/security/apparmor/profiles: permission denied.

In a privileged container it tries to load the docker-default profile, but no luck.

But removing AppArmor from the LXC container makes Docker run...
Is it a bug?


Code:
root@portainer:~# apt remove apparmor --purge -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  apparmor*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 2164 kB disk space will be freed.
(Reading database ... 21782 files and directories currently installed.)
Removing apparmor (3.0.0-0ubuntu7.1) ...
Processing triggers for man-db (2.9.4-2) ...
(Reading database ... 21749 files and directories currently installed.)
Purging configuration files for apparmor (3.0.0-0ubuntu7.1) ...
root@portainer:~# rm -rf /etc/apparmor*
root@portainer:~# docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

root@portainer:~#
Hi,


FYI, when I tried to run the container, the volume was on a shared NFS. I first updated docker-ce to the latest version but it still didn't work, and when I moved it to local-lvm, the Docker container managed to start without the error. I think Docker sees other information on the storage (e.g. duplicate UID ??? - maybe also because all the LXC containers running Docker were cloned from a Docker installation on an LXC container).
I did the same procedure with another Docker container without updating Docker, but it didn't work. I moved it back to the shared NFS, did the Docker upgrade and moved it back to local-lvm, and it works fine.

So, in my case, to make it work again:
1. Move the container volume somewhere else (e.g. from local-lvm to the shared NFS)
2. Update Docker to the latest version (I use the Docker repository for Debian 10 in my container, see here): "apt upgrade docker-ce"
3. Move the volume back to local-lvm (it should even work if you move the volume back to the shared NFS after that)

I think the shared NFS could be replaced by Ceph. I never managed to make Docker work in an LXC container where the storage was on a ZFS partition.

Hope it will help some people.
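The two daemon errors quoted in this thread (the "container with id exists" message in the first post and the AppArmor "permission denied" in the reply) point at different causes, and the reply's workaround of purging the apparmor package removes the daemon's ability to confine any container it starts. The following script is an added example, not code from the thread or from Proxmox/Docker: run inside the LXC container as root, it classifies the quoted error lines and reports what the AppArmor securityfs interface looks like from the guest, so the question "is AppArmor the blocker?" can be answered before anything is removed. The paths are the standard kernel AppArmor interfaces; the sample error strings are the ones quoted above; the label names are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Run INSIDE the LXC container as
# root. It only reads state; it never modifies or removes AppArmor.

# Standard securityfs listing of loaded AppArmor profiles, one per line,
# formatted as "<name> (<mode>)", e.g. "docker-default (enforce)".
APPARMOR_PROFILES=/sys/kernel/security/apparmor/profiles

# Map a Docker daemon error line to a short cause label (labels are mine).
classify_docker_error() {
    case "$1" in
        *"Could not check if docker-default AppArmor profile was loaded"*)
            # dockerd could not read the profile list (the reply's error)
            echo apparmor-profiles-unreadable ;;
        *"container with id exists"*)
            # the OCI runtime already holds state for that id (the first post's error)
            echo stale-runtime-state ;;
        *)
            echo unknown ;;
    esac
}

# Report AppArmor visibility from inside this container:
#   absent                - no securityfs AppArmor interface here
#   unreadable            - interface exists but cannot be read (matches the reply)
#   no-docker-profile     - readable, docker-default not loaded (dockerd loads it on start)
#   docker-default-loaded - readable and docker-default is present
apparmor_state() {
    if [ ! -e "$APPARMOR_PROFILES" ]; then
        echo absent
    elif ! cat "$APPARMOR_PROFILES" >/dev/null 2>&1; then
        echo unreadable
    elif grep -q '^docker-default ' "$APPARMOR_PROFILES"; then
        echo docker-default-loaded
    else
        echo no-docker-profile
    fi
}

# The AppArmor label this shell itself runs under (the LXC profile applied
# by the host, e.g. "lxc-container-default-cgns (enforce)"), or "unknown".
own_confinement() {
    cat /proc/self/attr/current 2>/dev/null || echo unknown
}

# Constructed sample input: the two daemon messages quoted in this thread.
SAMPLE_ERR_1='Error response from daemon: OCI runtime create failed: container with id exists: 48dc62ad3bea612f43cea886b129e75c9f98dd8fcf205c5180359267f32a3dd8: unknown'
SAMPLE_ERR_2='docker: Error response from daemon: Could not check if docker-default AppArmor profile was loaded: open /sys/kernel/security/apparmor/profiles: permission denied.'

for e in "$SAMPLE_ERR_1" "$SAMPLE_ERR_2"; do
    printf '%s... -> %s\n' "$(printf '%s' "$e" | cut -c1-60)" "$(classify_docker_error "$e")"
done
printf 'apparmor state from inside container: %s\n' "$(apparmor_state)"
printf 'own confinement label: %s\n' "$(own_confinement)"
```

If the state comes back `unreadable` even though `nesting` is enabled on the host side for this container (the thread's "nested and keyctl activated"; on the Proxmox host that is the `features: nesting=1,keyctl=1` setting, e.g. `pct set <vmid> --features nesting=1,keyctl=1`), the mismatch is between the host's LXC profile and the guest, and that is where to look. Purging `apparmor` in the guest only hides it: Docker then treats AppArmor as unsupported and starts every container without the docker-default profile. A `stale-runtime-state` result is a different problem, consistent with the first post's observation that moving the volume off the shared NFS and upgrading docker-ce cleared it.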