Docker not working on Alpine Linux LXC

[Nico94]

Hello,

I would like to manage docker work on an alpine LXC container. I can not launch any image.

docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:58: mounting \\\"proc\\\" to rootfs \\\"/var/lib/docker/100.65533/vfs/dir/ff1506e90a08d727c241ee77f21d9f5dc51803c814351276a832be49a3f8d548\\\" at \\\"/proc\\\" caused \\\"operation not permitted\\\"\"": unknown.

I did not encounter this problem with the Ubuntu or Debian containers. Someone has a solution?
Nico

 

[LnxBil]

Someone has a solution?

Unfortunately I don't. I also tried to debug the issue with Docker and Alpine Linux a few month back and decided for myself just to go with the Debian solution and never went back.

 

[Nico94]

Unfortunately I don't. I also tried to debug the issue with Docker and Alpine Linux a few month back and decided for myself just to go with the Debian solution and never went back.

Hi LnxBil, thank you for your feedback. It's a damage, I understand that Alpine Linux has become or will be the default Docker environment.

 

[LnxBil]

I understand that Alpine Linux has become or will be the default Docker environment.

Internally, they use LinuxKit (based on Alpine Linux). Have you tried that?

 

[Nico94]

Internally, they use LinuxKit (based on Alpine Linux). Have you tried that?

No, I do not know LinuxKit, I will learn.

 

[LnxBil]

Just for the sake of completeness. I still don't recommend running Docker in anything else than a VM, but if you really need to, this one way to get it to work.

I just found a solution that works with Alpine Linux. In addition to the well known changes to the configuration like

lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

you also have to add this script according to this blog post:

cat > /etc/init.d/cgroups-patch <<EOF
#!/sbin/openrc-run
 
description="Mount the control groups for Docker"
 
depend()
{
    keyword -docker
    need sysfs cgroups
}
 
start()
{
    if [ -d /sys/fs/cgroup ]; then
        mkdir -p /sys/fs/cgroup/cpu,cpuacct
        mkdir -p /sys/fs/cgroup/net_cls,net_prio
 
        mount -n -t cgroup cgroup /sys/fs/cgroup/cpu,cpuacct -o rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
        mount -n -t cgroup cgroup /sys/fs/cgroup/net_cls,net_prio -o rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
 
        if ! mountinfo -q /sys/fs/cgroup/openrc; then
            local agent="${RC_LIBEXECDIR}/sh/cgroup-release-agent.sh"
            mkdir -p /sys/fs/cgroup/openrc
            mount -n -t cgroup -o none,nodev,noexec,nosuid,name=systemd,release_agent="$agent" openrc /sys/fs/cgroup/openrc
        fi
    fi
 
    return 0
}
EOF

chmod +x /etc/init.d/cgroups-patch
rc-update add cgroups-patch boot