Docker with Ubuntu LXC 20.04 template

[FuzzyMistborn]

Been trying to run Docker inside of an Ubuntu 20.04 LXC and I keep getting this error:

ERROR: for CONTAINER_NAME  Cannot start service CONTAINER_NAME: AppArmor enabled on system but the docker-default profile could not be loaded: running `/sbin/apparmor_parser apparmor_parser -Kr /var/lib/docker/tmp/docker-default149283076` failed with output: apparmor_parser:Unable to replace "docker-default".  Permission denied; attempted to load a profile while confined?

error: exit status 243

I have nesting turned on. If I remove AppArmor (sudo apt remove apparmor) the container runs just fine. Docker also works fine with the Ubuntu 18.04 container template and Debian without removing apparmor. It also works if I upgrade a 18.04 image to 20.04. There seems to be an issue with the 20.04 template only.

 

[Moayad]

see here

 

[FuzzyMistborn]

I saw that thread but it doesn't appear to be the same issue. I can start the docker service just fine, it's only when i try to run a container, like `docker run hello-world` that I get that error. I can move over to that topic if you want but didn't want to hijack it.

 

[oguz]

I saw that thread but it doesn't appear to be the same issue. I can start the docker service just fine, it's only when i try to run a container, like `docker run hello-world` that I get that error. I can move over to that topic if you want but didn't want to hijack it.

works here please check if you have lxc-pve with version 4.0.6-2 installed

 

[FuzzyMistborn]

I didn't have 4.0.6-2 installed but now do. Still getting the same error 243 on a brand new spun up LXC container using the 20.04 template.

 

[oguz]

I didn't have 4.0.6-2 installed but now do. Still getting the same error 243 on a brand new spun up LXC container using the 20.04 template.

have you restarted the container after installing this version?

 

[FuzzyMistborn]

Yes. And I've created fresh containers since updating, still same issue.

And it's interesting. Now I can't even get docker to work on a 18.04 template like I could before I upgraded to 4.0.6-2. Get the same exit status 243 error.

 

[oguz]

* are you using our container templates?

* could you post the container configuration?

* are the rest of the packages also updated to the latest versions?

 

[FuzzyMistborn]

1) Yes, using the containers from Proxmox.

2) config:

arch: amd64
cores: 1
features: nesting=1
hostname: ubuntutest
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=12:A7:93:CA:04:E2,ip=dhcp,ip6=dhcp,type=veth
ostype: ubuntu
rootfs: local-lvm:vm-100-disk-0,size=8G
swap: 512

3) Yes, I run apt update and apt upgrade when I start up the container. And the host is up to date too.

And I just tried a fresh Debian 10.7 LXC and docker works just fine.

 

[oguz]

have you tried with an unprivileged ubuntu container? (your container seems privileged according to the config)

i have this config here, and it works like i described:

arch: amd64
cores: 2
features: nesting=1
hostname: docker-lxc
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=12:16:35:41:12:C5,ip=dhcp,type=veth
ostype: ubuntu
rootfs: guests:subvol-141-disk-0,size=8G
swap: 0
unprivileged: 1

 

[FuzzyMistborn]

Ok seems to work on an unprivileged container but not privileged.

 

[FuzzyMistborn]

So is this a bug where its i shouldn't expect docker to work in a privileged container?

 

[oguz]

So is this a bug where its i shouldn't expect docker to work in a privileged container?

well, if the apparmor is configured properly it should work.
but if you use an unrestricted apparmor profile it will be possible to break out of lxc as well.

our recommendation is to use unprivileged containers in general unless you have a very good reason

 

[FuzzyMistborn]

I understand the security implications of privileged/unprivileged. I just didn't want to have to deal with UID/GID mapping for storage with unprivileged. Since Docker has it's own set of security/containerization I was OK with that. I just don't understand why Debian works both privileged and unprivileged but Ubuntu does not.

 

[mcattle]

I've got this issue as well. I'm running a privileged Ubuntu container because I need it to be able to mount NFS shares from my NAS within the container. However, this means I can't start my Docker containers because of the above issue.

I suspect my solution might have to be to rebuild my container to use a Debian image instead of Ubuntu, but I don't relish the idea of having to recreate all the work I've already done.

 

[BobhWasatch]

Proxmox developers recommend using a VM to run Docker. That would also support your NFS requirement. Why are people so obstinate about this? There's some small performance gain, sure, but also lots of troubles.

 

[mcattle]

If I'm going to rebuild my Docker OS anyway, I might as well do it as a VM. I was wanting the lighter-weight LXC container not only because of the fewer resources used, but also so that I don't have to dedicate the RAM to the VM.

It also doesn't help that there are tutorials online demonstrating how to run Docker in an LXC container, albeit with Debian (Ubuntu was my choice).
WunderTech | How to Set Up Docker Containers in Proxmox