LXC with nested Docker => "overlayfs: upper fs missing required features."

N

nicedevil

Member
Aug 5, 2021
112
11
23
Hey guys,

I have a LXC up and running with a nested docker environment.
This is the config of my docker lxc:

Code: 
root@gateway:~# cat /etc/pve/lxc/106.conf
arch: amd64
cores: 4
features: keyctl=1,nesting=1
hostname: docker-01
memory: 12288
mp0: gate-storage:subvol-106-disk-1,mp=/var/lib/docker,backup=1,mountoptions=noatime,size=512G
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=16:EE:A4:1D:DF:71,ip=dhcp,ip6=auto,type=veth
onboot: 1
ostype: alpine
rootfs: gate-storage:subvol-106-disk-0,mountoptions=noatime,size=8G
swap: 1024
unprivileged: 1

The rootfs is on my zfs pool => gate-storage.
Everytime my docker lxc starts or I restart the docker service inside the LXC the error message appears on the host.
How can I fix this?

1641125454177.png
 
nicedevil said:
How can I fix this?
Click to expand...
Not using LX(C) containers will solve this (and potentially other problems). Running OverlayFS on top of ZFS is also kinda besides the purpose. Docker is able to use ZFS directly, so you can use its features like CoW for Docker aswell and do not need to have another filesystem in between.

IMHO, there are only two solutions to this with ZFS:
* wait until the ZFS inheritance interface for using it in LX(C) containers is ready, I really look forward to that and it will solve a lot of problems concerning ZFS on the host and using LXC with Docker including yours
* use ZFS inside of a KVM/QEMU VM
 
nicedevil said:
Hey guys,

I have a LXC up and running with a nested docker environment.
This is the config of my docker lxc:

Code: 
root@gateway:~# cat /etc/pve/lxc/106.conf
arch: amd64
cores: 4
features: keyctl=1,nesting=1
hostname: docker-01
memory: 12288
mp0: gate-storage:subvol-106-disk-1,mp=/var/lib/docker,backup=1,mountoptions=noatime,size=512G
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=16:EE:A4:1D:DF:71,ip=dhcp,ip6=auto,type=veth
onboot: 1
ostype: alpine
rootfs: gate-storage:subvol-106-disk-0,mountoptions=noatime,size=8G
swap: 1024
unprivileged: 1

The rootfs is on my zfs pool => gate-storage.
Everytime my docker lxc starts or I restart the docker service inside the LXC the error message appears on the host.
How can I fix this?

View attachment 32869
Click to expand...
try with fuse-overlayfs:
https://c-goes.github.io/posts/proxmox-lxc-docker-fuse-overlayfs/
 
May I ask what the main disadvantage is right now for me with the warning showing up?
I just want to be able to have lower resource cost on my lxc (in comparison to VM) and be able to back it up to proxmox backup.

And ofc ty both for the hints :)
 
LnxBil said:
Security and speed.
Click to expand...
Are there particular vulnerabilities that are associated with this configuration? Or just insecure in the sense that any recurring errors/unsupported configurations are never a good idea security/stability wise.
 
This has been discussed a thousandfold on the forums and boils down to weaker isolation, more involved filesystem layers, lower speed and it broke a lot on guest or hypervisor updates. Although security gets better and getter, but this setup is not why Docker or the technology behind it was invented in the first place. Best setup is with a container OS and used for orchestration with at least one, but most of the time many VMs running as CaaS platform on top of an IaaS like Proxmox VE. The machines the containerization runs on are meant to be dynamically provisioned.
 
With docker behind, it isn't that hard to migrate back to good old VM. I will do so today with alpine linux as the docker hosts OS.
 
Indirectelex said:
Hey there, do you know how to install fuse-overlayfs. I mean I downloaded the .tar.gz and there is no way to unziped it in fact I got :
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now

I downloaded the file there : https://github.com/containers/fuse-overlayfs/releases
Click to expand...

Download the "fuse-overlayfs-x86_64" file, move to "/usr/local/bin/fuse-overlayfs" and make it executable.
 
Last edited:
Ok I checked Nesting and FUSE on my proxmox docker container
The screenshot show what happened when I typed : docker info | grep Storage
 

Attachments

  • firefox_2mja4mR70w.png
    firefox_2mja4mR70w.png
    71.2 KB · Views: 30
Last edited:
Indirectelex said:
Hey there, do you know how to install fuse-overlayfs. I mean I downloaded the .tar.gz and there is no way to unziped it in fact I got :
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now

I downloaded the file there : https://github.com/containers/fuse-overlayfs/releases
Click to expand...
I used (on Ubuntu 20.04 LXC):
Code: 
apt install fuse-overlayfs
I then installed docker:
Code: 
apt install docker.io
Docker found it and used it without any additional changes on my part.
 
  • Like
Reactions: furmek
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back