Running docker containers in proxmox containers

droidus

Member
Apr 5, 2020
94
2
13
32
I am sure that this doesn't make a lot of sense, but I am trying to install software that is recommended to be installed using Docker. I've tried this twice now, and I seem to run into the same issue, which makes me think I can't run Docker containers within the proxmox native containers. Here is the error message that I encounter:
Code:
docker run -d -p 80:8080 miniflux/miniflux:latest
3fc1662492a8447c43cb2a6761fdeccc306003cffc70c08d0c8c4c42771abbe6
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"proc\\\" to rootfs \\\"/var/lib/docker/overlay2/f9b1c95f723519652c87162a208e7fcb8817d68e13f9e082fbeaf8370e6b79c9/merged\\\" at \\\"/proc\\\" caused \\\"permission denied\\\"\"": unknown.
I assume this is because the proxmox container does not have all of the necessary FS hierarchy/structure required to run docker containers?
 

Dunuin

Famous Member
Jun 30, 2020
6,031
1,399
144
Germany
Unprivileged LXC is fine for docker but you need to enable the "nesting" and "keyctl" features first.
 
  • Like
Reactions: mir

droidus

Member
Apr 5, 2020
94
2
13
32
I know of the nesting option, but have not heard of the keyctl one. What is that, or what does it mean/do?
 
  • Like
Reactions: majorgear

mir

Famous Member
Apr 14, 2012
3,559
120
83
Copenhagen, Denmark
I know of the nesting option, but have not heard of the keyctl one. What is that, or what does it mean/do?
From https://[your_pve_host]/pve-docs/chapter-pct.html#pct_options:
keyctl=<boolean> (default = 0)
For unprivileged containers only: Allow the use of the keyctl() system call. This is required to use docker inside a container. By default unprivileged containers will see this system call as non-existent. This is mostly a workaround for systemd-networkd, as it will treat it as a fatal error when some keyctl() operations are denied by the kernel due to lacking permissions. Essentially, you can choose between running systemd-networkd or docker.

keyctl: https://linux.die.net/man/1/keyctl
 

droidus

Member
Apr 5, 2020
94
2
13
32
Thank you for sharing that link. Interestingly, reading from the beginning to try and understand all of this, I came upon this:
"
If you want to run application containers, for example, Docker images, it is recommended that you run them inside a Proxmox Qemu VM. This will give you all the advantages of application containerization, while also providing the benefits that VMs offer, such as strong isolation from the host and the ability to live-migrate, which otherwise isn’t possible with containers.
"
So they are essentially saying, don't use containers, and VMs are more secure than a container? Aren't containers isolated as well, if you use them in unprivileged mode?
 

mir

Famous Member
Apr 14, 2012
3,559
120
83
Copenhagen, Denmark
Thank you for sharing that link. Interestingly, reading from the beginning to try and understand all of this, I came upon this:
"
If you want to run application containers, for example, Docker images, it is recommended that you run them inside a Proxmox Qemu VM. This will give you all the advantages of application containerization, while also providing the benefits that VMs offer, such as strong isolation from the host and the ability to live-migrate, which otherwise isn’t possible with containers.
"
So they are essentially saying, don't use containers, and VMs are more secure than a container? Aren't containers isolated as well, if you use them in unprivileged mode?
I think that part is from a time where unprivileged containers was not production ready and default was to run using a privileged container. A privileged containers root is mapped to the host root so breaking out of the container means that you get root privileges on the host while breaking out of an unprivileged container means you are only gaining privileges of a normal user but with a set of very strict and harmless privileges. See https://linuxcontainers.org/lxc/security/
 
  • Like
Reactions: bobmc and droidus

Dunuin

Famous Member
Jun 30, 2020
6,031
1,399
144
Germany
So they are essentially saying, don't use containers, and VMs are more secure than a container? Aren't containers isolated as well, if you use them in unprivileged mode?
VMs are completely isolated and unprivileged containers are still only half isolated. So if you want maximum security I would always use VMs and not LXCs. But unprivileged LXCs are good enough if you are running low end hardware and need to do compromises.
 
  • Like
Reactions: droidus

mir

Famous Member
Apr 14, 2012
3,559
120
83
Copenhagen, Denmark
But unprivileged LXCs are good enough if you are running low end hardware and need to do compromises.
Not only that but if you run micro services or docker based services spooling a complete operating system is a waste of ressorces. Only if your micro services or docker based services must have a 100% uptime then go for a VM since LXC containers cannot live migrate still.
 

majorgear

New Member
Mar 3, 2022
8
1
3
32
For anybody coming here later and seeing this, if the container is unprivileged just goto Options from the container menu (main UI), click on Features then select keyctl and nesting, save, voila!
This is so easy, it should be illegal.

Thanks for sharing this info. I have been running docker inside vm’s because I thought that was the only way to do it.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!