running docker inside LXC

dipe

Our developers and researchers need Docker (they collaborate using images from Docker Hub). We can configure Proxmox to allow for deployment of self-service KVM images, which works well ... but it still seems silly because the performance of containers is much better and they use fewer resources.

This issue was described earlier and it is still there:
http://forum.proxmox.com/threads/23...-running-in-a-LXC-container-under-Proxmox-4b2


You can make it work: http://ashish1099.github.io/blog/2015/05/23/docker-inside-lxc/

And here they claim it does work with LXD:
http://thevarguy.com/open-source-ap...tainers-ubuntu-revolutionize-open-source-virt

Again, Docker is here to stay, developers love it, but why should they be constrained to run it on a hypervisor?
 
It removes the security profile (lxc.aa_profile = unconfined), allows access to all devices (lxc.cgroup.devices.allow = a) and prevents capabilities from being dropped effectively keeping super-user privileges (lxc.cap.drop=).
They're effectively reduced to a chroot with a PID and a network namespace with full access to the host system.
Note that you can write all those settings into a container config file in PVE as well. You might have to remove the lxcfs mounts and replace some with the "real" counterparts, though.
 
Is it still a security risk to run a docker container inside of an LXC container in Proxmox 4.2-11?

If so, this surprises me. I thought LXC containers, well, "contained" the things installed onto them.

It therefore surprises me that something installed into a LXC container could so easily gain access to the entire Proxmox host system.
 
Containers per se provide less isolation than "real" virtual machines because host and container share one kernel instance. Furthermore, if you turn off all the security and isolation features provided by the kernel and LXC, you end up with a glorified chroot, like Wolfgang described. So if you want to run something contained that "needs" full access to devices, all kernel interfaces, etc., you either have to accept the risk and run it in a container that is practically not isolated from the host system (which is only acceptable in very rare circumstances), or you run it in a VM (which gives you more isolation, but of course also higher overhead).
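The three settings named above (unconfined AppArmor profile, all devices allowed, empty capability drop list) are exactly what a host admin should be looking for in /etc/pve/lxc/*.conf. The following audit script is an added example, not code from the thread or from Proxmox; it assumes the PVE layout described here (raw lxc.* keys appended to each <vmid>.conf) and also recognises the newer LXC spellings lxc.apparmor.profile and lxc.cgroup2.devices.allow for the same knobs.

```python
import re
from pathlib import Path
from typing import Dict, List

# Assumed PVE layout (per the thread): one <vmid>.conf per container.
PVE_LXC_DIR = Path("/etc/pve/lxc")

# Values that dismantle isolation, as described in the thread. The
# lxc.apparmor.profile / lxc.cgroup2.devices.allow keys are the newer LXC
# names for the same settings (assumption: which one applies depends on
# the LXC version in use).
CHECKS = {
    "lxc.aa_profile":            lambda v: v == "unconfined",
    "lxc.apparmor.profile":      lambda v: v == "unconfined",
    "lxc.cgroup.devices.allow":  lambda v: v == "a",   # "a" = every device
    "lxc.cgroup2.devices.allow": lambda v: v == "a",
    "lxc.cap.drop":              lambda v: v == "",    # empty = drop nothing
}

LXC_LINE = re.compile(r"^\s*(lxc\.[\w.]+)\s*=\s*(.*?)\s*$")


def audit_config(text: str) -> List[str]:
    """Return the isolation-weakening lxc.* lines found in one config."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # ignore trailing comments
        m = LXC_LINE.match(line)
        if not m:
            continue                         # PVE "key: value" lines etc.
        key, value = m.group(1), m.group(2)
        check = CHECKS.get(key)
        if check and check(value):
            findings.append(f"{key} = {value or '(empty)'}")
    return findings


def audit_dir(directory: Path = PVE_LXC_DIR) -> Dict[str, List[str]]:
    """Map each <vmid>.conf under the PVE config dir to its findings."""
    results = {p.name: audit_config(p.read_text())
               for p in sorted(directory.glob("*.conf"))}
    return {name: hits for name, hits in results.items() if hits}


# Constructed sample of a weakened container config (not a real container).
SAMPLE_CONF = """arch: amd64
cores: 2
hostname: docker-dev
lxc.aa_profile = unconfined
lxc.cgroup.devices.allow = a
lxc.cap.drop=
"""

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONF))
    print(audit_dir())
```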
 
Thanks all for the hints. I was running into some other issue last year and gave up. After upgrading to 4.3 I tried again, and as it turns out it works. The only thing I needed to add to the LXC profile was

lxc.aa_profile = unconfined

The other settings were not required for the stuff that I was doing (nginx etc.).

Now these are test/dev systems, so security is not too relevant. Can we add this as a configuration option in the GUI and REST API, so I would not have to hack it globally into /usr/share/lxc/config/ubuntu.common.conf?
 

You don't need to add it to /usr/share/lxc/config/ubuntu.common.conf; just add it to the container configs in /etc/pve/lxc/.
 
Hello,
For Proxmox 4.4-12, is it the same security risk, or can we install Docker without problems using another solution?
Thanks.
 
Please install Docker inside a QEMU-based VM, not on the Proxmox VE host. Proxmox VE is IaaS and Docker is PaaS, so it should go one layer higher.
 

Manually patching Docker to get it to work? I don't think so.

The ordinary way, with e.g. Debian Stretch as the base, works but is still insecure, and that is not going to change (tested with PVE 5-2).

Please consider running Docker the way its makers want it to be run ... on an IaaS instance, to scale properly, with an orchestrator like Docker Swarm or K8s.
 