Toying with gvisor to run Docker inside an LXC container in a safe? way

koalillo

Nov 1, 2018
Hi,

The other day I stumbled upon gVisor, a Google container driver that can be used with Docker and apparently takes a "mostly user-mode" approach: it emulates a Linux kernel in user mode, so it might be a way to run Docker containers inside an LXC container without nesting cgroups and all that.

However, I stopped at https://github.com/google/gvisor/issues/1499. Maybe someone more knowledgeable can give it a shot? There are quite a few promising container drivers out there which might allow a way to run Docker inside LXC without compromising security (e.g. there's some interesting progress in other areas at https://forum.proxmox.com/threads/docker-in-lxc-problem-after-pve-kernel-update.56948/ ; I'm pinging T.Herrmann there...).

Cheers,

Álex
No experiences with gvisor.

I think in the long run there will be two ways to do HA with Docker containers: Kubernetes, and PVE with LXC Docker in cluster mode.

The biggest problem with PVE and LXC with Docker is that only vfs is supported as the filesystem for Docker images. No overlay2 or ZFS is supported so far. This is no problem for small Docker images, but if you use images with 0.5 million files it makes a huge difference.
Well, I'm thinking of a non-HA scenario, just being able to do development/CI in a container (e.g. run Jenkins on LXC and be able to do builds requiring Docker, use an LXC container as a dev workstation, etc.).
Hi,
you're better off running Jenkins in a VM if you want to do Docker builds.
I'm running it in a VM currently, but I'm running a 35 €/month 48 GB RAM server and LXC allows me to pack in a lot of stuff... Right now I'd ideally require 4 VMs for all the Docker stuff I want to do, which represents significant overhead on that.

Anyway, the gVisor bug I filed was idiotic; it does seem that I need to play more with storage to get things running.

This is a bit frustrating because it wouldn't be so difficult to do Docker stuff inside LXC in a reasonable way; gVisor, udocker, proot... there are lots of scattered bits and pieces of a solution, but they don't quite fit. I'm thinking right now that it wouldn't be so difficult to write a shim that emulates most of the Docker functionality I want to do with proot...
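For reference, this is what the Docker daemon configuration for the setup discussed here looks like. This is an added example, not something posted in the thread: it registers gVisor's `runsc` binary as an additional runtime and pins the storage driver to `vfs`, the only driver the thread reports working inside a PVE LXC container. It assumes `runsc` is installed at `/usr/local/bin/runsc` (an assumed path; adjust to wherever you installed it).

```json
{
  "storage-driver": "vfs",
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc"
    }
  }
}
```

After restarting the daemon, a container is sandboxed by gVisor only when started with `docker run --runtime=runsc ...`; containers started without that flag still use the default `runc` runtime and the host kernel, so check `docker inspect` for the runtime actually in use.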
Just toyed a bit with Singularity in a CentOS 8 container. It seems... to work, so that's interesting. However, while it can use Docker Hub images and it's pretty similar, it's not a drop-in replacement (however, it seems Kubernetes can be configured to use it, so maybe you could run Kubernetes in an LXC container using Singularity?).

However, non-root usage doesn't seem to work.