[SOLVED] Trying to install Docker on an LXC container but I get an error when I try to start a Docker container

Almog2929

New Member
Mar 24, 2021
Hi, I am trying to install Docker on an LXC container with an Ubuntu server template. The Docker installation was successful, but when trying to run a container I get this error:

root@Docker:~# docker run hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: rootfs_linux.go:60: mounting "proc" to rootfs at "/proc" caused: permission denied: unknown.
ERRO[0001] error waiting for container: context canceled

I am not sure if this is a problem with Proxmox or with Docker; I think that it's something Proxmox related.
Thanks to anyone who can help.
 
I run docker in a Debian LXC container. That runs fine. I had to set options -> features -> nesting on for it to work though, but I also used bind mounts so not sure if that is related to your problem.
 
> I run docker in a Debian LXC container. That runs fine. I had to set options -> features -> nesting on for it to work though, but I also used bind mounts so not sure if that is related to your problem.
You are right. Nesting and keyctl should be enabled: Datacenter -> YourNode -> YourLXC -> Option -> Features
 
Yes, keyctl if it's unprivileged. IIRC, USERID remapping became too complicated with unprivileged containers and bind mounts so I skipped that. It's only a homelab with me as the only login user anyway.
 
> Yes, keyctl if it's unprivileged. IIRC, USERID remapping became too complicated with unprivileged containers and bind mounts so I skipped that. It's only a homelab with me as the only login user anyway.
Yeah, that remapping is really a pain. Maybe I should create some kind of online calculator for that.
If all of your containers aren't accessible from the internet, privileged LXCs are fine, but otherwise I personally would only use unprivileged LXC or, better, VMs for even more isolation. I wasn't sure if I would later need to add some web service Docker containers, so I created an unprivileged one for my homelab.
 
> I run docker in a Debian LXC container. That runs fine. I had to set options -> features -> nesting on for it to work though, but I also used bind mounts so not sure if that is related to your problem.
Thank you all for the feedback. It appears that enabling nesting just immediately fixed the problem. Thank you so, so much!
 
> I run docker in a Debian LXC container. That runs fine. I had to set options -> features -> nesting on for it to work though, but I also used bind mounts so not sure if that is related to your problem.
This fixed mine as well. My container is privileged; when I unchecked "unprivileged", it greyed out "nesting" so that I could not check it.

After the container is created, the nesting option checkbox is no longer greyed out, and can be selected.

I'm not sure if that behavior is by design or if it's a bug.
 
> I'm not sure if that behavior is by design or if it's a bug.
This is actually intended behaviour in the sense that it is trying to tell you that this is something that you really should not be doing.
While running a privileged container puts your host system at risk, this risk is worsened by making the container nested. Enabling nesting, like you stated, can still be done in the Options of the container. However, this is only possible as root.
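
An added example, not part of the thread or of Proxmox's own tooling: a small audit of the three settings discussed above (unprivileged, nesting, keyctl). It assumes the plain `key: value` container config text format that a Proxmox host normally keeps in /etc/pve/lxc/<vmid>.conf; the function name, verdict strings and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a container config on stdin and
# reports the settings the thread discusses, plus a verdict.
classify_lxc_conf() {
    awk '
        /^\[/ { exit }    # snapshot sections start here; only the live config counts
        $1 == "unprivileged:" { unpriv = ($2 == "1") }   # key absent means privileged
        $1 == "features:" {
            v = $0
            sub(/^features:[ \t]*/, "", v)
            gsub(/[ \t]/, "", v)
            n = split(v, item, ",")
            for (i = 1; i <= n; i++) {
                if (item[i] == "nesting=1") nesting = 1
                if (item[i] == "keyctl=1")  keyctl = 1
            }
        }
        END {
            if (!nesting)     verdict = "missing-nesting"         # the /proc mount error in the first post
            else if (!unpriv) verdict = "risk-privileged-nested"  # combination the last reply warns about
            else if (!keyctl) verdict = "missing-keyctl"          # thread: enable keyctl when unprivileged
            else              verdict = "ok"
            printf "unprivileged=%d nesting=%d keyctl=%d verdict=%s\n", unpriv, nesting, keyctl, verdict
        }'
}

# Constructed sample configs (not taken from any real host).
sample_unpriv_ok='arch: amd64
hostname: Docker
unprivileged: 1
features: keyctl=1,nesting=1'

# Privileged and nested; the snapshot section below must not change the result.
sample_priv_nested='arch: amd64
hostname: Docker
features: nesting=1
[before-upgrade]
unprivileged: 1
features: keyctl=1,nesting=1'

sample_default='arch: amd64
hostname: Docker
unprivileged: 1'

for s in "$sample_unpriv_ok" "$sample_priv_nested" "$sample_default"; do
    printf '%s\n' "$s" | classify_lxc_conf
done
```

On a host, the same function can be fed each container's config file on stdin; the `risk-privileged-nested` verdict marks the combination described in the reply above as worsening the risk to the host.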
 
