Unprivileged LXC, Docker - Nginx cannot use UNIX sockets to talk to php7.4 module inside a docker container.

[baudneo]

I use LXC mainly in my current setup to allow distribution of a GPU. This is the only snag I have hit that I cannot figure out by doing my own research. Unpriv LXC Ubuntu 20.04 with 'Nesting' and 'keyctl' options enabled. I have deployed a docker image that utilizes the passed through GPU and that all works but I cannot use a docker image that runs a web service inside of it. When I use the docker image on a bare metal host, it works as expected, so I know the image is fine and it is just some setting in the unpriv LXC.

The LXC is using Nginx to communicate with php7.4 by using a UNIX socket. I can't get any good info via the docker logs, all it says is that Nginx is trying to talk to PHP via a UNIX socket and times out. Is there something else I should be enabling? I see FUSE and Device creation but I don't think those apply to the situation?

Has anyone else come across this or is there a configuration I am missing? Sorry if this is vague it is hard to articulate the problem.

 

[baudneo]

It turned out to be a permission issue on the host. IDK if it can be handled better using subuid mapping? root in the unpriv LXC is 0, on the host it is 100000 (Follow up question about u/gid). I had to change the perms on the /dev/bus/usb/00x/00x device to allow 100000 rw access to the file node. I can make a udev rule to map the TPU to /dev/bus/usb/tpu<x> and give the proper permissions so it persists, but, is there a better way?

Bonus question: I have 2 unpriv LXC and I had tried to map the 2nd unpriv subuid and subgid to 200000+65536. This did not work, I have both unpriv LXC mapped to 100000+65536 and things work. If I try and map the 2nd LXC to 200000+65536 the container has massive issues, root PW does not work, everything is owned by nobody:nogroup. How can this be accomplished? I am assuming its something trivial I am misunderstanding?