Working install of Docker-CE in LXC unprivileged container in Proxmox
Like many others it took me some time to figure out how to have a working Docker-CE installation inside an unprivileged LXC container created on my Proxmox server. I currently run Proxmox v.5.3-6.
I considered that it might be interresting to summarize my thoughts with others in search of a similar config. So here is how Docker-CE was successfully installed for me on Ubuntu 16.04, Ubuntu 18.04 and Debian 9.6.
create an unprivileged LXC container in Proxmox based on the the template of your choice
apt-get update & apt-get upgrade (eventually 2x if you get an « unable to fetch some archives… » message in the end)
install curl if it was not provided by the distribution
curl -fsSL https://download.docker.com/linux/ 20
edit /etc/apt/sources.list and add the appropriate repository from docker :
deb [arch=amd64] https://download.docker.com/linux/debian 8 stretch stable
deb [arch=amd64] https://download.docker.com/linux/ubuntu 6 xenial stable
apt-cache policy docker-ce to ensure that a package for docker-ce is available
apt-get install docker-ce
systemctl status docker
should return « Active (running) »
In case not (trick #1), work around the systemd bug by adding an “ExecStartPre=” to containerd service.
This link 13 has a clear explanation of the steps:
a) mkdir -p /etc/systemd/system/containerd.service.d
b) echo -e “[Service]\nExecStartPre=\n” > /etc/systemd/system/containerd.service.d/override.conf
c) systemctl daemon-reload
d) systemctl start docker
e) systemctl enable docker
Now the docker daemon should be OK ; it’s time for the second error:
docker run hello-world returns an error « mounting proc to rootfs…permission denied »
Fix it (trick #2) by inserting manually a line containing the following :
in the config file of your LXC as documented in this Proxmox doc 61.
In Proxmox you find the LXC config here: /etc/pve/local/lxc/
So you have to do it via an SSH connection directly into your Proxmox host.
stop/start the LXC container
docker run hello-world gives you « Hello from Docker ! » now.
However I can hardly appreciate whether “keyctl=1,nesting=1” could be regarded as a security concern of not. Maybe Stéphane can provide some light on this question.