Proxmox - Guests (VMs and Containers) - Docker - Methods for running Docker containers in Proxmox - Docker in LXC unprivileged container
ALERT: This method should not be used in a production environment.
NOTE: This is more secure than a privileged container, but the overrides used below weaken it again; read the caveats before relying on it.
- Processes inside the container appear to run as root, but on the host they run under an unprivileged user id. With the mapping Proxmox writes for a new unprivileged container, container uid 0 is host uid 100000, container uid 1000 is host uid 101000, and so on.
- A user namespace does the mapping: the container's ids are translated onto a dedicated range of host ids, so the container never holds a real host root id.
- Non-root users can create unprivileged containers; a process that is root inside such a container is an ordinary user on the host, for example uid 100000.
- Container uid 0 is mapped to an unprivileged user on the host.
- A container breakout is still serious, but far less damaging than a breakout from a privileged container, because the escaping process holds host uid 100000 rather than host uid 0.
- The security model does not depend on SELinux, AppArmor, Seccomp or capability dropping; the user namespace alone keeps container root from being host root.
- LXC still applies those mechanisms as an extra layer, which helps in the event of a kernel bug, but the model is not enforced by them. The config overrides later on this page switch most of that layer off.
- Unprivileged containers can cause compatibility and permission problems, mostly because ids inside the container do not line up with ids on the host. Issues include:
- Mounting NFS shares from inside the container: an unprivileged container is not allowed to perform the mount, and files owned by host uids outside the mapped range show up inside the container as nobody (uid 65534).
- You can mount the share on the Proxmox host and bind it into the container as a mount point, but the container then can no longer be migrated.
- Using the host network and binding to a port below 1024.
- Running network services such as DNS or NTP that need privileged ports or raw sockets.
- Writing to parts of the host file system that require root, since container root is host uid 100000.
- Using a VPN client in the container, which needs /dev/net/tun and is not available by default.
- Enabling the nesting and keyctl options on the unprivileged container (Options → Features) fixes many of these issues; Proxmox documents keyctl as required for running Docker inside a container, because systemd inside the container treats a missing keyctl() syscall as a fatal error.
- This method should not be used in production.
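The id translation described above, and the NFS ownership problem that follows from it, are easier to see with numbers. The script below is an added example, not part of the original page or of Proxmox: it reads the container's idmap (the default here is the mapping Proxmox writes for a new unprivileged container, "u 0 100000 65536" and "g 0 100000 65536"; set IDMAP to the container's own lxc.idmap lines to check a remapped container) and answers "which host id is this container id?" and "what does this host-owned file look like inside the container?". Host ids outside the map are reported inside the container as the kernel overflow id 65534, which is why a share owned by host uid 1000 appears as nobody.

```shell
#!/bin/sh
# Added example (not from the original page): translate uids/gids between an
# unprivileged container and the Proxmox host using the container's idmap.
# Assumption: IDMAP holds lines in lxc.idmap form "<u|g> <ctstart> <hoststart> <count>".
# Default below is what Proxmox writes for a new unprivileged container.
if [ -z "${IDMAP:-}" ]; then
  IDMAP='u 0 100000 65536
g 0 100000 65536'
fi
# Kernel overflow id: what an unmapped host id looks like from inside the container.
OVERFLOW_ID=65534

# host_id TYPE ID: host id for container id ID (TYPE is u or g),
# or "unmapped" if no range of that type covers it.
host_id() {
  _type=$1; _cid=$2; _out=unmapped
  while read -r type cstart hstart count; do
    [ "$type" = "$_type" ] || continue
    if [ "$_cid" -ge "$cstart" ] && [ "$_cid" -lt $((cstart + count)) ]; then
      _out=$((hstart + _cid - cstart))
    fi
  done <<EOF
$IDMAP
EOF
  echo "$_out"
}

# container_id TYPE ID: the id that host id ID appears as inside the container;
# host ids not covered by the map become the overflow id (nobody/nogroup).
container_id() {
  _type=$1; _hid=$2; _out=$OVERFLOW_ID
  while read -r type cstart hstart count; do
    [ "$type" = "$_type" ] || continue
    if [ "$_hid" -ge "$hstart" ] && [ "$_hid" -lt $((hstart + count)) ]; then
      _out=$((cstart + _hid - hstart))
    fi
  done <<EOF
$IDMAP
EOF
  echo "$_out"
}

# Demonstration: container root, a container user, and files owned by
# host uid 1000 (e.g. an NFS share mounted on the host and bound into the CT).
main() {
  echo "container root (uid 0)            -> host uid $(host_id u 0)"
  echo "container user (uid 1000)         -> host uid $(host_id u 1000)"
  echo "container uid 70000               -> host uid $(host_id u 70000)"
  echo "host uid 1000 (share owner)       -> container uid $(container_id u 1000)"
  echo "host uid 100000                   -> container uid $(container_id u 100000)"
}
main
```

To check a real container, run it on the Proxmox host with the container's own map, for example IDMAP="$(grep '^lxc.idmap' /etc/pve/lxc/101.conf | cut -d' ' -f2-)" sh idmap.sh (the grep/cut form is an assumption about the config layout; adjust it if the container uses custom mappings). Whenever container_id prints 65534 for the owner of a bind-mounted directory, the container cannot write to it without either chowning the directory on the host into the 100000+ range or adding an explicit lxc.idmap entry for that id.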
Add Kernel Modules
On the Proxmox host, edit /etc/modules-load.d/modules.conf so that the overlay kernel module (and, for the legacy aufs storage driver, aufs) is loaded at boot. Only overlay is strictly needed, because /etc/docker/daemon.json below selects the overlay2 storage driver; the aufs driver is deprecated in Docker and the module is not shipped with every Proxmox kernel, in which case the loader simply logs an error for it.
- /etc/modules-load.d/modules.conf
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
aufs
overlay
Restart the Proxmox host, or load the module immediately with modprobe overlay and confirm with lsmod | grep overlay.
Create an LXC container
NOTE: Use whatever resources and template you want; the install commands below assume a Debian-based template.
- Ensure that unprivileged container is checked.
- Do not start the container yet.
In Proxmox, edit /etc/pve/lxc/{id}.conf, where {id} is the ID given to your container, and append:
- /etc/pve/lxc/{id}.conf
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
lxc.mount.auto:
WARNING: These four lines remove most of the extra layer LXC normally adds: the AppArmor profile is switched off, every device node is allowed, no capabilities are dropped, and LXC's automatic proc/sys/cgroup mounts are disabled. After this, the uid mapping is the only thing separating container root from the host. On hosts using cgroup v2 (the default from Proxmox VE 7 onwards) the device line must be lxc.cgroup2.devices.allow: a, since the lxc.cgroup.* keys apply to the v1 hierarchy only. Try the container with only the nesting and keyctl features enabled first and add these overrides only if Docker does not start.
Start the container.
In the container, create /etc/docker/daemon.json with the following contents:
- /etc/docker/daemon.json
{
  "storage-driver": "overlay2"
}
Install Docker
Inside the container, add Docker's repository and install the packages. The original apt-key add step is replaced here by a signed-by keyring, so Docker's signing key is trusted only for Docker's repository rather than for every repository on the system (apt-key is deprecated and no longer shipped on current Debian releases).
apt-get update
apt-get install -y ca-certificates curl gnupg
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io
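The host-side part of the procedure above (kernel modules, then the config overrides for one container) is easy to get wrong by hand: the lines get appended twice, the wrong cgroup key is used on a cgroup v2 host, or they are added to a privileged container where they would be outright dangerous. The script below is an added example, not code from the original page or from Proxmox. It assumes the Proxmox paths /etc/modules-load.d/modules.conf and /etc/pve/lxc/<id>.conf, detects cgroup v2 by checking whether /sys/fs/cgroup is a cgroup2fs mount, refuses to touch a container that is not marked unprivileged: 1, and is idempotent so it can be run again safely. CTID is an environment variable this example introduces; the functions can also be exercised against temporary files.

```shell
#!/bin/sh
# Added example (not from the original page): prepare a Proxmox host for
# Docker in an unprivileged LXC container. Assumptions: Proxmox paths
# /etc/modules-load.d/modules.conf and /etc/pve/lxc/<id>.conf, cgroup v2 when
# /sys/fs/cgroup is a cgroup2fs mount (Proxmox VE 7 default), and CTID holds
# the container id when run for real. Run before the container is started.

# cgroup_version: print 2 on a unified (cgroup v2) host, otherwise 1.
cgroup_version() {
  if [ "$(stat -fc %T /sys/fs/cgroup 2>/dev/null)" = cgroup2fs ]; then
    echo 2
  else
    echo 1
  fi
}

# ensure_line FILE LINE: append LINE to FILE unless an identical line is present.
ensure_line() {
  [ -f "$1" ] || : > "$1"
  grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# ensure_modules FILE: load overlay at boot (plus legacy aufs as on the page).
ensure_modules() {
  for m in overlay aufs; do
    ensure_line "$1" "$m"
  done
}

# docker_lxc_overrides VERSION: print the override lines for cgroup v1 or v2.
# These disable AppArmor confinement, allow every device node and stop LXC
# from dropping capabilities; the uid map is then the only remaining barrier.
docker_lxc_overrides() {
  case "$1" in
    2) allow_key=lxc.cgroup2.devices.allow ;;
    *) allow_key=lxc.cgroup.devices.allow ;;
  esac
  printf '%s\n' \
    'lxc.apparmor.profile: unconfined' \
    "$allow_key: a" \
    'lxc.cap.drop:' \
    'lxc.mount.auto:'
}

# apply_overrides CONF VERSION: append the overrides to CONF exactly once.
# Refuses privileged containers: there the same lines would hand host root
# unconfined access to every device on the host.
apply_overrides() {
  if ! grep -qx 'unprivileged: 1' "$1"; then
    echo "$1: not an unprivileged container, refusing to add overrides" >&2
    return 1
  fi
  docker_lxc_overrides "$2" | while IFS= read -r line; do
    ensure_line "$1" "$line"
  done
}

# Real run on the host: CTID=101 sh prepare-docker-ct.sh
if [ -n "${CTID:-}" ]; then
  ensure_modules /etc/modules-load.d/modules.conf
  apply_overrides "/etc/pve/lxc/$CTID.conf" "$(cgroup_version)" \
    && echo "CT $CTID prepared for cgroup v$(cgroup_version); reboot or modprobe overlay, then start the CT"
fi
```

The privileged-container check is the one a practitioner should not skip: lxc.cap.drop: with an empty value and lxc.cgroup.devices.allow: a are tolerable only because container root is host uid 100000; in a privileged container they amount to giving host root to everything inside it. The check is limited to what the file says (unprivileged: 1) and does not verify that an idmap is actually in effect, so it is a guard against a typo in the container id, not a substitute for reviewing the config.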
proxmox/guests_vms_and_containers/docker/methods_for_running_docker_containers_in_proxmox/docker_in_lxc_unprivileged_container.txt · Last modified: 2021/07/05 01:16 by peter