In relation to http://www.solaris-cookbook.eu/linux/debian-proxmox-install-docker-with-rancher-and-dockerui-webgui/
I thought that it actually may make more sense to run Rancher and my Docker inside an LXC container rather than on the initial host itself.
The container provides me still with near to physical host performance but I am able to start and stop on demand and allocate resources for more docker apps as needed without impacting other guests.
A default LXC does not allow docker to run inside. In order to do so, once the container has been created (for example CT100) I had to:
cd /etc/pve/lxc
where I see my lxc container configurations. Stop the container in question, and vi the config file
vi 100.conf
it will look a bit like this where all I did was to add the part after “#insert docker part below”
arch: amd64 cores: 1 hostname: RancherServer memory: 3088 net0: name=eth0,bridge=vmbr0,gw=xxx.xxx.xx.x,hwaddr=xx:xx:xx:xx:xx:xx,ip=xxx.xxx.xx.xx/24,type=veth onboot: 0 ostype: ubuntu rootfs: local-zfs:subvol-100-disk-1,size=30G swap: 512 #insert docker part below lxc.apparmor.profile: unconfined lxc.cgroup.devices.allow: a lxc.cap.drop:
Update 2018-04-10
replaced the old
lxc.aa_profile: unconfined with the new lxc.apparmor.profile: unconfined
Save and then start the container.
You can now login to the container and install docker and or Rancher as per guide here
Thanks for the guide, unfortunately its not working for me. On an ubuntu 14.04 container I get the following:
sudo docker run –rm hello-world
FATA[0001] Error response from daemon: Cannot start container f633a6f01535b4776be46690c04bb6a71ebd6ca065ebe56f26ad5d655d177917: [8] System error: mountpoint for cpu not found
Any advice or other tricks to get it to work? Cheers
I’m still looking into this.
It doesn’t work with a new CT I created but works with my existing CT.
Ok it works flawless with Ubuntu 16.04 CT. Something is broken with 14.04 Docker. I suggest you try install Docker from their website.
But what about security?
This is strictly a “why? Because I can” scenario and has any sort of security excluded.
This solution is only as secure as docker is in particular under LXC.
I use docker as a test platform and would never put it into production public web as i think security in docker is assumed.
2 controversial statements below, have a look and consider for yourself.
https://security.stackexchange.com/questions/106860/can-a-root-user-inside-a-docker-lxc-break-the-security-of-the-whole-system
https://www.slideshare.net/jpetazzo/is-it-safe-to-run-applications-in-linux-containers
on my proxmox frontend CT appears as stopped (greyed out) even when started.
this only happens when I modify conf file with your proposed settings.
have you faced this problem?
No I cant really confirm that behavior.
including latest update from tonight it works well.
Rancher100 is my modified container
https://uploads.disquscdn.com/images/48a124f6edb3cb57120fc56f58231b4cca233e853dc262aec3e5918e3c03b41c.png
https://uploads.disquscdn.com/images/48a124f6edb3cb57120fc56f58231b4cca233e853dc262aec3e5918e3c03b41c.png
No I cant really confirm that behavior.
including latest update from tonight it works well.
Rancher100 is my modified container
Hi,
the footprint of LXC base Debian/Ubuntu is relativ large compared to Alpine Linux. Therefore I would prefer to install Docker / Rancher in a LXC based on Alpine.
What do you think?
In theory yes I agree. You could also go straight into RacherOS which is supposed to be also very low in footprint.
I use Ubuntu/Debian as base mostly cause those are my preferred flavors and I know in and out how to manage them.
never mind ^^^^ silly comment. there is no rancherOS for LXC. So you would be right that Alpine may be the best / most performant solution.
[…] https://www.solaris-cookbook.eu/virtualisation/proxmox/proxmox-lxc-running-docker-inside-container/ […]
[…] Proxmox / LXC – Running docker inside a container […]
[…] Da wir das ganze in einem LXC installieren möchten, gibt es vor dem ersten Start eines Containers jedoch eine zusätzliche Maßnahme zu treffen. Dazu einfach in die Konfigurationsdatei des LXC (z.B.: 100.conf) folgende Zeilen hinzufügen (nachzulesen unter https://www.solaris-cookbook.eu/virtualisation/proxmox/proxmox-lxc-running-docker-inside-container): […]
[…] Da wir das ganze in einem LXC installieren möchten, gibt es vor dem ersten Start eines Containers jedoch eine zusätzliche Maßnahme zu treffen. Dazu einfach in die Konfigurationsdatei des LXC (z.B.: 100.conf) folgende Zeilen hinzufügen (nachzulesen unter https://www.solaris-cookbook.eu/virtualisation/proxmox/proxmox-lxc-running-docker-inside-container): […]