Can You Run Docker Images on LXD Cloud Hosts?

Is there any way to configure the local LXD cloud so that you can run Docker containers on it?

I am getting an error when running a container:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"rootfs_linux.go:109: jailing process inside rootfs caused \\\"permission denied\\\"\"": unknown.

Hey @zicklag, do you mean running docker containers in a charm deployed on lxd? If so, that should work fine.

Could you share a bit about your setup such as the Juju version and what you’re trying to deploy?

I’m using Juju 2.7.0-bionic-amd64. I have a Bionic Vagrant VM that I am doing development in. I have Juju installed in that VM and I am using the localhost LXD cloud.

I’m attempting to deploy a charm that installs the Docker snap and then runs docker containers. Docker installs fine, but containers fail to run with the message above.

LXD is installed with the snap, too.

To test, I created a new LXD container with lxc launch ubuntu:18.04 test, exec'ed into it and installed the docker.io Apt package, and I got a similar permission denied error message when running containers.

Ah, looks like this post has the answer:

https://discuss.linuxcontainers.org/t/having-trouble-using-docker/383

The question then is can you tell Juju to spin up LXD containers with nesting enabled?

Thanks for the details! I am out of office so don’t have any solutions but I just want to confirm that I am running the same setup with Juju inside Vagrant, only difference is my Vagrant box is 16.04 and I install LXD via apt from xenial backports. I don’t have to tweak anything so I think you might be on the right track with LXD.


OK, I’ve verified that you can set security.nesting=true (and security.privileged=true, but I don’t think that one is required) and Docker can be used inside of LXD, but it only works with the Apt docker package and not the Docker snap.

I don’t know what the problem the snap has is coming from. I’ll probably open a topic on the snapcraft forum for that.

Also, you can set the LXD profile for a charm in lxd-profile.yaml in the charm directory (reference), so doing this should work (not fully tested by me yet):

lxd-profile.yaml:

config:
  security.nesting: "true"
  # Shouldn't be needed, but I haven't tested without it yet
  security.privileged: "true"
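A small audit script for that lxd-profile.yaml, added here as an example and not part of the thread: it reads the two LXD keys the profile sets and reports whether nesting is on (what Docker-in-LXD actually needs) and whether the container is also being made privileged (not needed for this, and the kind of setting Juju may push back on). It assumes a flat config: mapping like the one above and uses no YAML parser; the function names profile_value and profile_audit are my own.

```shell
#!/bin/sh
# Example (not from the thread): audit a charm's lxd-profile.yaml for
# the two LXD keys discussed above. Assumes a flat "config:" mapping.

# profile_value FILE KEY -> prints KEY's value (quotes stripped) or "unset"
profile_value() {
  file=$1
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for sed
  # match "<indent>key: value" or "<indent>key: \"value\""; ignore commented lines
  val=$(sed -n "s/^[[:space:]]*${key_re}:[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\).*$/\1/p" "$file" | head -n1)
  if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# profile_audit FILE -> exit status:
#   0  nesting on and container stays unprivileged
#   1  security.nesting missing/false: Docker in the container hits "permission denied"
#   2  security.privileged is true: works, but widens what the container can reach
profile_audit() {
  nesting=$(profile_value "$1" security.nesting)
  privileged=$(profile_value "$1" security.privileged)
  if [ "$nesting" != "true" ]; then
    echo "security.nesting is $nesting: Docker inside this LXD container will fail to start"
    return 1
  fi
  if [ "$privileged" = "true" ]; then
    echo "security.privileged is true: not required for Docker; drop it unless you need it"
    return 2
  fi
  echo "profile OK: nesting enabled, container stays unprivileged"
  return 0
}

# Usage: sh audit.sh path/to/charm/lxd-profile.yaml
if [ $# -eq 1 ]; then profile_audit "$1"; fi
```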

Yes, you can set the lxd-profile. One note is that Juju encourages best practices and so you might find some settings cause Juju to not allow it without a --force flag on deploy.


Juju sets

config:
  security.nesting: "true"

for juju lxd machines by default.


Ah, my problem must have been the Docker snap in the first place then, so I probably don’t need any extra config.