1

I'm trying to run a Docker container inside an LXC container. However, doing so causes me to get the following error:

[root@DH-DockerLXC01 alex]# docker run fedora bash
docker: Error response from daemon: OCI runtime create failed: container_linux.go:337: starting container process caused "apply caps: operation not permitted": unknown.
ERRO[0001] error waiting for container: context canceled

I presume I need to set some configuration to be more permissive, but since I've created the LXC container with virt-manager I'm not sure where to start.

Note that the LXC container is using a chroot for storage, which AFAIK should allow docker to use full AUFS without any problems, but if I'm wrong please correct me.

Alex
  • 389
  • 9
  • 23

3 Answers

1

For privileged LXC managed by Proxmox this solution helps:

lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

Take care with security! Source: Running Docker on Proxmox

niziak
  • 31
  • 2
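A small audit of the three settings quoted in the answer above, as an added example (it is not the answer's code and not part of Proxmox): it parses a Proxmox-style container config and reports which isolation layer each setting switches off, so the trade-off behind "take care with security" is visible before the container is started. The config text is constructed; lxc.cgroup2.devices.allow is the LXC key used on cgroup v2 hosts and is checked alongside the v1 key from the answer.

```python
"""Audit a Proxmox-style LXC container config (/etc/pve/lxc/<id>.conf) for
the three permissive settings quoted in the answer above.
Added example: not the answer's code and not part of Proxmox."""

from typing import Dict, List

# Constructed sample config after the answer's settings have been applied.
SAMPLE_CONFIG = """\
arch: amd64
cores: 2
hostname: docker-host
memory: 2048
# settings from the answer
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
"""


def parse_lxc_config(text: str) -> Dict[str, List[str]]:
    """Parse 'key: value' lines into key -> list of values.

    Keys may repeat (LXC treats repeated lxc.* keys as a list), and an empty
    value is kept as "" because an empty 'lxc.cap.drop:' is itself significant.
    """
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        entries.setdefault(key.strip(), []).append(value.strip())
    return entries


def audit_lxc_config(text: str) -> List[str]:
    """Return one finding per isolation layer the config switches off."""
    cfg = parse_lxc_config(text)
    findings: List[str] = []

    if "unconfined" in cfg.get("lxc.apparmor.profile", []):
        findings.append("apparmor: profile 'unconfined' removes MAC confinement")

    # 'lxc.cgroup2.devices.allow' is the LXC key used on cgroup v2 hosts.
    for key in ("lxc.cgroup.devices.allow", "lxc.cgroup2.devices.allow"):
        if "a" in cfg.get(key, []):
            findings.append(f"devices: {key} = a lifts the device cgroup allowlist")

    # An empty value clears the list of capabilities dropped at container start.
    if "" in cfg.get("lxc.cap.drop", []):
        findings.append("capabilities: empty lxc.cap.drop clears the default drop list")

    return findings


if __name__ == "__main__":
    for finding in audit_lxc_config(SAMPLE_CONFIG):
        print(finding)
```

Running it over a real config is a matter of passing the file's contents to audit_lxc_config; an empty result means none of the three settings is present.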
0

J.F.Y.I.

  • tl;dr: Check the "Virtualization" settings in the BIOS.

On my Proxmox machine, after upgrading the RAM, it turned out that this error occurred because the "Virtualization" setting in the BIOS had been "disabled" for some reason.

I turned it to "Enable" and it started to work again. Dah.

  • OS: Proxmox VE 7.4-4 (Debian GNU/Linux 11, bullseye)
  • Motherboard: GA-880GM-USB3 Rev. 1.1

KEINOS
  • 1
  • 1
0

As it turns out, LXC, by default, will not allow containers to have the CAP_MKNOD capability, as it could theoretically allow a container to take over a host. This can be overridden, but it's not very well documented. Based on a pull request from 2015 in a mailing list, I've been able to piece together a bit of XML that does it. You just have to edit the container definition, which is located in /etc/libvirt/lxc/[container name]/

<features>
  <capabilities policy='allow'>
    <mknod state='on'/>
  </capabilities>
</features>

Note that the file may already contain a <features> definition; in that case, paste the <capabilities> section inside it. You may have to restart libvirt before it takes effect with systemctl restart libvirtd.service (this will not restart existing containers or VMs, only the service).

Alex
  • 389
  • 9
  • 23
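The merge described in the answer above (pasting the capabilities block into a <features> element that may already exist), as an added example that is not the answer's code and not part of libvirt. It reuses an existing <features> or <capabilities> element instead of duplicating it, keeps any policy attribute already set, and only turns on mknod. The answer creates the element with policy='allow', which grants every capability not explicitly turned off; this example's default of policy='default' (libvirt's default set plus mknod) is the author's choice, and the sample domain XML is constructed.

```python
"""Merge the <features>/<capabilities> block from the answer above into a
libvirt LXC domain definition, handling the case where the file already
has a <features> element.  Added example: not the answer's code and not
part of libvirt.  The sample domain XML is constructed."""

import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: a minimal libvirt LXC domain that already has <features>.
SAMPLE_DOMAIN_XML = """\
<domain type='lxc'>
  <name>docker-lxc-example</name>
  <memory unit='KiB'>1048576</memory>
  <os><type>exe</type><init>/sbin/init</init></os>
  <features>
    <privnet/>
  </features>
  <devices>
    <filesystem type='mount'>
      <source dir='/srv/lxc/docker-lxc-example/rootfs'/>
      <target dir='/'/>
    </filesystem>
  </devices>
</domain>
"""


def enable_mknod(domain_xml: str, policy: str = "default") -> str:
    """Return the domain XML with <mknod state='on'/> under features/capabilities.

    Existing <features> and <capabilities> elements are reused, never duplicated,
    and an existing policy attribute is left alone.  'policy' is only used when
    the <capabilities> element has to be created; the answer uses 'allow'.
    """
    root = ET.fromstring(domain_xml)
    features = root.find("features")
    if features is None:
        features = ET.SubElement(root, "features")
    caps = features.find("capabilities")
    if caps is None:
        caps = ET.SubElement(features, "capabilities", policy=policy)
    mknod = caps.find("mknod")
    if mknod is None:
        mknod = ET.SubElement(caps, "mknod")
    mknod.set("state", "on")
    if hasattr(ET, "indent"):  # Python 3.9+: keep the rewritten file readable
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def mknod_state(domain_xml: str) -> Optional[str]:
    """State attribute of features/capabilities/mknod, or None when absent."""
    node = ET.fromstring(domain_xml).find("features/capabilities/mknod")
    return None if node is None else node.get("state")


def capabilities_policy(domain_xml: str) -> Optional[str]:
    """Policy attribute of features/capabilities, or None when absent."""
    node = ET.fromstring(domain_xml).find("features/capabilities")
    return None if node is None else node.get("policy")


def features_count(domain_xml: str) -> int:
    """Number of <features> elements in the domain (should stay 1 after merging)."""
    return len(ET.fromstring(domain_xml).findall("features"))


if __name__ == "__main__":
    print(enable_mknod(SAMPLE_DOMAIN_XML))
```

Rather than editing the file under /etc/libvirt/lxc by hand, the usual route is to feed the output of virsh dumpxml through enable_mknod and load the result back with virsh define, which validates the XML and makes the service restart mentioned in the answer unnecessary.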