I am running Docker containers within an LXD container and I have noticed that Docker mounts its own copy of /proc despite the LXD container having container-aware /proc files.
For example:
root@lxdcontainer:~# grep -c processor /proc/cpuinfo
1
root@lxdcontainer:~# grep MemTotal /proc/meminfo
MemTotal: 488280 kB
root@lxdcontainer:~# docker run -it ubuntu bash
root@fcd00479a2c1:/# grep -c processor /proc/cpuinfo
56
root@fcd00479a2c1:/# grep MemTotal /proc/meminfo
MemTotal: 263758600 kB
As you can see above, the LXD container has been allocated 1 CPU core and about 500MB of memory. However, a Docker container that is run inside this LXD container seems to think it has access to all 56 cores and 256GB of memory on the bare metal host.
I have tried using LXCFS as shown below:
docker run -it \
-v /var/lib/lxcfs/proc/cpuinfo:/proc/cpuinfo:rw \
-v /var/lib/lxcfs/proc/diskstats:/proc/diskstats:rw \
-v /var/lib/lxcfs/proc/meminfo:/proc/meminfo:rw \
-v /var/lib/lxcfs/proc/stat:/proc/stat:rw \
-v /var/lib/lxcfs/proc/swaps:/proc/swaps:rw \
-v /var/lib/lxcfs/proc/uptime:/proc/uptime:rw \
ubuntu:18.04 \
bash
This has worked and the Docker container shows the CPU and memory resources that have been allocated to the LXD container. However, this needs to be manually specified for each Docker container that is launched and this is not feasible when Docker containers are automatically launched (for example, when creating nodes for a custom cluster in Rancher).
My goal is to get all Docker containers running in the LXD container to only see resources that have been allocated to the LXD container and nothing else. Please let me know how I can do so.
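The per-container LXCFS bind mounts shown in the question, generalized into a small wrapper and a check. This is an added example, not code from the original post or from the LXCFS or Docker projects. It assumes LXCFS is mounted at /var/lib/lxcfs inside the LXD container (the path the question uses; override with the hypothetical LXCFS_DIR variable), mounts only the files that actually exist there, and mounts them read-only rather than :rw, since nothing in the container needs to write to /proc/meminfo and friends. The script name docker-lxcfs and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original question): wrap "docker run" so that
# every container started through it gets LXCFS's container-aware /proc
# files bind-mounted in, instead of listing each -v flag by hand.
#
# Assumptions (hypothetical, adjust to your setup):
#   - LXCFS is mounted at /var/lib/lxcfs inside the LXD container, the path
#     used in the question; override with LXCFS_DIR.
#   - Files are mounted :ro. The question used :rw, but the virtualised
#     /proc files are only ever read, so read-only is the safer choice.

LXCFS_DIR="${LXCFS_DIR:-/var/lib/lxcfs}"

# The /proc files LXCFS virtualises. Only those that exist under
# $LXCFS_DIR/proc are mounted, so an older or newer LXCFS still works.
LXCFS_PROC_FILES="cpuinfo diskstats meminfo stat swaps uptime"

# Print one "-v src:dst:ro" pair per available LXCFS file, one per line.
# $1: LXCFS mount point (defaults to $LXCFS_DIR).
lxcfs_mount_args() {
    dir="${1:-$LXCFS_DIR}"
    for f in $LXCFS_PROC_FILES; do
        if [ -r "$dir/proc/$f" ]; then
            printf '%s %s/proc/%s:/proc/%s:ro\n' -v "$dir" "$f" "$f"
        fi
    done
}

# Number of LXCFS files that would be mounted. 0 means LXCFS is not running
# or is mounted elsewhere, and the container would see the host-wide /proc.
lxcfs_available_count() {
    lxcfs_mount_args "$1" | wc -l | tr -d ' '
}

# The same check the question ran by hand: CPU count and MemTotal as
# reported by a given proc directory (/proc, or $LXCFS_DIR/proc).
# Prints "<cpus> <MemTotal in kB>".
proc_resources() {
    cpus=$(grep -c '^processor' "$1/cpuinfo")
    mem=$(awk '/^MemTotal:/ { print $2 }' "$1/meminfo")
    printf '%s %s\n' "$cpus" "$mem"
}

# Run a container with the LXCFS mounts prepended to the caller's own
# "docker run" arguments. Warns instead of failing when LXCFS is absent,
# so the container still starts, just with the host-wide view of /proc.
docker_run_lxcfs() {
    if [ "$(lxcfs_available_count)" -eq 0 ]; then
        echo "warning: no LXCFS files under $LXCFS_DIR/proc;" \
             "container will see host-wide /proc" >&2
    fi
    # Word splitting of the printed "-v src:dst:ro" pairs is intended.
    exec docker run $(lxcfs_mount_args) "$@"
}

# Usage as a script:  ./docker-lxcfs -it ubuntu:18.04 bash
if [ "$#" -gt 0 ]; then
    docker_run_lxcfs "$@"
fi
```

Inside the started container, `proc_resources /proc` should then report the LXD container's allocation (1 CPU, about 488280 kB in the question's setup) rather than the host's 56 cores and 256GB; comparing `proc_resources /proc` against `proc_resources "$LXCFS_DIR/proc"` on the LXD side is a quick way to confirm the mounts took effect. This only covers containers launched through the wrapper; containers started directly by a daemon or orchestrator still need the mounts supplied some other way.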