Docker Snap Doesn't Work in LXD Container

Continuing my previous forum topic in the Juju forum.

I am trying to use the Docker snap inside of an LXD container, but I am getting an error:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"rootfs_linux.go:109: jailing process inside rootfs caused \\\"permission denied\\\"\"": unknown.

I have added the security.nested=true and security.privileged=true config to the LXD profile.

The docker.io Apt package does work inside of the same LXD container.

I’m gonna guess that the reason this doesn’t work is that when the docker snap runs inside the lxd container, it is running under the lxd child profile, and that is denying the dockerd daemon from doing something. Do you see any denials or other suspicious messages in the system journal either inside the lxd container or on the host?
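Two things the reply above asks for can be checked mechanically: whether both LXD keys named in the first post are actually set on the profile, and whether the kernel log carries AppArmor denials from the snap's nested profile. The script below is an added example written for this thread, not code from anyone posting here or from the LXD or Docker projects. The profile dump and the journal lines are constructed samples (the nested profile name in the denial line is an illustration of LXD's `lxd-<container>_<path>//&snap.<name>.<app>` naming, not captured output), and `apply_profile_keys` assumes the `lxc profile set` command form. One caveat: `security.privileged=true` turns off the uid/gid mapping, so root inside the container is root on the host; `security.nested=true` alone is the smaller change, and the denial lines are what tell you whether the larger one is actually needed.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it.
# The helpers work on text you capture yourself (`lxc profile show <name>`,
# `journalctl -k` or `dmesg`), so the samples below run without LXD present.

# Constructed: what `lxc profile show default` prints when only
# security.nested has been set (LXD quotes boolean values as strings).
SAMPLE_PROFILE='config:
  security.nested: "true"
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
name: default'

# Constructed kernel audit lines as `journalctl -k` would show them:
# one AppArmor denial attributed to dockerd running under the container's
# nested profile, one complain-mode line, and one line that is not audit.
SAMPLE_JOURNAL='Jan 06 21:55:39 first kernel: audit: type=1400 audit(1578347739.070:42): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-first_</var/snap/lxd/common/lxd>//&snap.docker.dockerd" name="/" pid=2700 comm="runc:[2:INIT]" flags="rw, rprivate"
Jan 06 21:55:39 first kernel: audit: type=1400 audit(1578347739.071:43): apparmor="ALLOWED" operation="open" profile="snap.docker.dockerd" name="/proc/2700/status" pid=2700 comm="runc"
Jan 06 21:55:39 first systemd[1]: Started Snap Daemon.'

# Print each of the two profile keys from the thread that is not set to
# "true" in the profile dump given as $1; exit 1 when anything is missing.
# Assumes LXD's own output format, i.e. a line like `  security.nested: "true"`.
missing_profile_keys() {
    rc=0
    for key in security.nested security.privileged; do
        if ! printf '%s\n' "$1" | grep -qF "$key: \"true\""; then
            echo "$key"
            rc=1
        fi
    done
    return "$rc"
}

# Print only the AppArmor denial lines from the journal/dmesg text in $1.
apparmor_denials() {
    printf '%s\n' "$1" | grep -F 'apparmor="DENIED"'
}

# Print the distinct AppArmor profile names that produced denials.
# A name of the form lxd-<container>_<...>//&snap.docker.dockerd means the
# denial came from the stacked profile LXD applies to the snap inside the
# container, which is the situation the reply above suspects.
denial_profiles() {
    apparmor_denials "$1" | sed -n 's/.*profile="\([^"]*\)".*/\1/p' | sort -u
}

# Apply both keys to the named profile. Not run here: it needs LXD, and
# security.privileged removes the uid/gid mapping, so it should be a
# deliberate choice taken after the denials have been reviewed.
apply_profile_keys() {
    lxc profile set "$1" security.nested true &&
    lxc profile set "$1" security.privileged true
}

# Stand-alone run against the constructed samples.
echo "Missing profile keys:"
missing_profile_keys "$SAMPLE_PROFILE" || true
echo "AppArmor denials:"
apparmor_denials "$SAMPLE_JOURNAL"
echo "Denying profiles:"
denial_profiles "$SAMPLE_JOURNAL"
```

On a real system, pipe the actual output in: `missing_profile_keys "$(lxc profile show default)"` on the host, and `apparmor_denials "$(journalctl -k --no-pager)"` on the host as well, since the kernel audit log is not visible from inside the container.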

It looks like just a couple lines:

Jan 06 21:55:39 first docker.dockerd[2635]: time="2020-01-06T21:55:39.075482785Z" level=error msg="stream copy error: reading from a closed fifo"
Jan 06 21:55:39 first docker.dockerd[2635]: time="2020-01-06T21:55:39.286016285Z" level=error msg="cc56640421adba74753190df922c446a226e28c7e083f7193782a5c0a0f25282 cleanup: failed to delete container from containerd: no such container"