Privileged Docker container in privileged LXD container

Bug #1599121 reported by blockmurder
This bug affects 10 people
Affects             Status        Importance  Assigned to  Milestone
lxd                 Fix Released  Unknown
docker.io (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Issue description:

Trying to run a privileged docker container in a privileged LXD container. The goal would be to run a rancher/agent:v1.0.2 container, but it does not work with ubuntu:latest either.

Steps to reproduce:

Run a container (ubuntu:16.04, privileged) with the instructions found here: https://www.stgraber.org/2016/04/13/lxd-2-0-docker-in-lxd-712/

Apply lxc profile device add docker tuntap unix-char path=/dev/net/tun to fix the issue discussed here:
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1593301/comments/2

Run docker run -d --name test --privileged ubuntu:latest, which produces the following output:
3d6a5d25c7c9390aeb7a447b86e8cf79b33f5b68948bd0238e58c858c2e57c06
docker: Error response from daemon: Container command not found or does not exist..

Tested with docker.io 1.10.3 and docker.io 1.11.2 (proposed); unprivileged Docker containers are running fine...

This bug has been filed on the LXD GitHub repository as well:
https://github.com/lxc/lxd/issues/2172

LXD Host:
DistroRelease: Ubuntu 14.04 LTS 4.4.0-28-generic
Package: lxd 2.0.2-0ubuntu1~16.04.1

Docker container:
DistroRelease: Ubuntu 14.04 LTS 4.4.0-28-generic
Package: docker.io 1.10.3-0ubuntu6

blockmurder (5-gnfo-m) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in docker.io (Ubuntu):
status: New → Confirmed
Anibal Rivero (anibalrivero) wrote :

LXD Host:
DistroRelease: Ubuntu 16.04 LTS 4.4.0-22-generic
Package: lxd
Version: 2.0.0-0ubuntu4

Docker:
Package: docker.io
Version: 1.10.3-0ubuntu6

Velkan (velkan-s) wrote :

Similar with docker.io 1.12.6-0ubuntu1~16.04.1.

Christian Ehrhardt (paelzer) wrote :

Linked back the LXD issue that was filed as a bug task to get auto-tracking.
But FYI - the status there is currently to wait on docker packaging expertise from here.

Changed in lxd:
status: Unknown → Fix Released
Athos Ribeiro (athos-ribeiro) wrote :

This seems to be fixed since bionic.

From a jammy host, I was able to run a jammy privileged lxc container and within it, run a privileged docker container.

From a jammy host, I was able to run a bionic privileged lxc container and within it, run a privileged docker container.

From a bionic host, I was able to run a bionic privileged lxc container and within it, run a privileged docker container.

For instance:

# lxc launch ubuntu-daily:bionic docker-b-priv -c security.nesting=true

Run the container, install docker, and from within it, run

# docker run --name test --privileged ubuntu:latest echo hello privileges

Which should print
"hello privileges"

Changed in docker.io (Ubuntu):
status: Confirmed → Fix Released
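The verification steps in the comment above, written up as an added regression-check script (this is not code from the report, from LXD or from Docker). It assumes an LXD host with lxc on the PATH, the ubuntu-daily:bionic image alias used in the comment, network access from the container to install docker.io, and that cloud-init is present in the image; it launches the container privileged as the comment describes even though the quoted command only sets security.nesting, and the container name and function names are assumptions. The result is classified against the expected output ("hello privileges") and against the error string from the original description, so the original failure is reported distinctly from any other problem.

```shell
#!/bin/sh
# Regression check for privileged Docker inside a privileged LXD container.
# Run with:  ./check.sh --run     (without --run only the functions are defined)
set -eu

CONTAINER="${CONTAINER:-docker-b-priv}"          # assumed container name
EXPECTED="hello privileges"                      # output quoted in the comment
# Error string from the original bug description; used as the failure signature.
FAILURE_SIG="Container command not found or does not exist"

# Classify the captured output of the privileged `docker run`.
# Returns 0 when the fixed behaviour is observed, 2 when the output matches
# the original bug, and 1 for any other (unknown) failure.
classify_result() {
    case "$1" in
        *"$EXPECTED"*)    return 0 ;;
        *"$FAILURE_SIG"*) return 2 ;;
        *)                return 1 ;;
    esac
}

# Launch a privileged LXD container with nesting enabled and wait for
# cloud-init so apt works (cloud-init in the image is an assumption).
launch_nested() {
    lxc launch ubuntu-daily:bionic "$CONTAINER" \
        -c security.nesting=true -c security.privileged=true
    lxc exec "$CONTAINER" -- cloud-init status --wait >/dev/null
}

install_docker() {
    lxc exec "$CONTAINER" -- sh -c \
        'apt-get update -q && DEBIAN_FRONTEND=noninteractive apt-get install -y -q docker.io'
}

# Same invocation as the comment, with stderr captured so the daemon error
# (if any) reaches the classifier.
run_privileged_test() {
    lxc exec "$CONTAINER" -- \
        docker run --rm --name test --privileged ubuntu:latest echo hello privileges 2>&1 || true
}

main() {
    trap 'lxc delete -f "$CONTAINER"' EXIT   # always clean up the container
    launch_nested
    install_docker
    out=$(run_privileged_test)
    rc=0; classify_result "$out" || rc=$?
    case "$rc" in
        0) echo "PASS: privileged docker works in nested LXD: $out" ;;
        2) echo "FAIL: original bug reproduced: $out" ;;
        *) echo "ERROR: unexpected output: $out" ;;
    esac
    return "$rc"
}

case "${1:-}" in --run) main ;; esac
```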