In this article, we will see how to run Docker inside an unprivileged container in Proxmox. At Bobcares, with our Proxmox Support Services, we can handle your Proxmox issues.

How to run Docker inside an unprivileged container in Proxmox?

The process of running Docker inside an unprivileged container in Proxmox includes the following steps:

• Configuring Proxmox
• Making an unprivileged LXC container
• Installing Docker in LXC
• Testing Docker

Let’s see each step in detail.

Configuring Proxmox

1. We have to enable the overlay and aufs* in Proxmox. This is done to support Docker-LXC-Nesting.

echo -e "overlay\naufs" >> /etc/modules-load.d/modules.conf

2. In order to verify the modules are active, we have to reboot the Proxmox using the below code:

lsmod | grep -E 'overlay|aufs'

Making an unprivileged LXC container

We can use web UI or shell script to make an unprivileged LXC container. (Follow the Proxmox docs to create an unprivileged LXC container)

1. This LXC container configuration will be kept at:

/etc/pve/lxc/100.conf

2. Add the below code after opening the configuration (To enable these features, we can also use the Proxmox GUI):

features: keyctl=1,nesting=1

3. Following that, the 100.conf will look like this:

arch: amd64
cores: 2
features: keyctl=1,nesting=1
hostname: docker
memory: 4096
nameserver: 192.168.40.1
net0: name=eth0,bridge=vmbr1,firewall=1,gw=192.168.40.1,ip=192.168.40.9/24,tag=40,type=veth
ostype: debian
rootfs: storagedocker:100/vm-100-disk-0.raw,size=60G
searchdomain: local.mytld.com
startup: order=1
swap: 4096
unprivileged: 1

Installing Docker in LXC

1. Log into the new LXC container via ssh.

2. Install sudo if needed:

apt install sudo

3. Set the time zone using the code:

dpkg-reconfigure tzdata

4. Now update the other packages:

apt-get update && apt-get upgrade && apt-get dist-upgrade && apt-get autoremove

5. Finally, install Docker. Before copying and pasting, always check the official instructions from the manuals for obsolete code.

sudo apt-get install \
ca-certificates \
curl \
gnupg \
lsb-release
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

6. Change the storage driver to overlay2.

echo -e '{\n "storage-driver": "overlay2"\n}' >> /etc/docker/daemon.json

7. Adjust Docker subnets

8. Install docker-compose, if desired.

Testing Docker

Restart the LXC container and test the Docker configuration.

systemctl status docker docker run hello-world

Output:

Hello from Docker!

With these steps, we were able to run Docker inside an unprivileged container in Proxmox.

Docker is explicitly encouraged to run inside full VMs rather than unprivileged containers. One of the primary differences is that VMs are fully virtualized, whereas LXC containers merely run all processes on the host machine (the hypervisor). Unprivileged containers employ a combination of app-armor rules and uid-mapping to prevent dangerous access to the host, but if we are conducting important production work or suspect that the Docker tools are unsafe, use a VM rather than LXC.

[Need assistance with another Proxmox query? We’re here to assist.]

Conclusion

The article provides a 4-step method from our Tech team to run Docker inside an unprivileged container in Proxmox.