Docker in LXD

If you use Docker a lot, don't you end up launching a lot of Docker Engines? At least I do.

There are many ways to do this, but Docker in LXD is easier to set up than it used to be, so nowadays whenever I install Docker Engine I build it on top of an LXD container.

LXD setup

On Ubuntu 20.04 LTS, LXD is already installed as a snap at installation time, but you need to initialize it with lxd init before you can use it.

$ lxd init

Would you like to use LXD clustering? (yes/no) [default=no]:

...

You get asked a lot of questions. The defaults are basically fine, but always choose btrfs for the storage backend. (The default is often zfs, so set it to btrfs explicitly.)

...

Name of the storage backend to use (ceph, btrfs, dir, lvm) [default=btrfs]: btrfs

...

To check the operation, create an LXD container, start it, and exit it.

$ lxc launch ubuntu:20.04 ubuntu
Creating ubuntu
Starting ubuntu

$ lxc exec ubuntu bash
root@ubuntu:~# exit

Since the operation check is completed, delete the container.

$ lxc rm -f ubuntu

Docker in LXD

You may be able to install Docker Engine in a plain LXD container, but it won't be able to start Docker containers.

According to the LXD documentation, "Can I run docker inside an LXD container?" (https://lxd-ja.readthedocs.io/ja/latest/#lxd-docker), security.nesting needs to be set to true.

$ lxc launch -c security.nesting=true ubuntu:20.04 docker
Creating docker
Starting docker

To be safe, check that it is actually set.

$ lxc config show docker
config:
...

  security.nesting: "true"

...

It is set correctly, so install Docker Engine.

$ lxc exec docker bash
root@docker:~# curl https://get.docker.com | sh

Now that the installation is complete, start the Docker container.

root@docker:~# docker run --rm hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

It worked!

Selection of storage driver

For both LXD and Docker Engine you can choose a storage driver, but only a few combinations actually start. With this procedure, both LXD and Docker Engine run on btrfs.

According to the table in "Pluggable Storage Driver Architecture" (http://docs.docker.jp/v17.06/engine/userguide/storagedriver/selectadriver.html#a-pluggable-storage-driver-architecture), the commonly used Docker Engine storage driver overlay2 requires the backing filesystem on the host side to be ext4 or xfs.

The combinations that are likely to work are as follows.

LXD storage driver    Docker Engine storage driver
btrfs                 btrfs
zfs                   zfs
lvm                   devicemapper

Only btrfs worked for me. With zfs, installing zfsutils-linux in the LXD container failed. I haven't tried lvm because it's a hassle.

The Docker Engine btrfs storage driver doesn't seem to perform especially well, but I'm grateful that it simply works.

There is also a Docker Engine storage driver called vfs, which seems to work regardless of the LXD storage driver, but it seems to have the worst performance, so it is a poor choice for development.

security.privileged=true

When I google this, I also see security.privileged set to true in the LXD container settings.

It seems to be necessary depending on which Docker containers you want to start, but with it enabled the container can do all sorts of things to the host side, so it seems better not to enable it unless it is really needed.
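As an added example (not from the original post), here is a small POSIX shell pre-flight check that reads the YAML printed by lxc config show and verifies the two settings discussed above: security.nesting is "true" and security.privileged is not. The function names and the sample config text are my own constructions; the real-container usage line at the end assumes a container named docker as in the procedure above.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of an LXD
# container's config before installing Docker Engine in it.
# Exit codes of lxd_docker_preflight:
#   0 ok, 1 security.nesting not true, 2 security.privileged true, 3 both.

# Print the value of one config key from `lxc config show` output on stdin.
# Accepts quoted ("true") and bare (true) values; prints nothing if absent.
lxd_config_value() {
    key="$1"
    sed -n "s/^[[:space:]]*${key}:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p"
}

# Check the config text passed as $1 and return the exit code listed above.
lxd_docker_preflight() {
    cfg="$1"
    rc=0
    nesting=$(printf '%s\n' "$cfg" | lxd_config_value security.nesting)
    privileged=$(printf '%s\n' "$cfg" | lxd_config_value security.privileged)
    if [ "$nesting" != "true" ]; then
        echo "security.nesting is not true: Docker will not start containers" >&2
        rc=$((rc + 1))
    fi
    if [ "$privileged" = "true" ]; then
        echo "security.privileged is true: container can reach the host; disable unless required" >&2
        rc=$((rc + 2))
    fi
    return "$rc"
}

# Constructed sample outputs, modelled on the `lxc config show docker` step above.
SAMPLE_GOOD='config:
  image.os: ubuntu
  security.nesting: "true"
name: docker'

SAMPLE_PRIV='config:
  security.nesting: "true"
  security.privileged: "true"
name: docker'

# Usage on a real container (assumes a container named docker):
#   lxd_docker_preflight "$(lxc config show docker)" && lxc exec docker bash
```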

Security of security.nesting = true

I couldn't find any mention in the official LXD documentation of whether security.nesting = true is safe (that is, whether the container is still prevented from accessing the host side).

Searching Google turned up no information either, so I still don't know. If anyone is familiar with this area, please let me know.
