Running Docker in LXC With Proxmox 7.1

If you need to run Docker on your Proxmox installation under LXC instead of in a VM, it’s possible, but there are some extra steps, especially where ZFS is concerned as the host file system. I feel it’s worth it for the reduced overhead compared with a VM. Bear in mind that a container shares the host kernel, so the isolation boundary is weaker than a VM’s; keeping the container unprivileged, as below, is what makes that trade-off reasonable.

First, create an unprivileged LXC container. In my case, I chose Ubuntu 20.04.

Create an LXC container:
  • Select the Ubuntu 20.04 template.
  • Leave “Unprivileged container” checked (it is the default).
  • Select your local Proxmox storage, usually either local-lvm or local-zfs. If you choose ZFS, we’ll get into that headache later.
  • Start the container, open its shell, and bring it up to date:
# apt update && apt upgrade -y

Install fuse-overlayfs if you’re using ZFS as your host filesystem. The default “overlay2” storage driver doesn’t work on ZFS and Docker will refuse to start. fuse-overlayfs also works on lvm-based partition schemes, so use it anyway if you think you might ever move the container to ZFS storage down the line.

# apt install fuse-overlayfs docker.io

At this point, Docker will try to start itself. If you’re using ZFS, it will attempt “overlay2”, fail, and fall back to fuse-overlayfs since that driver is installed. That fallback only succeeds if /dev/fuse is already available inside the container (see the next step); if it isn’t, Docker quietly falls back to the “vfs” driver, which stores a full copy of every image layer instead of sharing them.

To ensure that Docker always uses the fuse-overlayfs storage driver instead of vfs (which happened to me: a single docker pull ballooned my filesystem from 3GB to 16GB), create /etc/docker/daemon.json and add the following:

{
  "storage-driver": "fuse-overlayfs"
}

Shut your container down and, on the Proxmox host, edit /etc/pve/lxc/<containernumber>.conf. Add the following line at the bottom:

lxc.mount.entry: /dev/fuse dev/fuse none bind,create=file,rw,uid=165536,gid=165536 0 0

This bind-mounts the host’s /dev/fuse device into the container, which fuse-overlayfs needs. The uid and gid of 165536 sit just past the default 100000–165535 host range that an unprivileged container’s ids map to; if you’ve changed the id mapping in /etc/subuid and /etc/subgid, adjust them accordingly. Start the container back up.
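The following preflight script is an added example, not part of the original post. It checks a container’s Proxmox config for the two prerequisites above (the unprivileged flag and the /dev/fuse bind-mount line), appends the mount line if it is missing, writes the daemon.json, and checks the driver name that docker info reports once the daemon is running. The config checks must run on the Proxmox host (that is where /etc/pve/lxc lives); the daemon.json and driver checks belong inside the container. The container id 101 and the file paths are assumptions for illustration.

```shell
#!/bin/sh
# Preflight checks for Docker inside an unprivileged Proxmox LXC container.
# Added example; not code from the original post. Assumes the Proxmox 7.1
# layout described in the text: /etc/pve/lxc/<id>.conf on the host and
# /etc/docker/daemon.json inside the container. Container id 101 is hypothetical.

# The exact line the post adds to the container config.
FUSE_ENTRY='lxc.mount.entry: /dev/fuse dev/fuse none bind,create=file,rw,uid=165536,gid=165536 0 0'

# ct_is_unprivileged CONF -> succeeds if the config declares "unprivileged: 1".
# A privileged container is what triggers the AppArmor "load a profile while
# confined" failure in the troubleshooting section.
ct_is_unprivileged() {
    grep -qx 'unprivileged: 1' "$1"
}

# ct_has_fuse_entry CONF -> succeeds if the /dev/fuse bind-mount line is present
# (fixed-string, whole-line match so a similar but different entry does not pass).
ct_has_fuse_entry() {
    grep -qxF "$FUSE_ENTRY" "$1"
}

# ct_add_fuse_entry CONF -> append the mount line once; safe to run repeatedly.
ct_add_fuse_entry() {
    ct_has_fuse_entry "$1" || printf '%s\n' "$FUSE_ENTRY" >> "$1"
}

# write_daemon_json PATH -> pin the storage driver so dockerd never picks vfs,
# even if /dev/fuse happens to be unavailable at the moment it starts.
write_daemon_json() {
    mkdir -p "$(dirname "$1")"
    printf '{\n  "storage-driver": "fuse-overlayfs"\n}\n' > "$1"
}

# driver_is_fuse_overlayfs DRIVER -> succeeds if the running daemon reports the
# expected driver. Inside the container, feed it the real value with:
#   driver_is_fuse_overlayfs "$(docker info --format '{{.Driver}}')"
driver_is_fuse_overlayfs() {
    [ "$1" = "fuse-overlayfs" ]
}

# preflight CONF -> print one line per check; non-zero status if any check fails.
preflight() {
    rc=0
    if ct_is_unprivileged "$1"; then
        echo "ok:   container is unprivileged"
    else
        echo "FAIL: privileged container (expect AppArmor 'while confined' error)"
        rc=1
    fi
    if ct_has_fuse_entry "$1"; then
        echo "ok:   /dev/fuse bind mount present"
    else
        echo "FAIL: /dev/fuse mount entry missing (expect 'modprobe fuse' error)"
        rc=1
    fi
    return $rc
}

# Typical host-side use (container id 101 is hypothetical):
#   preflight /etc/pve/lxc/101.conf || ct_add_fuse_entry /etc/pve/lxc/101.conf
# Typical container-side use:
#   write_daemon_json /etc/docker/daemon.json && systemctl restart docker
#   driver_is_fuse_overlayfs "$(docker info --format '{{.Driver}}')" && echo driver ok
```

After restarting Docker inside the container, the driver check is the one that matters: if docker info still reports vfs, the daemon was started before daemon.json existed and has kept that driver, so fix the config, stop Docker, and remove /var/lib/docker before starting it again (you lose any images pulled under vfs, which is usually what you want given how much space they take).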

As a test, and because it makes a convenient management UI, install Portainer. Note that mounting /var/run/docker.sock gives Portainer full control of the Docker daemon (root inside the container), so treat the web UI on port 9443 as an administrative interface and don’t expose it beyond your management network; port 8000 is only needed if you use Portainer Edge agents:

docker run -d -p 8000:8000 -p 9443:9443 --name portainer \
    --restart=always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data \
    portainer/portainer-ce:2.9.3

If everything is configured properly, the image downloads and the container starts immediately. Browse to https://<container-ip>:9443 to set the admin password.

Troubleshooting

Q: I get an error that complains I might need to run “modprobe fuse”

A: You need to add the /dev/fuse line to the container configuration on the Proxmox host, then restart the container.

Q: Docker refuses to run with the error “attempted to load a profile while confined”?

A: You’ve created a privileged container. Back up your container, then restore it as an unprivileged container (pct restore supports --unprivileged 1, and the GUI restore dialog has the same checkbox). Otherwise, the only way I’ve found to fix this is to uninstall apparmor inside the container. That also drops Docker’s default docker-default profile from every container you run, so prefer the restore.