1
votes

I get this to work on Ubuntu using security.privileged and security.nesting just fine. However, with CentOS 7, the docker daemon fails when trying to pull the images. It can't even run hello-world. There is a cgroup violation that some folder doesn't exist. Anyways, are there any successful examples of doing this? I'm ultimately trying to run Kubernetes and use lxc/lxd containers for master and workers, but I need it to work in CentOS. Exact error message:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:279: applying cgroup configuration for process caused \"open /sys/fs/cgroup/systemd/lxc/docker-test/docker/cpuset.cpus: no such file or directory\"": unknown. ERRO[0000] error waiting for container: context canceled

Exact setup is a CentOS 7 Digital Ocean Droplet with lxd installed and built from Go. Using lxc I created a CentOS 7 container. In that machine container, I am trying to run docker. I realize this is like container inception, but it definitely works in Ubuntu, so I imagine it should work on CentOS.

2
What was the exact error message? Is there some verbose option to add to the failed command? - osgx

Added to the description. Thank you for your response. - Hcabnettek

2 Answers

0
votes

I had this exact issue running a CentOS-7.6 Linux/LXC container (GUEST) within my Fedora-28 (LXC) HOST, when trying to use Docker within that CentOS-7.6 LXC container. I did some research and cobbled together a solution from these web resources:


Solution:

jdoe@HOST$ sudo echo "root:1000000:65536" | sudo tee -a /etc/subuid /etc/subgid
# The above is performed once on the LXC HOST! (the outermost server).

# ---------------------------------------------------------------------------------
# Next, add these entries to the config file of the Linux/LXC container that is
# giving you the error (note that the blank 'lxc.cap.drop =' is not a mistake).
# ---------------------------------------------------------------------------------
security.nesting = true
security.privileged = true
lxc.aa_profile = unconfined
lxc.cgroup.devices.allow = a
lxc.mount.auto=proc:rw sys:rw
lxc.cap.drop =
# ---------------------------------------------------------------------------------

This eliminated a very similar error to yours and got things working. I hope it helps.

0
votes

In my case CentOS-7 LXC container (GUEST) in CentOS-7 (LXC) HOST, the only config required was:

  • lxc.cgroup.devices.allow = a
  • lxc.mount.auto=sys
  • lxc.cap.drop =

The following were NOT necessary, or were modified, compared to NYCeyes's post:

  • lxc.mount.auto=proc:rw sys:rw (removed proc; the docker error only referred to a directory in /sys. Used sys instead of sys:rw since it is safer; if curious, google "man lxc.mount.auto")

  • (removed completely) security.nesting = true

  • (removed completely) security.privileged = true

  • (removed completely) lxc.aa_profile = unconfined (aa_profile refers to AppArmor; CentOS-7 uses SELinux, not AppArmor)

  • (NOT executed) sudo echo "root:1000000:65536" | sudo tee -a /etc/subuid /etc/subgid
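Both answers above fix the error by loosening the guest's cgroup and mount configuration. Before changing any of those settings, it helps to confirm that the guest actually lacks the cgroup controller directory the error names (cpuset under the cgroup root, in the question's case). The script below is an added example, not code from either answer; it is a preflight check for a cgroup v1 layout such as the one in the error message. The controller list, the function names and the sample tree are assumptions constructed for this example; the cgroup root is passed as an argument so the check can also be run against a constructed directory.

```shell
#!/bin/sh
# Added example (not from the original answers): preflight check for the
# cgroup v1 controllers that Docker's runtime writes to when it applies a
# cgroup configuration inside an LXC/LXD guest. Assumed controller list.
DOCKER_CGROUP_CONTROLLERS="cpuset cpu memory devices pids"

# check_cgroup_controller ROOT CONTROLLER
# Returns 0 when ROOT/CONTROLLER is a writable directory; returns 1 when it
# is missing (the "no such file or directory" case from the question) and 2
# when it exists but is not writable (sys mounted read-only in the guest).
check_cgroup_controller() {
    root=$1
    ctrl=$2
    if [ ! -d "$root/$ctrl" ]; then
        echo "cgroup controller '$ctrl' is not mounted under $root" >&2
        return 1
    fi
    if [ ! -w "$root/$ctrl" ]; then
        echo "cgroup controller '$ctrl' under $root is read-only (check lxc.mount.auto=sys)" >&2
        return 2
    fi
    return 0
}

# missing_controllers ROOT
# Prints, one per line, the controllers that fail the check above.
# Returns 0 when every controller is present and writable, 1 otherwise.
missing_controllers() {
    root=$1
    rc=0
    for c in $DOCKER_CGROUP_CONTROLLERS; do
        check_cgroup_controller "$root" "$c" 2>/dev/null || { echo "$c"; rc=1; }
    done
    return $rc
}

# make_sample_tree DIR
# Constructs a sample cgroup v1 layout (clearly not a real /sys/fs/cgroup)
# in which the cpuset hierarchy is absent, mirroring the question's error.
make_sample_tree() {
    dir=$1
    for c in cpu memory devices pids systemd; do
        mkdir -p "$dir/$c"
    done
}

# Usage inside the guest: sh cgroup_preflight.sh /sys/fs/cgroup
if [ -n "${1:-}" ]; then
    missing_controllers "$1" && echo "all controllers present and writable under $1"
fi
```

Running the check against the guest's real cgroup root narrows the problem to the mounts before the broader settings in the answers (security.privileged, an empty lxc.cap.drop, lxc.cgroup.devices.allow = a) are tried, and it shows which of them, if any, made the missing controller appear.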