Proxmox: Run Docker on Linux Containers (LXC)

In this post, I show you how to run Docker inside a Linux Container (LXC) on Proxmox, which avoids the overhead of dedicating a full VM to hosting Docker.
In: Proxmox, Home Lab

Why Docker on a Linux Container?

Simply put – saving resources.

  • Each VM in your environment runs its own kernel on virtualized hardware (CPU, RAM, disk, and so on) presented to the guest operating system.
    • If you install multiple Dockerized web applications in one VM, every service needs either a reverse proxy or its own custom TCP port, because they all share the VM's IP address.
    • A large stack of Docker containers may eventually need several VMs, each with its own boot time and its own reserved CPU and memory.

  • LXCs, on the other hand, have no kernel of their own and emulate no hardware. They share the host's kernel, using cgroups and namespaces for isolation.
    • Because an LXC has far lower performance and resource overhead, you can feasibly run one LXC per Dockerized environment.
    • This reduces the need for complex proxy setups, since each LXC gets its own IP address.

🚨
One major caveat: the Proxmox VE developers strongly recommend running Docker in VMs rather than in LXCs. A VM has its own kernel, so a container escape or kernel bug inside the guest stops at the hypervisor; an LXC shares the host kernel, so its isolation rests entirely on the host kernel's namespace and cgroup boundaries. The developers also cite greater stability across upgrades, since Docker in an LXC depends on host kernel behaviour that a Proxmox upgrade can change.

More on that at this Proxmox forum post and this forum post.

With that out of the way, if you still want to give Docker in an LXC a try, let's proceed. Any time you want to run Docker in a Linux Container, simply repeat the steps documented here.

Using ZFS?

These steps were tested on a Proxmox node configured with ZFS, and no issues were observed.





Preparing Proxmox

FUSE OverlayFS for ZFS Storage

ℹ️
fuse-overlayfs is only required if your Proxmox node's storage backend is ZFS. Without it, Docker in an unprivileged LXC on ZFS cannot use the overlay2 or zfs storage drivers and falls back to vfs, which has no copy-on-write and stores every image layer as a full copy, so the disk usage of images and volumes balloons.
apt clean && apt update && apt install -y fuse-overlayfs





Create a Linux Container and Test Functionality

Create the Linux Container

Right click your node and click 'Create CT'
Ensure the container is unprivileged (root inside the container maps to an unprivileged UID on the host) and that nesting is enabled (Docker needs to create its own namespaces and mounts inside the container)
Choose your container template
Add a disk, size according to your needs
Allocate cores according to your needs
Allocate RAM according to your needs
Set your NIC parameters according to your environment
⚠️
Note that I have set the IPv6 setting to Static with an empty configuration to indicate that I am not using IPv6 on my container.

If you set IPv6 to DHCP and do not have a DHCPv6 server to allocate addresses, this will cause the container to stall while it tries to obtain a DHCP lease for IPv6.
I am using my internal domain and DNS server for this VLAN
Click finish to create the container



Change a Few Container Options

Click on your container
Click 'Options'
Double-click 'Features'
ℹ️
As mentioned earlier, you only need to enable FUSE if your Proxmox storage backend is ZFS
Enable 'keyctl', 'Nesting', and 'FUSE'
You may now start the container
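The same container created from the Proxmox host shell with pct instead of the GUI, as an added example that is not part of the original post. The VMID, template name, storage, bridge, DNS server and search domain are placeholders for your environment; ip6=manual is assumed here to be the CLI equivalent of the empty static IPv6 setting above. The config_ok check reads what pct config prints and refuses to start a container that is not unprivileged or is missing nesting or keyctl:

```shell
#!/bin/sh
# Added example, not from the original post: create the same container from
# the Proxmox host shell with pct instead of the GUI, then check its config.
# VMID, template, storage, bridge, DNS and domain are placeholders for your
# environment; BACKEND=zfs adds the FUSE feature the post enables for ZFS hosts.
set -eu

VMID="${VMID:-200}"
TEMPLATE="${TEMPLATE:-local:vztmpl/debian-11-standard_11.7-1_amd64.tar.zst}"
STORAGE="${STORAGE:-local-zfs}"
BRIDGE="${BRIDGE:-vmbr0}"
DNS="${DNS:-10.0.0.53}"
DOMAIN="${DOMAIN:-lab.internal}"
BACKEND="${BACKEND:-zfs}"

# Feature flags matching the post's Options > Features dialog. keyctl and
# nesting are what Docker needs in an unprivileged CT; fuse only matters when
# the host storage backend is ZFS.
ct_features() {
    if [ "$1" = "zfs" ]; then
        echo "nesting=1,keyctl=1,fuse=1"
    else
        echo "nesting=1,keyctl=1"
    fi
}

# Given the text printed by `pct config <vmid>`, confirm the container is
# unprivileged and has nesting and keyctl enabled. Any missing setting fails.
config_ok() {
    cfg="$1"
    printf '%s\n' "$cfg" | grep -q '^unprivileged: 1$' || return 1
    printf '%s\n' "$cfg" | grep -q '^features: .*nesting=1' || return 1
    printf '%s\n' "$cfg" | grep -q '^features: .*keyctl=1' || return 1
    return 0
}

create_ct() {
    pct create "$VMID" "$TEMPLATE" \
        --hostname docker-ct \
        --unprivileged 1 \
        --features "$(ct_features "$BACKEND")" \
        --rootfs "$STORAGE:16" \
        --cores 2 --memory 2048 --swap 512 \
        --net0 "name=eth0,bridge=$BRIDGE,ip=dhcp,ip6=manual" \
        --nameserver "$DNS" --searchdomain "$DOMAIN" \
        --onboot 1
    # Refuse to start a container that did not get the expected isolation settings.
    config_ok "$(pct config "$VMID")"
    pct start "$VMID"
}

# Constructed sample of what `pct config` prints, used to exercise the check
# without a Proxmox host. The real run is opt-in: ./create-docker-ct.sh apply
SAMPLE_CONFIG='arch: amd64
features: fuse=1,keyctl=1,nesting=1
hostname: docker-ct
unprivileged: 1'

if [ "${1:-}" = "apply" ]; then
    create_ct
elif config_ok "$SAMPLE_CONFIG"; then
    echo "sample config passes the checks"
fi
```

Run it with the apply argument on the Proxmox host as root; without arguments it only exercises the config check against the constructed sample. The hypothetical script name is a convention of this example only.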





Configure and Test Docker

FUSE OverlayFS Inside the Container (ZFS Host Storage)

ℹ️
Repeating here, once again, that you only require fuse-overlayfs inside the container if your Proxmox node's storage backend is ZFS. Run the following inside the container:
apt clean && apt update && apt upgrade -y && apt install -y fuse-overlayfs

Install "fuse-overlayfs" inside LXC if host storage backend is ZFS

ln -s /usr/bin/fuse-overlayfs /usr/local/bin/fuse-overlayfs

Create a symbolic link so the fuse-overlayfs binary is also available under /usr/local/bin; this was found to be necessary in earlier testing (see the reference at the end of the post) for Docker to use the driver



Install Docker Engine on the Linux Container

Since the image I am using is Debian 11, we can follow the official Docker Engine installation instructions for Debian.

Docker docs: Install Docker Engine on Debian
apt install -y ca-certificates curl gnupg lsb-release

Install prerequisite packages

mkdir -p /etc/apt/keyrings

Make a directory to house the Docker GPG key

curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg

Download and store the Docker signing key. Before trusting it, compare its fingerprint with the one published in Docker's installation docs.

echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null

Add the Docker apt repository to sources

apt update && apt install -y docker-ce docker-ce-cli containerd.io docker-compose docker-compose-plugin

Install Docker packages

docker run hello-world

Test for successful installation

systemctl enable docker

Enable Docker engine to start at boot
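The container-side steps above as one script, added here as an example and not taken from the original post or from Docker's documentation. It adds two checks a practitioner wants: the downloaded apt key's fingerprint is compared with the one Docker publishes in its install docs (a constant in the script; re-check the docs if it ever stops matching), and docker info is queried after installation so a silent fallback to the vfs storage driver is caught instead of quietly filling the disk. The script name and the install argument are conventions of this example only:

```shell
#!/bin/sh
# Added example, not from the original post: the in-container install above as
# one script with two checks added. The Docker apt key is compared against the
# fingerprint published in Docker's installation docs before the repository is
# trusted, and the storage driver Docker actually chose is inspected so a silent
# fallback to "vfs" (no copy-on-write, every image layer stored as a full copy)
# fails loudly. Run as root inside the CT:  ./docker-in-ct.sh install
set -eu

KEYRING=/etc/apt/keyrings/docker.gpg
# Fingerprint of the "Docker Release (CE deb)" key as listed in Docker's docs.
EXPECTED_FPR="9DC858229FC7DD38854AE2D88D81803C0EBFCD88"

# The sources.list line from the post, with arch and codename as parameters so
# it can be checked without dpkg or lsb_release present.
docker_apt_line() {
    echo "deb [arch=$1 signed-by=$KEYRING] https://download.docker.com/linux/debian $2 stable"
}

# Normalise a fingerprint (spaces and case ignored) and compare with EXPECTED_FPR.
fingerprint_ok() {
    actual="$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')"
    [ "$actual" = "$EXPECTED_FPR" ]
}

# With fuse-overlayfs available, Docker should pick overlay2 or fuse-overlayfs.
# vfs is its last-resort driver and is the "volume sizes blowing up" case.
storage_driver_ok() {
    case "$1" in
        overlay2|fuse-overlayfs) return 0 ;;
        *) return 1 ;;
    esac
}

install_docker() {
    apt-get update
    apt-get install -y ca-certificates curl gnupg lsb-release fuse-overlayfs
    ln -sf /usr/bin/fuse-overlayfs /usr/local/bin/fuse-overlayfs
    install -m 0755 -d /etc/apt/keyrings
    curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor --yes -o "$KEYRING"
    chmod a+r "$KEYRING"

    # The primary key fingerprint is field 10 of the first "fpr" record.
    fpr="$(gpg --show-keys --with-colons --with-fingerprint "$KEYRING" | awk -F: '$1=="fpr"{print $10; exit}')"
    if ! fingerprint_ok "$fpr"; then
        echo "Docker apt key fingerprint mismatch: $fpr" >&2
        rm -f "$KEYRING"
        exit 1
    fi

    docker_apt_line "$(dpkg --print-architecture)" "$(lsb_release -cs)" \
        > /etc/apt/sources.list.d/docker.list
    apt-get update
    # docker-compose-plugin provides `docker compose`; the separate docker-compose
    # package in the post is the older v1 tool and is left out here.
    apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
    systemctl enable --now docker

    driver="$(docker info --format '{{.Driver}}')"
    if ! storage_driver_ok "$driver"; then
        echo "Docker selected storage driver '$driver'; check fuse-overlayfs and the FUSE feature" >&2
        exit 1
    fi
    docker run --rm hello-world
}

if [ "${1:-}" = "install" ]; then
    install_docker
fi
```

If the driver check fails on a ZFS host, the usual causes are the FUSE feature not being enabled on the container or fuse-overlayfs not being on Docker's PATH; docker info also reports the driver in its full output for manual inspection.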





References

Docker LXC Unprivileged container on Proxmox 7 with ZFS (Proxmox forum thread): a user running Proxmox 7.0-11 on ZFS with Dokku (which uses Docker) in an unprivileged Ubuntu 20.04 LXC, with the nesting and keyctl features enabled.