Add docker in LXC

ZihaoZhou · ZihaoZhou · commit ee195d198d6b · 2025-05-26T19:10:52.000-07:00
diff --git a/docs/.vitepress/config.mts b/docs/.vitepress/config.mts
@@ -89,6 +89,10 @@ export default defineConfig({
               text: 'Remote Desktop',
               link: '/guide/rdp',
             },
+            {
+              text: 'Docker in LXC',
+              link: '/guide/docker',
+            },
             {
               text: 'Password and Security',
               link: '/guide/security',
diff --git a/docs/guide/docker.md b/docs/guide/docker.md
@@ -0,0 +1,232 @@
+# Running Docker in LXC Containers
+
+This guide explains how to run Docker inside LXC containers using the fuse-overlayfs storage driver. This is necessary because LXC containers cannot use Docker's default overlay2 storage driver due to kernel limitations.
+
+::: warning Prerequisites
+- LXC container with FUSE support enabled
+- Root or sudo access inside the container
+- Basic understanding of Docker and systemctl
+:::
+
+## Background: Why fuse-overlayfs?
+
+Docker's default `overlay2` storage driver requires kernel-level permissions that LXC containers don't have. When you try to use overlay2 inside an LXC container, Docker fails because:
+
+1. LXC mounts its filesystem using overlay, and the kernel doesn't allow overlay-on-overlay mounting
+2. The container lacks permissions to create kernel-level overlay filesystems
+
+Without proper configuration, Docker falls back to the `vfs` driver, which creates full copies of each filesystem layer instead of using efficient copy-on-write. This can consume massive amounts of disk space.
+
+## Prerequisites Check
+
+### 1. Verify FUSE Support
+
+First, check if your container has FUSE support:
+
+```bash
+ls -la /dev/fuse
+```
+
+If `/dev/fuse` doesn't exist, contact your system administrator to enable FUSE support for your container.
+
+::: tip Enabling FUSE in Proxmox
+If using Proxmox, set `features: fuse=1` in the LXC config or check "FUSE" under Options in the web interface. Restart the container after making this change.
+:::
+
+### 2. Install Required Packages
+
+First, install Docker following the official installation guide:
+
+::: tip Docker Installation
+Follow the official [Docker Engine installation guide for Ubuntu](https://docs.docker.com/engine/install/ubuntu/) to install Docker from the official repository. This ensures you get the latest stable version with proper support.
+:::
+
+After installing Docker, install fuse-overlayfs:
+
+```bash
+sudo apt update
+sudo apt install fuse-overlayfs
+```
+
+## Configuration Steps
+
+### 1. Configure Docker Storage Driver
+
+Create or edit the Docker daemon configuration:
+
+```bash
+sudo vim /etc/docker/daemon.json
+```
+
+Add the following configuration:
+
+```json
+{
+    "storage-driver": "fuse-overlayfs"
+}
+```
+
+::: warning NVIDIA Runtime
+If you have NVIDIA container runtime installed, preserve it in the configuration:
+```json
+{
+    "storage-driver": "fuse-overlayfs",
+    "runtimes": {
+        "nvidia": {
+            "args": [],
+            "path": "nvidia-container-runtime"
+        }
+    }
+}
+```
+:::
+
+### 2. Stop Existing Docker Service
+
+Before applying changes, stop any running Docker service:
+
+```bash
+sudo systemctl stop docker
+sudo systemctl stop docker.socket
+```
+
+### 3. Test Configuration
+
+Test the Docker daemon with the new storage driver:
+
+```bash
+sudo dockerd --debug
+```
+
+Look for messages confirming fuse-overlayfs is being used. Press `Ctrl+C` to stop once verified.
+
+::: tip Troubleshooting Startup
+If you see an error about conflicting directives:
+```
+unable to configure the Docker daemon with file /etc/docker/daemon.json: 
+the following directives are specified both as a flag and in the configuration file: 
+storage-driver: (from flag: fuse-overlayfs, from file: overlay2)
+```
+This means there's a conflict in your configuration. Check `/etc/default/docker` or systemd service files for conflicting storage driver settings.
+:::
+
+### 4. Enable and Start Docker Service
+
+Once configuration is verified:
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl enable docker
+sudo systemctl start docker
+```
+
+## Common Issues and Solutions
+
+### Permission Denied on Docker Socket
+
+If you encounter:
+```
+permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
+```
+
+**Solution**: Run Docker commands with `sudo` or add your user to the docker group:
+```bash
+sudo usermod -aG docker $USER
+# Log out and back in for changes to take effect
+```
+
+### Service Failed to Start
+
+To debug Docker service issues:
+
+```bash
+# Check service status
+sudo systemctl status docker
+
+# View detailed logs
+sudo journalctl -xeu docker.service
+
+# Check Docker daemon directly
+sudo dockerd --debug
+```
+
+Common causes:
+- Syntax errors in `/etc/docker/daemon.json`
+- Missing fuse-overlayfs package
+- FUSE not enabled in container
+
+### Storage Driver Conflicts
+
+If Docker complains about conflicting storage drivers:
+
+1. Check all configuration sources:
+   ```bash
+   cat /etc/docker/daemon.json
+   cat /etc/default/docker
+   systemctl cat docker.service
+   ```
+
+2. Remove any `--storage-driver` flags from systemd service files
+3. Ensure only one storage driver is specified in `daemon.json`
+
+## Performance Considerations
+
+::: warning Performance Impact
+fuse-overlayfs operates in userspace and has performance overhead compared to kernel-based overlay2. However, it's significantly more efficient than the vfs fallback:
+- **vfs**: Creates full copies of filesystem layers (can use 3-4x more space)
+- **fuse-overlayfs**: Uses copy-on-write like overlay2 but with ~10-20% performance overhead
+- **overlay2**: Native kernel driver (not available in LXC)
+:::
+
+## Verification
+
+Verify Docker is using the correct storage driver:
+
+```bash
+sudo docker info | grep "Storage Driver"
+# Should output: Storage Driver: fuse-overlayfs
+```
+
+Test with a simple container:
+
+```bash
+sudo docker run hello-world
+```
+
+## Advanced Configuration
+
+### Systemd Service Debugging
+
+For persistent issues, create a systemd override:
+
+```bash
+sudo mkdir -p /etc/systemd/system/docker.service.d
+sudo vim /etc/systemd/system/docker.service.d/override.conf
+```
+
+Add debugging options:
+```ini
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd --debug
+```
+
+### Alternative: Recent Kernel Support
+
+::: tip Kernel 6.1.10+ Users
+Recent kernels (6.1.10+) may support overlay2 in LXC containers natively, especially on ZFS. Test with:
+```bash
+sudo dockerd --storage-driver=overlay2
+```
+If this works, you may not need fuse-overlayfs.
+:::
+
+## Related Documentation
+
+- [Container Limitations](./limit.md#nested-container) - General limitations of nested containers
+- [Troubleshooting Guide](./troubleshooting.md#docker-in-container) - Additional Docker troubleshooting steps
+- [Security Considerations](./security.md) - Security implications of running Docker in LXC
+
+## Summary
+
+Running Docker inside LXC containers requires using fuse-overlayfs as a storage driver due to kernel limitations. While this adds some performance overhead, it's a reliable solution that avoids the disk space issues of the vfs driver. Always ensure FUSE support is enabled in your container and carefully manage the Docker daemon configuration to avoid conflicts.
diff --git a/docs/guide/index.md b/docs/guide/index.md
@@ -233,6 +233,7 @@ Congratulations on setting up your RoseLab container! Here are some next steps:
 2. Review the [differences](./limit) between containers and dedicated servers.
 3. Enhance your [security](./security) by updating passwords and keys.
 4. If you encounter performance issues, consult the [Troubleshooting](./troubleshooting) section.
+5. If you need to run Docker inside your container, see our [Docker in LXC guide](./docker).
 
 ## Support
 
diff --git a/docs/guide/limit.md b/docs/guide/limit.md
@@ -72,7 +72,7 @@ It is technically feasible to create a Docker container inside your container, b
 
 > LXC upstream's position is that those containers aren't and cannot be root-safe. They are still valuable in an environment where you are running trusted workloads or where no untrusted task is running as root in the container. —— [Linux Containers - LXC - Security](https://linuxcontainers.org/lxc/security/)
 
-Our position is Docker-based development should be deployed to the Nautilus cluster. However, you may request privilege on a short term basis with valid reason (e.g., to build a Docker image for your accepted paper). However, docker overlay2 storage driver [does not work well with LXC](https://discuss.linuxcontainers.org/t/problem-running-docker-inside-lxc-container/10392), so you may need to downgrade docker to 2.3.0 in order to use the removed `overlay` driver. See [Troubleshooting](./troubleshooting) for more information.
+Our position is Docker-based development should be deployed to the Nautilus cluster. However, you may request privilege on a short term basis with valid reason (e.g., to build a Docker image for your accepted paper). Note that docker overlay2 storage driver [does not work well with LXC](https://discuss.linuxcontainers.org/t/problem-running-docker-inside-lxc-container/10392) due to kernel limitations. See our [Docker in LXC guide](./docker.md) for instructions on using fuse-overlayfs with current Docker versions.
 
 
 ## Firewall
diff --git a/docs/guide/troubleshooting.md b/docs/guide/troubleshooting.md
@@ -47,53 +47,11 @@ Pulling netflow  ... extracting (100.0%)
 ERROR: failed to register layer: Error ...
 ```
 
-This is because the Docker's latest overlay2 storage driver does not work well with LXC. However, the legacy `overlay` driver has been removed from Docker 2.4.0. You can downgrade Docker to 2.3.0 to use the `overlay` driver. 
+This is because Docker's overlay2 storage driver does not work well with LXC containers due to kernel limitations.
 
-#### Solution
-
-First, remove your existing Docker installation.
-
-```bash
-sudo systemctl stop docker
-sudo apt-get remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-```
-
-Then, modifies the Docker daemon configuration file:
-
-```bash
-sudo nano /etc/docker/daemon.json
-```
-
-add or modify the "storage-driver" option in the file:
-
-```json
-{
-    ...,
-    "storage-driver": "overlay"
-}
-```
-
-install Docker 2.3.0.
-
-```bash
-sudo apt-get update
-sudo apt-get install docker-ce=5:23.0.0-1~ubuntu.22.04~jammy docker-ce-cli=5:23.0.0-1~ubuntu.22.04~jammy containerd.io docker-buildx-plugin docker-compose-plugin
-```
-
-Start the Docker service and verify the installation.
-
-```bash
-sudo systemctl start docker
-docker --version
-```
-
-Pin the package version to prevent automatic upgrades:
-
-```bash
-sudo apt-mark hold docker-ce docker-ce-cli
-```
-
-Now you can pull Docker images in your container.
+::: tip Solution
+To run Docker with current versions inside LXC containers, use the fuse-overlayfs storage driver. See our comprehensive [Docker in LXC guide](./docker.md) for detailed setup instructions.
+:::
 
 ## Machine Learning Threshold
 
