I have a proxmox server with two fresh Debian 11 LXC containers:
103/docker2 → is an unprivileged LXC container
104/docker3 → is a privileged LXC container
Now the problem: when I try to run a test container in portainer (e.g., ubuntu with console / TTY) and set the “Privileged mode” under runtime and resources, the container starts in 103/docker2, but in 104/docker3 it throws an error “Request failed with status code 500”?
Both docker and portainer installs were done following the official resources, run as root without errors: Docker Install
Ideally I need a privileged LXC container because I want to bind NFS shares to the containers in portainer …
I am not an lxc expert, as such I am hesitant to say anything about it.
How do you intend to do that? I am asking because I have seen people trying to mount nfs shares from inside the container, which makes them use --privileged or add capabilities using --cap-add to achieve that. Running containers as privileged should be avoided if they run internet-facing applications, as they only provide a weak isolation from the host. Running containers with cap-add grants them specific capabilities the application inside such a container can use to do its job. If you want to know which capabilities the mount command needs, you’ll have to google it.
Though, the intended way is to use a volume backed by the nfs remote share and then use that volume with the container.
In a privileged LXC container I can just specify the NFS volume in portainer and add it to the docker container - no special privileged mode or settings are necessary for the docker container itself. The docker container can run unprivileged.
I need a privileged docker container in a privileged LXC container for a different use case. Currently I just try to understand why I get an error 500 thrown by portainer trying to deploy a privileged docker container in a privileged LXC container.
Again, deploying a privileged docker container in an unprivileged LXC container works … ?!?
Though, there is one thing I forgot to mention. When docker volumes are used, the nfs share is mounted on the host and then bound into the container, thus making it irrelevant whether the container would be able to mount nfs itself.
If you can mount it in the lxc container, a docker volume on the same lxc container should be able to mount it as well.
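As an added example (not from anyone in this thread), here is a docker-compose fragment of the approach described above: the volume is declared with the local driver's NFS options, so dockerd on the host (here, the LXC container) performs the mount and binds it in, and the service itself needs no privileged mode or extra capabilities. The server address and export path are constructed placeholders; the host running dockerd must have the NFS client utilities installed (nfs-common on Debian) for mount.nfs to exist.

```yaml
# Example only: NFS-backed named volume, consumed by an unprivileged container.
services:
  app:
    image: ubuntu:22.04
    command: ["sleep", "infinity"]
    # No privileged mode and no cap_add: the mount happens in dockerd,
    # not inside this container, so default capabilities are enough.
    privileged: false
    volumes:
      - media:/data:ro        # read-only inside the container; drop ":ro" if writes are needed

volumes:
  media:
    driver: local
    driver_opts:
      type: nfs
      # Placeholder server address and mount options; adjust nfsvers to what the server exports.
      o: "addr=192.0.2.10,nfsvers=4,rw"
      # Placeholder export path on the NFS server; the leading ":" is required by the local driver.
      device: ":/export/media"
```

The same volume can be created without compose via "docker volume create --driver local --opt type=nfs --opt o=... --opt device=... media", which is what portainer does behind the "NFS" option when creating a volume.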
I can mount an NFS share in proxmox and then mount that share in the LXC container. Problem there: the mount from the LXC container creates a disk image, so I can not read the files directly on the source NFS share.