Docker/Portainer in privileged LXC not able to run privileged container?

Hi,

I have a proxmox server with two fresh Debian 11 LXC container:

[Screenshot 2023-01-28 11.52.37]

103/docker2 → is an unprivileged LXC container
104/docker3 → is a privileged LXC container

Now the problem: when I try to run a test container in portainer (e.g., ubuntu with console / TTY) and set “Privileged mode” under Runtime and Resources, the container starts in 103/docker2, but in 104/docker3 it throws an error “Request failed with status code 500”?

Both docker and portainer installs were done following the official resources, run as root, without errors:
Docker Install

Portainer Install

Ideally I need a privileged LXC container because I want to bind NFS shares to the containers in portainer …

I am not an lxc expert, as such I am hesitant to say anything about it.

How do you intend to do that? I am asking because I have seen people trying to mount nfs shares from inside the container, which makes them use --privileged or add capabilities using --cap-add to achieve that. Running containers as privileged should be avoided if they run internet facing applications, as they only provide a weak isolation from the host. Running containers with cap-add grants them specific capabilities the application inside such a container can use to do its job. If you want to know which capabilities the mount command needs, you’ll have to google it.

Though, the intended way is to use a volume backed by the nfs remote share and then use that volume with the container.

In a privileged LXC container I can just specify the NFS volume in portainer and add it to the docker container - no special privileged mode or settings necessary to the docker container itself. The docker container can run unprivileged.

I need a privileged docker container in a privileged LXC container for a different use case. Currently I just try to understand why I get an error 500 thrown by portainer trying to deploy a privileged docker container in a privileged LXC container.

Again deploying a privileged docker container in an unprivileged LXC container works … ?!?

That’s to answer from someone that actually walked down that road.
I have the feeling that your chances to get an answer to that question are higher on a Proxmox forum.

Yes … also posted the question there.

Though, there is one thing I forgot to mention. When docker volumes are used, the nfs share is mounted on the host and then bound into the container, thus making it irrelevant if the container would be able to mount nfs itself.

If you can mount it in the lxc container, a docker volume on the same lxc container should be able to mount it as well.

I can mount a NFS share in proxmox and then mount that share in the LXC container. Problem there: the mount from the LXC container creates a disk image. So I can not read the files directly on the source NFS share.

Probably for now … I will switch back to Debian in a VM. Much less headaches …

If I got you right: you mounted the nfs share on the proxmox host as storage pool, then created a drive using that storage pool. I am not sure how this approach aligns with what I wrote.

The translation of what I suggest would be this:

Let’s assume you have a nfsv4 server with the ip 10.0.0.1 and exported /test.
If mounting the nfs share works inside the lxc container:

mkdir /tmp/nfs_mount_test
sudo mount -t nfs -o nfsvers=4 10.0.0.1:/test /tmp/nfs_mount_test

Then it should work like this as a docker volume

docker volume create --driver local \
    --opt type=nfs \
    --opt o=addr=10.0.0.1,nfsvers=4 \
    --opt device=:/test \
    test-volume

As you know, the mount target is specified during volume mapping -v test-volume:/tmp_nfs_mount_test
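The same volume written as a Compose file, next to the in-container mount pattern it replaces; this is an added example, not something posted in the thread, and the service name, image and container path are assumed.

```yaml
# Added example (not from the thread). Assumed: service name "app",
# image "ubuntu", container path /tmp_nfs_mount_test.
# NFS server and export as in the post above: 10.0.0.1:/test, NFSv4.

# Weak pattern: mount the share from inside the container. mount(2)
# needs CAP_SYS_ADMIN (and Docker's default seccomp profile blocks the
# syscall), so people reach for privileged mode, which hands the
# container near-host access just to get one mount.
#services:
#  app:
#    image: ubuntu
#    privileged: true
#    command: sh -c "mount -t nfs -o nfsvers=4 10.0.0.1:/test /tmp_nfs_mount_test && sleep infinity"

# Preferred pattern: the local volume driver mounts the share on the
# Docker host (here: the LXC) and bind-mounts it in. The container
# needs no extra privilege and can run with every capability dropped.
# The host-side mount still needs an LXC that is allowed to mount NFS.
services:
  app:
    image: ubuntu
    command: sleep infinity
    volumes:
      - test-volume:/tmp_nfs_mount_test
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true

volumes:
  test-volume:
    driver: local
    driver_opts:
      type: nfs
      o: addr=10.0.0.1,nfsvers=4
      device: ":/test"
```

`docker compose up -d` then `docker inspect` on the volume shows the mount options; the share is mounted when the first container using the volume starts.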

Should not work … because unprivileged LXC do not support NFS outside connection.