From 52cc54ee332b100844543b154d2b1d023478ac4c Mon Sep 17 00:00:00 2001
From: xdavidwu
Date: Thu, 27 Sep 2018 09:33:59 +0800
Subject: [PATCH] posts: add docker-in-lxc

---
 _posts/2018-09-27-docker-in-lxc.md | 49 ++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 _posts/2018-09-27-docker-in-lxc.md

diff --git a/_posts/2018-09-27-docker-in-lxc.md b/_posts/2018-09-27-docker-in-lxc.md
new file mode 100644
index 0000000..62b3045
--- /dev/null
+++ b/_posts/2018-09-27-docker-in-lxc.md
@@ -0,0 +1,49 @@
+---
+title: "docker in lxc"
+categories:
+ - Misc
+tags:
+ - docker
+ - lxc
+ - k8s
+ - ubuntu
+---
+
+在 ubuntu 上的 lxc 裡再跑一層 docker (或k8s又或還是一層lxc之類的)
+
+主要會碰到的難關有兩個 _apparmor 和 cgroup_
+
+apparmor 很好解決 ubuntu lxc 的 config template 就有提到
+
+只要把以下的 config 取消註解 (或增加) 即可
+
+```
+lxc.include = /usr/share/lxc/config/nesting.conf
+```
+
+觀察這個 config 就只是切換成另一個 apparmor profile 和解決 proc 及 sysfs 的問題
+
+```
+# Use a profile which allows nesting
+lxc.apparmor.profile = lxc-container-default-with-nesting
+
+# Add uncovered mounts of proc and sys, else unprivileged users
+# cannot remount those
+
+lxc.mount.entry = proc dev/.lxc/proc proc create=dir,optional 0 0
+lxc.mount.entry = sys dev/.lxc/sys sysfs create=dir,optional 0 0
+```
+
+再來是 cgroup
+
+如果需要存取某些 devices 但是被擋
+
+加入例如
+
+```
+lxc.cgroup.devices.allow = c 10:200 rwm
+```
+
+指定允許
+
+這裡是以 tuntap 10:200 為例
-- 
2.43.0