Create a new LXC Container

In Proxmox VE, create an unprivileged LXC container with fuse=1,keyctl=1,mknod=1,nesting=1 (I’m not sure if all are needed). In this case I use an Ubuntu 18.04 container.

Installation of fuse-overlayfs

fuse-overlayfs is similar to overlayfs, but it runs in userspace and can be used without root permissions [1]. Unlike overlayfs, fuse-overlayfs can also be used when the backing filesystem is ZFS, like on Proxmox VE.

Then, inside the container, install a static version of fuse-overlayfs and place it in /usr/local/bin so it’s named /usr/local/bin/fuse-overlayfs.

Installation of docker.io

docker.io is the Debian-specific build of the Moby container engine. Contrary to what the Docker documentation notes, this isn’t an old version but rather a version packaged by the Debian Go team.

apt-get install docker.io

In my case this installed version 20.10.2:

# docker info
Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 2
  Running: 0
  Paused: 0
  Stopped: 2
 Images: 1
 Server Version: 20.10.2
 Storage Driver: fuse-overlayfs
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
(...)

To my surprise, it auto-detected that I have fuse-overlayfs installed and uses it. And this although I’m not using rootless Docker!

Now I can use Docker nested in LXC on Proxmox VE without the efficiency problems of VFS.
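
The checks below are an added example, not part of the original post: run inside the container, they confirm that it is unprivileged, that the fuse-overlayfs binary is in place, and that Docker did not fall back to vfs. The function names and the `--live` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity checks to run inside the LXC container after setup.
# Function names and --live are hypothetical; paths default to the post's.

# Root inside an unprivileged container maps to a non-zero host UID.
# uid_map lines read: <uid-in-container> <uid-on-host> <range-length>
is_unprivileged() {
    awk '$1 == 0 && $2 != 0 { ok = 1 } END { exit !ok }' "${1:-/proc/self/uid_map}"
}

# The static binary must be executable at the path used in the post.
has_fuse_overlayfs() {
    [ -x "${1:-/usr/local/bin/fuse-overlayfs}" ]
}

# Extract the "Storage Driver:" value from `docker info` text on stdin.
storage_driver() {
    sed -n 's/^[[:space:]]*Storage Driver:[[:space:]]*//p' | head -n 1
}

# 0 = fuse-overlayfs in use, 1 = fell back to vfs, 2 = anything else.
check_driver() {
    driver=$(storage_driver)
    case "$driver" in
        fuse-overlayfs) return 0 ;;
        vfs)            return 1 ;;
        *)              return 2 ;;
    esac
}

verify_setup() {
    is_unprivileged || { echo "container is not unprivileged" >&2; return 1; }
    [ -c /dev/fuse ] || { echo "/dev/fuse missing (fuse=1 not set?)" >&2; return 1; }
    has_fuse_overlayfs || { echo "fuse-overlayfs binary missing" >&2; return 1; }
    docker info 2>/dev/null | check_driver || { echo "storage driver is not fuse-overlayfs" >&2; return 1; }
    echo "ok: unprivileged container, Docker on fuse-overlayfs"
}

# Run the live checks only when asked, e.g.: sh check.sh --live
if [ "${1:-}" = "--live" ]; then verify_setup; fi
```

The uid_map check matters because the Docker daemon runs as root inside the container; in an unprivileged container that root is mapped to a non-zero UID on the Proxmox host.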

Future Work

It would also be interesting to use Podman in LXC on Proxmox PVE, but I couldn’t get it working so far. I know it’s possible to use rootless Podman in an unprivileged LXD container using the security.nesting flag. However, LXC on PVE is a bit different from LXD.


  1. Debian 10 and similar systems also support overlayfs without root but this isn’t working on a ZFS filesystem and it’s not directly usable inside a container. In newer kernel versions unprivileged overlay mount is possible by default. This could mean that unprivileged overlay will also be supported in Fedora-like distributions in the future.