LXC Rootless docker

Proxmox

The following files have to be updated on every Proxmox node in the cluster, so that if HA is enabled the container can start on any of them.

All nodes need the same entry in both /etc/subuid and /etc/subgid. It grants root a block of 262144 subordinate IDs starting at 100000, which must cover the whole range the container's lxc.idmap lines map (the Proxmox default of 65536 is too small once a rootless Docker user inside the container needs its own sub-range):

/etc/subuid and /etc/subgid

root:100000:262144

Create a new unprivileged LXC container running Debian 13 (trixie) with the nesting feature enabled, which Docker needs.

Make sure you don't start the container after creation.

Open a shell on the node where the new container was created and edit its config (xxx is the container ID):

/etc/pve/lxc/xxx.conf

# nesting for docker, keyctl for the container's keyring, fuse for fuse-overlayfs
features: fuse=1,keyctl=1,nesting=1
# device allow rules use the cgroup v2 keys (Proxmox VE 7+ uses the unified hierarchy)
lxc.cgroup2.devices.allow: c 10:229 rwm
lxc.cgroup2.devices.allow: c 10:200 rwm
# /dev/fuse (10:229) for fuse-overlayfs, /dev/net/tun (10:200) for container networking
lxc.mount.entry: /dev/fuse dev/fuse none bind,create=file 0 0
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file 0 0
# map the full 262144-ID block from /etc/subuid and /etc/subgid into the container
lxc.idmap: u 0 100000 262144
lxc.idmap: g 0 100000 262144
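Three ID ranges have to nest for this setup to work: the host's /etc/subuid allocation for root, the container's lxc.idmap, and the sub-range that useradd inside the container gives ec2-user (which rootless dockerd uses for its own user namespace). The following script is an added example, not part of the original page; it checks that nesting on constructed inputs. The inner /etc/subuid line "ec2-user:100000:65536" is an assumption based on Debian's default useradd allocation; read the real line from the container's /etc/subuid before relying on the result.

```shell
#!/bin/sh
# Added example: check that the ID ranges for rootless docker in LXC nest correctly.
#   host /etc/subuid  -> "root:100000:262144"     (what root may map into containers)
#   lxc.idmap line    -> "u 0 100000 262144"      (what this container maps)
#   inner /etc/subuid -> "ec2-user:100000:65536"  (what rootless dockerd maps, assumed)
# If the container range exceeds the host allocation the container fails to start;
# if the inner user's sub-range exceeds the container range dockerd cannot start.

# range_fits S1 C1 S2 C2 -> 0 if [S1, S1+C1) lies inside [S2, S2+C2)
range_fits() {
    s1=$1; c1=$2; s2=$3; c2=$4
    [ "$s1" -ge "$s2" ] && [ $((s1 + c1)) -le $((s2 + c2)) ]
}

# check_idmap HOST_SUBUID_LINE LXC_IDMAP_LINE INNER_SUBUID_LINE
# Prints a diagnosis; returns 0 when all three ranges nest, 1 otherwise.
check_idmap() {
    host_line=$1; idmap_line=$2; inner_line=$3

    # /etc/subuid entries are user:start:count
    host_start=$(printf '%s' "$host_line" | cut -d: -f2)
    host_count=$(printf '%s' "$host_line" | cut -d: -f3)

    # lxc.idmap entries are "lxc.idmap: u <ct_start> <host_start> <count>"
    set -- $(printf '%s' "$idmap_line" | sed 's/^lxc\.idmap:[[:space:]]*//')
    ct_host_start=$3; ct_count=$4

    inner_start=$(printf '%s' "$inner_line" | cut -d: -f2)
    inner_count=$(printf '%s' "$inner_line" | cut -d: -f3)

    if ! range_fits "$ct_host_start" "$ct_count" "$host_start" "$host_count"; then
        echo "FAIL: container maps host ids $ct_host_start+$ct_count but root may only use $host_start+$host_count"
        return 1
    fi
    # The inner sub-range is in container ids and lands on the host at
    # ct_host_start + inner_start; it must stay within the container's count.
    if ! range_fits "$inner_start" "$inner_count" 0 "$ct_count"; then
        echo "FAIL: inner range $inner_start+$inner_count exceeds the container's $ct_count mapped ids"
        return 1
    fi
    echo "OK: inner ids $inner_start-$((inner_start + inner_count - 1)) land on host $((ct_host_start + inner_start))-$((ct_host_start + inner_start + inner_count - 1))"
    return 0
}

# Constructed inputs mirroring the values used on this page (should pass).
check_idmap "root:100000:262144" "lxc.idmap: u 0 100000 262144" "ec2-user:100000:65536"
# The Proxmox default block of 65536 ids with the same inner user (should fail).
check_idmap "root:100000:65536" "lxc.idmap: u 0 100000 65536" "ec2-user:100000:65536" \
    || echo "(expected failure with the default 65536-id block)"
```

On a live host, feed it `grep '^root:' /etc/subuid`, `grep '^lxc.idmap: u' /etc/pve/lxc/xxx.conf` and the ec2-user line from the container's /etc/subuid; repeat for the gid side with /etc/subgid and the `g` idmap line.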

Container

Start the container and run the following commands as root. uidmap provides newuidmap/newgidmap for the rootless user namespace, fuse-overlayfs is the storage driver that works without root, and dbus-user-session is needed for the per-user systemd instance.

apt update
apt install -y \
  fuse-overlayfs \
  uidmap \
  curl \
  iptables \
  dbus-user-session
useradd -s /bin/bash -m ec2-user
loginctl enable-linger ec2-user
su ec2-user

Run the following commands as ec2-user. The daemon.json selects fuse-overlayfs as the storage driver; the two exports are needed because su does not create a systemd/PAM session, so XDG_RUNTIME_DIR and the session bus address are not set automatically.

mkdir -p /home/ec2-user/.config/docker/
echo '{ "storage-driver": "fuse-overlayfs" }' > /home/ec2-user/.config/docker/daemon.json
echo 'export XDG_RUNTIME_DIR=/run/user/$(id -u)' >> /home/ec2-user/.bashrc
echo 'export DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_RUNTIME_DIR/bus' >> /home/ec2-user/.bashrc
exit
reboot

Reboot (as root, after the exit above) so that the systemd user session for ec2-user starts; lingering was enabled for it earlier, and rootless Docker requires that session.

Log back in as root and switch to ec2-user. The rootless install script sets up dockerd as a user service; DOCKER_HOST points the client at the per-user socket and PATH picks up the binaries the script places in ~/bin. Docker Compose is installed as a CLI plugin for the same user.

su ec2-user
curl -fsSL https://get.docker.com/rootless | sh
echo 'export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock' >> /home/ec2-user/.bashrc
echo 'export PATH=/home/ec2-user/bin:$PATH' >> /home/ec2-user/.bashrc
DOCKER_COMPOSE_DIR="$HOME/.docker/cli-plugins"
COMPOSE_VERSION="v2.39.4"
ARCH=$(uname -m)
mkdir -p "$DOCKER_COMPOSE_DIR"
curl -SL "https://github.com/docker/compose/releases/download/$COMPOSE_VERSION/docker-compose-linux-$ARCH" -o "$DOCKER_COMPOSE_DIR/docker-compose"
chmod +x "$DOCKER_COMPOSE_DIR/docker-compose"
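The compose download above is pinned to a version but not verified, so a tampered or truncated download would still be marked executable. The script below is an added example, not part of the original page or of the Docker project, showing the same install with a sha256 check against the release's checksum list. It assumes the release publishes a sha256sum-style file ("<hash>  <filename>") named checksums.txt next to the binaries, as docker/compose releases do; the install_compose function needs network access and is only shown as a usage line, while verify_sha256 runs offline.

```shell
#!/bin/sh
# Added example: install docker-compose as a CLI plugin only after the downloaded
# binary matches its published sha256 checksum.

# verify_sha256 FILE CHECKSUM_FILE
# Returns 0 when FILE's sha256 matches the entry for its basename in CHECKSUM_FILE,
# 1 on a mismatch or when the list has no entry for it.
verify_sha256() {
    file=$1; sums=$2
    name=$(basename "$file")
    # sha256sum-style lines: "<hash>  <filename>" (awk splits on any whitespace)
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# install_compose VERSION DEST_DIR
# Downloads the binary and checksums.txt into a temporary directory, verifies,
# and only then installs the plugin with mode 0755 into DEST_DIR.
install_compose() {
    version=$1; dest=$2
    arch=$(uname -m)
    base="https://github.com/docker/compose/releases/download/$version"
    tmp=$(mktemp -d)
    curl -fsSL "$base/docker-compose-linux-$arch" -o "$tmp/docker-compose-linux-$arch" || { rm -rf "$tmp"; return 1; }
    curl -fsSL "$base/checksums.txt" -o "$tmp/checksums.txt" || { rm -rf "$tmp"; return 1; }
    if verify_sha256 "$tmp/docker-compose-linux-$arch" "$tmp/checksums.txt"; then
        mkdir -p "$dest"
        install -m 0755 "$tmp/docker-compose-linux-$arch" "$dest/docker-compose"
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}

# Usage as ec2-user, replacing the curl/chmod pair above:
#   install_compose v2.39.4 "$HOME/.docker/cli-plugins"
```

If verification fails nothing is installed and the temporary directory is removed; afterwards `docker compose version` confirms the plugin is picked up by the rootless client.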

Now you are ready to start any containers as a non-root user inside an unprivileged LXC container. `docker info` run as ec2-user should list rootless under Security Options, and `ps -o user,cmd -C dockerd` should show the daemon running as ec2-user rather than root.

All rights reserved