sorry ol’ chap… my containers are ZFS (default LXC) and connecting the Nextcloud snap to NAS using local SSHFS, so I’m not much help with NFS
can’t know everything right?
see my personal notes for LXD/LXC: https://github.com/scubamuc/wiki-md/blob/scubamuc-wiki/LXD-LXC.Docker_in_LXC.md and wiki-md/LXD-LXC.Wiki.md at scubamuc-wiki · scubamuc/wiki-md · GitHub
also Deutsch if required…
the below personal entry might be important for you, but I’m unsure if Proxmox handles Docker containers differently → Proxmox vs. LXD
LXD – Run Docker inside LXC container
Be aware that this setup is basically running a container inside a container. While this has some advantages (i.e. LXC snapshots etc), it requires careful configuration. See https://ubuntu.com/tutorials/how-to-run-docker-inside-lxd-containers. The default volume format for LXC is ZFS and Docker natively uses BTRFS, thus it will be necessary to create a BTRFS volume in LXC for Docker containers. In addition security nesting must be enabled to allow Docker to “run as root” on the LXC host.
ZFS vs. BTRFS
the default volume format for LXC containers is ZFS

⚠️ Docker will not run well with the default ZFS file system

Running Docker inside an LXC on a ZFS volume will prohibit persistent data storage. Thus a BTRFS volume is required for persistent storage for Docker on LXC.

Create a new btrfs storage pool:

```sh
lxc storage create DCKRPOOL btrfs
```
Security nesting
the LXC container hosting a Docker container must have security nesting enabled so that the Docker container can “run as root” on the LXC host.

```yaml
security.nesting: "true"
security.syscalls.intercept.mknod: "true"
security.syscalls.intercept.setxattr: "true"
```

these options may be set per container if required:

```sh
lxc config set <CONTAINERNAME> security.nesting=true security.syscalls.intercept.mknod=true security.syscalls.intercept.setxattr=true
```
Security modules
https://ubuntu.com/tutorials/how-to-run-docker-inside-lxd-containers#2-create-lxd-container

```sh
lxc config set <CONTAINERNAME> security.nesting=true security.syscalls.intercept.mknod=true security.syscalls.intercept.setxattr=true
```
Profiles
The easiest way to do this is to copy the default profile to create a default-docker profile with these options defined and simply assign the profile to LXC containers running Docker. See https://documentation.ubuntu.com/lxd/en/stable-5.0/profiles/

copy profile:

```sh
lxc profile copy 'default' 'default-docker'
```

edit profile:

```sh
lxc profile edit 'default-docker'
```

profile example:

```yaml
name: default-docker
description: Default Docker profile
config:
  boot.autostart: "true"
  security.nesting: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: DCKRPOOL
    type: disk
```

assign/apply profile to instance:

```sh
lxc profile add <instance_name> 'default-docker'
```

delete profile from instance:

```sh
lxc profile remove <instance_name> 'default-docker'
```
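A quick pre-flight check for the settings above, added here as an example (not from the original post or the linked wiki notes): it reads the output of `lxc config show --expanded <instance>` and reports which of the nesting, syscall-intercept and DCKRPOOL root-disk settings are missing. The pool name DCKRPOOL is assumed from the profile example; the two samples are constructed so it runs offline.

```shell
# Added example, not part of the original post: verifies that an instance's
# expanded LXD config has the settings the notes above call for before Docker
# is started in it. Pipe `lxc config show --expanded <instance>` into it.

# check_docker_ready: reads config YAML on stdin, prints each missing
# setting, returns 0 when everything is present, 1 otherwise.
check_docker_ready() {
    cfg=$(cat)
    missing=0
    for key in security.nesting \
               security.syscalls.intercept.mknod \
               security.syscalls.intercept.setxattr; do
        if ! printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*$key:[[:space:]]*\"?true\"?[[:space:]]*$"; then
            echo "missing: $key"
            missing=1
        fi
    done
    # root disk must sit on the dedicated btrfs pool (DCKRPOOL in the notes)
    if ! printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*pool:[[:space:]]*DCKRPOOL[[:space:]]*$"; then
        echo "missing: root disk on btrfs pool DCKRPOOL"
        missing=1
    fi
    return "$missing"
}

# constructed sample: instance created with the default-docker profile
SAMPLE_OK='config:
  boot.autostart: "true"
  security.nesting: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"
devices:
  root:
    path: /
    pool: DCKRPOOL
    type: disk'

# constructed sample: plain default profile, root still on the default zfs pool
SAMPLE_BAD='config:
  security.nesting: "false"
devices:
  root:
    path: /
    pool: default
    type: disk'

printf '%s\n' "$SAMPLE_OK" | check_docker_ready && echo "sample OK: ready for Docker"
printf '%s\n' "$SAMPLE_BAD" | check_docker_ready || echo "sample BAD: not ready for Docker"
```

On a live host run `lxc config show --expanded <instance> | sh -c '. ./check.sh; check_docker_ready'` or paste the function into your shell and pipe the config into it.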
Issue upgrading LXD host to 24.04 breaks LXC with Docker
- https://bugs.launchpad.net/apparmor/+bug/2067900
- Ubuntu 24.04 AppArmor breaks pivot_root inside LXD containers · Issue #13389 · canonical/lxd · GitHub
due to some SOLVED AppArmor issues in 24.04, Docker may not start inside LXC. As a workaround remove the file /etc/apparmor.d/runc in the container and on the host:

```sh
sudo rm /etc/apparmor.d/runc
```

finally reinstall apparmor:

```sh
sudo apt reinstall apparmor
```

then restart the container.