PromoxVE LXC容器内跑Docker 报错解决方案

docker run fedora bash docker: Error response from daemon: OCI runtime create failed: container_linux.go:337: starting container process caused "apply caps: operation not permitted": unknown. ERRO[0001] error waiting for container: context canceled.

LXC容器内跑Docker容器，会出现如上报错。

原因是容器请求了一个CAP_MKNOD的权限，默认LXC不给予，造成权限不够，被阻止了运行。原文如下：

As it turns out, LXC, by default, will not allow containers to have the CAP_MKNOD capability, as it could theoretically allow a container to take over a host.

You just removed ALL SECURITY from your LXC container.

解决方案：

在/etc/pve/lxc/<id>.conf 找到你虚机的配置文件，在最后添加

lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

注意：此配置会移除所有LXC容器的安全设置，会有被隧穿容器，影响到物理机的风险。