How to run Docker in an Ubuntu 22.04 Unprivileged LXC Container
Running Docker in an Unprivileged LXC Container isn't that hard... supposedly.
Why Docker in an LXC Container?
I wanted to run a self-hosted Swetrix instance on my Oracle Cloud ARM virtual machine, which runs Proxmox.
With LXD, even an unprivileged container shouldn't have any issues running Docker, since LXD itself handles namespace creation for each container.
With plain LXC, however, this isn't the case. Even with nesting=1 set in the container configuration, Docker repeatedly failed with one of these two errors:
Error response from daemon: Could not check if docker-default AppArmor profile was loaded: open /sys/kernel/security/apparmor/profiles: permission denied
or
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied
I could use a privileged container, but for obvious security reasons, I wasn't really willing to do this in my personal production environment.
So, how do you spin up Docker containers inside an unprivileged LXC container?
It's quite simple, really. On Proxmox VE 8, the following steps are all it takes.
Required Settings in Proxmox VE 8
On the Proxmox host, add this line to the container's configuration file, /etc/pve/lxc/[Container ID].conf:
lxc.mount.entry: /dev/null sys/module/apparmor/parameters/enabled none bind 0 0
This bind mount makes AppArmor appear disabled from inside the container, so Docker no longer tries to load its docker-default profile; the container itself stays confined by the host's LXC AppArmor profile. Also make sure nesting is enabled for the container in the Proxmox GUI. That's it on the Proxmox VE 8 side!
Required Settings in the Ubuntu Container
Install Docker by using these commands:
curl -sSL https://get.docker.com/ | CHANNEL=stable sh
systemctl enable --now docker
Then downgrade containerd.io and hold it at that version so apt doesn't upgrade it again:
apt install containerd.io=1.7.28-1~ubuntu.22.04~jammy
apt-mark hold containerd.io
systemctl restart docker
That's it! Now you should be able to spin up Docker containers without any issues, without compromising the benefits of unprivileged LXC containers. (Note: Replace ubuntu.22.04~jammy with your Ubuntu version if different.)
The downgrade is needed because of a known bug (CVE-2025-52881). The official recommendation for this issue is to set lxc.apparmor.profile: unconfined in the LXC configuration rather than downgrading containerd.io.
However, I chose the downgrade approach to retain AppArmor protection; the decision is entirely up to you.
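As an added example that is not part of the original post, here is a small POSIX shell pre-flight script that checks the settings above before you start Docker: it inspects a container config in the /etc/pve/lxc/[Container ID].conf format (it assumes the `unprivileged: 1` and `features: nesting=1` keys that Proxmox writes to that file), flags the unconfined alternative, and verifies that containerd.io is at the pinned version and held. The function names and the sample configs are mine and constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for running
# Docker in an unprivileged Proxmox LXC container. Sample configs below are
# constructed; on a real host point the functions at the real files/output.

PINNED_CONTAINERD="1.7.28-1~ubuntu.22.04~jammy"   # version the post pins

# check_lxc_conf FILE
#   0 -> unprivileged, nesting enabled, AppArmor bind mount present
#   1 -> one of those is missing (reason printed on stdout)
#   2 -> settings present but lxc.apparmor.profile is unconfined
check_lxc_conf() {
    conf="$1"
    if ! grep -Eq '^unprivileged:[[:space:]]*1[[:space:]]*$' "$conf"; then
        echo "$conf: container is not unprivileged"
        return 1
    fi
    if ! grep -Eq '^features:.*[ ,]nesting=1' "$conf"; then
        echo "$conf: nesting is not enabled"
        return 1
    fi
    if ! grep -Fq 'lxc.mount.entry: /dev/null sys/module/apparmor/parameters/enabled none bind 0 0' "$conf"; then
        echo "$conf: AppArmor bind mount entry is missing"
        return 1
    fi
    # The alternative the post declines: dropping AppArmor confinement entirely.
    if grep -Eq '^lxc\.apparmor\.profile:[[:space:]]*unconfined' "$conf"; then
        echo "$conf: container runs unconfined; AppArmor protection is lost"
        return 2
    fi
    echo "$conf: ok"
    return 0
}

# check_containerd VERSION HELD
#   VERSION is what `dpkg-query -W -f='${Version}' containerd.io` prints and
#   HELD is the output of `apt-mark showhold`. Returns 0 only when the pinned
#   version is installed AND held, so a routine apt upgrade cannot undo it.
check_containerd() {
    version="$1"
    held="$2"
    if [ "$version" != "$PINNED_CONTAINERD" ]; then
        echo "containerd.io is $version, expected $PINNED_CONTAINERD"
        return 1
    fi
    if ! printf '%s\n' "$held" | grep -qx 'containerd.io'; then
        echo "containerd.io is not held; apt upgrade would undo the downgrade"
        return 1
    fi
    echo "containerd.io pinned and held"
    return 0
}

# Constructed sample configs (not real containers).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
arch: arm64
hostname: swetrix
unprivileged: 1
features: nesting=1
lxc.mount.entry: /dev/null sys/module/apparmor/parameters/enabled none bind 0 0
EOF

NO_MOUNT_CONF=$(mktemp)
cat > "$NO_MOUNT_CONF" <<'EOF'
arch: arm64
hostname: swetrix
unprivileged: 1
features: keyctl=1,nesting=1
EOF

UNCONFINED_CONF=$(mktemp)
cat > "$UNCONFINED_CONF" <<'EOF'
unprivileged: 1
features: nesting=1
lxc.mount.entry: /dev/null sys/module/apparmor/parameters/enabled none bind 0 0
lxc.apparmor.profile: unconfined
EOF

# Run the checks against the samples. On a real setup:
#   on the Proxmox node:  check_lxc_conf /etc/pve/lxc/[Container ID].conf
#   inside the container: check_containerd "$(dpkg-query -W -f='${Version}' containerd.io)" "$(apt-mark showhold)"
for c in "$GOOD_CONF" "$NO_MOUNT_CONF" "$UNCONFINED_CONF"; do
    check_lxc_conf "$c" || true
done
check_containerd "$PINNED_CONTAINERD" "containerd.io" || true
check_containerd "0.0.0-constructed" "" || true   # constructed wrong version, not held
```

Because containerd.io is held, apt will not deliver its later releases, including security fixes; revisit the hold once a fixed containerd.io works in unprivileged LXC, and rerun check_containerd afterwards so the pin doesn't outlive the bug it works around.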