Created
July 21, 2025 12:49
Docker in LXC Capabilities Check
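#!/bin/bash
# Docker in LXC Capabilities Check
#
# Run this inside an LXC container to verify Docker configuration compatibility.
# The script prints a report to stdout; it takes no arguments.
#
# The probes that follow call iptables, mount, systemd-run and docker. Run
# without root inside the container, those calls fail for lack of privilege
# and the report would recommend the fallback settings even where the
# container itself supports the faster ones.

# Warn rather than exit: the informational parts of the report are still
# useful to an unprivileged user, but the recommendations are not reliable.
if [ "$(id -u)" -ne 0 ]; then
  echo "WARNING: not running as root; failed probes below may reflect missing privilege, not container limits" >&2
fi

echo "=== DOCKER IN LXC CAPABILITIES REPORT ==="
echo "Container: $(hostname)"
echo "Date: $(date)"
echo "Kernel: $(uname -r)"
echo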
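# Test 1: iptables NAT functionality (for userland-proxy: false)
#
# The write probe runs inside a scratch chain that no built-in chain jumps to,
# so no packet is ever evaluated against it. Appending a blanket ACCEPT to
# INPUT instead would open the container's firewall for the duration of the
# test, and would leave the rule in place if the script were interrupted
# before the matching delete.
echo "1. IPTABLES/NAT CAPABILITIES:"
probe_chain="LXC-CAP-TEST-$$"
if iptables -t nat -L >/dev/null 2>&1; then
  echo " ✓ NAT table accessible"
  # Test rule creation and deletion; both must succeed to count as working.
  rule_probe_ok=0
  if iptables -N "$probe_chain" >/dev/null 2>&1; then
    if iptables -A "$probe_chain" -j RETURN >/dev/null 2>&1 &&
      iptables -D "$probe_chain" -j RETURN >/dev/null 2>&1; then
      rule_probe_ok=1
    fi
    # Flush before removing so a half-finished probe cannot keep the chain alive.
    iptables -F "$probe_chain" >/dev/null 2>&1
    iptables -X "$probe_chain" >/dev/null 2>&1
  fi
  if [ "$rule_probe_ok" -eq 1 ]; then
    echo " ✓ Rule creation/deletion works"
    echo " → RECOMMENDATION: userland-proxy: false (better performance)"
  else
    echo " ✗ Rule creation failed"
    echo " → RECOMMENDATION: userland-proxy: true (required)"
  fi
else
  echo " ✗ NAT table inaccessible"
  echo " → RECOMMENDATION: userland-proxy: true (required)"
fi
echo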
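# Test 2: Overlay filesystem support
echo "2. OVERLAY2 STORAGE DRIVER:"
if [ -d /var/lib/docker ]; then
  # Informational only: shows what an existing Docker install is using.
  CURRENT_DRIVER=$(docker info 2>/dev/null | grep "Storage Driver" | cut -d: -f2 | xargs)
  echo " Current driver: ${CURRENT_DRIVER:-unknown}"
fi
# Test overlay mount directly.
# The scratch directory comes from mktemp: this script runs as root, and a
# fixed name under /tmp could be pre-created (or symlinked) by another local
# user, redirecting the write and the later rm -rf.
if TEST_DIR=$(mktemp -d 2>/dev/null); then
  mkdir -p "$TEST_DIR"/{lower,upper,work,merged} 2>/dev/null
  echo "test-content" > "$TEST_DIR/lower/testfile"
  if mount -t overlay overlay -o "lowerdir=$TEST_DIR/lower,upperdir=$TEST_DIR/upper,workdir=$TEST_DIR/work" "$TEST_DIR/merged" 2>/dev/null; then
    # A successful mount is not enough; the lower layer must be visible through it.
    if [ -f "$TEST_DIR/merged/testfile" ]; then
      echo " ✓ Overlay mount successful"
      echo " ✓ File access works"
      echo " → RECOMMENDATION: storage-driver: overlay2 (optimal)"
    else
      echo " ✗ Overlay mount but file access failed"
      echo " → RECOMMENDATION: storage-driver: vfs (fallback)"
    fi
    umount "$TEST_DIR/merged" 2>/dev/null
  else
    echo " ✗ Overlay mount failed"
    echo " → RECOMMENDATION: storage-driver: vfs (fallback)"
  fi
  # ${TEST_DIR:?} aborts the expansion instead of running rm -rf on an empty path.
  rm -rf -- "${TEST_DIR:?}" 2>/dev/null
else
  echo " ✗ Could not create a temporary directory; overlay mount not tested"
  echo " → RECOMMENDATION: storage-driver: vfs (fallback)"
fi
echo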
# Test 3: Systemd cgroup hierarchy
#
# Reports which cgroup layout is visible under /sys/fs/cgroup, then checks
# whether systemd-run can start a transient scope in a throwaway slice. The
# outcome of that second check decides the cgroup driver recommendation.
printf '%s\n' "3. SYSTEMD CGROUP SUPPORT:"
CGROUP_VERSION="unknown"
if [[ -f /sys/fs/cgroup/cgroup.controllers ]]; then
  # A cgroup.controllers file at the root is what this script treats as v2.
  CGROUP_VERSION="v2"
  CONTROLLERS=$(cat /sys/fs/cgroup/cgroup.controllers 2>/dev/null)
  printf '%s\n' \
    " Cgroup version: v2" \
    " Available controllers: ${CONTROLLERS:-none}"
elif [[ -d /sys/fs/cgroup/systemd ]]; then
  # Otherwise a named systemd hierarchy is taken as the v1 layout.
  CGROUP_VERSION="v1"
  systemd_entries=$(ls /sys/fs/cgroup/systemd/ 2>/dev/null | wc -l)
  printf '%s\n' \
    " Cgroup version: v1" \
    " Systemd cgroup: ${systemd_entries} entries"
fi
# Test systemd scope creation
if systemd-run --scope --slice=docker-test.slice echo "test" >/dev/null 2>&1; then
  scope_status=" ✓ Systemd scope creation works"
  cgroup_driver="systemd"
else
  scope_status=" ✗ Systemd scope creation failed"
  cgroup_driver="cgroupfs"
fi
printf '%s\n' \
  "$scope_status" \
  " → RECOMMENDATION: exec-opts: [native.cgroupdriver=${cgroup_driver}]"
echo
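# Test 4: Docker service functionality
echo "4. DOCKER SERVICE STATUS:"
if systemctl is-active docker >/dev/null 2>&1; then
  echo " ✓ Docker service is active"
  # Test port mapping (tests userland-proxy effectiveness).
  # The port is published on loopback only: a bare "18080:80" binds every
  # interface and would expose the test web server to the network for as long
  # as the container lives. --rm removes the container if it stops on its own,
  # so an interrupted run is less likely to leave a stale one behind.
  # NOTE(review): nginx:alpine is referenced by tag and is pulled from the
  # configured registry when not cached; pin a digest if the result must be
  # reproducible or the container has restricted egress.
  echo " Testing port mapping..."
  if docker run -d --rm --name lxc-test-nginx -p 127.0.0.1:18080:80 nginx:alpine >/dev/null 2>&1; then
    sleep 2
    # --max-time keeps a wedged port mapping from hanging the whole report.
    if curl -s --max-time 5 http://127.0.0.1:18080 >/dev/null 2>&1; then
      echo " ✓ Port mapping works"
    else
      echo " ✗ Port mapping accessible but connection failed"
    fi
    docker rm -f lxc-test-nginx >/dev/null 2>&1
  else
    echo " ✗ Container port mapping failed"
  fi
  # Check for Docker errors logged at priority "err" or worse in the last
  # five minutes, which includes anything the test container just triggered.
  ERRORS=$(journalctl -u docker --since="5 minutes ago" -p err --no-pager -q | wc -l)
  if [ "$ERRORS" -eq 0 ]; then
    echo " ✓ No recent Docker errors"
  else
    echo " ! Found $ERRORS recent Docker errors"
  fi
else
  echo " ✗ Docker service not active"
fi
echo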
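# Generate final recommendations
#
# Prints a YAML fragment for the Docker daemon configuration. Child keys are
# indented under their parent so the fragment parses as the nested mapping it
# is meant to be. Each setting is decided by a fresh, side-effect-free probe.
echo "=== RECOMMENDED DOCKER DAEMON CONFIGURATION ==="
echo "docker_daemon_config:"
# NOTE(review): max-size and max-file are options of the json-file/local log
# drivers; confirm the journald driver accepts them before applying this
# fragment, or drop log-opts.
echo "  log-driver: \"journald\""
echo "  log-opts:"
echo "    max-size: \"10m\""
echo "    max-file: \"3\""

# Storage driver recommendation.
# The probe mounts an overlay inside a private mktemp directory. Using /tmp as
# lowerdir, upperdir, workdir and mount point at once is expected to be
# rejected by the kernel (upperdir and workdir must be separate), which would
# report vfs no matter what the container supports; had it succeeded, it
# would have shadowed the live /tmp.
overlay_ok=0
if probe_dir=$(mktemp -d 2>/dev/null); then
  if mkdir -p "$probe_dir"/{lower,upper,work,merged} 2>/dev/null &&
    mount -t overlay overlay -o "lowerdir=$probe_dir/lower,upperdir=$probe_dir/upper,workdir=$probe_dir/work" "$probe_dir/merged" 2>/dev/null; then
    overlay_ok=1
    umount "$probe_dir/merged" 2>/dev/null
  fi
  # ${probe_dir:?} aborts the expansion instead of running rm -rf on an empty path.
  rm -rf -- "${probe_dir:?}" 2>/dev/null
fi
if [ "$overlay_ok" -eq 1 ]; then
  echo "  storage-driver: \"overlay2\""
else
  echo "  storage-driver: \"vfs\" # overlay2 not supported"
fi

# Cgroup driver recommendation
if systemd-run --scope echo "test" >/dev/null 2>&1; then
  echo "  exec-opts:"
  echo "    - \"native.cgroupdriver=systemd\""
else
  echo "  exec-opts:"
  echo "    - \"native.cgroupdriver=cgroupfs\""
fi
echo "  live-restore: true"

# Userland proxy recommendation.
# The write probe uses a scratch chain that nothing jumps to. An uncommented
# "-A INPUT -j ACCEPT" followed by "-D INPUT -j ACCEPT" opens the firewall
# while it is in place, and the delete removes the first matching rule, which
# may be one the administrator had placed earlier in the chain.
final_chain="LXC-CAP-FINAL-$$"
iptables_ok=0
if iptables -t nat -L >/dev/null 2>&1 && iptables -N "$final_chain" >/dev/null 2>&1; then
  if iptables -A "$final_chain" -j RETURN >/dev/null 2>&1; then
    iptables_ok=1
  fi
  # Flush before removing so the chain is never left behind non-empty.
  iptables -F "$final_chain" >/dev/null 2>&1
  iptables -X "$final_chain" >/dev/null 2>&1
fi
if [ "$iptables_ok" -eq 1 ]; then
  echo "  userland-proxy: false # iptables works - better performance"
else
  echo "  userland-proxy: true # iptables restricted - required for port mapping"
fi
echo
echo "=== END REPORT ==="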