6.2.4. Nesting

To run containers inside containers - referred to as nested containers - two lines must be present in the parent container's configuration file:

lxc.mount.auto = cgroup

lxc.aa_profile = lxc-container-default-with-nesting

The first line causes the cgroup manager socket to be bound into the container, so that lxc inside the container is able to administer cgroups for its nested containers. The second line causes the container to run under a looser AppArmor policy, which allows the container to do the mounting required for starting containers. Note that this policy, when used with a privileged container, is much less safe than the regular policy or an unprivileged container. See Section 6.9, “Apparmor” [p. 368] for more information.
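The following added example (not part of the original guide) audits a container configuration for the two nesting lines above and flags the riskier case of the nesting profile on a privileged container. The function names and sample configurations are constructed for illustration, and it assumes that a configuration with no lxc.id_map entries describes a privileged container and that the last lxc.aa_profile assignment is the effective one.

```python
NESTING_PROFILE = "lxc-container-default-with-nesting"

def parse_lxc_config(text):
    """Return (key, value) pairs in file order; keys such as lxc.id_map repeat."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs

def audit_nesting(text):
    """Report whether both nesting lines are present and whether that is risky."""
    pairs = parse_lxc_config(text)
    def values(wanted):
        return [v for k, v in pairs if k == wanted]
    # lxc.mount.auto holds a space-separated list; compare the part before any ":".
    mounts = [m.split(":")[0] for v in values("lxc.mount.auto") for m in v.split()]
    has_cgroup = "cgroup" in mounts
    profiles = values("lxc.aa_profile")
    profile = profiles[-1] if profiles else None  # assumption: last assignment wins
    has_profile = profile == NESTING_PROFILE
    # Assumption: a config with no lxc.id_map entries describes a privileged container.
    privileged = not values("lxc.id_map")
    findings = []
    if has_profile and not has_cgroup:
        findings.append("nesting profile set but lxc.mount.auto lacks cgroup")
    if has_cgroup and not has_profile:
        findings.append("cgroup mount set but nesting profile missing")
    if has_profile and privileged:
        findings.append("nesting profile on a privileged container: looser AppArmor policy")
    return {"nesting": has_cgroup and has_profile, "privileged": privileged, "findings": findings}

# Constructed sample configs (not from a real host).
PRIVILEGED_NESTED = """\
# parent container
lxc.utsname = parent
lxc.mount.auto = cgroup
lxc.aa_profile = lxc-container-default-with-nesting
"""
UNPRIVILEGED_NESTED = PRIVILEGED_NESTED + """\
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""

if __name__ == "__main__":
    for name, cfg in (("privileged", PRIVILEGED_NESTED), ("unprivileged", UNPRIVILEGED_NESTED)):
        print(name, audit_nesting(cfg))
```

An empty findings list with "nesting" true means both lines are present on a container that has ID mappings, which is the safer combination the text describes.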

