I have a NixOS container with some services wired up and namespaced in its own network. I was hoping to extend this container to run oci-containers with either docker or podman (either is fine), although neither of them is able to start due to permissions.
Specifically, docker stops with:

```
dockerd: failed to start daemon: Devices cgroup isn't mounted
```

while podman similarly with:

```
Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded. Error: create keyring `<>`: Operation not permitted: OCI permission denied
```
The containers are for software that’s not yet available in nixpkgs and also as an experiment to see if this kind of nesting would work.
Has anyone tried this before?
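Both error messages above are the runtimes complaining that a cgroup controller they rely on (`devices` for dockerd, `pids` for podman) is not visible from inside the container. The script below is an added example, not part of the original post, that checks which controllers are visible, looking first at a cgroup v2 `cgroup.controllers` file and then at v1 `cgroup` mounts. It takes the file paths as arguments so it can be run against the constructed sample data embedded at the bottom; to inspect a real container, pass `/sys/fs/cgroup/cgroup.controllers` and `/proc/mounts` instead.

```shell
#!/bin/sh
# Added example (not from the original post): report which cgroup controllers
# are visible from the current mount and cgroup namespaces. The file paths are
# parameters so the functions can be exercised on constructed sample data.

# cgroup v2: controllers delegated to this cgroup are listed, space-separated,
# in cgroup.controllers (normally /sys/fs/cgroup/cgroup.controllers).
# Caveat: cgroup v2 has no "devices" controller at all; device access on v2 is
# enforced with BPF device programs, so dockerd's "Devices cgroup isn't mounted"
# check is only meaningful on a v1 (or hybrid) hierarchy.
v2_has_controller() {
  # $1 = path to cgroup.controllers, $2 = controller name
  [ -r "$1" ] || return 1
  tr ' ' '\n' < "$1" | grep -qx "$2"
}

# cgroup v1: every controller is its own mount with fstype "cgroup" and the
# controller name among the mount options (normally read from /proc/mounts).
v1_has_controller() {
  # $1 = path to a mounts file, $2 = controller name
  [ -r "$1" ] || return 1
  awk -v want="$2" '
    $3 == "cgroup" {
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++) if (opts[i] == want) found = 1
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# Print "v2", "v1" or "missing" for a controller; return 0 only when found.
check_controller() {
  # $1 = cgroup.controllers path, $2 = mounts path, $3 = controller name
  if v2_has_controller "$1" "$3"; then echo "v2"; return 0; fi
  if v1_has_controller "$2" "$3"; then echo "v1"; return 0; fi
  echo "missing"
  return 1
}

# Constructed sample data: a container that sees a v2 root with only cpu and
# memory delegated, plus a single v1 "devices" hierarchy mounted alongside.
SAMPLE_DIR=$(mktemp -d)
printf 'cpu memory\n' > "$SAMPLE_DIR/cgroup.controllers"
cat > "$SAMPLE_DIR/mounts" <<'EOF'
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
EOF

# The controllers the two error messages on this page are about, plus one
# that the sample data does delegate.
for c in devices pids cpu; do
  printf '%s: %s\n' "$c" \
    "$(check_controller "$SAMPLE_DIR/cgroup.controllers" "$SAMPLE_DIR/mounts" "$c")"
done
```

Against the sample data this prints `devices: v1`, `pids: missing` and `cpu: v2`, which matches the podman message on the page (no pids controller delegated) while showing how the dockerd check would pass only when a v1 devices hierarchy is actually mounted inside the container.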