Running Balena engine inside a container running on balena engine

A question I’m quite sure will initially invoke comments that this is ill advised. Has anyone ever installed balena engine inside of a balena container running on a balena device? The intent being to give users of the device access to their own private balena engine instance without interfering with the base install.

Another option for me may be running Portainer to control the whole device, but use the user accounts in there to limit control of certain components. Has anyone tried Portainer with Balena Engine?

Note similar steps in Docker but with a custom container: https://hub.docker.com/_/docker/

An update here to evolve my question.

I have managed to get Portainer running on the Balena OS and connected to the Balena socket.

Some things look a little off, for example the list of images that are being used by Balena are listed as Unused, presumably because of the way Balena deploys images but can’t be sure.

All in all though it seems to work quite well.

Question then, if I deploy images from Portainer on the device, will Supervisor interfere and try to stop/remove containers, or does it only monitor and act on things started by itself?

will Supervisor interfere and try to stop/remove containers, or does it only monitor and act on things started by itself?

It shouldn’t do, no.

Some things look a little off, for example the list of images that are being used by Balena are listed as Unused

Could you explain a little more about this; is this a Portainer related thing? We don’t do anything special when deploying the images, except maybe Deltas but I wouldn’t expect anything to be detectable in the way these work.

Thanks for the info.

In terms of it being ‘a little off’, that did indeed end up being a Portainer related issue. I had hidden the containers related to Balena using Portainer’s labels, and subsequently Portainer hadn’t handled the associated images very well. I logged it with Portainer: https://github.com/portainer/portainer/issues/3565

So far so good, things seem to be running well, and your confirmation that Supervisor won’t intervene in these created containers is reassuring.

Deploying containers through Portainer and adding a Balena label doesn’t seem to take effect, for example the Supervisor doesn’t become available with “io.balena.features.supervisor-api”: “1”. It does though if I redeploy one of the images that are on the device as part of its initial Balena Push, and repurpose them with new labels. This is actually a benefit for me, but wasn’t what I had anticipated. It seems when I do this manually without Portainer it doesn’t take effect either, not sure if that is expected? Is there something injected into the containers built with Balena Push that makes them work with the labels?

Would rather the title of this thread now be Portainer related, but unfortunately can’t seem to change it.

For those searching Portainer, here is the Docker Compose that worked for me:

version: '2.1'

services:
    portainer:
        ports:
            - '9000:9000'
        labels:
            io.balena.features.balena-socket: '1'
        volumes:
            - 'portainer:/data'
        image: portainer/portainer
        command: -H unix:///var/run/balena-engine.sock

volumes:
    portainer:
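
An added example, not part of the original thread and not balena or Portainer code: a container with the engine socket mounted can control every container on the device, so this audit lists which containers actually hold that socket, which only carry the label without the mount (the situation described above for labels added by hand), and which host ports they publish. The container names and sample JSON are constructed, and the input shape assumes the engine's Docker-compatible container list response.

```python
import json

SOCKET_LABEL = "io.balena.features.balena-socket"  # label from the compose file above
SOCKET_NAME = "balena-engine.sock"                 # socket name from the compose file above

# Constructed sample in the shape of a Docker-compatible `GET /containers/json`
# response; names, images and values are made up for illustration.
SAMPLE = json.loads("""
[
  {"Names": ["/portainer_1"], "Image": "portainer/portainer",
   "Labels": {"io.balena.features.balena-socket": "1"},
   "Mounts": [{"Type": "bind", "Source": "/var/run/balena-engine.sock",
               "Destination": "/var/run/balena-engine.sock"}],
   "Ports": [{"IP": "0.0.0.0", "PrivatePort": 9000, "PublicPort": 9000, "Type": "tcp"}]},
  {"Names": ["/sensor_1"], "Image": "example/sensor", "Labels": {},
   "Mounts": [{"Type": "volume", "Source": "data", "Destination": "/data"}],
   "Ports": []},
  {"Names": ["/manual_test"], "Image": "portainer/portainer",
   "Labels": {"io.balena.features.balena-socket": "1"},
   "Mounts": [], "Ports": [{"PrivatePort": 9000, "Type": "tcp"}]}
]
""")

def has_socket(c):
    """True only if the engine socket is really mounted, whatever the labels say."""
    return any(m.get("Source", "").endswith(SOCKET_NAME)
               or m.get("Destination", "").endswith(SOCKET_NAME)
               for m in c.get("Mounts") or [])

def published(c):
    """Host ports that are published and not bound to loopback only."""
    return sorted({p["PublicPort"] for p in c.get("Ports") or []
                   if "PublicPort" in p and p.get("IP", "") not in ("127.0.0.1", "::1")})

def audit(containers):
    """Return (name, finding, published_ports) for socket-related containers."""
    report = []
    for c in containers:
        name = c["Names"][0].lstrip("/")
        labelled = (c.get("Labels") or {}).get(SOCKET_LABEL) == "1"
        if has_socket(c):
            report.append((name, "engine-socket", published(c)))
        elif labelled:
            # Label present but no socket mount: the label did not take effect.
            report.append((name, "label-only", published(c)))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

To run it against a device, replace `SAMPLE` with the parsed container list obtained from the engine.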