@khaije1
Last active August 29, 2015 14:15
the Quest for Unprivileged LXC on Debian (personal notes, some understood portions omitted)
## unprivileged LXC on Debian ##
#refs:
# http://www.cyberciti.biz/faq/howto-linux-configuring-default-route-with-ipcommand/
# https://wiki.debian.org/BridgeNetworkConnections
# https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
## one-time pre-reqs
# install software packages
aptitude install lxc newuidmap
#(opt.) for network access: aptitude install bridge-utils
# setup sub-ids
sudo usermod -v $(awk -F: '//{print $2 + $3}' /etc/subuid | sort -nr | head -1)-$(($(awk -F: '//{print $2 + $3}' /etc/subuid | sort -nr | head -1) + 65536 )) ${USER}
sudo usermod -w $(awk -F: '//{print $2 + $3}' /etc/subgid | sort -nr | head -1)-$(($(awk -F: '//{print $2 + $3}' /etc/subgid | sort -nr | head -1) + 65536 )) ${USER}
# provide veth access
echo "${USER} veth lxcbr0 10" | sudo tee -a /etc/lxc/lxc-usernet
## needed for each boot (if not set up permanently)
# set kernel and cgroups params
echo 1 | sudo tee /sys/fs/cgroup/cpuset/cgroup.clone_children
echo 1 | sudo tee /proc/sys/kernel/unprivileged_userns_clone
# create personal cgroups partition, own personal cgroups partition, add shell PID to personal cgroups partition
for i in /sys/fs/cgroup/* ;do sudo mkdir -p ${i}/${USER} ; sudo chown -R ${USER} ${i}/${USER} ; echo $$ >> ${i}/${USER}/tasks ;done
# create local bridge to allow external access, bring it "up" to enable forwarding
sudo brctl addbr lxcbr0
sudo brctl setfd lxcbr0 0
sudo ifconfig lxcbr0 up
sudo brctl addif lxcbr0 eth0
# setup NAT'ing
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o lxcbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i lxcbr0 -o eth0 -j ACCEPT
# maybe: sudo iptables -A FORWARD -d 255.255.255.255 -j ACCEPT
# nb, the CX (container) inherits environment variables from the invoking shell, which could be awkward
# nb, make sure to configure (from within the CX) the device IP/CIDR, bring the device up and create a default route
# expect to set the CX's /etc/resolv.conf
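# Added example, not part of the original gist: a small POSIX sh helper that
# computes the next free subordinate-ID range the same way the usermod -v/-w
# lines above do (highest existing start+count in /etc/subuid or /etc/subgid),
# plus a read-only preflight that checks the one-time and per-boot prerequisites
# listed above before trying to start a container. Function names, the 65536-id
# default and the sample file used in the usage line are my own assumptions; one
# difference from the usermod lines: next_free_range hands out exactly SIZE ids,
# whereas the lines above span max to max+65536 (one id more).

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the gist).

# next_free_range FILE [SIZE]
# Print "FIRST-LAST" for a block of SIZE ids (default 65536) starting right
# after the highest range already allocated in FILE (lines are name:start:count).
next_free_range() {
    file=$1
    size=${2:-65536}
    # start+count is the first id past each existing range; keep the maximum
    first=$(awk -F: 'NF>=3 {e=$2+$3; if (e>max) max=e} END {print max+0}' "$file")
    last=$((first + size - 1))
    printf '%s-%s\n' "$first" "$last"
}

# preflight USER
# Read-only checks for the prerequisites in the notes above. Prints one line
# per check and returns non-zero if any check fails (nothing is modified).
preflight() {
    user=$1
    rc=0
    # check LABEL COMMAND...   (runs COMMAND, records the result)
    check() {
        label=$1; shift
        if "$@" 2>/dev/null; then echo "ok   $label"; else echo "FAIL $label"; rc=1; fi
    }
    check "subuid range for $user"      grep -q "^${user}:" /etc/subuid
    check "subgid range for $user"      grep -q "^${user}:" /etc/subgid
    check "lxc-usernet veth quota"      grep -q "^${user} veth lxcbr0" /etc/lxc/lxc-usernet
    check "unprivileged userns enabled" grep -qx 1 /proc/sys/kernel/unprivileged_userns_clone
    check "cpuset clone_children set"   grep -qx 1 /sys/fs/cgroup/cpuset/cgroup.clone_children
    check "bridge lxcbr0 present"       test -d /sys/class/net/lxcbr0
    check "ipv4 forwarding enabled"     grep -qx 1 /proc/sys/net/ipv4/ip_forward
    return $rc
}

# Usage (only when invoked as "sh thisfile.sh check"):
#   prints the next free uid range and runs the preflight for the current user.
case "${1:-}" in
    check)
        echo "next free subuid range: $(next_free_range /etc/subuid)"
        preflight "${USER:-$(id -un)}"
        ;;
esac
```

# The two usermod lines above can then be written as
#   sudo usermod -v "$(next_free_range /etc/subuid)" "$USER"
#   sudo usermod -w "$(next_free_range /etc/subgid)" "$USER"
# and preflight is a quick way to see which per-boot step was skipped when a
# container refuses to start.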