the Quest for Unprivileged LXC on Debian (personal notes, some understood portions omitted)
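## unprivileged LXC on Debian ##
# Personal notes, meant to be run step by step in an interactive shell rather
# than as one script: most lines need root via sudo, and the "each boot"
# section must be repeated after every reboot unless made permanent elsewhere.
#refs: http://www.cyberciti.biz/faq/howto-linux-configuring-default-route-with-ipcommand/ https://wiki.debian.org/BridgeNetworkConnections https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/

## one-time pre-reqs

# install software packages
# (newuidmap is a binary, not a package name — on Debian it ships in "uidmap";
#  check that if aptitude cannot find it)
aptitude install lxc newuidmap
#(opt.) for network access: aptitude install bridge-utils

# setup sub-ids
# Each line of /etc/subuid and /etc/subgid is "name:start:count", so the first
# id past the highest allocated range is the largest start+count. The original
# repeated the awk pipeline twice per file; it is computed once here, quoted,
# and falls back to 100000 (the conventional first sub-id) when the file has
# no ranges yet — an empty result would otherwise yield the range "-65536".
next_free_id() {
  # $1: path to /etc/subuid or /etc/subgid; prints the next free id on stdout
  local next
  next=$(awk -F: '{print $2 + $3}' "$1" | sort -nr | head -n 1)
  printf '%s\n' "${next:-100000}"
}
subuid_start=$(next_free_id /etc/subuid)
subgid_start=$(next_free_id /etc/subgid)
# range is start..start+65536 inclusive, as in the original (65537 ids)
sudo usermod -v "${subuid_start}-$((subuid_start + 65536))" "${USER}"
sudo usermod -w "${subgid_start}-$((subgid_start + 65536))" "${USER}"

# provide veth access: let ${USER} attach up to 10 veth devices to lxcbr0
printf '%s veth lxcbr0 10\n' "${USER}" | sudo tee -a /etc/lxc/lxc-usernet

## needed for each boot (if not set up permanently)

# set kernel and cgroups params
echo 1 | sudo tee /sys/fs/cgroup/cpuset/cgroup.clone_children
# host-wide switch: this enables user namespaces for every unprivileged user on
# the machine, not only ${USER}
echo 1 | sudo tee /proc/sys/kernel/unprivileged_userns_clone

# create personal cgroups partition, own it, add this shell's PID to it
# ($$ is the invoking shell, so everything started from it — including
#  lxc-start — inherits the cgroup membership)
for ctrl in /sys/fs/cgroup/*; do
  [ -d "${ctrl}" ] || continue   # skip a non-directory entry or an unmatched glob
  sudo mkdir -p "${ctrl}/${USER}"
  sudo chown -R "${USER}" "${ctrl}/${USER}"
  echo $$ >> "${ctrl}/${USER}/tasks"
done

# create local bridge to allow external access, bring it "up" to enable forwarding
sudo brctl addbr lxcbr0
sudo brctl setfd lxcbr0 0
sudo ifconfig lxcbr0 up
# NOTE(review): enslaving eth0 puts lxcbr0 — and so every container — directly
# on the physical L2 segment, and the host's own IP config typically has to
# move from eth0 to lxcbr0. The NAT rules below instead assume containers sit
# behind the host on lxcbr0 and leave via eth0. Normally only one of the two
# models is wanted; confirm which before combining them.
sudo brctl addif lxcbr0 eth0

# setup NAT'ing
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# fixed: the state name is ESTABLISHED; the original "ESTABLISH" is rejected by
# iptables, so no return-path rule for container traffic was ever installed
sudo iptables -A FORWARD -i eth0 -o lxcbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i lxcbr0 -o eth0 -j ACCEPT
# these ACCEPT rules only restrict anything if FORWARD's default policy is DROP;
# with the usual ACCEPT policy all forwarded traffic passes regardless
# maybe: sudo iptables -A FORWARD -d 255.255.255.255 -j ACCEPT

# nb, the CX inherits environment variables from the invoking shell, which could be awkward
# nb, make sure to configure (from w/i the CX) the dev IP/CIDR, to activate the device and to create a default route
# expect to set the CX's /etc/resolv.conf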