unprivileged containers under debian 8 jessie
---------------------------------------------
tl;dr: horrible, but works
1. Install sysvinit
# apt-get install sysvinit-core sysvinit sysvinit-utils
# reboot
2. Remove systemd
# apt-get remove --purge --auto-remove systemd
# echo -e 'Package: systemd\nPin: origin ""\nPin-Priority: -1' > /etc/apt/preferences.d/systemd
3. Install needed tools
# apt-get install bridge-utils uidmap cgroup-tools
4. Configure bridge
# cat >> /etc/network/interfaces << __EOF__
auto lxcbr0
iface lxcbr0 inet static
bridge_fd 0
address 10.0.1.1
netmask 255.255.255.0
bridge_stp off
bridge_waitport 0
bridge_ports none
__EOF__
# ifup lxcbr0
5. Configure user's lxc defaults
$ id thresh
uid=1012(thresh) gid=50(staff) groups=50(staff),51(syseng)
$ fgrep thresh /etc/subuid
thresh:689824:65536
$ fgrep thresh /etc/subgid
thresh:689824:65536
^^^ means I can use 65536 sub uids/gids starting with 689824, so:
$ mkdir -p ~/.config/lxc
$ cat >> ~/.config/lxc/default.conf << __EOF__
lxc.include = /etc/lxc/default.conf
lxc.id_map = u 0 689824 65536
lxc.id_map = g 0 689824 65536
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 52:54:00:AB:01:01
__EOF__
# echo "thresh veth lxcbr0 10" > /etc/lxc/lxc-usernet
6. Set needed kernel parameter
# echo "kernel.unprivileged_userns_clone = 1" >> /etc/sysctl.conf && sysctl -p
7. Create a cgroup for user and move all the stuff to that cgroup:
# cat > /etc/cgconfig.conf << __EOF__
mount {
cpu = /sys/fs/cgroup;
cpuset = /sys/fs/cgroup;
cpuacct = /sys/fs/cgroup;
#memory = /sys/fs/cgroup;
devices = /sys/fs/cgroup;
freezer = /sys/fs/cgroup;
net_cls = /sys/fs/cgroup;
blkio = /sys/fs/cgroup;
perf_event = /sys/fs/cgroup;
}
group thresh {
perm {
task {
uid = thresh;
}
admin {
uid = thresh;
}
}
cpu {
}
cpuset {
cpuset.cpus = 0-1;
cpuset.mems = 0;
}
}
__EOF__
# cat > /etc/cgrules.conf << __EOF__
thresh * thresh
__EOF__
# cat >>/etc/rc.local << __EOF__
/usr/sbin/cgconfigparser -l /etc/cgconfig.conf
/usr/sbin/cgrulesengd
__EOF__
# reboot
8. Launch containers marked as auto-start on system boot:
# cat >> /etc/rc.local << __EOF__
/bin/su -c /usr/bin/lxc-autostart thresh
__EOF__
9. Create a container. For some reason jessie is not available so create wheezy instead:
$ lxc-create -t download -n p2 -- -d debian -r wheezy -a amd64
$ lxc-start -n p2 -d
yay!
$ lxc-ls --fancy
NAME  STATE    IPV4  IPV6  AUTOSTART
------------------------------------
p2    RUNNING  -     -     NO
10. Autostart the container:
$ echo "lxc.start.auto = 1" >> .local/share/lxc/p2/config
--
thresh 13/08/2015
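As an added pre-flight check for step 5 (this is not part of the gist): a POSIX sh function that verifies the lxc.id_map range in ~/.config/lxc/default.conf lies entirely inside the range delegated in /etc/subuid or /etc/subgid. newuidmap/newgidmap refuse any mapping outside the delegated range when the container starts, so a mismatch is better caught before lxc-start. The sample lines are constructed from the gist's own values.

```shell
#!/bin/sh
# check_idmap SUBID_LINE IDMAP_LINE
# SUBID_LINE is one line of /etc/subuid or /etc/subgid ("user:start:count").
# IDMAP_LINE is one lxc.id_map line ("lxc.id_map = <u|g> <ctr id> <host id> <count>").
# Returns 0 when [host id, host id + count) fits inside [start, start + count)
# of the delegated range, 1 otherwise.
check_idmap() {
    sub_start=$(printf '%s' "$1" | cut -d: -f2)
    sub_count=$(printf '%s' "$1" | cut -d: -f3)
    idmap=$2
    # Strip "lxc.id_map =" and split the remaining four fields.
    set -- $(printf '%s' "$idmap" | sed 's/^[^=]*=//')
    host_start=$3
    count=$4
    if [ "$host_start" -ge "$sub_start" ] &&
       [ $((host_start + count)) -le $((sub_start + sub_count)) ]; then
        return 0
    fi
    return 1
}

# Constructed sample input, taken from the values shown in step 5.
SUBUID_LINE='thresh:689824:65536'
UIDMAP_LINE='lxc.id_map = u 0 689824 65536'

if check_idmap "$SUBUID_LINE" "$UIDMAP_LINE"; then
    echo "id_map fits inside the delegated sub-id range"
else
    echo "id_map is outside the delegated sub-id range; newuidmap will refuse it"
fi
```

Run it once with the u line against /etc/subuid and once with the g line against /etc/subgid; a range that is off by even one id fails.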

ss-17 commented Feb 18, 2018

Hi there.

First of all thanks for that quick how-to. Really helped me. All seems to be working well except that I see this warning (with -l info on lxc-start) when the container is stopped:

lxc-start 20170218110642.185 WARN lxc_conf - conf.c:lxc_delete_network:3028 - Failed to remove interface "veth14PEUE" from host: Operation not permitted.

Doesn't affect the operation though as the interface does get removed. Do you see this too?
