This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| unprivileged containers under debian 8 jessie | |
| --------------------------------------------- | |
| tl;dr: horrible, but works | |
| 1. Install sysvinit | |
| # apt-get install sysvinit-core sysvinit sysvinit-utils | |
| # reboot | |
| 2. Remove systemd | |
| # apt-get remove --purge --auto-remove systemd | |
| # echo -e 'Package: systemd\nPin: origin ""\nPin-Priority: -1' > /etc/apt/preferences.d/systemd | |
| 3. Install needed tools | |
| # apt-get install bridge-utils uidmap cgroup-tools | |
| 4. Configure bridge | |
| # cat >> /etc/network/interfaces << __EOF__ | |
| auto lxcbr0 | |
| iface lxcbr0 inet static | |
| bridge_fd 0 | |
| address 10.0.1.1 | |
| netmask 255.255.255.0 | |
| bridge_stp off | |
| bridge_waitport 0 | |
| bridge_ports none | |
| __EOF__ | |
| # ifup lxcbr0 | |
| 5. Configure user's lxc defaults | |
| $ id thresh | |
| uid=1012(thresh) gid=50(staff) groups=50(staff),51(syseng) | |
| $ fgrep thresh /etc/subuid | |
| thresh:689824:65536 | |
| $ fgrep thresh /etc/subgid | |
| thresh:689824:65536 | |
| ^^^ means I can use 65536 sub uids/gids starting with 689824, so.. | |
| $ mkdir -p ~/.config/lxc | |
| $ cat >> ~/.config/lxc/default.conf << __EOF__ | |
| lxc.include = /etc/lxc/default.conf | |
| lxc.id_map = u 0 689824 65536 | |
| lxc.id_map = g 0 689824 65536 | |
| lxc.network.type = veth | |
| lxc.network.link = lxcbr0 | |
| lxc.network.flags = up | |
| lxc.network.hwaddr = 52:54:00:AB:01:01 | |
| __EOF__ | |
| # echo "thresh veth lxcbr0 10" > /etc/lxc/lxc-usernet | |
| 6. Set needed kernel parameter | |
| # echo "kernel.unprivileged_userns_clone = 1" >> /etc/sysctl.conf && sysctl -p | |
| 7. Create a cgroup for user and move all the stuff to that cgroup: | |
| # cat > /etc/cgconfig.conf << __EOF__ | |
| mount { | |
| cpu = /sys/fs/cgroup; | |
| cpuset = /sys/fs/cgroup; | |
| cpuacct = /sys/fs/cgroup; | |
| #memory = /sys/fs/cgroup; | |
| devices = /sys/fs/cgroup; | |
| freezer = /sys/fs/cgroup; | |
| net_cls = /sys/fs/cgroup; | |
| blkio = /sys/fs/cgroup; | |
| perf_event = /sys/fs/cgroup; | |
| } | |
| group thresh { | |
| perm { | |
| task { | |
| uid = thresh; | |
| } | |
| admin { | |
| uid = thresh; | |
| } | |
| } | |
| cpu { | |
| } | |
| cpuset { | |
| cpuset.cpus = 0-1; | |
| cpuset.mems = 0; | |
| } | |
| } | |
| __EOF__ | |
| # cat > /etc/cgrules.conf << __EOF__ | |
| thresh * thresh | |
| __EOF__ | |
| # cat >>/etc/rc.local << __EOF__ | |
| /usr/sbin/cgconfigparser -l /etc/cgconfig.conf | |
| /usr/sbin/cgrulesengd | |
| __EOF__ | |
| # reboot | |
| 8. Launch containers marked as auto-start on system boot: | |
| # cat >> /etc/rc.local << __EOF__ | |
| /bin/su -c /usr/bin/lxc-autostart thresh | |
| __EOF__ | |
| 9. Create a container. For some reason jessie is not available so create wheezy instead: | |
| $ lxc-create -t download -n p2 -- -d debian -r wheezy -a amd64 | |
| $ lxc-start -n p2 -d | |
| yay! | |
| $ lxc-ls --fancy | |
| NAME STATE IPV4 IPV6 AUTOSTART | |
| ------------------------------------ | |
| p2 RUNNING - - NO | |
| 10. Autostart the container: | |
| $ echo "lxc.start.auto = 1" >> .local/share/lxc/p2/config | |
| -- | |
| thresh 13/08/2015 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi there.
First of all thanks for that quick how-to. Really helped me. All seems to working well except that I see this warning (with -l info on lxc-start) when the container is stopped:
lxc-start 20170218110642.185 WARN lxc_conf - conf.c:lxc_delete_network:3028 - Failed to remove interface "veth14PEUE" from host: Operation not permitted.
Doesn't affect the operation though as the interface does get removed. Do you see this too?