thresheek/unprivileged containers under debian 8 jessie

## unprivileged containers under debian 8 jessie
unprivileged containers under debian 8 jessie
---------------------------------------------

tl;dr:   horrible, but works


1. Install sysvinit

  # apt-get install sysvinit-core sysvinit sysvinit-utils
  # reboot

2. Remove systemd

  # apt-get remove --purge --auto-remove systemd
  # echo -e 'Package: systemd\nPin: origin ""\nPin-Priority: -1' > /etc/apt/preferences.d/systemd

3. Install needed tools

  # apt-get install bridge-utils uidmap cgroup-tools

4. Configure bridge

  # cat >> /etc/network/interfaces << __EOF__
auto lxcbr0
iface lxcbr0 inet static
        bridge_fd 0
        address 10.0.1.1
        netmask 255.255.255.0
        bridge_stp off
        bridge_waitport 0
        bridge_ports none
__EOF__

  # ifup lxcbr0

5. Configure user's lxc defaults

  $ id thresh
uid=1012(thresh) gid=50(staff) groups=50(staff),51(syseng)

  $ fgrep thresh /etc/subuid
thresh:689824:65536
  $ fgrep thresh /etc/subgid
thresh:689824:65536

^^^ means I can use 65536 sub uids/gids starting with 689824, so..

  $ mkdir -p ~/.config/lxc
  $ cat >> ~/.config/lxc/default.conf << __EOF__
lxc.include = /etc/lxc/default.conf
lxc.id_map = u 0 689824 65536
lxc.id_map = g 0 689824 65536
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 52:54:00:AB:01:01
__EOF__

  # echo "thresh veth lxcbr0 10" > /etc/lxc/lxc-usernet

6. Set needed kernel parameter

  # echo "kernel.unprivileged_userns_clone = 1" >> /etc/sysctl.conf && sysctl -p

7. Create a cgroup for user and move all the stuff to that cgroup:
  # cat > /etc/cgconfig.conf << __EOF__
mount {
        cpu = /sys/fs/cgroup;
        cpuset = /sys/fs/cgroup;
        cpuacct = /sys/fs/cgroup;
        #memory  = /sys/fs/cgroup;
        devices = /sys/fs/cgroup;
        freezer = /sys/fs/cgroup;
        net_cls = /sys/fs/cgroup;
        blkio   = /sys/fs/cgroup;
        perf_event = /sys/fs/cgroup;
}

group thresh {
    perm {
        task {
            uid = thresh;
        }
        admin {
            uid = thresh;
        }
    }
    cpu {
    }
    cpuset {
        cpuset.cpus = 0-1;
        cpuset.mems = 0;
    }
}
__EOF__

  # cat > /etc/cgrules.conf << __EOF__
thresh * thresh
__EOF__

  # cat >>/etc/rc.local << __EOF__
/usr/sbin/cgconfigparser -l /etc/cgconfig.conf
/usr/sbin/cgrulesengd
__EOF__

  # reboot

8. Launch containers marked as auto-start on system boot:
  # cat >> /etc/rc.local << __EOF__
/bin/su -c /usr/bin/lxc-autostart thresh
__EOF__

9. Create a container. For some reason jessie is not available so create wheezy instead:

  $ lxc-create -t download -n p2 -- -d debian -r wheezy -a amd64
  $ lxc-start -n p2 -d

   yay!

  $ lxc-ls --fancy
NAME  STATE    IPV4  IPV6  AUTOSTART
------------------------------------
p2    RUNNING  -     -     NO

10. Autostart the container:
  $ echo "lxc.start.auto = 1" >> .local/share/lxc/p2/config


--
thresh 13/08/2015
	unprivileged containers under debian 8 jessie
	---------------------------------------------

	tl;dr: horrible, but works



	1. Install sysvinit

	# apt-get install sysvinit-core sysvinit sysvinit-utils
	# reboot

	2. Remove systemd

	# apt-get remove --purge --auto-remove systemd
	# echo -e 'Package: systemd\nPin: origin ""\nPin-Priority: -1' > /etc/apt/preferences.d/systemd

	3. Install needed tools

	# apt-get install bridge-utils uidmap cgroup-tools

	4. Configure bridge

	# cat >> /etc/network/interfaces << __EOF__
	auto lxcbr0
	iface lxcbr0 inet static
	bridge_fd 0
	address 10.0.1.1
	netmask 255.255.255.0
	bridge_stp off
	bridge_waitport 0
	bridge_ports none
	__EOF__

	# ifup lxcbr0

	5. Configure user's lxc defaults

	$ id thresh
	uid=1012(thresh) gid=50(staff) groups=50(staff),51(syseng)

	$ fgrep thresh /etc/subuid
	thresh:689824:65536
	$ fgrep thresh /etc/subgid
	thresh:689824:65536

	^^^ means I can use 65536 sub uids/gids starting with 689824, so..

	$ mkdir -p ~/.config/lxc
	$ cat >> ~/.config/lxc/default.conf << __EOF__
	lxc.include = /etc/lxc/default.conf
	lxc.id_map = u 0 689824 65536
	lxc.id_map = g 0 689824 65536
	lxc.network.type = veth
	lxc.network.link = lxcbr0
	lxc.network.flags = up
	lxc.network.hwaddr = 52:54:00:AB:01:01
	__EOF__

	# echo "thresh veth lxcbr0 10" > /etc/lxc/lxc-usernet

	6. Set needed kernel parameter

	# echo "kernel.unprivileged_userns_clone = 1" >> /etc/sysctl.conf && sysctl -p

	7. Create a cgroup for user and move all the stuff to that cgroup:
	# cat > /etc/cgconfig.conf << __EOF__
	mount {
	cpu = /sys/fs/cgroup;
	cpuset = /sys/fs/cgroup;
	cpuacct = /sys/fs/cgroup;
	#memory = /sys/fs/cgroup;
	devices = /sys/fs/cgroup;
	freezer = /sys/fs/cgroup;
	net_cls = /sys/fs/cgroup;
	blkio = /sys/fs/cgroup;
	perf_event = /sys/fs/cgroup;
	}

	group thresh {
	perm {
	task {
	uid = thresh;
	}
	admin {
	uid = thresh;
	}
	}
	cpu {
	}
	cpuset {
	cpuset.cpus = 0-1;
	cpuset.mems = 0;
	}
	}
	__EOF__

	# cat > /etc/cgrules.conf << __EOF__
	thresh * thresh
	__EOF__

	# cat >>/etc/rc.local << __EOF__
	/usr/sbin/cgconfigparser -l /etc/cgconfig.conf
	/usr/sbin/cgrulesengd
	__EOF__

	# reboot

	8. Launch containers marked as auto-start on system boot:
	# cat >> /etc/rc.local << __EOF__
	/bin/su -c /usr/bin/lxc-autostart thresh
	__EOF__

	9. Create a container. For some reason jessie is not available so create wheezy instead:

	$ lxc-create -t download -n p2 -- -d debian -r wheezy -a amd64
	$ lxc-start -n p2 -d

	yay!

	$ lxc-ls --fancy
	NAME STATE IPV4 IPV6 AUTOSTART
	------------------------------------
	p2 RUNNING - - NO

	10. Autostart the container:
	$ echo "lxc.start.auto = 1" >> .local/share/lxc/p2/config



	--
	thresh 13/08/2015