LXC chapter

Inga 🏳‍🌈 9 months ago
parent 3b2286ae6d
commit 7156c6d0f0

@ -410,6 +410,115 @@ riverctl float-filter-add title 'Firefox — Sharing Indicator'
(TODO: check which kind of quotes works)
## Development (containers)
### Unprivileged LXC with routing
(based on https://linuxcontainers.org/lxc/getting-started and https://wiki.alpinelinux.org/wiki/LXC)
#### Networking (host)
(assuming that your internet-connected interface is eth0,
and that you want to use subnet for the container)
doas apk add bridge
doas modprobe dummy
doas brctl addbr br0
doas brctl setfd br0 0
doas brctl addif br0 dummy0
doas ifconfig br0 netmask up
echo 1 | doas tee -a /proc/sys/net/ipv4/ip_forward
doas apk add iptables
doas rc-update add iptables
doas iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
doas iptables --append FORWARD --in-interface br0 -j ACCEPT
to persist:
echo dummy | doas tee -a /etc/modules
doas /etc/init.d/iptables save
#### Containers support
doas apk add lxc lxcfs lxc-download xz gnupg
echo "$(id -un):2000000:65536" | doas tee -a /etc/subuid
echo "$(id -un):2000000:65536 | doas tee -a /etc/subgid
echo "$(id -un) veth br0 10" | doas tee -a /etc/lxc/lxc-usernet
#### Creating container
Create `~/.config/lxc/CONTAINERNAME.conf" with the following content:
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.ipv4.address =
lxc.net.0.ipv4.gateway =
lxc.net.0.veth.pair = veth-if-0
lxc.idmap = u 0 2000000 65536
lxc.idmap = g 0 2000000 65536
lxc-create -n CONTAINERNAME -f .config/lxc/CONTAINERNAME.conf -t download
# pick OS (alpine/edge/amd64 in my case)
lxc-start -n CONTAINERNAME # make sure it does not produce any errors
lxc-attach -n CONTAINERNAME
You'll get into a container root console.
#### Networking (container)
In container root console, check if network is up with `ifconfig`.
If there are no IPv4 address for eth0, you'll have to configure it manually,
by editing `/etc/network/interfaces` either with VI or with cat/echo.
In the end it should look like
auto eth0
iface eth0 inet static
hostname ........
Then `rc-service networking restart`, and check `ifconfig`.
If everything is right, there should be an ipv4 address in `ifconfig`,
and `ping` inside container and `ping` inside host should work.
`ping` inside container should work too, thanks for routing.
Now, if `ping google.com` does not work, configure DNS in container:
echo nameserver >> /etc/resolv.conf
echo nameserver >> /etc/resolv.conf
Make sure `ping` works.
APK should work too: `apd add nano neofetch`
#### Creating an user inside container
In container root shell:
adduser USERNAME wheel
echo "permit persist :wheel" > /etc/doas.d/doas.conf
Now exit root shell (just with `exit`), and try `lxc-console -n CONTAINERNAME`.
You should be able to log in using the new username and password.
(To exit lxc console, use Ctrl+A, Q)
* Fix internal mic
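Review bot: the `/etc/subgid` line is missing its closing double quote (`echo "$(id -un):2000000:65536 | doas tee -a /etc/subgid`), so the shell keeps reading the pipe and the rest of the line as string content and waits for more input instead of writing the mapping; close it the way the `/etc/subuid` line above does: `echo "$(id -un):2000000:65536" | doas tee -a /etc/subgid`. Two smaller slips nearby: the config-file sentence opens with a backtick and closes with a double quote (`~/.config/lxc/CONTAINERNAME.conf"`), and `lxc-create ... -f .config/lxc/CONTAINERNAME.conf` only works when run from `$HOME`, so `~/.config/...` matches the sentence better; `apd add nano neofetch` should read `apk add`. On the host networking block, the POSTROUTING MASQUERADE and the FORWARD ACCEPT rules carry no source or destination restriction, so once `ip_forward` is 1 anything that arrives on `br0` is forwarded anywhere (the host's LAN included) and NATed out `eth0`; adding `-s <container subnet>` to the MASQUERADE rule and limiting the FORWARD rule the same way (with a `--out-interface br0 -m conntrack --ctstate RELATED,ESTABLISHED` rule for return traffic) keeps the routing to the container subnet. The "to persist" step also only persists the `dummy` module and the iptables rules; the `ip_forward` sysctl and the hand-built `br0`/`dummy0` bridge are lost on reboot and need an `/etc/sysctl.d` entry and an `/etc/network/interfaces` stanza as well, otherwise the container has no network after the next boot.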

@ -0,0 +1,9 @@
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
# lxc.net.0.name = eth1
lxc.net.0.ipv4.address =
lxc.net.0.ipv4.gateway =
lxc.net.0.veth.pair = veth-if-0
lxc.idmap = u 0 1100000 65536
lxc.idmap = g 0 1100000 65536
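Review bot: the idmap in this committed config (`lxc.idmap = u 0 1100000 65536` and `lxc.idmap = g 0 1100000 65536`) disagrees with the ranges the chapter tells the reader to allocate in `/etc/subuid` and `/etc/subgid` (`2000000:65536`) and with the example config shown in the chapter (`lxc.idmap = u 0 2000000 65536`); for an unprivileged container newuidmap/newgidmap only grant mappings inside the user's subuid/subgid allocation, so with this file `lxc-start` fails unless the reader happens to have a 1100000 allocation, and one of the two places should be changed so the numbers agree. `lxc.net.0.ipv4.address` and `lxc.net.0.ipv4.gateway` are left empty here, and `lxc.net.0.veth.pair = veth-if-0` pins the host-side veth name, so a second container created from this template cannot bring up its interface while the first one is running; either drop that line (lxc then picks a unique name) or note that it must be changed per container.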