From 7156c6d0f0a2005e9b3095b1bd274b72dd349308 Mon Sep 17 00:00:00 2001
From: Inga
Date: Fri, 2 Sep 2022 14:55:13 +0200
Subject: [PATCH] LXC chapter

---
 README.md | 109 ++++++++++++++++++
 .../.config/lxc/datawrapper-dev-alpine.conf | 9 ++
 2 files changed, 118 insertions(+)
 create mode 100644 dotfiles/.config/lxc/datawrapper-dev-alpine.conf

diff --git a/README.md b/README.md
index 02aa7f0..e1e2845 100644
--- a/README.md
+++ b/README.md
@@ -410,6 +410,115 @@ riverctl float-filter-add title 'Firefox — Sharing Indicator' (TODO: check which kind of quotes works) +## Development (containers) + +### Unprivileged LXC with routing + +(based on https://linuxcontainers.org/lxc/getting-started and https://wiki.alpinelinux.org/wiki/LXC) + +#### Networking (host) + +(assuming that your internet-connected interface is eth0, +and that you want to use 10.157.1.0/24 subnet for the container) + +``` +doas apk add bridge +doas modprobe dummy +doas brctl addbr br0 +doas brctl setfd br0 0 +doas brctl addif br0 dummy0 +doas ifconfig br0 10.157.1.1 netmask 255.255.255.0 up +echo 1 | doas tee -a /proc/sys/net/ipv4/ip_forward +doas apk add iptables +doas rc-update add iptables +doas iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE +doas iptables --append FORWARD --in-interface br0 -j ACCEPT +``` + +to persist: +``` +echo dummy | doas tee -a /etc/modules +doas /etc/init.d/iptables save +``` + +#### Containers support + +``` +doas apk add lxc lxcfs lxc-download xz gnupg +echo "$(id -un):2000000:65536" | doas tee -a /etc/subuid +echo "$(id -un):2000000:65536 | doas tee -a /etc/subgid +echo "$(id -un) veth br0 10" | doas tee -a /etc/lxc/lxc-usernet +``` + +#### Creating container + +Create `~/.config/lxc/CONTAINERNAME.conf" with the following content: +``` +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.link = br0 +lxc.net.0.ipv4.address = 10.157.1.2/24 10.157.1.255 +lxc.net.0.ipv4.gateway = 10.157.1.1 +lxc.net.0.veth.pair = veth-if-0 +lxc.idmap = u 0 2000000 65536 +lxc.idmap = g 0 2000000 65536 +``` + +Then: +``` +lxc-create -n CONTAINERNAME -f .config/lxc/CONTAINERNAME.conf -t download +# pick OS (alpine/edge/amd64 in my case) +lxc-start -n CONTAINERNAME # make sure it does not produce any errors +lxc-attach -n CONTAINERNAME +``` + +You'll get into a container root console. + +#### Networking (container) + +In container root console, check if network is up with `ifconfig`. 
+If there are no IPv4 address for eth0, you'll have to configure it manually, +by editing `/etc/network/interfaces` either with VI or with cat/echo. + +In the end it should look like +``` +auto eth0 +iface eth0 inet static + address 10.157.1.2 + netmask 255.255.255.0 + gateway 10.157.1.1 +hostname ........ +``` + +Then `rc-service networking restart`, and check `ifconfig`. +If everything is right, there should be an ipv4 address in `ifconfig`, +and `ping 10.157.1.1` inside container and `ping 10.157.1.2` inside host should work. + +`ping 8.8.8.8` inside container should work too, thanks for routing. + +Now, if `ping google.com` does not work, configure DNS in container: + +``` +echo nameserver 8.8.8.8 >> /etc/resolv.conf +echo nameserver 8.8.4.4 >> /etc/resolv.conf +``` + +Make sure `ping 8.8.8.8` works. +APK should work too: `apd add nano neofetch` + +#### Creating an user inside container + +In container root shell: +``` +adduser -g USERNAME USERNAME +adduser USERNAME wheel +echo "permit persist :wheel" > /etc/doas.d/doas.conf +``` + +Now exit root shell (just with `exit`), and try `lxc-console -n CONTAINERNAME`. +You should be able to log in using the new username and password. +(To exit lxc console, use Ctrl+A, Q) + ## TODO * Fix internal mic diff --git a/dotfiles/.config/lxc/datawrapper-dev-alpine.conf b/dotfiles/.config/lxc/datawrapper-dev-alpine.conf new file mode 100644 index 0000000..5fd804a --- /dev/null +++ b/dotfiles/.config/lxc/datawrapper-dev-alpine.conf @@ -0,0 +1,9 @@ +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.link = br0 +# lxc.net.0.name = eth1 +lxc.net.0.ipv4.address = 10.157.1.2/24 10.157.1.255 +lxc.net.0.ipv4.gateway = 10.157.1.1 +lxc.net.0.veth.pair = veth-if-0 +lxc.idmap = u 0 1100000 65536 +lxc.idmap = g 0 1100000 65536
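Review bot: The committed config maps container root to host uid/gid 1100000 (`lxc.idmap = u 0 1100000 65536` and `lxc.idmap = g 0 1100000 65536`), while the README added in the same commit allocates the user the 2000000:65536 range in /etc/subuid and /etc/subgid and uses 2000000 in its example config, so with the documented allocation lxc-start should reject this mapping as outside the permitted range. Either change the two idmap lines to `lxc.idmap = u 0 2000000 65536` and `lxc.idmap = g 0 2000000 65536` or document a matching subuid/subgid allocation for 1100000; note also that the README's subgid command is missing its closing double quote (`echo "$(id -un):2000000:65536 | doas tee -a /etc/subgid`), so as written the gid range is never granted at all. The fixed `lxc.net.0.veth.pair = veth-if-0` and the static 10.157.1.2 address mean a second container created from this file will collide on the host veth name or the bridge address; a comment such as `# single-container config: veth name and IP are fixed, change both for a second container` would make that limitation explicit.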