LXC chapter

main
Inga 🏳‍🌈 2 years ago
parent 3b2286ae6d
commit 7156c6d0f0
  1. 109
      README.md
  2. 9
      dotfiles/.config/lxc/datawrapper-dev-alpine.conf

@ -410,6 +410,115 @@ riverctl float-filter-add title 'Firefox — Sharing Indicator'
(TODO: check which kind of quotes works) (TODO: check which kind of quotes works)
## Development (containers)
### Unprivileged LXC with routing
(based on https://linuxcontainers.org/lxc/getting-started and https://wiki.alpinelinux.org/wiki/LXC)
#### Networking (host)
(assuming that your internet-connected interface is eth0,
and that you want to use 10.157.1.0/24 subnet for the container)
```
doas apk add bridge
doas modprobe dummy
doas brctl addbr br0
doas brctl setfd br0 0
doas brctl addif br0 dummy0
doas ifconfig br0 10.157.1.1 netmask 255.255.255.0 up
echo 1 | doas tee -a /proc/sys/net/ipv4/ip_forward
doas apk add iptables
doas rc-update add iptables
doas iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
doas iptables --append FORWARD --in-interface br0 -j ACCEPT
```
to persist:
```
echo dummy | doas tee -a /etc/modules
doas /etc/init.d/iptables save
```
#### Containers support
```
doas apk add lxc lxcfs lxc-download xz gnupg
echo "$(id -un):2000000:65536" | doas tee -a /etc/subuid
echo "$(id -un):2000000:65536 | doas tee -a /etc/subgid
echo "$(id -un) veth br0 10" | doas tee -a /etc/lxc/lxc-usernet
```
#### Creating container
Create `~/.config/lxc/CONTAINERNAME.conf" with the following content:
```
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.ipv4.address = 10.157.1.2/24 10.157.1.255
lxc.net.0.ipv4.gateway = 10.157.1.1
lxc.net.0.veth.pair = veth-if-0
lxc.idmap = u 0 2000000 65536
lxc.idmap = g 0 2000000 65536
```
Then:
```
lxc-create -n CONTAINERNAME -f .config/lxc/CONTAINERNAME.conf -t download
# pick OS (alpine/edge/amd64 in my case)
lxc-start -n CONTAINERNAME # make sure it does not produce any errors
lxc-attach -n CONTAINERNAME
```
You'll get into a container root console.
#### Networking (container)
In container root console, check if network is up with `ifconfig`.
If there are no IPv4 address for eth0, you'll have to configure it manually,
by editing `/etc/network/interfaces` either with VI or with cat/echo.
In the end it should look like
```
auto eth0
iface eth0 inet static
address 10.157.1.2
netmask 255.255.255.0
gateway 10.157.1.1
hostname ........
```
Then `rc-service networking restart`, and check `ifconfig`.
If everything is right, there should be an ipv4 address in `ifconfig`,
and `ping 10.157.1.1` inside container and `ping 10.157.1.2` inside host should work.
`ping 8.8.8.8` inside container should work too, thanks for routing.
Now, if `ping google.com` does not work, configure DNS in container:
```
echo nameserver 8.8.8.8 >> /etc/resolv.conf
echo nameserver 8.8.4.4 >> /etc/resolv.conf
```
Make sure `ping 8.8.8.8` works.
APK should work too: `apd add nano neofetch`
#### Creating an user inside container
In container root shell:
```
adduser -g USERNAME USERNAME
adduser USERNAME wheel
echo "permit persist :wheel" > /etc/doas.d/doas.conf
```
Now exit root shell (just with `exit`), and try `lxc-console -n CONTAINERNAME`.
You should be able to log in using the new username and password.
(To exit lxc console, use Ctrl+A, Q)
## TODO ## TODO
* Fix internal mic * Fix internal mic
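Review bot: the `/etc/subgid` line under "Containers support" is missing its closing double quote (`echo "$(id -un):2000000:65536 | doas tee -a /etc/subgid`), so the shell will keep reading for the rest of the string instead of writing the range; it should match the subuid line directly above it: `echo "$(id -un):2000000:65536" | doas tee -a /etc/subgid`. In the same hunk, the sample config maps uid/gid 0 to host range 2000000 while the `datawrapper-dev-alpine.conf` added by this commit uses 1100000, so the documented subuid/subgid entries will not cover the range the real container asks for; the `lxc-create` line passes `-f .config/lxc/CONTAINERNAME.conf` (relative to the current directory) while the text says the file lives at `~/.config/lxc/CONTAINERNAME.conf`, and that sentence opens with a backtick but closes with a double quote; and `apd add nano neofetch` should be `apk add`. On the networking section, the "to persist" block saves the `dummy` module and the iptables rules but neither `ip_forward` nor the `br0`/`dummy0` bridge setup, so routing will not come back after a reboot unless those are persisted too (e.g. via `/etc/sysctl.conf` and the interfaces file). Finally, the `FORWARD` rule accepts everything arriving on `br0` and the `MASQUERADE` rule has no source restriction; adding `-s 10.157.1.0/24` to both, plus an `ESTABLISHED,RELATED` rule for return traffic, keeps the setup working if the chain's default policy is ever set to DROP and limits what the container can reach through the host.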

@ -0,0 +1,9 @@
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
# lxc.net.0.name = eth1
lxc.net.0.ipv4.address = 10.157.1.2/24 10.157.1.255
lxc.net.0.ipv4.gateway = 10.157.1.1
lxc.net.0.veth.pair = veth-if-0
lxc.idmap = u 0 1100000 65536
lxc.idmap = g 0 1100000 65536
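Review bot: the two `lxc.idmap` lines map container uid/gid 0 onto host range 1100000-1165535, but the README in this same commit tells the user to delegate `$(id -un):2000000:65536` in `/etc/subuid` and `/etc/subgid`; an unprivileged `lxc-start` can only use a range delegated to that user, so with the documented entries this container will fail to start until either the conf is changed to 2000000 or the README documents 1100000. The fixed `lxc.net.0.veth.pair = veth-if-0` will also collide on the host if a second container is started from a copy of this file; omitting the line lets LXC choose a unique host-side name.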