|
|
|
|
|
|
|
|
|
|
|
|
|
(TODO: check which kind of quotes works) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Development (containers) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Unprivileged LXC with routing |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(based on https://linuxcontainers.org/lxc/getting-started and https://wiki.alpinelinux.org/wiki/LXC) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Networking (host) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(assuming that your internet-connected interface is eth0 and that you want to use the 10.157.1.0/24 subnet for the container)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
```
doas apk add bridge                   # provides brctl
doas modprobe dummy                   # creates dummy0, a permanent port so br0 exists before any container veth is attached
doas brctl addbr br0
doas brctl setfd br0 0                # no forwarding delay on the bridge
doas brctl addif br0 dummy0
doas ifconfig br0 10.157.1.1 netmask 255.255.255.0 up
doas sysctl -w net.ipv4.ip_forward=1  # let the kernel route between br0 and eth0
doas apk add iptables
doas rc-update add iptables           # restores the saved rules at boot
doas iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# this accepts everything arriving from br0, including container -> host-LAN traffic;
# fine for a dev box, tighten it if the container should only reach the internet
doas iptables --append FORWARD --in-interface br0 -j ACCEPT
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
to persist (this covers the module, the sysctl and the firewall rules; the bridge itself is not persisted by these commands, so either put a br0 stanza into `/etc/network/interfaces` or rerun the bridge commands above after a reboot):
|
|
|
|
|
|
|
```
echo dummy | doas tee -a /etc/modules                                    # load dummy0 at boot
echo net.ipv4.ip_forward=1 | doas tee /etc/sysctl.d/30-lxc-forward.conf  # keep forwarding on after a reboot
doas /etc/init.d/iptables save                                           # saved rules are restored by the iptables service
```
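As an added example (not part of these notes), here is the same host-side setup as one idempotent script, with a stateful FORWARD chain instead of the blanket ACCEPT above. It assumes iproute2 is installed (`apk add iproute2`), the same eth0/br0/10.157.1.0/24 names as above, and that `/etc/network/interfaces` is handled by ifupdown-ng, which understands the `bridge-ports` syntax; the file name `lxc-net.sh` and the sysctl.d file name are mine. Unlike the commands above it NATs only the container subnet, sets the FORWARD policy to DROP, lets the container open connections to the internet but not to the host's LAN, lets replies back through conntrack, and persists the bridge, the sysctl, the module and the rules in one go.

```shell
#!/bin/sh
# Added example, not part of the original notes: host-side bridge + NAT setup as one
# idempotent script with a stateful FORWARD chain. Assumptions (mine): iproute2 is
# installed (apk add iproute2), uplink eth0, bridge br0, container subnet
# 10.157.1.0/24 with the host at 10.157.1.1, ifupdown-ng syntax in
# /etc/network/interfaces.
#   doas sh lxc-net.sh apply   # configure now and persist
#   sh lxc-net.sh show         # only print the rules and the interfaces stanza
set -eu

WAN=eth0
BR=br0
NET=10.157.1.0/24
HOST_IP=10.157.1.1
HOST_CIDR=$HOST_IP/24
MASK=255.255.255.0

# One iptables rule per line, each prefixed with its table, so the same line can be
# rewritten into a "-C" (check) command before it is appended: rerunning is safe.
# The three RFC1918 DROPs keep the container off the host's LAN; the container still
# reaches its gateway 10.157.1.1 because that is INPUT on the host, not FORWARD.
# Remove them if the container is supposed to see the LAN.
gen_rules() { # $1=uplink $2=bridge $3=container subnet
    cat <<EOF
-t nat -A POSTROUTING -s $3 -o $1 -j MASQUERADE
-t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t filter -A FORWARD -i $2 -d 10.0.0.0/8 -j DROP
-t filter -A FORWARD -i $2 -d 172.16.0.0/12 -j DROP
-t filter -A FORWARD -i $2 -d 192.168.0.0/16 -j DROP
-t filter -A FORWARD -i $2 -s $3 -o $1 -m conntrack --ctstate NEW -j ACCEPT
-t filter -A FORWARD -i $2 -j DROP
EOF
}

# /etc/network/interfaces stanza that recreates the bridge at boot. dummy0 exists
# once the dummy module is loaded from /etc/modules.
gen_interfaces() { # $1=bridge $2=host address $3=netmask
    cat <<EOF
auto dummy0
iface dummy0 inet manual

auto $1
iface $1 inet static
    bridge-ports dummy0
    bridge-fd 0
    address $2
    netmask $3
EOF
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root: doas sh $0 apply" >&2; return 1; }
    modprobe dummy
    ip link add "$BR" type bridge 2>/dev/null || true     # already there on a rerun
    ip link set "$BR" type bridge forward_delay 0
    ip link set dummy0 master "$BR" up
    ip addr replace "$HOST_CIDR" dev "$BR"
    ip link set "$BR" up
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables -P FORWARD DROP
    gen_rules "$WAN" "$BR" "$NET" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        # shellcheck disable=SC2086
        iptables $check 2>/dev/null || iptables $rule    # append only if missing
    done
    # persist: module, sysctl, bridge definition, firewall rules
    grep -qx dummy /etc/modules 2>/dev/null || echo dummy >> /etc/modules
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/30-lxc-forward.conf
    grep -q "^iface $BR " /etc/network/interfaces \
        || gen_interfaces "$BR" "$HOST_IP" "$MASK" >> /etc/network/interfaces
    rc-update add iptables >/dev/null 2>&1 || true       # already added on a rerun
    /etc/init.d/iptables save
}

case "${1:-}" in
    apply) apply ;;
    show)  gen_rules "$WAN" "$BR" "$NET"; echo; gen_interfaces "$BR" "$HOST_IP" "$MASK" ;;
    *)     : ;;   # no argument: only define the functions
esac
```

Run `sh lxc-net.sh show` first and read the rules; `doas iptables -S FORWARD` and `doas iptables -t nat -S POSTROUTING` after `apply` should list exactly the lines printed by `show`, and a second `apply` must not add duplicates.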
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Containers support |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
```
doas apk add lxc lxcfs lxc-download xz gnupg                     # lxc-download: the "download" template; gnupg verifies image signatures
echo "$(id -un):2000000:65536" | doas tee -a /etc/subuid         # 65536 host uids starting at 2000000 for this user
echo "$(id -un):2000000:65536" | doas tee -a /etc/subgid         # the same range for gids
echo "$(id -un) veth br0 10" | doas tee -a /etc/lxc/lxc-usernet  # let this user attach up to 10 veth interfaces to br0
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Creating container |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Create `~/.config/lxc/CONTAINERNAME.conf` with the following content:
|
|
|
|
|
|
|
```
# veth pair attached to the host bridge created above
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
# address/prefix followed by the broadcast address; gateway is the host's br0 address
lxc.net.0.ipv4.address = 10.157.1.2/24 10.157.1.255
lxc.net.0.ipv4.gateway = 10.157.1.1
# name of the host end of the veth pair
lxc.net.0.veth.pair = veth-if-0
# container root becomes host uid/gid 2000000; must lie inside the ranges in /etc/subuid and /etc/subgid
lxc.idmap = u 0 2000000 65536
lxc.idmap = g 0 2000000 65536
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Then: |
|
|
|
|
|
|
|
```
lxc-create -n CONTAINERNAME -f ~/.config/lxc/CONTAINERNAME.conf -t download
# pick OS (alpine/edge/amd64 in my case); the template asks interactively,
# or pass it on the command line: ... -t download -- -d alpine -r edge -a amd64
lxc-start -n CONTAINERNAME  # make sure it does not produce any errors
lxc-info -n CONTAINERNAME   # State should be RUNNING
lxc-attach -n CONTAINERNAME
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
You now have a root shell inside the container.
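The only thing that makes this container unprivileged is that its `lxc.idmap` lines land inside the ranges granted in `/etc/subuid` and `/etc/subgid`; a typo in either file (or a forgotten `g` line) shows up as an obscure start failure. As an added example (not from these notes) here is a small checker for that; the file name, the `alice`/`bob` users and the sample ranges used in the comments are mine, the format of the lines is the one used above.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that every lxc.idmap line of a
# container config lies inside the sub-uid/sub-gid ranges granted to a user, that
# both a "u" and a "g" mapping exist, and that nothing maps onto host root.
# Assumed file names are mine. Usage:
#   sh check-idmap.sh ~/.config/lxc/CONTAINERNAME.conf
set -eu

# check_idmap USER SUBUID_FILE SUBGID_FILE LXC_CONF
# Prints one line per mapping; returns 1 if anything is wrong.
# Expects the spaced form used in these notes: lxc.idmap = u 0 2000000 65536
check_idmap() {
    awk -v user="$1" -v subuid="$2" -v subgid="$3" '
    # load USER:START:COUNT lines for "user" from a subuid/subgid file
    function load(file, kind,    line, f) {
        while ((getline line < file) > 0) {
            split(line, f, ":")
            if (f[1] == user) {
                n[kind]++
                lo[kind, n[kind]] = f[2] + 0
                hi[kind, n[kind]] = f[2] + f[3] - 1
            }
        }
        close(file)
    }
    BEGIN { load(subuid, "u"); load(subgid, "g"); bad = 0 }
    $1 == "lxc.idmap" {
        kind = $3; cstart = $4 + 0; hstart = $5 + 0; hend = hstart + $6 - 1
        seen[kind] = 1
        if (hstart == 0) {
            print "FAIL: " $0 " (container " kind "id " cstart " would be host root)"
            bad++; next
        }
        ok = 0
        for (i = 1; i <= n[kind]; i++)
            if (hstart >= lo[kind, i] && hend <= hi[kind, i]) ok = 1
        if (ok) print "ok:   " $0
        else { print "FAIL: " $0 " (outside the sub" kind "id ranges granted to " user ")"; bad++ }
    }
    END {
        if (!seen["u"]) { print "FAIL: no lxc.idmap line for users (u)"; bad++ }
        if (!seen["g"]) { print "FAIL: no lxc.idmap line for groups (g)"; bad++ }
        exit bad ? 1 : 0
    }' "$4"
}

if [ $# -ge 1 ]; then
    check_idmap "$(id -un)" /etc/subuid /etc/subgid "$1"
fi
```

A `FAIL` line for the `g` mapping right after following these notes usually means the `/etc/subgid` line was never written correctly; fix the file, not the config.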
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Networking (container) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In the container root shell, check whether the network is up with `ifconfig`.

If eth0 has no IPv4 address, configure it manually

by editing `/etc/network/interfaces`, either with `vi` or with `cat`/`echo`.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In the end it should look like |
|
|
|
|
|
|
|
``` |
|
|
|
|
|
|
|
auto eth0 |
|
|
|
|
|
|
|
iface eth0 inet static |
|
|
|
|
|
|
|
address 10.157.1.2 |
|
|
|
|
|
|
|
netmask 255.255.255.0 |
|
|
|
|
|
|
|
gateway 10.157.1.1 |
|
|
|
|
|
|
|
hostname ........ |
|
|
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Then `rc-service networking restart`, and check `ifconfig` again.

If everything is right, eth0 now has an IPv4 address,

`ping 10.157.1.1` from inside the container works, and `ping 10.157.1.2` from the host works.

`ping 8.8.8.8` inside the container should work too, thanks to the routing and NAT set up on the host.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Now, if `ping google.com` does not work, configure DNS in container: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
``` |
|
|
|
|
|
|
|
echo nameserver 8.8.8.8 >> /etc/resolv.conf |
|
|
|
|
|
|
|
echo nameserver 8.8.4.4 >> /etc/resolv.conf |
|
|
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Make sure `ping 8.8.8.8` still works and that `ping google.com` now resolves.

APK should work too: `apk add nano neofetch`
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Creating a user inside the container
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In container root shell: |
|
|
|
|
|
|
|
```
apk add doas                                         # not part of the download image
adduser -g USERNAME USERNAME                         # -g sets the GECOS field; asks for a password
adduser USERNAME wheel                               # busybox syntax: adduser USER GROUP
echo "permit persist :wheel" > /etc/doas.d/doas.conf # wheel may doas; persist caches the password for a while
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Now exit root shell (just with `exit`), and try `lxc-console -n CONTAINERNAME`. |
|
|
|
|
|
|
|
You should be able to log in using the new username and password. |
|
|
|
|
|
|
|
(To detach from lxc-console, press Ctrl+A, then Q.)
|
|
|
|
|
|
|
|
|
|
|
## TODO |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Fix internal mic |
|
|
|
|
|
|