|
|
|
@ -595,7 +595,7 @@ Now exit root shell (just with `exit`), and try `lxc-console -n CONTAINERNAME`. |
|
|
|
|
You should be able to log in using the new username and password. |
|
|
|
|
(To exit lxc console, use Ctrl+A, Q). |
|
|
|
|
|
|
|
|
|
### Alternatively: unprivileged LXC using LXD (ran as privileged service on host) |
|
|
|
|
### Alternatively: unprivileged LXC using LXD / Incus (ran as privileged service on host) |
|
|
|
|
|
|
|
|
|
#### Security notes |
|
|
|
|
|
|
|
|
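Review bot: The new heading still reads "ran as privileged service on host"; since this line is already being edited, change it to "run as a privileged service on the host". Also, the section body in the following hunk replaces every `lxd`/`lxc` command with its `incus` counterpart, so "LXD / Incus" in the title is only accurate if the LXD install steps stay documented somewhere; otherwise name the section after Incus alone so readers do not expect both paths. The "#### Security notes" heading that follows is the natural place to state what running the daemon as root on the host implies for the "unprivileged" containers below; it is currently shown without any body.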
@ -618,48 +618,48 @@ and connect to the container using ssh. |
|
|
|
|
|
|
|
|
|
As simple as |
|
|
|
|
``` |
|
|
|
|
apk add lxd lxd-client lxcfs dbus |
|
|
|
|
rc-update add lxc |
|
|
|
|
rc-update add lxd |
|
|
|
|
rc-update add lxcfs |
|
|
|
|
rc-update add dbus |
|
|
|
|
doas reboot |
|
|
|
|
doas apk add incus incus-client |
|
|
|
|
doas rc-update add incusd |
|
|
|
|
doas rc-service start incusd |
|
|
|
|
doas incus admin init |
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
Networking with routing should work automatically. |
|
|
|
|
|
|
|
|
|
#### SSH support |
|
|
|
|
|
|
|
|
|
``` |
|
|
|
|
doas apk add openssh-client |
|
|
|
|
ssh-keygen -t ed25519 |
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
(Also make sure that `echo $SSH_AUTH_SOCK` is not empty; it shouldn't be if gnome-keyring-daemon is configured properly.) |
|
|
|
|
|
|
|
|
|
#### Creating container |
|
|
|
|
|
|
|
|
|
``` |
|
|
|
|
doas lxc launch images:alpine/edge -c security.nesting=true -c security.privileged=false -c security.idmap.isolated=true -c security.idmap.size=6553600 test-alpine-container |
|
|
|
|
doas lxc exec test-alpine-container -- /bin/ash |
|
|
|
|
doas incus launch images:alpine/edge -c security.nesting=true -c security.privileged=false -c security.idmap.isolated=true -c security.idmap.size=6553600 test-alpine-container |
|
|
|
|
doas incus exec test-alpine-container -- /bin/ash |
|
|
|
|
``` |
|
|
|
|
Networking should work inside of container. |
|
|
|
|
|
|
|
|
|
### OpenSSH |
|
|
|
|
|
|
|
|
|
With password-based auth (not recommended): in container (from root, `lxc-attach`/`lxc exec`) |
|
|
|
|
Then, in target container (from root, `lxc-attach`/`lxc exec`) |
|
|
|
|
|
|
|
|
|
``` |
|
|
|
|
apk add openssh |
|
|
|
|
apk add openssh doas |
|
|
|
|
rc-update add sshd |
|
|
|
|
rc-service sshd start |
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
Check IP of container with `ifconfig`, and then on host, |
|
|
|
|
``` |
|
|
|
|
doas apk add openssh-client |
|
|
|
|
ssh CONTAINER_IP |
|
|
|
|
adduser -g YOUR_USER YOUR_USER |
|
|
|
|
adduser YOUR_USER wheel |
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
With keys-based auth: |
|
|
|
|
Check IP of container with `ifconfig`, and then on host, |
|
|
|
|
``` |
|
|
|
|
ssh-keygen -t ed25519 |
|
|
|
|
ssh-copy-id CONTAINER_IP |
|
|
|
|
ssh CONTAINER_IP |
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
(Also make sure that `echo $SSH_AUTH_SOCK` is not empty; it shouldn't be if gnome-keyring-daemon is configured properly.) |
|
|
|
|
|
|
|
|
|
### Webdev |
|
|
|
|
|
|
|
|
|
#### Accessing dev sites running inside container |
|
|
|
|
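Review bot: The retained line "Then, in target container (from root, `lxc-attach`/`lxc exec`)" still points at `lxc exec`, while the same hunk changes the container commands to `incus launch` / `incus exec`; update it to `incus exec` so the OpenSSH steps match the tool actually installed. Two further gaps in the new procedure: `apk add openssh doas` followed by `adduser YOUR_USER wheel` only gives the user working `doas` if the container's `/etc/doas.d/doas.conf` permits the wheel group (a `permit persist :wheel` rule), and the hunk shows no step that writes or confirms that rule; and `ssh-copy-id CONTAINER_IP` / `ssh CONTAINER_IP` silently assume the host login name equals YOUR_USER, so either write `YOUR_USER@CONTAINER_IP` or state the assumption. On the install block, `rc-update add lxcfs` and `rc-update add dbus` disappear without comment; if Incus does not need them here, say so, otherwise keep them. Finally, "Networking with routing should work automatically" now depends on accepting the bridge defaults offered by `doas incus admin init`, so qualify the sentence accordingly, and consider a one-line justification for `security.nesting=true` in the launch command, since it widens what the container may do and is not needed merely to run sshd.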