A simple dash script for debian stretch to create an unprivileged LXContainer together with one unprivileged user per container.
Latest commit: 3784cadbdd "improve and add documentation" by ibu radempa, 3 years ago

Files:

  • doc (improve and add documentation, 3 years ago)
  • INSTALL (add basic functionality, documented in README.md and tested manually, 3 years ago)
  • LICENSE (add basic functionality, documented in README.md and tested manually, 3 years ago)
  • README.md (improve and add documentation, 3 years ago)
  • lxc_create_unprivileged.sh (add basic functionality, documented in README.md and tested manually, 3 years ago)

README.md

Functionality overview

  • only works for Debian stretch; see below for the mandatory preparation
  • lxc-net is not used, so there is no DHCP
  • each container can run under a different user (isolation advantage)
  • create an unprivileged user lxcDDD where DDD is a 3-digit container ID in the range 100..999; the user will have uid=1DDD and gid=1DDD, i.e., 1000 added
  • assign subordinate uids and gids to this user of the form IIIUUUUU where III is the 3-digit container ID (in the range 100..999) and UUUUU ranges from 0..65535; the same pattern holds for group ids
  • create a container below /srv/lxc/lxcDDD where lxcDDD is the Linux username; the container will be in a subdirectory equal to the container name and have its config and rootfs there
  • the container has a network interface eth0 which is connected as a veth to br0
  • the container will be started and ssh will be installed
  • a cronjob of user lxcDDD will start the user's container(s) @reboot
  • instructions for doing this manually are in doc/howto_lxc_unprivileged_in_stretch.md

Preparation

Install packages:

aptitude install lxc xz-utils libvirt0 libpam-cgroup libpam-cgfs bridge-utils

Configure a bridge named br0 in /etc/network/interfaces (the bridge includes the external interface enp63s0 in this case):

auto br0
iface br0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    broadcast 192.168.0.255
    bridge_ports enp63s0
    bridge_ports regex veth.*
    bridge_stp off
    bridge_maxwait 20
    bridge_fd 0
iface br0 inet6 static
    address 2a01:1234:567::3:2
    netmask 112
    gateway 2a01:1234:567::3:1

Note that the container IPv6 addresses for the full range of container-IDs will consume at least the lowest 11 bits, so avoid a prefix length >116.

Enable forwarding for IPv4 and IPv6 in sysctl.conf.

Also disable IPv6 duplicate address detection (DAD) on br0, and make this setting persistent across reboots:

echo 0 > /proc/sys/net/ipv6/conf/br0/accept_dad || true

Disable lxc-net, which would run a DHCP server and modify iptables, and clear default.conf:

service lxc-net stop || true
echo "USE_LXC_BRIDGE=\"false\"" > /etc/default/lxc-net
echo -n >/etc/lxc/default.conf

Reboot.

After the reboot, run

lxc-checkconfig

and check that everything is green.

Usage

Call as root:

lxc_create_unpriv.sh -i 123 -n myname -4 192.168.0.123/24 -5 192.168.0.1 -6 2a01:1234:567::3:123/112 -7 2a01:1234:567::3:1

Here:

  • 123 is the container id (DDD); it must be in the range 100..999
  • myname is the container name
  • 192.168.0.123/24 is the IPv4 address the container will obtain together with the netmask
  • 192.168.0.1 is the IPv4 gateway address the container will be using
  • 2a01:1234:567::3:123/112 is the IPv6 address the container will obtain together with the prefix size
  • 2a01:1234:567::3:1 is the IPv6 gateway address the container will be using

All arguments (-i, -n, -4, -5, -6, -7) must be given.

Alternatively, -h shows usage information.
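The following POSIX sh script is an added worked example, not the repository's lxc_create_unprivileged.sh: it derives from a container ID the layout described in the functionality overview (user lxcDDD, uid/gid 1DDD, subordinate id range DDD00000..DDD65535, container directory /srv/lxc/lxcDDD/NAME) and prints the /etc/subuid, /etc/subgid and id-map config lines that layout implies, plus a check that two containers' ranges never overlap. Assumptions not taken from the page: the config key name lxc.id_map (the LXC 2.0 spelling; LXC 2.1+ renamed it to lxc.idmap) and a range size of exactly 65536 ids per container.

```shell
#!/bin/sh
# Added example (not the repository's script): derive the per-container
# user, ids, subordinate id range and directory from a 3-digit container ID
# as described in the README, and print the matching config lines.
# Assumption: the id-map key is lxc.id_map (LXC 2.0 naming; 2.1+ uses lxc.idmap).

LXC_BASE=/srv/lxc     # base directory from the README
SUBID_COUNT=65536     # UUUUU ranges 0..65535, i.e. one full range per container

# A container ID is exactly three digits in 100..999.
valid_container_id() {
    case "$1" in
        [1-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Owner user name lxcDDD.
owner_name() {
    printf 'lxc%s\n' "$1"
}

# Owner uid and gid: 1DDD, i.e. 1000 + DDD.
owner_uid() {
    echo $(( 1000 + $1 ))
}

# First subordinate id IIIUUUUU with UUUUU = 00000, i.e. DDD * 100000.
subid_start() {
    echo $(( $1 * 100000 ))
}

# Entry for /etc/subuid and /etc/subgid in the form user:start:count.
subid_entry() {
    printf '%s:%s:%s\n' "$(owner_name "$1")" "$(subid_start "$1")" "$SUBID_COUNT"
}

# Id-map lines mapping container uid/gid 0.. onto the subordinate range, so
# root inside the container is an unprivileged id on the host.
idmap_lines() {
    start=$(subid_start "$1")
    printf 'lxc.id_map = u 0 %s %s\n' "$start" "$SUBID_COUNT"
    printf 'lxc.id_map = g 0 %s %s\n' "$start" "$SUBID_COUNT"
}

# Directory holding config and rootfs: /srv/lxc/lxcDDD/NAME.
container_dir() {
    printf '%s/%s/%s\n' "$LXC_BASE" "$(owner_name "$1")" "$2"
}

# Exit 0 if the subordinate ranges of two container IDs overlap. For distinct
# valid IDs they never do: starts are 100000 apart and ranges are 65536 long.
ranges_overlap() {
    a=$(subid_start "$1")
    b=$(subid_start "$2")
    if [ "$a" -le "$b" ]; then lo=$a; hi=$b; else lo=$b; hi=$a; fi
    [ $(( lo + SUBID_COUNT )) -gt "$hi" ]
}

# Print the whole layout for one container, e.g.: sh layout.sh 123 myname
show_layout() {
    id=$1
    name=$2
    if ! valid_container_id "$id"; then
        echo "container id must be a 3-digit number in 100..999" >&2
        return 1
    fi
    echo "user:      $(owner_name "$id") uid=gid=$(owner_uid "$id")"
    echo "subuid:    $(subid_entry "$id")"
    echo "subgid:    $(subid_entry "$id")"
    echo "directory: $(container_dir "$id" "$name")"
    idmap_lines "$id"
}

if [ "$#" -eq 2 ]; then
    show_layout "$1" "$2"
fi
```

Running it with the README's own example arguments (123 and myname) shows why the scheme isolates containers from each other: every container's root maps to a different, non-overlapping block of host ids, and the owner users lxc100..lxc999 occupy uids 1100..1999, well below the subordinate ranges.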