A simple dash script for Debian stretch to create an unprivileged LXC container together with one unprivileged user per container.

Functionality overview

- only works for Debian stretch; also see below for mandatory preparation
- we do not use lxc-net, no DHCP
- each container can run under a different user (isolation advantage)
- create an unprivileged user `lxcDDD` where `DDD` is a 3-digit container-ID in the range 100..999; the user will have uid=1DDD and gid=1DDD, i.e., 1000 added
- assign subordinate uids and gids to this user of the form `IIIUUUUU` where `III` is a 3-digit container id (in the range 100..999) and `UUUUU` ranges from 0..65535; an analogous pattern holds for group ids
- create a container below `/srv/lxc/lxcDDD` where `lxcDDD` is the Linux username; the container will be in a subdirectory equal to the container name and have `config` and `rootfs` there
- the container has a network interface `eth0` which is connected as `veth` to `br0`
- the container will be started and ssh will be installed
- a cronjob of user `lxcDDD` will start the user's container(s) `@reboot`
- instructions for doing this manually are in `doc/howto_lxc_unprivileged_in_stretch.md`
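The uid/gid layout above is what keeps root inside one container unprivileged on the host and distinct from every other container. The following POSIX sh functions are an added example (not part of the repository's script) that compute that layout for a container id `DDD`: the host user's uid `1DDD`, the subordinate range `DDD00000..DDD65535`, the `user:start:count` line for `/etc/subuid` and `/etc/subgid`, and the matching id-map lines for the container config. Assumptions not taken from the README: the `/etc/subuid` line format of shadow-utils, and the LXC 2.0 key name `lxc.id_map` as shipped with stretch (LXC 3 renamed it `lxc.idmap`).

```sh
#!/bin/sh
# Added example, not the project's script: derive the per-container id layout
#   host user lxcDDD      -> uid = gid = 1000 + DDD
#   subordinate ids       -> DDD * 100000 .. DDD * 100000 + 65535
# Assumed: shadow-utils "user:start:count" line format and the LXC 2.0
# config key lxc.id_map (lxc.idmap in LXC 3).
set -eu

# Accept exactly three digits in 100..999; anything else is rejected so a
# malformed id can never yield a range that collides with another container's.
valid_cid() {
    case "$1" in
        [1-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# uid (== gid) of the unprivileged host user lxcDDD.
host_uid() {
    valid_cid "$1" || return 1
    echo $((1000 + $1))
}

# First subordinate id for container DDD: DDD followed by five zeros.
subid_start() {
    valid_cid "$1" || return 1
    echo $(($1 * 100000))
}

# Line to append to /etc/subuid and /etc/subgid.
subid_line() {
    valid_cid "$1" || return 1
    echo "lxc$1:$(subid_start "$1"):65536"
}

# Map container ids 0..65535 onto the user's subordinate range, so uid 0 in
# the container is an unprivileged high uid on the host.
idmap_lines() {
    valid_cid "$1" || return 1
    start=$(subid_start "$1")
    printf 'lxc.id_map = u 0 %s 65536\nlxc.id_map = g 0 %s 65536\n' "$start" "$start"
}

# Two containers must never share subordinate ids; each range is 65536 wide
# and starts at a multiple of 100000, so distinct ids are always disjoint.
ranges_disjoint() {
    a=$(subid_start "$1") || return 1
    b=$(subid_start "$2") || return 1
    if [ $((a + 65536)) -le "$b" ] || [ $((b + 65536)) -le "$a" ]; then
        return 0
    fi
    return 1
}

# Usage: sh idlayout.sh 123
if [ "${1:-}" != "" ]; then
    host_uid "$1"
    subid_line "$1"
    idmap_lines "$1"
fi
```

Running it with `123` prints `1123`, `lxc123:12300000:65536` and the two `lxc.id_map` lines starting at `12300000`; the subordinate ranges sit far above the `1DDD` host uids, so the two namespaces never overlap.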
Preparation

Install packages:

```sh
aptitude install lxc xz-utils libvirt0 libpam-cgroup libpam-cgfs bridge-utils
```

Configure a bridge named `br0` in `/etc/network/interfaces` (the bridge includes the external interface `enp63s0` in this case):

```
auto br0
iface br0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    broadcast 192.168.0.255
    bridge_ports enp63s0
    bridge_ports regex veth.*
    bridge_stp off
    bridge_maxwait 20
    bridge_fd 0
iface br0 inet6 static
    address 2a01:1234:567::3:2
    netmask 112
    gateway 2a01:1234:567::3:1
```

Note that the container IPv6 addresses for the full range of container-IDs will consume at least the lowest 11 bits, so avoid a prefix length >116.

Enable forwarding for IPv4 and IPv6 in `sysctl.conf`.

Also disable DAD on the bridge (and make this persistent):

```sh
echo 0 > /proc/sys/net/ipv6/conf/br0/accept_dad || true
```

Disable lxc-net, which would run a DHCP server and modify iptables, and clear `default.conf`:

```sh
service lxc-net stop || true
echo "USE_LXC_BRIDGE=\"false\"" > /etc/default/lxc-net
echo -n >/etc/lxc/default.conf
```

Reboot. After the reboot run `lxc-checkconfig` and check that everything is green.
Usage

Call as root:

```sh
lxc_create_unpriv.sh -i 123 -n myname -4 192.168.0.123/24 -5 192.168.0.1 -6 2a01:1234:567::3:123/112 -7 2a01:1234:567::3:1
```

Here

- `123` is the container id (`DDD`); it must be in the range 100..999
- `myname` is the container name
- `192.168.0.123/24` is the IPv4 address the container will obtain, together with the netmask
- `192.168.0.1` is the IPv4 gateway address the container will be using
- `2a01:1234:567::3:123/112` is the IPv6 address the container will obtain, together with the prefix size
- `2a01:1234:567::3:1` is the IPv6 gateway address the container will be using

All arguments (`-i`, `-n`, `-4`, `-5`, `-6`, `-7`) must be given. Alternatively, `-h` shows usage information.