How to setup an LXC installation for unprivileged users

This page shows how to allow a user named gitit to create and run LXC containers without root privileges.

As root

  • Install LXC tools (for normal LXC) and uidmap (for unprivileged operation)

apt install lxc-dev uidmap bridge-utils

  • Create the user that will be allowed to run unprivileged containers

adduser gitit

  • Assign the user a set of uids and gids:

usermod --add-subuids 100000-165536 gitit
usermod --add-subgids 100000-165536 gitit

  • Create a bridge interface

brctl addbr lxcbr0
ifconfig  lxcbr0 10.0.3.1

  • Forward packets (enable IP forwarding on the host)

echo 1 > /proc/sys/net/ipv4/ip_forward

  • Configure LXC networking for the user

echo 'gitit veth lxcbr0 10' >> /etc/lxc/lxc-usernet

  • Write in /etc/lxc/default.conf:

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx

  • Write in /etc/default/lxc-net:

USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
LXC_DOMAIN=""

As the user creating the unprivileged container

(After su gitit)

  • Configure the user's default container configuration: in ~/.config/lxc/default.conf write:

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

  • Now the user should be able to create a container without root privileges:

lxc-create -t download -n gitit-container -- -d debian -r sid -a amd64

Potential errors

Failed to create directory /run/user/0/lxc/

  • Error

lxc-create: utils.c: mkdir_p: 253 Permission denied - failed to create directory '/run/user/0/lxc/'

  • Solution

    As the user, unset the variables starting with XDG:

env|grep XDG
# XDG_SESSION_ID=3943
# XDG_RUNTIME_DIR=/run/user/0
unset XDG_SESSION_ID
unset XDG_RUNTIME_DIR
env|grep XDG
# <No result>

unshare: Operation not permitted

  • Error

unshare: Operation not permitted
read pipe: Permission denied
lxc-create: lxccontainer.c: do_create_container_dir: 985 Failed to chown container dir

  • Solution

    As root

echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
echo 1 > /proc/sys/kernel/unprivileged_userns_clone
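Both errors above are easier to diagnose before lxc-create fails than from its messages. The following preflight script is an added example, not part of the original page or of LXC: run as the unprivileged user, it checks the root-side prerequisites (subuid/subgid allotment, the lxc-usernet entry), the two sysctl/cgroup knobs behind the unshare error, and whether XDG_RUNTIME_DIR still points at root's /run/user/0 after su. It assumes Debian-style paths (/etc/subuid, /etc/subgid, /etc/lxc/lxc-usernet), the Debian-specific unprivileged_userns_clone sysctl and a cgroup v1 cpuset hierarchy, exactly as the page does; on a kernel without that sysctl, or with cgroup v2 only, those two checks report a failure that may not apply.

```shell
#!/bin/sh
# Added example, not from the original page: preflight checks an unprivileged
# user runs before lxc-create. Assumes Debian paths, the Debian-specific
# unprivileged_userns_clone sysctl and a cgroup v1 cpuset hierarchy.
set -eu

# file_is_one FILE -> 0 if FILE is readable and contains exactly "1"
file_is_one() {
    [ -r "$1" ] && [ "$(cat "$1")" = 1 ]
}

# runtime_dir_ok DIR -> 0 if DIR is a directory owned by the calling user.
# After `su gitit` the environment still carries root's XDG_RUNTIME_DIR
# (/run/user/0), which is why lxc-create cannot create /run/user/0/lxc/.
runtime_dir_ok() {
    [ -d "$1" ] && [ -O "$1" ]
}

# subids_allotted FILE USER -> total ids allotted to USER in FILE (0 if none);
# FILE has the /etc/subuid format USER:FIRST:COUNT
subids_allotted() {
    [ -r "$1" ] || { echo 0; return; }
    awk -F: -v u="$2" '$1 == u { n += $3 } END { print n + 0 }' "$1"
}

# usernet_quota FILE USER BRIDGE -> veth quota for USER on BRIDGE from the
# lxc-usernet format "USER veth BRIDGE QUOTA" (0 if no matching line)
usernet_quota() {
    [ -r "$1" ] || { echo 0; return; }
    awk -v u="$2" -v b="$3" \
        '$1 == u && $2 == "veth" && $3 == b { q = $4 } END { print q + 0 }' "$1"
}

ok()  { printf 'ok    %s\n' "$1"; }
bad() { printf 'FAIL  %s\n' "$1"; fails=$((fails + 1)); }

# preflight USER BRIDGE -> prints one line per check, returns the number of failures
preflight() {
    user=$1 bridge=$2 fails=0

    if [ "$(subids_allotted /etc/subuid "$user")" -gt 0 ] &&
       [ "$(subids_allotted /etc/subgid "$user")" -gt 0 ]
    then ok "subordinate uids and gids allotted to $user"
    else bad "no subuid/subgid range for $user (usermod --add-subuids / --add-subgids)"
    fi

    if [ "$(usernet_quota /etc/lxc/lxc-usernet "$user" "$bridge")" -gt 0 ]
    then ok "lxc-usernet lets $user attach veth devices to $bridge"
    else bad "no lxc-usernet entry for $user on $bridge"
    fi

    if file_is_one /proc/sys/kernel/unprivileged_userns_clone
    then ok "unprivileged user namespaces enabled"
    else bad "unprivileged_userns_clone is not 1: gives 'unshare: Operation not permitted' (or the sysctl is absent on this kernel)"
    fi

    if file_is_one /sys/fs/cgroup/cpuset/cgroup.clone_children
    then ok "cpuset cgroup.clone_children set"
    else bad "cpuset cgroup.clone_children is not 1 (or no cgroup v1 cpuset hierarchy)"
    fi

    if runtime_dir_ok "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    then ok "XDG_RUNTIME_DIR usable"
    else bad "XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR:-unset} is not yours: unset XDG_RUNTIME_DIR XDG_SESSION_ID"
    fi

    return "$fails"
}

# Usage: sh lxc-preflight.sh USER [BRIDGE]; without arguments nothing is checked
[ $# -eq 0 ] || preflight "$1" "${2:-lxcbr0}"
```

Run it as sh lxc-preflight.sh gitit after su gitit; the exit status is the number of failed checks, so it can gate a script that goes on to call lxc-create.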