Coming from FreeBSD Jails I spent quite a long time researching and building a “simple” pure LXC setup for my hosting needs. I would like to share my experience and would appreciate it very much if you guys could validate my current approach.
- I started with a restricted user using the information from LXC - Debian Wiki
- I had some trouble getting everything to work. I could not find an easy solution to start a container at boot in a user context (I used cron in the end, which kinda works, but then the containers will not be shut down cleanly). The systemd services do not work with unprivileged containers.
- I also had problems getting stable IPv4 addresses on first boot. For some reason the Debian bullseye containers do not always take up the ipv4 parameter from the config files.
- I ended up configuring dnsmasq with MAC addresses and IPs, which works fine for me now.
- Now I learned (Privileged and unprivileged containers) that a valid way is to use root to create and manage unprivileged containers.
My current Ansible setup is now:
- I create a restricted user lxc
- In /etc/subuid and /etc/subgid I add entries for root that match the IDs of the lxc user.
- My /etc/lxc/default.conf is:

```
lxc.start.auto = 1
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 1
lxc.idmap = u 0 165536 65536
lxc.idmap = g 0 165536 65536
```
With the idmap IDs matching the lxc user.
- Now I can create and run containers as root that show in lxc-ls as “unprivileged”. All the autostarts work fine. Yay.
Is this the way to go or did I miss something? Would I even need the user “lxc” now or can I just make up the ids myself?
This whole subject is hardly documented. I wonder why nobody came across all these problems. Is everybody running privileged containers?
Thanks for the great work everybody.
kv
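An added check, not from the post above and not part of LXC: whichever IDs you pick for `lxc.idmap`, the setup described here relies on the same host range being delegated to root in `/etc/subuid` and `/etc/subgid`. This script parses the `lxc.idmap` lines of a config and verifies each range against those files, using constructed sample files that reproduce the post's values plus one made-up, undelegated range; the file paths and the owner name are parameters.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Verifies that every lxc.idmap
# entry in an LXC config lies inside a range delegated to OWNER in subuid/subgid
# files (format owner:start:count). Paths are parameters so it runs on the
# constructed samples below; use /etc/lxc/default.conf, /etc/subuid and
# /etc/subgid with owner root to check a real host.

# in_range OWNER SUBFILE HOST_START COUNT: 0 if [HOST_START, HOST_START+COUNT)
# is inside one of OWNER's delegated ranges, 1 otherwise.
in_range() {
  awk -F: -v o="$1" -v s="$3" -v c="$4" '
    $1 == o && s >= $2 && s + c <= $2 + $3 { ok = 1 }
    END { exit ok ? 0 : 1 }' "$2"
}

# check_idmaps CONFIG OWNER SUBUID SUBGID: prints a verdict per lxc.idmap line
# (type, container id, host id, count) and returns the number of mappings that
# are not delegated to OWNER (0 means all of them are).
check_idmaps() {
  local config=$1 owner=$2 subuid=$3 subgid=$4 bad=0
  local kind cid hid count subfile
  while read -r kind cid hid count; do
    [ -z "$kind" ] && continue
    case $kind in
      u) subfile=$subuid ;;
      g) subfile=$subgid ;;
      *) echo "unknown idmap type: $kind"; bad=$((bad + 1)); continue ;;
    esac
    if in_range "$owner" "$subfile" "$hid" "$count"; then
      echo "ok:      $kind $cid -> host $hid (+$count) delegated to $owner"
    else
      echo "MISSING: $kind $cid -> host $hid (+$count) not delegated to $owner"
      bad=$((bad + 1))
    fi
  done <<EOF
$(sed -n 's/^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*//p' "$config")
EOF
  return "$bad"
}

# Constructed sample files reproducing the post's layout (root and lxc share
# the range 165536-231071); bad.conf uses a made-up range nobody delegated.
tmp=$(mktemp -d)
printf 'root:165536:65536\nlxc:165536:65536\n' > "$tmp/subuid"
printf 'root:165536:65536\nlxc:165536:65536\n' > "$tmp/subgid"
printf 'lxc.idmap = u 0 165536 65536\nlxc.idmap = g 0 165536 65536\n' > "$tmp/good.conf"
printf 'lxc.idmap = u 0 300000 65536\nlxc.idmap = g 0 165536 65536\n' > "$tmp/bad.conf"

check_idmaps "$tmp/good.conf" root "$tmp/subuid" "$tmp/subgid"
check_idmaps "$tmp/bad.conf" root "$tmp/subuid" "$tmp/subgid" || echo "$? mapping(s) to fix"
```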