Running pure LXC with unprivileged containers on Debian

Coming from FreeBSD Jails I spent quite a long time researching and building a “simple” pure LXC setup for my hosting needs. I'd like to share my experience and would appreciate it very much if you guys could validate my current approach.

  • I started with a restricted user using the information from LXC - Debian Wiki
  • I had some trouble getting everything to work. I could not find an easy solution to start a container at boot in a user context (I used cron in the end, which kinda works, but then the containers will not be shut down cleanly). The systemd services do not work with unprivileged containers.
  • Also I had a problem getting stable IPv4 addresses on first boot. For some reason the Debian bullseye containers do not always take up the ipv4 parameter from the config files.
  • I ended up configuring dnsmasq with MAC addresses and IPs, which works fine for me now.
  • Now I learned (Privileged and unprivileged containers) that a valid way is to use root to create and manage unprivileged containers.

My current Ansible setup is now:

  • I create a restricted user lxc
  • In /etc/subuid and /etc/subgid I add entries for root that match the IDs of the lxc user.
  • my /etc/lxc/default.conf is:
    = 1
    = veth
    = br0
    = up
    lxc.apparmor.profile = unconfined
    lxc.apparmor.allow_nesting = 1
    lxc.idmap = u 0 165536 65536
    lxc.idmap = g 0 165536 65536

With the idmap IDs matching the lxc user.

  • Now I can create and run containers as root that show in lxc-ls as “unprivileged”. All the autostarts work fine. Yay.

Is this the way to go or did I miss something? Would I even need the user “lxc” now or can I just make up the IDs myself?

This whole subject is hardly documented. I wonder why nobody came across all these problems. Is everybody running privileged containers?

Thanks for the great work everybody.


OK, most of my questions are answered here: Linux Containers - LXC - Getting started :see_no_evil:

I finally got rid of the lxc user and just configured the subuid and subgid for root. It works :).
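A small check for the setup described in the thread, added here as example code (not from the post or the LXC project): it verifies that every lxc.idmap line in a config file lies inside the subordinate ID ranges granted to root in /etc/subuid and /etc/subgid, which is the thing that silently breaks unprivileged containers when the numbers drift apart. The file paths and sample entries it writes are constructed for the demo; point it at the real files to check a live host.

```shell
#!/bin/sh
# check_idmap <lxc-config> <subuid-file> <subgid-file> <user>
# Exit 0 if every "lxc.idmap = u|g <container-start> <host-start> <count>"
# range is covered by a subuid/subgid entry for <user>, 1 otherwise.
check_idmap() {
  conf=$1; subuid=$2; subgid=$3; user=$4
  awk -v user="$user" -v subuid="$subuid" -v subgid="$subgid" '
    # Load "user:start:length" entries of one file into arrays keyed by type.
    function load(file, type,   line, f) {
      while ((getline line < file) > 0) {
        split(line, f, ":")
        if (f[1] == user) { n[type]++; start[type, n[type]] = f[2] + 0; len[type, n[type]] = f[3] + 0 }
      }
      close(file)
    }
    BEGIN { load(subuid, "u"); load(subgid, "g"); bad = 0 }
    /^[ \t]*lxc\.idmap[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")          # strip the "lxc.idmap =" prefix
      split($0, m, /[ \t]+/)            # m[1]=type m[2]=ctr-start m[3]=host-start m[4]=count
      type = m[1]; hstart = m[3] + 0; count = m[4] + 0; ok = 0
      for (i = 1; i <= n[type]; i++)
        if (hstart >= start[type, i] && hstart + count <= start[type, i] + len[type, i]) ok = 1
      if (!ok) { printf "uncovered: lxc.idmap = %s\n", $0; bad = 1 }
    }
    END { exit bad }
  ' "$conf"
}

# Constructed sample files (hypothetical values, not from the post): the good
# config uses the 165536/65536 range, the bad one starts at 100000, outside it.
make_samples() {
  dir=$1
  printf 'root:165536:65536\n' > "$dir/subuid"
  printf 'root:165536:65536\n' > "$dir/subgid"
  printf 'lxc.idmap = u 0 165536 65536\nlxc.idmap = g 0 165536 65536\n' > "$dir/good.conf"
  printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 165536 65536\n' > "$dir/bad.conf"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_samples "$d"
  check_idmap "$d/good.conf" "$d/subuid" "$d/subgid" root && echo "good.conf: ok"
  check_idmap "$d/bad.conf" "$d/subuid" "$d/subgid" root || echo "bad.conf: rejected"
  rm -rf "$d"
fi
```

On a real host run `check_idmap /etc/lxc/default.conf /etc/subuid /etc/subgid root`; a non-zero exit names the idmap line that root has not been granted.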