Hi there,
I’m relatively new to unprivileged LXC containers (I have only set up privileged ones in the past) and have been following different howtos, like this one so far: Linux Containers - LXC - Getting started.
I’m on …
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
lxc-checkconfig …
LXC version 4.0.6
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-5.10.0-27-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup v1 mount points:
Cgroup v2 mount points:
/sys/fs/cgroup
Cgroup v1 systemd controller: missing
Cgroup v1 freezer controller: missing
Cgroup namespace: required
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_NF_NAT_IPV4: missing
CONFIG_NF_NAT_IPV6: missing
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
/etc/lxc/default.conf looks like this …
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
/etc/sub{g,u}id
root:100000:65536
But when I create an unprivileged container from the “download” template with something like the following command (inspired by tutorial above) …
sudo lxc-create -n test2 -P /path/test2 --template download -- --dist debian --release bookworm --arch amd64
… it won’t get an IP after starting the container.
When I create a container from the debian template with sudo lxc-create -t debian -n test3
and start that one, it obtains an IP without any other action taken, and in lxc-ls --fancy
it appears as UNPRIVILEGED, which seems like exactly what I want: an IP assigned in an unprivileged Debian container.
But … I then checked the debian template (/usr/share/lxc/templates/lxc-debian) and this comes up.
# Detect use under userns (unsupported)
for arg in "$@"; do
    [ "$arg" = "--" ] && break
    if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
        echo "This template can't be used for unprivileged containers." 1>&2
        echo "You may want to try the \"download\" template instead." 1>&2
        echo "You can also use mmdebstrap --mode=unshare, and an example is found at" 1>&2
        echo "https://wiki.debian.org/LXC#Unprivileged_Debian_container_by_mmdebstrap_--mode.3Dunshare " 1>&2
        echo "or in /usr/share/doc/lxc-templates/README.Debian." 1>&2
        exit 1
    fi
done
I’m confused now. Can I use that template to create my unprivileged container? Or isn’t it really unprivileged when I use that template?
Thanks in advance
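The script below is an added example from the editor, not code from the post above or from the LXC project. It does two offline checks on the pieces the post shows: whether a config maps ids at all (an lxc.idmap line is what makes a container unprivileged, and what lxc-ls --fancy reports as UNPRIVILEGED), and whether every lxc.idmap range in /etc/lxc/default.conf (or a container's own config) is actually backed by the root allocation in /etc/subuid and /etc/subgid. The sample config and sub{u,g}id contents are constructed inline to mirror the post; the function names idmap_covered, is_unprivileged and check_idmaps are the editor's.

```shell
#!/bin/sh
# Added example (editor's code, not from the post or the LXC project).
# Checks that every lxc.idmap line in an LXC config is backed by an allocation
# for USER in /etc/subuid or /etc/subgid, and whether a config maps ids at all.
# Sample config and sub{u,g}id contents below are constructed, not read from a host.

# idmap_covered HOST_START RANGE SUBID_CONTENT USER
# True if some "USER:start:count" line in SUBID_CONTENT contains the host id
# range [HOST_START, HOST_START+RANGE). Only lines naming USER literally count.
idmap_covered() {
    printf '%s\n' "$3" | awk -F: -v u="$4" -v s="$1" -v n="$2" '
        $1 == u && $2 + 0 <= s + 0 && s + n <= $2 + $3 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# is_unprivileged CONFIG
# A config that carries lxc.idmap lines maps ids, i.e. builds unprivileged containers.
is_unprivileged() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*lxc\.idmap[[:space:]]*='
}

# check_idmaps CONFIG SUBUID_CONTENT SUBGID_CONTENT USER
# Prints one line per lxc.idmap entry; returns 1 if any entry is not covered.
check_idmaps() {
    config=$1; subuid=$2; subgid=$3; user=$4
    rc=0
    while read -r type cstart hstart range; do
        [ -n "$type" ] || continue
        case $type in
            u) subid=$subuid ;;
            g) subid=$subgid ;;
            *) echo "unknown idmap type '$type'"; rc=1; continue ;;
        esac
        if idmap_covered "$hstart" "$range" "$subid" "$user"; then
            echo "ok      $type: container $cstart.. -> host $hstart.. ($range ids)"
        else
            echo "MISSING $type: host ids $hstart-$((hstart + range - 1)) are not allocated to $user in sub${type}id"
            rc=1
        fi
    done <<EOF
$(printf '%s\n' "$config" | sed -n 's/^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*//p')
EOF
    return "$rc"
}

# Constructed sample mirroring the post's /etc/lxc/default.conf and /etc/sub{u,g}id.
DEFAULT_CONF='lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0'
SUBUID='root:100000:65536'
SUBGID='root:100000:65536'

if is_unprivileged "$DEFAULT_CONF"; then
    echo "config maps ids: containers built from it are unprivileged"
fi
check_idmaps "$DEFAULT_CONF" "$SUBUID" "$SUBGID" root

# Same config against a gid allocation that is one id too short: the g line is flagged.
check_idmaps "$DEFAULT_CONF" "$SUBUID" 'root:100000:65535' root ||
    echo "-> extend the root entry in /etc/subgid"
```

To run it against a real host instead of the constructed sample, pass the actual files: check_idmaps "$(cat /etc/lxc/default.conf)" "$(cat /etc/subuid)" "$(cat /etc/subgid)" root, or a container's own config from its rootfs directory. A container config with no lxc.idmap line at all is privileged regardless of which template produced it, so the same is_unprivileged check on the created container's config tells you which kind you actually got.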