User Namespaces

Enable user namespaces

Requirements

First enable the sysctl:

echo 'sysctl kernel.unprivileged_userns_clone = 1' | tee /etc/sysctl.d/20-unprivileged_userns.conf

Reload sysctl's with sysctl --system

User (G/U)IDs

Setup LXC mappings in /etc/lxc/default.conf.

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

Edit shadow files for g/uids

cat /etc/subuid /etc/subgid
root:100000:65536
john:165536:231072

root:100000:65536
john:165536:231072

Now add changed mapping to userns containers.

User Setup

Setup directories. Similar paths:

  • /etc/lxc/lxc.conf => ~/.config/lxc/lxc.conf

  • /etc/lxc/default.conf => ~/.config/lxc/default.conf

  • /var/lib/lxc => ~/.local/share/lxc

  • /var/lib/lxcsnaps => ~/.local/share/lxcsnaps

  • /var/cache/lxc => ~/.cache/lxc

Create zfs dataset for containers:

mkdir ~/.local/share/lxc
zfs create -o mountpoint=legacy vault/sys/wooly/home/john/local/share/lxc
mount -t zfs vault/sys/wooly/home/john/local/share/lxc /home/john/.local/share/lxc
chown -R john:john /home/john/.local/share/lxc

Add to fstab (double check it).

genfstab -U / | grep /home/john/.local/share/lxc | tee --append /etc/fstab

Let user create up to 10 bridges.

echo 'john veth lxcbr0 10' | tee --append /etc/lxc/lxc-usernet

NOTE: May need to enable haveged.service (I got gpg errors without it).

Create Container

lxc-create --template=download --name=tiger

References

  • https://wiki.archlinux.org/index.php/Linux_Containers#Enable_support_to_run_unprivileged_containers_.28optional.29

  • https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/

  • https://stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/

PreviousUser Configuration ManagementNextGaming with Wine

Last updated