Beggar Containers
A wrapper for LXC unprivileged containers.
Example
Enforcing PATH to avoid issues with firejail:
PATH=/bin:/usr/bin lxc-create --name alpine -t download -- -d alpine -r edge -a amd64
Development notes
ACL
getfacl . .local .local/share
sudo setfacl -m u:427680:x . .local .local/share
sudo setfacl --remove-all . .local .local/share
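The commands above grant only search (x) permission to uid 427680 on each directory leading to the container store. The sketch below is an added example, not part of this project's code, and generalizes them to any user. It assumes 427680 is the first subordinate uid listed for the user in /etc/subuid and that the container's idmap maps container root to that uid. The user name alice and the sample subuid content are constructed, and the script only prints commands.

```sh
#!/bin/sh
# Dry run: derive the mapped uid and print minimal traverse-only ACL commands.

# Constructed sample in /etc/subuid format (name:start:count), not from a real host.
SAMPLE_SUBUID='root:100000:65536
alice:427680:65536'

# first_subuid USER  (reads subuid data on stdin)
# Prints the first subordinate uid allotted to USER; exits non-zero if none.
first_subuid() (
    awk -F: -v u="$1" '
        $1 == u && $2 ~ /^[0-9]+$/ { print $2; found = 1; exit }
        END { exit !found }'
)

# acl_commands UID BASE REL
# Prints one setfacl line for BASE and for each directory below it along REL,
# granting only search (x) to UID, so the mapped uid can reach the container
# rootfs without being able to list or read the directories on the way.
acl_commands() (
    uid=$1; dir=$2; rest=$3
    case $uid in
        ''|*[!0-9]*) echo "acl_commands: uid must be numeric" >&2; exit 1 ;;
    esac
    printf "setfacl -m u:%s:x '%s'\n" "$uid" "$dir"
    while [ -n "$rest" ]; do
        part=${rest%%/*}                 # next path component
        case $rest in
            */*) rest=${rest#*/} ;;      # drop it from the remainder
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue       # skip empty components ("a//b")
        dir=$dir/$part
        printf "setfacl -m u:%s:x '%s'\n" "$uid" "$dir"
    done
)

# Demo on the constructed sample; on a real host use:
#   uid=$(first_subuid "$USER" < /etc/subuid)
uid=$(printf '%s\n' "$SAMPLE_SUBUID" | first_subuid alice) &&
    acl_commands "$uid" . .local/share
```

Review the printed lines with getfacl output beside them before running them with sudo from the home directory.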
AppArmor
lxc-start 20171227032456.513 WARN lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:218 - Incomplete AppArmor support in your kernel
lxc-start 20171227032456.516 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:220 - If you really want to start this container, set
lxc-start 20171227032456.519 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:221 - lxc.aa_allow_incomplete = 1
lxc-start 20171227032456.521 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:222 - in your container configuration file
lxc-start 20171227032456.527 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)