author | Silvio Rhatto <rhatto@riseup.net> | 2017-12-31 18:27:55 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2017-12-31 18:27:55 -0200 |
commit | 276f7954afcc68d517b6e2fc22dcc7c642cf4794 (patch) | |
tree | 90a30d2e9421cc0f8d914e1fb0972a0cabdfceaf | |
parent | 0be0b348edc5fa6e5e5742c335db158ad5b42a40 (diff) | |
download | beggar-276f7954afcc68d517b6e2fc22dcc7c642cf4794.tar.gz beggar-276f7954afcc68d517b6e2fc22dcc7c642cf4794.tar.bz2 |
-rw-r--r-- | README.md | 41 | ||||
-rw-r--r-- | TODO.md | 5 | ||||
-rwxr-xr-x | beggar | 57 |
3 files changed, 101 insertions, 2 deletions
@@ -1,2 +1,39 @@
-beggar
-======
+Beggar Containers
+=================
+
+A wrapper for LXC unprivileged containers.
+
+Example
+-------
+
+Enforcing `PATH` to avoid issues with firejail:
+
+ PATH=/bin:/usr/bin lxc-create --name alpine -t download -- -d alpine -r edge -a amd64
+
+Development notes
+-----------------
+
+### ACL
+
+ getfacl . .local .local/share
+ sudo setfacl -m u:427680:x . .local .local/share
+ sudo setfacl --remove-all . .local .local/share
+
+### AppArmor
+
+ lxc-start 20171227032456.513 WARN lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:218 - Incomplete AppArmor support in your kernel
+ lxc-start 20171227032456.516 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:220 - If you really want to start this container, set
+ lxc-start 20171227032456.519 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:221 - lxc.aa_allow_incomplete = 1
+ lxc-start 20171227032456.521 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:222 - in your container configuration file
+ lxc-start 20171227032456.527 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)
+
+References
+----------
+
+* [LXC 1.0: Blog post series [0/10] | Stéphane Graber's website](https://stgraber.org/2013/12/20/lxc-1-0-blog-post-series/).
+* [Linux Containers - LXC - Getting started](https://linuxcontainers.org/lxc/getting-started/).
+* [Configuring Unprivileged LXC containers in Debian Jessie](https://myles.sh/configuring-lxc-unprivileged-containers-in-debian-jessie/).
+* [userns - What is an unprivileged LXC container? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/177030/what-is-an-unprivileged-lxc-container#177031).
+* [Flockport - LXC using unprivileged containers](https://archives.flockport.com/lxc-using-unprivileged-containers/).
+* [Flockport - Run accelerated GUI apps in LXC containers](https://archives.flockport.com/run-gui-apps-in-lxc-containers/).
+* [How to create unprivileged LXC container on Ubuntu Linux 14.04 LTS – nixCraft](https://www.cyberciti.biz/faq/how-to-create-unprivileged-linux-containers-on-ubuntu-linux/).
@@ -1,2 +1,7 @@
 TODO
 ====
+
+* Check network/bridge setup.
+* Warn when `lxc.aa_allow_incomplete = 1`.
+* Check if filesystem ACLs' matches those set in `~/.config/lxc/default.conf`.
+* Container creation using debootstrap.
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+#
+# beggar containerization assistant
+#
+# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published
+# by the Free Software Foundation, either version 3 of the License,
+# or any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Basic parameters
+VERSION="0.1.0"
+BASENAME="`basename $0`"
+DIRNAME="`dirname $0`"
+ACTION="$1"
+VM="$2"
+GLOBAL_USER_CONFIG_FOLDER="$HOME/.config/beggar"
+GLOBAL_USER_CONFIG_FILE="$HOME/.config/beggarconfig"
+
+function beggar_startup {
+ mkdir -p $HOME/.config/lxc
+ #mkdir -p $HOME/.local/share/{lxc,lxcsnaps}
+ #mkdir -p $HOME/.cache/lxc
+ #touch $HOME/.config/lxc/{lxc,default}.conf
+
+ if [ ! -e "$HOME/.config/lxc/default.conf" ]; then
+ echo \
+"# Include system-wide settings
+lxc.include = /etc/lxc/default.conf
+
+# Subuids and subgids mapping
+$(cat /etc/subuid | grep $USER | sed -e "s/^$USER:/lxc.id_map = u 0 /" -e 's/:/ /')
+$(cat /etc/subgid | grep $USER | sed -e "s/^$USER:/lxc.id_map = g 0 /" -e 's/:/ /')
+
+# "Secure" mounting
+lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
+
+# Network configuration
+lxc.network.type = veth
+lxc.network.link = lxcbr0
+lxc.network.flags = up
+lxc.network.hwaddr = 00:FF:xx:xx:xx:xx" > $HOME/.config/lxc/default.conf
+ fi
+}
+
+# Main
+beggar_startup
|
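Review bot: The subuid/subgid lookup inside the generated default.conf uses `grep $USER`, an unanchored substring match, so on a host where another account name contains this user's name (or the name appears in a range field) the extra lines pass through the anchored `sed` untouched and are written into `default.conf` as malformed `lxc.id_map` entries, while a missing entry silently yields an empty mapping. An exact first-field match avoids both, e.g. `$(awk -F: -v u="$USER" '$1 == u { print "lxc.id_map = u 0 " $2 " " $3 }' /etc/subuid)` and the same with `g` for `/etc/subgid`; since the generated file is not otherwise validated, it would be worth refusing to write it when either lookup returns nothing. The same unquoted-expansion pattern appears in `mkdir -p $HOME/.config/lxc`, in the redirection target and in the backtick `basename $0` / `dirname $0` assignments; quoting them and using `$(...)` is a small change. `GLOBAL_USER_CONFIG_FILE` is set to `$HOME/.config/beggarconfig` while `GLOBAL_USER_CONFIG_FOLDER` is `$HOME/.config/beggar`, which looks like a missing `/`, though neither variable is used in this hunk so it may be intentional.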