From 276f7954afcc68d517b6e2fc22dcc7c642cf4794 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sun, 31 Dec 2017 18:27:55 -0200
Subject: Initial code and notes, but still not working
---
 README.md | 41 +++++++++++++++++++++++++++++++++++++++--
 TODO.md | 5 +++++
 beggar | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+), 2 deletions(-)
 create mode 100755 beggar
diff --git a/README.md b/README.md
index 1392101..32f5387 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,39 @@
-beggar
-======
+Beggar Containers
+=================
+
+A wrapper for LXC unprivileged containers.
+
+Example
+-------
+
+Enforcing `PATH` to avoid issues with firejail:
+
+ PATH=/bin:/usr/bin lxc-create --name alpine -t download -- -d alpine -r edge -a amd64
+
+Development notes
+-----------------
+
+### ACL
+
+ getfacl . .local .local/share
+ sudo setfacl -m u:427680:x . .local .local/share
+ sudo setfacl --remove-all . .local .local/share
+
+### AppArmor
+
+ lxc-start 20171227032456.513 WARN lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:218 - Incomplete AppArmor support in your kernel
+ lxc-start 20171227032456.516 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:220 - If you really want to start this container, set
+ lxc-start 20171227032456.519 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:221 - lxc.aa_allow_incomplete = 1
+ lxc-start 20171227032456.521 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:222 - in your container configuration file
+ lxc-start 20171227032456.527 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)
+
+References
+----------
+
+* [LXC 1.0: Blog post series [0/10] | Stéphane Graber's website](https://stgraber.org/2013/12/20/lxc-1-0-blog-post-series/).
+* [Linux Containers - LXC - Getting started](https://linuxcontainers.org/lxc/getting-started/).
+* [Configuring Unprivileged LXC containers in Debian Jessie](https://myles.sh/configuring-lxc-unprivileged-containers-in-debian-jessie/).
+* [userns - What is an unprivileged LXC container? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/177030/what-is-an-unprivileged-lxc-container#177031).
+* [Flockport - LXC using unprivileged containers](https://archives.flockport.com/lxc-using-unprivileged-containers/).
+* [Flockport - Run accelerated GUI apps in LXC containers](https://archives.flockport.com/run-gui-apps-in-lxc-containers/).
+* [How to create unprivileged LXC container on Ubuntu Linux 14.04 LTS – nixCraft](https://www.cyberciti.biz/faq/how-to-create-unprivileged-linux-containers-on-ubuntu-linux/).
diff --git a/TODO.md b/TODO.md
index 74e5cc0..e9ea7d3 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,2 +1,7 @@
 TODO
 ====
+
+* Check network/bridge setup.
+* Warn when `lxc.aa_allow_incomplete = 1`.
+* Check if filesystem ACLs' matches those set in `~/.config/lxc/default.conf`.
+* Container creation using debootstrap.
diff --git a/beggar b/beggar
new file mode 100755
index 0000000..6dad71d
--- /dev/null
+++ b/beggar
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+#
+# beggar containerization assistant
+#
+# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published
+# by the Free Software Foundation, either version 3 of the License,
+# or any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+# Basic parameters
+VERSION="0.1.0"
+BASENAME="`basename $0`"
+DIRNAME="`dirname $0`"
+ACTION="$1"
+VM="$2"
+GLOBAL_USER_CONFIG_FOLDER="$HOME/.config/beggar"
+GLOBAL_USER_CONFIG_FILE="$HOME/.config/beggarconfig"
+
+function beggar_startup {
+ mkdir -p $HOME/.config/lxc
+ #mkdir -p $HOME/.local/share/{lxc,lxcsnaps}
+ #mkdir -p $HOME/.cache/lxc
+ #touch $HOME/.config/lxc/{lxc,default}.conf
+
+ if [ ! -e "$HOME/.config/lxc/default.conf" ]; then
+ echo \
+"# Include system-wide settings
+lxc.include = /etc/lxc/default.conf
+
+# Subuids and subgids mapping
+$(cat /etc/subuid | grep $USER | sed -e "s/^$USER:/lxc.id_map = u 0 /" -e 's/:/ /')
+$(cat /etc/subgid | grep $USER | sed -e "s/^$USER:/lxc.id_map = g 0 /" -e 's/:/ /')
+
+# "Secure" mounting
+lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
+
+# Network configuration
+lxc.network.type = veth
+lxc.network.link = lxcbr0
+lxc.network.flags = up
+lxc.network.hwaddr = 00:FF:xx:xx:xx:xx" > $HOME/.config/lxc/default.conf
+ fi
+}
+
+# Main
+beggar_startup
--
cgit v1.2.3
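Review bot: The two `$(cat /etc/subuid | grep $USER | sed ...)` substitutions that beggar_startup writes into default.conf select the subordinate-id entries with an unanchored, unquoted `grep $USER`, so every /etc/subuid or /etc/subgid line whose name merely contains the username (`bob` also matches `bobby`) is pulled in, and because the following `sed -e "s/^$USER:/..."` only rewrites lines that start with the exact name, the extra lines are emitted unchanged as malformed config lines that LXC will presumably reject. Match the first field exactly instead, e.g. `$(awk -F: -v u="$USER" '$1 == u { print "lxc.id_map = u 0 " $2 " " $3 }' /etc/subuid)` and the same with `g` for /etc/subgid, which produces the same `lxc.id_map = u 0 <start> <count>` lines for the correct entries. Since the `! -e` guard means this file is generated only once, a bad mapping persists until removed by hand, so it would also be worth refusing to write default.conf (with a message on stderr) when no entry is found rather than leaving the container without any id_map. `$USER` is not guaranteed to be set in non-login shells; `id -un` is the reliable source, and the unquoted `$HOME` in `mkdir -p $HOME/.config/lxc` and the redirect target should be quoted for consistency with the `[ ! -e "$HOME/..." ]` test two lines above.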