Lxc unprivileged container setup - nutthawit/alpine-dotfile GitHub Wiki
sudo pacman -S lxc arch-install-scriptsMake su
sudo -sMapping to the containerized uid/gid pairs for each user who shall be able to run the containers. The example below is simply for the root user (and systemd system unit):
echo "lxc.idmap = u 0 100000 65536" >> /etc/lxc/default.conf
echo "lxc.idmap = g 0 100000 65536" >> /etc/lxc/default.conf
echo "root:100000:65536" >> /etc/subuid
echo "root:100000:65536" >> /etc/subgidDelegate unprivileged cgroups by creating a systemd unit
mkdir /etc/systemd/system/[email protected]
cat << 'EOF' > /etc/systemd/system/[email protected]/delegate.conf
[Service]
Delegate=cpu cpuset io memory pids
EOF
systemctl daemon-reloadThe changes take effect when the [email protected] is started or restarted. Since this service manages your entire user session, you must generally log out and log back in for the new configuration to apply fully.
You can then verify the configuration by checking the full unit file, including the drop-in:
systemctl cat user@$(id -u).serviceMake su
sudo -sEnable lxc-net.service
cat << 'EOF' > /etc/default/lxc-net
USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
EOF
systemctl disable --now firewalld.service
systemctl enable --now lxc-net.serviceNow the default Bridge lxcbr0 should appear
ip aCreate unprivileged user network administration file.
cat << 'EOF' > /etc/lxc/lxc-usernet
tie veth lxcbr0 10
EOFConfigure the file with the user needing to create containers. The bridge will be the same as defined in /etc/default/lxc-net
A copy of the /etc/lxc/default.conf is needed in the non-root user's home directory, e.g. ~/.config/lxc/default.conf (create the directory if needed).
Now if you are root, exit to normal user before continue!
mkdir ~/.config/lxc
sudo cp /etc/lxc/default.conf ~/.config/lxc/default.conf
sudo chown tie:tie ~/.config/lxc/default.confCreate the container
ct_name=CHANGEME
lxc-create --name $ct_name --template download -- --dist archlinux --release current --arch amd64Start the container
lxc-start --name $ct_name --logfile "/tmp/${ct_name}.log" --logpriority debugAttach to container and set the root password
lxc-attach --name $ct_name
passwdNow you can login to the container
lxc-console --name $ct_nameError 1
If you encounter the error like:
147 lxc-start cosmic 20251106032411.188 ERROR start - ../src/lxc/start.c:print_top_failing_dir:100 - Permission denied - Could not access /home/tie. Please grant it x access, or add an ACL for the container rootThe log entry indicates that the container cosmic (running as its own unprivileged user/ID-mapped user) is attempting to access the directory /home/tie on the host system, and it is being blocked with a "Permission denied" error at the kernel level.
The critical requirement is the "execute" (x) permission on the directory path. The x permission on a directory allows a user to traverse it (i.e., pass through it to access contents in subdirectories). Without x access to /home/tie, the container cannot access any deeper path it may need.
Method 1: Change Directory Permissions (Simplest)
chmod o+x /home/tieMethod 2: Use Access Control Lists (ACLs) (Recommended for Security)
TODO
Error 2
If you encounter the error like:
200 lxc-start cosmic 20251106033553.476 ERROR network - ../src/lxc/network.c:lxc_create_network_unpriv_exec:3029 - lxc-user-nic failed to configure requested network: ../src/lxc/cmd/lxc_user_nic.c: 1211: main: Quota reac hedEach unprivileged user (non-root) running LXC containers can only create a limited number of veth pairs (virtual Ethernet interfaces).
This limit is defined in /etc/lxc/lxc-usernet with lines like:
<username> veth <bridge> <limit>Example:
myuser veth lxcbr0 10Fix by incresed the <limit>
Mount dir to container
.local/share/lxc