Conveniently Good Containers Documentation

What is this

This is a Python script for managing unprivileged LXCs with little fuss. It allocates subuid/subgid ranges and IP addresses automatically and guarantees that they do not overlap between containers, so no two containers are ever mapped onto the same host UIDs or GIDs.

I haven't tested this on anything other than Debian stretch.

How can I use this to my advantage

  1. Install the prerequisites.
    sudo apt install lxc lxcfs -t stretch-backports
    sudo apt install dnsmasq-base fossil
  2. Edit your kernel boot parameters (e.g., the GRUB_CMDLINE_LINUX=... line in /etc/default/grub), add the cgroup_enable=memory swapaccount=1 options, then run update-grub and reboot. Without them the kernel does not account for container memory, so the memory limit set in step 8 has no effect.
  3. Install.
    sudo -i
    mkdir cgc1; cd cgc1
    fossil clone https://hydra.ecd.space/f/cgc/ cgc.fossil
    fossil open cgc.fossil release
    python3 setup.py install
    cgc1 setup --install-conf --install-lxc-net --add-subids
    service lxc-net restart
  4. Create a base Debian image. The -B btrfs backing store requires /var/lib/lxc to live on a btrfs filesystem; the cheap copies in steps 7 and 8 depend on it.
    lxc-create -t debian -n stretch-base -B btrfs -- -r stretch --mirror=http://httpredir.debian.org/debian
  5. Configure networking for it.
    cgc1 configure -n stretch-base --rootfs-purge-net --purge-net --ipaddr 10.3.0.0/16
  6. Switch from systemd to sysvinit inside the LXC; otherwise you would have to add the cap_sys_admin capability to the whitelist, which hands the container the broadest capability Linux has and is probably a bad idea.
    lxc-start -n stretch-base
    lxc-attach -n stretch-base -- apt-get install --yes sysvinit-core sysvinit-utils
    lxc-stop -n stretch-base
  7. Make a (cheap, copy-on-write) copy of stretch-base and make it unprivileged.
    lxc-copy -n stretch-base -N stretch-unprivileged
    cgc1 configure -n stretch-unprivileged --auto-idmap --ipaddr auto --purge-include -t debian
  8. Use stretch-unprivileged as a basis for your new LXCs.
    lxc-copy -n stretch-unprivileged -N my-lxc
    cgc1 configure -n my-lxc --auto-idmap --ipaddr auto --lxc-set lxc.cgroup.memory.limit_in_bytes 1000M
  9. Enjoy.
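
The non-overlapping subuid/subgid allocation mentioned at the top and the --auto-idmap step above, worked through as an added example. This is not cgc's code: it is a simplified first-fit allocator written here in Python (the project's language) that reads /etc/subuid-style ranges and the lxc.idmap lines of existing container configs, hands out the next free 65536-ID range, and audits a set of configs for two isolation mistakes, overlapping host ranges and a whitelisted cap_sys_admin. The /etc/subuid content, the container configs, the 100000 floor and the 65536 range size are constructed assumptions, and the script only computes the new range; it does not write it to /etc/subuid or /etc/subgid, which is presumably what cgc1 setup --add-subids takes care of.

```python
"""First-fit subuid/subgid allocation and idmap audit for unprivileged LXCs.

Added example, not cgc's own code. Sample data below is constructed.
Written for Python 3.5 (Debian stretch), hence .format() instead of f-strings.
"""
import itertools
import re

RANGE_SIZE = 65536      # a full 16-bit UID space per container (assumed)
SUBID_FLOOR = 100000    # assumed lowest host ID to hand out (Debian's SUB_UID_MIN default)

# Constructed sample /etc/subuid: three ranges already handed out.
SAMPLE_SUBUID = """\
root:100000:65536
root:165536:65536
alice:231072:65536
"""

# Constructed sample LXC configs (only the lines this example looks at).
# "broken" maps onto host IDs already used by the other two and keeps
# sys_admin, exactly the two things an audit should catch.
SAMPLE_CONFIGS = {
    "stretch-unprivileged": (
        "lxc.idmap = u 0 100000 65536\n"
        "lxc.idmap = g 0 100000 65536\n"
        "lxc.cgroup.memory.limit_in_bytes = 1000M\n"
    ),
    "my-lxc": (
        "lxc.idmap = u 0 165536 65536\n"
        "lxc.idmap = g 0 165536 65536\n"
    ),
    "broken": (
        "lxc.idmap = u 0 150000 65536\n"
        "lxc.idmap = g 0 150000 65536\n"
        "lxc.cap.keep = sys_admin\n"
    ),
}

# lxc 2.0 (stretch) spells the key lxc.id_map, lxc 3.0 (stretch-backports) lxc.idmap.
IDMAP_RE = re.compile(r"^\s*lxc\.(?:idmap|id_map)\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)")
CAP_KEEP_RE = re.compile(r"^\s*lxc\.cap\.keep\s*=\s*(.*)$")


def parse_subid(text):
    """Return [(start, count), ...] from /etc/subuid or /etc/subgid content."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _user, start, count = line.split(":")
        ranges.append((int(start), int(count)))
    return ranges


def parse_idmap(config_text):
    """Return [(kind, container_start, host_start, count), ...] from a config."""
    maps = []
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            kind, cstart, hstart, count = m.groups()
            maps.append((kind, int(cstart), int(hstart), int(count)))
    return maps


def overlaps(a_start, a_count, b_start, b_count):
    """True if two half-open host ID ranges share at least one ID."""
    return a_start < b_start + b_count and b_start < a_start + a_count


def allocate(used, size=RANGE_SIZE, floor=SUBID_FLOOR):
    """First-fit: lowest start >= floor whose [start, start+size) is free.

    One pass over the ranges sorted by start is enough: the candidate only
    moves upward, past the end of whatever it collides with."""
    candidate = floor
    for start, count in sorted(used):
        if overlaps(candidate, size, start, count):
            candidate = start + count
    return candidate


def idmap_lines(host_start, count=RANGE_SIZE):
    """The two config lines that map container root onto host_start."""
    return ["lxc.idmap = u 0 {} {}".format(host_start, count),
            "lxc.idmap = g 0 {} {}".format(host_start, count)]


def audit(configs):
    """Report containers whose UID maps overlap and containers keeping sys_admin."""
    findings = []
    hosts = {}
    for name, text in configs.items():
        hosts[name] = [(h, c) for kind, _cs, h, c in parse_idmap(text) if kind == "u"]
        for line in text.splitlines():
            m = CAP_KEEP_RE.match(line)
            if m and "sys_admin" in m.group(1).split():
                findings.append(("cap_sys_admin", name))
    for a, b in itertools.combinations(sorted(hosts), 2):
        if any(overlaps(*ra, *rb) for ra in hosts[a] for rb in hosts[b]):
            findings.append(("overlap", a, b))
    return findings


def plan_new_container(subuid_text, configs):
    """Config lines for a new container whose host range collides neither with
    /etc/subuid nor with any existing container's map."""
    used = parse_subid(subuid_text)
    for text in configs.values():
        used += [(h, c) for kind, _cs, h, c in parse_idmap(text) if kind == "u"]
    return idmap_lines(allocate(used))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS):
        print("finding:", *finding)
    print("\n".join(plan_new_container(SAMPLE_SUBUID, SAMPLE_CONFIGS)))
```

Run as is, it reports the two overlaps and the kept sys_admin for the constructed "broken" container, then prints the two lxc.idmap lines for a fresh container starting at host ID 296608, the first 65536-ID slot above everything in the sample /etc/subuid and the sample configs. Overlap matters because the host kernel then sees two containers' processes and files as belonging to the same users, so the ordinary DAC separation between them is gone; a per-container range is what keeps a compromise of one container from being a compromise of its neighbours.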