unprivileged containers under debian 8 jessie
---------------------------------------------

tl;dr: horrible, but works

1. Install sysvinit

# apt-get install sysvinit-core sysvinit sysvinit-utils
# reboot

2. Remove systemd and pin it so it cannot come back as a dependency

# apt-get remove --purge --auto-remove systemd
# echo -e 'Package: systemd\nPin: origin ""\nPin-Priority: -1' > /etc/apt/preferences.d/systemd

3. Install needed tools (uidmap provides newuidmap/newgidmap, which an
   unprivileged container needs to set up its id mapping)

# apt-get install bridge-utils uidmap cgroup-tools

4. Configure bridge

# cat >> /etc/network/interfaces << __EOF__
auto lxcbr0
iface lxcbr0 inet static
    bridge_fd 0
    address 10.0.1.1
    netmask 255.255.255.0
    bridge_stp off
    bridge_waitport 0
    bridge_ports none
__EOF__
# ifup lxcbr0

Nothing hands out addresses on lxcbr0 here, so containers come up without
an IPv4 address (see the lxc-ls output in step 9); configure them
statically or run a DHCP server on the bridge if you need more.

5. Configure user's lxc defaults

$ id thresh
uid=1012(thresh) gid=50(staff) groups=50(staff),51(syseng)
$ fgrep thresh /etc/subuid
thresh:689824:65536
$ fgrep thresh /etc/subgid
thresh:689824:65536

^^^ means I can use 65536 sub uids/gids starting with 689824, so..

$ mkdir -p ~/.config/lxc
$ cat >> ~/.config/lxc/default.conf << __EOF__
lxc.include = /etc/lxc/default.conf
lxc.id_map = u 0 689824 65536
lxc.id_map = g 0 689824 65536
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 52:54:00:AB:01:01
__EOF__
# echo "thresh veth lxcbr0 10" > /etc/lxc/lxc-usernet

The id_map lines must stay inside the range granted in /etc/subuid and
/etc/subgid, otherwise newuidmap/newgidmap refuse them at lxc-start. With
this map, root inside the container is uid 689824 on the host, and a file
owned by 689824 on the host belongs to the container's root. lxc-create
copies default.conf into each new container's config, so every container
made from this file inherits the same MAC; change it per container or use
LXC's wildcard form (52:54:00:xx:xx:xx) to get a random one. The
lxc-usernet line lets thresh create at most 10 veth devices on lxcbr0.

6. Set needed kernel parameter

# echo "kernel.unprivileged_userns_clone = 1" >> /etc/sysctl.conf && sysctl -p

Debian's kernel disables unprivileged user namespaces by default; turning
them on lets every local user create them, which exposes kernel attack
surface well beyond LXC, so only do this on hosts where that is acceptable.

7. Create a cgroup for the user and move all the stuff to that cgroup:

# cat > /etc/cgconfig.conf << __EOF__
mount {
    cpu = /sys/fs/cgroup;
    cpuset = /sys/fs/cgroup;
    cpuacct = /sys/fs/cgroup;
    #memory = /sys/fs/cgroup;
    devices = /sys/fs/cgroup;
    freezer = /sys/fs/cgroup;
    net_cls = /sys/fs/cgroup;
    blkio = /sys/fs/cgroup;
    perf_event = /sys/fs/cgroup;
}

group thresh {
    perm {
        task {
            uid = thresh;
        }
        admin {
            uid = thresh;
        }
    }
    cpu { }
    cpuset {
        cpuset.cpus = 0-1;
        cpuset.mems = 0;
    }
}
__EOF__
# cat > /etc/cgrules.conf << __EOF__
thresh * thresh
__EOF__
# cat >> /etc/rc.local << __EOF__
/usr/sbin/cgconfigparser -l /etc/cgconfig.conf
/usr/sbin/cgrulesengd
__EOF__
# reboot

Debian's stock /etc/rc.local ends with "exit 0"; anything appended after
that line never runs, so make sure these lines (and the one in step 8)
land before it.

8. Launch containers marked as auto-start on system boot:

# cat >> /etc/rc.local << __EOF__
/bin/su -c /usr/bin/lxc-autostart thresh
__EOF__

9. Create a container. For some reason jessie is not available, so create
   wheezy instead:

$ lxc-create -t download -n p2 -- -d debian -r wheezy -a amd64
$ lxc-start -n p2 -d

yay!

$ lxc-ls --fancy
NAME  STATE    IPV4  IPV6  AUTOSTART
------------------------------------
p2    RUNNING  -     -     NO

10. Autostart the container:

$ echo "lxc.start.auto = 1" >> ~/.local/share/lxc/p2/config

-- thresh 13/08/2015
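As an added example (not part of thresh's notes or of LXC itself), the
POSIX sh script below checks that a user's lxc.id_map lines stay inside the
range granted in /etc/subuid, and translates uids across the map in both
directions, which is what you need when a host-side file or process shows
up owned by a six-digit uid. File contents are passed in as text and the
sample data is constructed to match the values in the notes, so it runs
offline; the function names are mine.

```shell
#!/bin/sh
# Added example: sanity-check an unprivileged LXC id mapping.
# Works on text passed as arguments, so it can be run against live files
# with e.g. "$(cat /etc/subuid)" or against the constructed samples below.

# Print "start count" granted to user $2 in subuid/subgid-style text $1.
subid_range() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $2, $3; exit }'
}

# Print "cstart hstart count" for the lxc.id_map of type $2 (u or g) in $1.
idmap_line() {
    printf '%s\n' "$1" | awk -v t="$2" \
        '$1 == "lxc.id_map" && $3 == t { print $4, $5, $6; exit }'
}

# Succeed only if the host side of id_map "$1" lies within grant "$2".
# A map outside the grant is refused by newuidmap at lxc-start; a map that
# reached host uid 0 would make container root real root.
idmap_fits() {
    set -- $1 $2                     # cstart hstart count sub_start sub_count
    [ "$2" -gt 0 ] && [ "$2" -ge "$4" ] && [ $(($2 + $3)) -le $(($4 + $5)) ]
}

# Host uid that container uid $2 becomes under id_map "$1".
# Container ids outside the map cannot be held by any process in the container.
to_host() {
    set -- $1 $2                     # cstart hstart count cuid
    if [ "$4" -ge "$1" ] && [ "$4" -lt $(($1 + $3)) ]; then
        echo $(($2 + $4 - $1))
    else
        echo unmapped
    fi
}

# Container uid that host uid $2 appears as under id_map "$1".
# Host ids outside the map show up inside as the overflow id (65534, nobody).
to_container() {
    set -- $1 $2                     # cstart hstart count huid
    if [ "$4" -ge "$2" ] && [ "$4" -lt $(($2 + $3)) ]; then
        echo $(($1 + $4 - $2))
    else
        echo unmapped
    fi
}

# Constructed sample data mirroring the values in the notes.
SUBUID='root:100000:65536
thresh:689824:65536'
USERCONF='lxc.include = /etc/lxc/default.conf
lxc.id_map = u 0 689824 65536
lxc.id_map = g 0 689824 65536
lxc.network.type = veth'
# A deliberately wrong map whose host side starts at a real login uid.
BADMAP='0 1000 65536'

report() {
    grant=$(subid_range "$SUBUID" thresh)
    umap=$(idmap_line "$USERCONF" u)
    if idmap_fits "$umap" "$grant"; then
        echo "uid map '$umap' fits the /etc/subuid grant '$grant'"
    fi
    if ! idmap_fits "$BADMAP" "$grant"; then
        echo "uid map '$BADMAP' escapes the grant; newuidmap would refuse it"
    fi
    echo "container root is host uid $(to_host "$umap" 0)"
    echo "host uid 1012 (thresh) seen from inside: $(to_container "$umap" 1012)"
}

report
```

Run it as-is to see the checks against the sample data; to check a live
host, replace the SUBUID and USERCONF literals with "$(cat /etc/subuid)"
and "$(cat ~/.config/lxc/default.conf)". The same functions apply to gids
by passing g to idmap_line and the /etc/subgid contents to subid_range.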