Cleaned up and merge other Linux snippit repo
Meged https://git.bprieshof.nl/brammp/linux into ./Linux
This commit is contained in:
74
Linux/Docs/Setup-debian10-LXC.md
Normal file
74
Linux/Docs/Setup-debian10-LXC.md
Normal file
@@ -0,0 +1,74 @@
|
||||
# Setup LXC on debian 10
|
||||
|
||||
Install packages and add unprivileged user
|
||||
```
|
||||
apt install lxc libvirt0 libpam-cgfs bridge-utils uidmap
|
||||
useradd lxcuser
|
||||
cat /etc/s*id|grep lxcuser
|
||||
```
|
||||
|
||||
Put the following in /etc/default/lxc-net
|
||||
```
|
||||
USE_LXC_BRIDGE="true"
|
||||
```
|
||||
|
||||
Put the following in /etc/lxc/default.conf
|
||||
```
|
||||
lxc.idmap = u 0 <Replace with output of cat> <Replace with output of cat>
|
||||
lxc.idmap = g 0 <Replace with output of cat> <Replace with output of cat>
|
||||
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
|
||||
lxc.apparmor.profile = unconfined
|
||||
lxc.apparmor.allow_nesting = 1
|
||||
lxc.net.0.type = veth
|
||||
lxc.net.0.link = lxcbr0
|
||||
lxc.net.0.flags = up
|
||||
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
|
||||
```
|
||||
|
||||
Give root acces to unprivileged user space
|
||||
```
|
||||
echo "root:<Replace with output of cat>:<Replace with output of cat>" >> /etc/subuid
|
||||
echo "root:<Replace with output of cat>:<Replace with output of cat>" >> /etc/subgid
|
||||
```
|
||||
|
||||
Enable and start lxc network service
|
||||
```
|
||||
systemctl enable --now lxc-net
|
||||
```
|
||||
enable unprivileged user namespaces for kernels < 5.10
|
||||
```
|
||||
echo kernel.unprivileged_userns_clone=1 >> /etc/sysctl.conf
|
||||
sysctl -p
|
||||
```
|
||||
|
||||
|
||||
# Extra config KB
|
||||
* Create Container `lxc-create -t download -n <CTName> -- -d debian -r buster -a amd64`
|
||||
* Container config `/var/lib/lxc/<CTName>/config`
|
||||
* add to Container config to start on boot `lxc.start.auto = 1`
|
||||
* add to Container config for static ip
|
||||
```
|
||||
lxc.net.0.ipv4.address = 10.0.3.<IP>/24
|
||||
lxc.net.0.ipv4.gateway = 10.0.3.1
|
||||
```
|
||||
|
||||
|
||||
# UFW forwarding
|
||||
|
||||
also dont forget to add the extenal port as allow rule
|
||||
add to /etc/ufw/before.rules
|
||||
|
||||
to begin of file before *filter
|
||||
```
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
-A PREROUTING -i enp0s3 -p tcp --dport <extenal port> -j DNAT --to <ctip>:<internalport>
|
||||
COMMIT
|
||||
```
|
||||
|
||||
to end of file before last COMMIT
|
||||
```
|
||||
#LXC forwards
|
||||
-A FORWARD -o lxcbr0 -j ACCEPT
|
||||
-A FORWARD -i lxcbr0 -j ACCEPT
|
||||
```
|
||||
Reference in New Issue
Block a user