This repository has been archived on 2023-11-17. You can view files and clone it. You cannot open issues or pull requests or push a commit.
File: linux/debian10-LXC.md

Setup LXC on debian 10

Install packages and add an unprivileged user

```
apt install lxc libvirt0 libpam-cgfs bridge-utils uidmap
useradd lxcuser
cat /etc/s*id | grep lxcuser
```

The last command prints lxcuser's entries from /etc/subuid and /etc/subgid, each in the form lxcuser:<start>:<count> (useradd assigns a range of 65536 subordinate ids by default). The <start> and <count> values are what replaces the placeholders in the following steps.

Put the following in /etc/default/lxc-net

```
USE_LXC_BRIDGE="true"
```

Put the following in /etc/lxc/default.conf (replace <start> and <count> with the values from the cat output above; the u line comes from /etc/subuid, the g line from /etc/subgid)

```
lxc.idmap = u 0 <start> <count>
lxc.idmap = g 0 <start> <count>
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 1
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
```

The idmap lines map container uid/gid 0 onto host id <start> for <count> ids. Note that lxc.apparmor.profile = unconfined disables AppArmor confinement for the container, and allow_nesting permits running containers inside it. LXC replaces each xx in the hwaddr with a random hex byte.

Give root access to the unprivileged user's id range

```
echo "root:<start>:<count>" >> /etc/subuid
echo "root:<start>:<count>" >> /etc/subgid
```

Enable and start the lxc network service

```
systemctl enable --now lxc-net
```

Enable unprivileged user namespaces for kernels < 5.10

```
echo kernel.unprivileged_userns_clone=1 >> /etc/sysctl.conf
sysctl -p
```
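The steps above all hinge on copying the same <start> and <count> numbers into three places. The following POSIX shell functions, added here as an example and not part of the original note, read a user's ranges from /etc/subuid and /etc/subgid (assumed to be in the standard name:start:count format) and print the lxc.idmap lines and the root entries. The file paths are parameters so the functions can be run against copies; a range smaller than 65536 is rejected because it cannot cover a guest's uid 0..65535.

```shell
#!/bin/sh
# Added example, not part of the original note: derive the lxc.idmap lines for
# /etc/lxc/default.conf and the root:start:count entries for /etc/subuid and
# /etc/subgid from a user's subordinate id ranges.
# Assumes the standard "name:start:count" format of those files.

# lookup_range FILE USER -> prints "start count" for USER, fails if absent.
lookup_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; found = 1; exit }
                       END { exit !found }' "$1"
}

# subid_ranges USER [SUBUID_FILE] [SUBGID_FILE] -> "ustart ucount gstart gcount"
# Refuses ranges smaller than 65536, which cannot cover a guest's uid 0..65535.
subid_ranges() {
    user="$1"; subuid="${2:-/etc/subuid}"; subgid="${3:-/etc/subgid}"
    u=$(lookup_range "$subuid" "$user") || { echo "no subuid entry for $user" >&2; return 1; }
    g=$(lookup_range "$subgid" "$user") || { echo "no subgid entry for $user" >&2; return 1; }
    set -- $u $g
    if [ "$2" -lt 65536 ] || [ "$4" -lt 65536 ]; then
        echo "$user needs at least 65536 subordinate uids and gids" >&2
        return 1
    fi
    echo "$1 $2 $3 $4"
}

# idmap_config USER [SUBUID_FILE] [SUBGID_FILE] -> the two lxc.idmap lines:
# container uid/gid 0 is mapped onto host id <start>, for <count> ids.
idmap_config() {
    r=$(subid_ranges "$@") || return 1
    set -- $r
    printf 'lxc.idmap = u 0 %s %s\n' "$1" "$2"
    printf 'lxc.idmap = g 0 %s %s\n' "$3" "$4"
}

# root_subid_entries USER [SUBUID_FILE] [SUBGID_FILE] -> the lines the note
# appends to /etc/subuid and /etc/subgid so root may use the same ranges.
root_subid_entries() {
    r=$(subid_ranges "$@") || return 1
    set -- $r
    printf 'root:%s:%s\n' "$1" "$2"
    printf 'root:%s:%s\n' "$3" "$4"
}
```

Typical use on the host is `idmap_config lxcuser >> /etc/lxc/default.conf` followed by `root_subid_entries lxcuser | sed -n 1p >> /etc/subuid` and `root_subid_entries lxcuser | sed -n 2p >> /etc/subgid`, which reproduces the three manual edits with the same numbers every time.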

Extra config KB

  • Create a container: lxc-create -t download -n <CTName> -- -d debian -r buster -a amd64
  • Container config: /var/lib/lxc/<CTName>/config
  • Add to the container config to start it on boot: lxc.start.auto = 1
  • Add to the container config for a static IP:

    lxc.net.0.ipv4.address = 10.0.3.<IP>/24
    lxc.net.0.ipv4.gateway = 10.0.3.1

UFW forwarding

Also don't forget to allow the external port with a ufw allow rule. Add the following to /etc/ufw/before.rules:

At the beginning of the file, before the *filter line

```
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp0s3 -p tcp --dport <external port> -j DNAT --to <ctip>:<internalport>
COMMIT
```

At the end of the file, before the last COMMIT

```
#LXC forwards
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
```
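Because before.rules already has a *filter table and a COMMIT of its own, the two insertions must land at the right spots or ufw refuses to load the file. The function below, added here as an example and not part of the original note, validates the port and container address arguments, then writes a copy of the file with the *nat table inserted before the *filter line and the FORWARD rules inserted before the last COMMIT. The interface, ports and address are parameters; the input file path is a parameter too, so a copy of /etc/ufw/before.rules can be processed and inspected before it replaces the original.

```shell
#!/bin/sh
# Added example, not part of the original note: insert the *nat table before
# "*filter" and the lxcbr0 FORWARD rules before the last COMMIT of a ufw
# before.rules file, after checking the arguments. Output goes to stdout.

# is_port N -> true for 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 A -> true for a dotted quad with each octet 0..255
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# ufw_lxc_forward FILE IFACE EXTPORT CTIP INTPORT -> edited file on stdout
ufw_lxc_forward() {
    file="$1"; iface="$2"; ext="$3"; ctip="$4"; int="$5"
    is_port "$ext" && is_port "$int" || { echo "bad port: $ext / $int" >&2; return 1; }
    is_ipv4 "$ctip" || { echo "bad container address: $ctip" >&2; return 1; }
    # The \n escapes are expanded into real newlines by awk -v.
    nat="*nat\n:PREROUTING ACCEPT [0:0]\n-A PREROUTING -i $iface -p tcp --dport $ext -j DNAT --to $ctip:$int\nCOMMIT"
    fwd="#LXC forwards\n-A FORWARD -o lxcbr0 -j ACCEPT\n-A FORWARD -i lxcbr0 -j ACCEPT"
    awk -v nat="$nat" -v fwd="$fwd" '
        { line[NR] = $0 }
        END {
            # locate the first *filter line and the last COMMIT
            for (i = 1; i <= NR; i++) {
                if (!filter && line[i] ~ /^\*filter/) filter = i
                if (line[i] ~ /^COMMIT/) last = i
            }
            if (!filter || !last) {
                print "no *filter table or COMMIT found" > "/dev/stderr"; exit 1
            }
            for (i = 1; i <= NR; i++) {
                if (i == filter) print nat
                if (i == last) print fwd
                print line[i]
            }
        }' "$file"
}
```

For example, `ufw_lxc_forward /etc/ufw/before.rules enp0s3 2222 10.0.3.10 22 > /tmp/before.rules.new` produces the edited file for review; after it is copied into place, `ufw allow 2222/tcp` and `ufw reload` complete the setup described above.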