Running an unprivileged LXC on a Debian host

I recently switched from Ubuntu to Debian Testing. I used to run OpenWrt in VirtualBox without issue, but am now looking to switch to LXC since VirtualBox is not included in the Debian repositories.

I've followed the instructions at https://openwrt.org/docs/guide-user/virtualization/lxc

Have overcome the first roadblocks by running:
$ sudo sysctl kernel.unprivileged_userns_clone=1

And editing /etc/lxc/default.conf

-lxc.apparmor.profile = generated
+lxc.apparmor.profile = unconfined
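
Review bot: the `+lxc.apparmor.profile = unconfined` line is in /etc/lxc/default.conf, so containers created from that default will run without AppArmor confinement, not only the OpenWrt one. Consider leaving `generated` in the default and overriding the profile only in the config of the container that needs it.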

But am now encountering the following error:

$ lxc-ls --version
3.0.4

$ lxc-start -n openwrt_x64 -F
lxc-start: openwrt_x64: conf.c: lxc_setup_boot_id: 3493 Permission denied - Failed to mount /dev/.lxc-boot-id to /proc/sys/kernel/random/boot_id
lxc-start: openwrt_x64: sync.c: __sync_wait: 61 An error occurred in another process (expected sequence number 7)
lxc-start: openwrt_x64: start.c: lxc_abort: 1115 No such file or directory - Failed to send SIGKILL to 30782
lxc-start: openwrt_x64: start.c: __lxc_start: 2031 Failed to spawn container "openwrt_x64"
lxc-start: openwrt_x64: tools/lxc_start.c: main: 329 The container failed to start

I'm guessing it is related to CGroups since I'm not running as root, but not sure how to best sort it all out.
Any ideas? @moserwi @alex1452
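
A host-side audit of the settings touched in the post above, written as an added example that is not part of the thread or the OpenWrt wiki: it checks the Debian `kernel.unprivileged_userns_clone` sysctl, the subordinate ID ranges and `lxc.idmap` lines that unprivileged LXC relies on, and reports `lxc.apparmor.profile = unconfined`, which leaves the container without AppArmor confinement. The function names, the user `alice` and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit unprivileged-LXC settings on a Debian host.

# Effective value of KEY ($1) in an LXC config FILE ($2); the last assignment is used here.
lxc_conf_get() {
    awk -F= -v k="$1" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }' "$2"
}

# 0 if FILE ($2) delegates a subordinate ID range to USER ($1), as in /etc/subuid.
has_subid_range() {
    grep -Eq "^$1:[0-9]+:[0-9]+\$" "$2"
}

# 0 if CONF ($2) maps IDs of KIND ($1: u or g) into a user namespace.
has_idmap() {
    grep -Eq "^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*$1[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9]+" "$2"
}

# Print one line per finding and return the number of findings.
# Args: user, LXC config, subuid file, subgid file, userns sysctl file.
audit_unpriv_lxc() {
    n=0
    # The sysctl exists only on Debian-patched kernels; skip the check if absent.
    if [ -r "$5" ] && [ "$(cat "$5")" != "1" ]; then
        echo "FAIL: kernel.unprivileged_userns_clone is not 1"; n=$((n + 1))
    fi
    has_subid_range "$1" "$3" || { echo "FAIL: no subuid range for $1"; n=$((n + 1)); }
    has_subid_range "$1" "$4" || { echo "FAIL: no subgid range for $1"; n=$((n + 1)); }
    has_idmap u "$2" || { echo "FAIL: no lxc.idmap u line in $2"; n=$((n + 1)); }
    has_idmap g "$2" || { echo "FAIL: no lxc.idmap g line in $2"; n=$((n + 1)); }
    if [ "$(lxc_conf_get lxc.apparmor.profile "$2")" = "unconfined" ]; then
        echo "WARN: lxc.apparmor.profile = unconfined (no AppArmor confinement)"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample input mirroring the default.conf edit in the post above.
demo=$(mktemp -d)
printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\nlxc.apparmor.profile = unconfined\n' > "$demo/default.conf"
echo 'alice:100000:65536' > "$demo/subid"
echo 1 > "$demo/userns"
audit_unpriv_lxc alice "$demo/default.conf" "$demo/subid" "$demo/subid" "$demo/userns" || echo "findings: $?"
```

On a real host the arguments would be the invoking user, the LXC config being used (for example the /etc/lxc/default.conf edited above), /etc/subuid, /etc/subgid and /proc/sys/kernel/unprivileged_userns_clone.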

Well, I didn't realize there were LXC templates available for OpenWrt. This is fantastic.
I finally have unprivileged containers working with the following:

$ lxc-create -n openwrt -t download -- -d openwrt -r 19.07 -a amd64
$ lxc-start -n openwrt
$ lxc-attach -n openwrt --clear-env

The --clear-env option was needed to fix the container $PATH


Curious as to why you didn't just go with qemu/kvm when VirtualBox wasn't available.

That said, good choice: if you're already running a Linux based network appliance, it's hard to justify the extra overhead of another kernel, and even virtio-net involves an unnecessary performance hit. I run multiple instances of OpenWrt in lxc containers (lxd rather than lxc, which eliminates jumping through a lot of hoops re privileges, especially with macvlan interfaces).

I certainly did play around with virt-manager over the past week, but having been spoiled by LXC in Proxmox VE, I wanted to see it working on my main Desktop machine.

Hello @skyblaster, I looked through many websites but did not find the command of the theme for version 18.06. I was about to use it too.

Thank you so much for sharing it.

Excuse me, how did you get the template command?

I will try using

$ lxc-create -n openwrt -t download -- -d openwrt -r 18.06 -a amd64

Since the only thing that varies in my case is the version of openwrt.

It would be nice if we could document it on the openwrt wiki.
Sorry, you are a frequent user of the wiki; on which page would it be correct to document this information?
I would like to help by adding this information for other users.

Thanks again for sharing with the community.

Regards :grinning: :beers:

Hi @geryescalier

Yes, I can confirm that by running that command, you should end up with the latest build of 18.06.8.

$ lxc-create -n openwrt_18.06.8 -t download -- -d openwrt -r 18.06 -a amd64
The cached copy has expired, re-downloading...
Setting up the GPG keyring
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created an OpenWrt container.

$ lxc-start -n openwrt_18.06.8
$ lxc-attach -n openwrt_18.06.8 --clear-env


BusyBox v1.28.4 () built-in shell (ash)


/ # cat /etc/os-release 
NAME="OpenWrt"
VERSION="18.06.8"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 18.06.8"
VERSION_ID="18.06.8"
HOME_URL="http://openwrt.org/"
BUG_URL="http://bugs.openwrt.org/"
SUPPORT_URL="http://forum.lede-project.org/"
BUILD_ID="r7989-82fbd85747"
LEDE_BOARD="x86/64"
LEDE_ARCH="x86_64"
LEDE_TAINTS=""
LEDE_DEVICE_MANUFACTURER="OpenWrt"
LEDE_DEVICE_MANUFACTURER_URL="http://openwrt.org/"
LEDE_DEVICE_PRODUCT="Generic"
LEDE_DEVICE_REVISION="v0"
LEDE_RELEASE="OpenWrt 18.06.8 r7989-82fbd85747"

I can't remember exactly where I found that command. I may have simply figured it out from reading the ARCH Wiki and then finding openwrt listed on the linuxcontainers.org image server.

https://wiki.archlinux.org/index.php/Linux_Containers#Container_creation
https://us.images.linuxcontainers.org/

This "https://openwrt.org/docs/guide-user/virtualization/lxc" would certainly be the correct wiki page to edit. It's been a while since I've contributed there, so please do so if you have the time.

Cheers :beers:


Thank you very much for all the help, @skyblaster. On the wiki, I will put the command on the page you suggest.
Regards :grinning: :beers: