
This is an old revision of the document!


LXC - Linux Containers

Resources

Basic setup

  • Physical host has to have a network bridge
  • On physical host, in /etc/lxc/default.conf:
    lxc.network.type=veth
    lxc.network.link=br0
    lxc.network.flags=up
  • Create container: lxc-create -n lxcguest -t /usr/share/lxc/templates/lxc-freeslack
  • Edit container's config and:
    • Set MAC for virtual NIC: lxc.network.hwaddr = DE:AD:BE:EF:00:00
    • Change location(s) of mount(s), if needed
    • Change container's /etc/rc.d/rc.inet1.conf
  • Start container: lxc-start -n lxcguest -d
  • Connect to container's console: lxc-console -n lxcguest
    Default login/password is root/root
  • Packages to add:
    • perl
    • python
    • python-setuptools
    • vim
    • less
    • rsync
    • sudo
    • db48
    • gnupg
    • gnupg2
    • curl
    • guile
    • gc
    • make
    • nmap
    • libunistring
    • libffi
    • git

Unprivileged

  1. Prerequisites
  2. Create standard root-privileged container
  3. Remap that container's owner & group numbers to the user's subuid & subgid
  4. Move the container into the user's file space
  5. Run the unprivileged container

Prerequisites

  • Ensure the libcgroup package is at least libcgroup-0.41-x86_64-2_slack14.2
  • In /etc/cgconfig.conf:
    group lxc {
        perm {
            task {
                uid = rk4n3;
                gid = rk4n3;
            }
            admin {
                uid = rk4n3;
                gid = rk4n3;
            }
        }

        cpuset {
            cgroup.clone_children = 1;
            cpuset.mems = 0;
            cpuset.cpus = 0-3;
        }
        cpu {}
        cpuacct {}
        blkio {}
        memory { memory.use_hierarchy = 1; }
        devices {}
        freezer {}
        net_cls {}
        perf_event {}
        net_prio {}
    }
  • In /etc/cgrules.conf:
    rk4n3           *               lxc/
  • As root:
    usermod --add-subuids 100000-165536 rk4n3
    usermod --add-subgids 100000-165536 rk4n3
  • Start cgconfig (1st) and cgred (2nd) services, verify with: lscgroup

Re-Mapping Container UIDs & GIDs

Acquire uidmapshift.c and container-userns-convert from: nsexec tools

Build uidmapshift with:

gcc -o uidmapshift uidmapshift.c

Near the end of container-userns-convert, around line 61, change the call to uidmapshift to $PATHTOYOUR/uidmapshift, then make container-userns-convert executable. Perform the actual conversion (as root) with:

./container-userns-convert yourcontainername 100000

In $HOME/.config/lxc/default.conf:

lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.hwaddr = DE:AD:BE:EF:xx:xx
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

In /etc/lxc/lxc-usernet:

rk4n3 veth br0 10
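
The lxc.id_map lines above only work if the same ranges were delegated to the user with usermod --add-subuids / --add-subgids in the prerequisites. The script below is an added example, not part of the original page or of LXC: it cross-checks a container config against /etc/subuid and /etc/subgid. The function names and the script name check_idmap.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Checks that each lxc.id_map
# line in a container config lies inside a range delegated to the user in
# /etc/subuid (u) or /etc/subgid (g). Those files use name:start:count.

# range_delegated FILE USER START COUNT
# Succeeds if [START, START+COUNT) fits inside one of USER's entries.
range_delegated() {
    awk -F: -v u="$2" -v s="$3" -v c="$4" '
        $1 == u && s + 0 >= $2 + 0 && s + c <= $2 + $3 { ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# check_id_maps CONF USER [SUBUID_FILE] [SUBGID_FILE]
# Prints OK/FAIL per mapping; fails if any mapping is not delegated or if
# the config has no lxc.id_map line at all.
check_id_maps() {
    conf=$1 user=$2 subuid=${3:-/etc/subuid} subgid=${4:-/etc/subgid}
    rc=0 seen=0
    # Reduce "lxc.id_map = u 0 100000 65536" to "u 100000 65536".
    maps=$(awk -F'[= \t]+' '{ sub(/^[ \t]+/, "") }
        $1 == "lxc.id_map" { print $2, $4, $5 }' "$conf")
    while read -r kind host count; do
        [ -n "$kind" ] || continue
        seen=1
        case $kind in
            u) file=$subuid ;;
            g) file=$subgid ;;
            *) echo "FAIL unknown map kind '$kind'"; rc=1; continue ;;
        esac
        if range_delegated "$file" "$user" "$host" "$count"; then
            echo "OK   $kind $host +$count delegated to $user"
        else
            echo "FAIL $kind $host +$count not delegated to $user in $file"
            rc=1
        fi
    done <<EOF
$maps
EOF
    [ "$seen" -eq 1 ] || { echo "FAIL no lxc.id_map in $conf"; rc=1; }
    return "$rc"
}

# Usage: sh check_idmap.sh ~/.config/lxc/default.conf rk4n3
if [ "$#" -ge 2 ]; then check_id_maps "$@"; fi
```

A FAIL line means the container would ask for host IDs the user was never delegated, so fix the delegation or the id_map before starting it.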

Extra Setup

lighttpd

  • Packages to install for lighttpd (preferred)
    • php
  • Packages to install for lighttpd2 (experimental)
    • lua
    • colm
    • kelbt
    • ragel
    • libev
    • libunwind (optional: pass UNWIND=yes to lighttpd2 slackbuild)
    • libiodbc
    • libmcrypt
    • libxml2
    • cyrus-sasl
    • enchant
    • aspell
    • aspell-en
    • t1lib
    • icu4c
    • sqlite
    • net-snmp
    • libxslt
    • libgcrypt
    • libnl3
    • libgpg-error
    • lighttpd2

MySQL

  • Install the mysql package(s)
    • Prerequisites in addition to template's packages: libaio and jemalloc

Minimal X Footprint

  • libXaw
  • libXft
  • libXmu
  • libXt
  • libX11
  • libXpm
  • libXau
  • libXdmcp
  • libxcb
  • libXrender
  • libXext
  • libSM
  • libICE
  • libXinerama
  • utempter
  • harfbuzz
  • freetype
  • fontconfig
  • dejavu-fonts-ttf
  • font-misc-misc
  • xterm
tech/lxc/start.1494228057.txt.gz · Last modified: 2017/05/08 02:20 by rk4n3