Index
- Part 1: Introduction
- Part 2: Basic configuration files
- Part 3: Creating an unprivileged container on Slackware
- Part 4: Scripts overview
- Part 5: Natting example
- Part 6: Migrating to Slackware-current - LXC-6 - cgroup2
- Browse the scripts' folder
- Changelog
Let's see how to manage unprivileged containers also in Slackware-current (the coming 15.1), which, at the time of writing, ships kernel-6.15.3, lxc-6.0.5 and libcgroups-3.2.0.
My attempts to use cgroup1 failed, but I managed to use cgroup2, even though limit settings do not work inside containers.
First of all, enable cgroup2 in /etc/default/cgroups:
CGROUPS_VERSION=2
Disable rc.cgconfig and rc.cgred at boot time:
chmod -x /etc/rc.d/rc.cgconfig /etc/rc.d/rc.cgred
I'm not sure if this is mandatory, but let's pass an option to the kernel to disable cgroup1 completely, by adding the following to lilo.conf, elilo.conf or whatever bootloader configuration you use:
append="cgroup_no_v1=all"
If you want to attempt to handle container limits, you should mount /sys/fs/cgroup properly by patching /etc/rc.d/rc.S at line 96:
- mount -t cgroup2 none /sys/fs/cgroup + mount -t cgroup2 -o rw,nosuid,nodev,noexec,relatime,nsdelegate none /sys/fs/cgroup
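Review bot: the option that matters for unprivileged containers in the `+` line is `nsdelegate`: it makes the root of each cgroup namespace a delegation boundary, so a container's processes cannot migrate themselves out of the subtree they were handed; `nosuid,nodev,noexec` are hardening flags for the pseudo-filesystem and are not what fixes delegation. Also, anchoring the patch on "line 96" will silently miss on any rc.S revision that shifts the line; matching on the existing `mount -t cgroup2 none /sys/fs/cgroup` text is more robust.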
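As an added example (not part of the original post or of the author's scripts), here is a small POSIX shell checker for the four host-side steps above: cgroup2 selected in /etc/default/cgroups, rc.cgconfig/rc.cgred disabled, no cgroup v1 hierarchy mounted, and /sys/fs/cgroup mounted as cgroup2 with nsdelegate. Each check takes the file or directory to inspect as an argument, so the block exercises itself on constructed sample files; called without arguments the functions assume the real Slackware paths (/proc/mounts, /etc/default/cgroups, /etc/rc.d).

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the cgroup2 host
# setup described above before starting unprivileged containers. Every check
# takes the file or directory to inspect as an argument; with no argument it
# assumes the real Slackware paths.

# 0 if /sys/fs/cgroup is a cgroup2 mount carrying the nsdelegate option.
cgroup2_mount_ok() {
    awk '$2 == "/sys/fs/cgroup" && $3 == "cgroup2" && $4 ~ /(^|,)nsdelegate(,|$)/ { ok = 1 }
         END { exit ok ? 0 : 1 }' "${1:-/proc/mounts}"
}

# 0 if no legacy (v1) cgroup hierarchy is mounted anywhere, which is what
# cgroup_no_v1=all on the kernel command line should give you.
no_cgroup1_mounted() {
    awk '$3 == "cgroup" { v1 = 1 } END { exit v1 ? 1 : 0 }' "${1:-/proc/mounts}"
}

# 0 if the libcgroup defaults file selects cgroup v2.
cgroups_version_is_2() {
    grep -Eq '^[[:space:]]*CGROUPS_VERSION=2[[:space:]]*$' "${1:-/etc/default/cgroups}"
}

# 0 if rc.cgconfig and rc.cgred have both lost their executable bit
# (a missing file counts as disabled).
cgroup_v1_rc_disabled() {
    rcdir="${1:-/etc/rc.d}"
    for f in rc.cgconfig rc.cgred; do
        [ -x "$rcdir/$f" ] && return 1
    done
    return 0
}

# Run one check, print PASS/FAIL with its name, and count failures.
report() {
    if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; failures=$((failures + 1)); fi
}

# Run every check; return the number of failed checks (0 = host is ready).
check_host() {
    failures=0
    report cgroup2_mount_ok "${1:-/proc/mounts}"
    report no_cgroup1_mounted "${1:-/proc/mounts}"
    report cgroups_version_is_2 "${2:-/etc/default/cgroups}"
    report cgroup_v1_rc_disabled "${3:-/etc/rc.d}"
    return $failures
}

# Constructed samples (not captured from a real host) so the checks can be
# demonstrated offline: one "good" set and one "bad" set.
SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/cgroup2-check.XXXXXX")
GOOD_MOUNTS="$SAMPLE_DIR/mounts.good"
cat > "$GOOD_MOUNTS" <<'EOF'
proc /proc proc rw,relatime 0 0
none /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
EOF
BAD_MOUNTS="$SAMPLE_DIR/mounts.bad"
cat > "$BAD_MOUNTS" <<'EOF'
proc /proc proc rw,relatime 0 0
none /sys/fs/cgroup cgroup2 rw,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory 0 0
EOF
GOOD_DEFAULTS="$SAMPLE_DIR/cgroups.good"; printf 'CGROUPS_VERSION=2\n' > "$GOOD_DEFAULTS"
BAD_DEFAULTS="$SAMPLE_DIR/cgroups.bad";   printf 'CGROUPS_VERSION=1\n' > "$BAD_DEFAULTS"
RC_OK="$SAMPLE_DIR/rc.ok";   mkdir -p "$RC_OK";  touch "$RC_OK/rc.cgconfig" "$RC_OK/rc.cgred"
chmod -x "$RC_OK/rc.cgconfig" "$RC_OK/rc.cgred"
RC_BAD="$SAMPLE_DIR/rc.bad"; mkdir -p "$RC_BAD"; touch "$RC_BAD/rc.cgconfig" "$RC_BAD/rc.cgred"
chmod +x "$RC_BAD/rc.cgconfig" "$RC_BAD/rc.cgred"

echo "== good sample =="
check_host "$GOOD_MOUNTS" "$GOOD_DEFAULTS" "$RC_OK"
echo "== bad sample =="
check_host "$BAD_MOUNTS" "$BAD_DEFAULTS" "$RC_BAD" || echo "$? check(s) failed on the bad sample"
```

On a real host run `check_host` with no arguments (as root, since /etc/rc.d may not be world-readable for the executable-bit test to be meaningful); any FAIL line names the step from this part that still needs doing.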
Replace the contents of /etc/lxc/lxc-common.conf with the following (all lxc.cgroup.* options are now lxc.cgroup2.*):
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = lxcbr0
lxc.net.0.name = eth0
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.tty.max = 1
lxc.pty.max = 1024
lxc.cgroup2.devices.deny = a
# /dev/null and zero
lxc.cgroup2.devices.allow = c 1:3 rwm
lxc.cgroup2.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup2.devices.allow = c 5:1 rwm
lxc.cgroup2.devices.allow = c 5:0 rwm
lxc.cgroup2.devices.allow = c 4:0 rwm
lxc.cgroup2.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup2.devices.allow = c 1:9 rwm
lxc.cgroup2.devices.allow = c 1:8 rwm
lxc.cgroup2.devices.allow = c 136:* rwm
lxc.cgroup2.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup2.devices.allow = c 254:0 rwm
# we don't trust even the root user in the container, better safe than sorry.
# comment out only if you know what you're doing.
lxc.cap.drop = sys_module mknod mac_override mac_admin sys_time setfcap setpcap
# you can try also this alternative to the line above, whatever suits you better.
#lxc.cap.drop=sys_admin
# proc & sys, remove from /etc/fstab
lxc.mount.auto = proc:mixed sys:ro cgroup:rw
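As an added example (not part of the original post or of the author's scripts), the shell snippet below audits an LXC config for the key rename described above, rewrites `lxc.cgroup.*` to `lxc.cgroup2.*`, and checks that the device rules keep the order used in the file above: a `devices.deny = a` rule first, then an allowlist. The file paths and the old-style config it runs on are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an LXC config for the
# cgroup1 -> cgroup2 key rename and for deny-all-then-allowlist device rules.

# 0 if the file still contains active (uncommented) lxc.cgroup.* keys.
has_legacy_cgroup_keys() {
    grep -Eq '^[[:space:]]*lxc\.cgroup\.' "$1"
}

# Write a copy of $1 to $2 with lxc.cgroup.* renamed to lxc.cgroup2.*.
# Commented-out lines are left alone. Only the prefix is renamed: v1-only
# knobs such as memory.limit_in_bytes have different file names under cgroup2
# (memory.max) and must be revisited by hand.
convert_cgroup_keys() {
    sed -E 's/^([[:space:]]*)lxc\.cgroup\./\1lxc.cgroup2./' "$1" > "$2"
}

# 0 if a "lxc.cgroup2.devices.deny = a" line precedes every
# lxc.cgroup2.devices.allow line. LXC applies device rules in file order, so
# the allow lines must come after the deny-all to act as a whitelist.
deny_all_before_allow() {
    awk '
        /^[ \t]*lxc\.cgroup2\.devices\.allow[ \t]*=/ { if (!deny) bad = 1 }
        /^[ \t]*lxc\.cgroup2\.devices\.deny[ \t]*=[ \t]*a[ \t]*$/ { deny = 1 }
        END { exit (deny && !bad) ? 0 : 1 }' "$1"
}

# Print findings for one config; return 0 only when it is clean.
audit_config() {
    conf="$1"
    status=0
    if has_legacy_cgroup_keys "$conf"; then
        echo "$conf: legacy lxc.cgroup.* keys found (rename to lxc.cgroup2.*):"
        grep -En '^[[:space:]]*lxc\.cgroup\.' "$conf"
        status=1
    fi
    if ! deny_all_before_allow "$conf"; then
        echo "$conf: no 'lxc.cgroup2.devices.deny = a' ahead of the device allow rules"
        status=1
    fi
    return $status
}

# Constructed samples: an old-style config and a cgroup2 config with the
# device rules in the wrong order.
SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/lxc-audit.XXXXXX")
OLD_CONF="$SAMPLE_DIR/lxc-common.conf.old"
cat > "$OLD_CONF" <<'EOF'
lxc.net.0.type = veth
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cap.drop = sys_module mknod
EOF
NEW_CONF="$SAMPLE_DIR/lxc-common.conf.new"
BAD_ORDER="$SAMPLE_DIR/lxc-common.conf.badorder"
cat > "$BAD_ORDER" <<'EOF'
lxc.cgroup2.devices.allow = c 1:3 rwm
lxc.cgroup2.devices.deny = a
EOF

convert_cgroup_keys "$OLD_CONF" "$NEW_CONF"
audit_config "$OLD_CONF" || echo "old config needs the rename"
audit_config "$NEW_CONF" && echo "$NEW_CONF is clean"
audit_config "$BAD_ORDER" || echo "bad-order sample rejected"
```

Run `audit_config` on /etc/lxc/lxc-common.conf and on each container's config after the migration; a clean result means every cgroup key is in the cgroup2 namespace and the allowlist still sits behind a default deny.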
Be aware that, if you want to use my scripts with Slackware-current, you have to clone the main branch of my GitHub repository instead of downloading the latest release:
git clone https://github.com/sagredo-dev/LXC-scripts.git