LXC Containers

Linux LXC Containers

This page will help you install, configure and use Linux LXC containers. This tutorial is mainly for Arch Linux, but it will also work on other distros that do not configure LXC by default. On distros such as Debian and Ubuntu, LXC will mostly work out of the box.

LXC containers are virtual “containers” running any flavor of Linux, which you can use for many different purposes:

– You want to play around without breaking your main system
– You want to run a (web, SMB, FTP, etc.) server inside a container
– You are developing inside a secure environment which needs specific configurations; you can use pre-made containers with pre-configured security measures for this


What you need:

– Linux
– Internet to install packages
– Coffee and a bit of patience


Like I said, under Debian and Ubuntu (including distros based on them), LXC will work out of the box after installing lxc and lxc-templates. Install LXC, the LXC templates, iptables, arch-install-scripts and dnsmasq. On non-Arch-based systems, use your main package manager to install them.

On Arch Linux:

$ sudo pacman -S lxc iptables dnsmasq arch-install-scripts
# LXC templates are available through AUR, use pacaur or yay or any other AUR helper
$ pacaur -S lxc-templates

When everything is installed, create the file /etc/lxc/default.conf and add the following lines:

$ sudo touch /etc/lxc/default.conf

# Add the following
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1

Create the file /etc/default/lxc-net for our LXC network configuration:

$ sudo touch /etc/default/lxc-net

# Add the following to our newly created /etc/default/lxc-net file

USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"

Now create the following two files (subuid & subgid)

$ sudo touch /etc/sub{uid,gid}

Add the following to the two files you just created (subuid & subgid); I’m using my own account (marc). This is needed to map the users who are allowed to start the containers.

$ sudo vi /etc/subuid
marc:100000:65536

$ sudo vi /etc/subgid
marc:100000:65536

When creating an unprivileged container, the container will be created in $HOME/.local/share/lxc/ of the active user. The container will be created by the container-root user (UID 100000). This means that the $HOME folder of the active user needs to be accessible to the container-root user.

According to the only documentation, the way to achieve this is by entering the first command below within the host system. Furthermore, the default configuration template file is stored under .config/lxc; this directory needs to be created manually.

$ mkdir -p ~/.local/share/lxc && chmod -R +x ~/.local/share/lxc/
$ mkdir -p ~/.config/lxc

Create the following file in your local config folder:

$ touch ~/.config/lxc/default.conf

# Add the following to it:

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
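
An added check (not part of the original tutorial) that the lxc.idmap lines above stay inside the range delegated to the user in /etc/subuid or /etc/subgid. The function names are hypothetical, the parser accepts only the `user:start:count` form and the `key = value` spacing shown on this page, and the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: verify lxc.idmap stays inside the delegated subuid/subgid range.

# subid_range USER FILE: print "START COUNT" for USER, or fail if there is no
# well-formed "user:start:count" line (digits only, no spaces).
subid_range() {
    awk -F: -v u="$1" '
        $1 == u && NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            print $2, $3; found = 1; exit }
        END { exit !found }' "$2"
}

# idmap_range KIND CONF: print "HOST_START COUNT" from the line
# "lxc.idmap = KIND 0 HOST_START COUNT" (KIND is u or g), or fail.
idmap_range() {
    awk -v k="$1" '
        $1 == "lxc.idmap" && $2 == "=" && $3 == k && $4 == "0" &&
        $5 ~ /^[0-9]+$/ && $6 ~ /^[0-9]+$/ { print $5, $6; found = 1; exit }
        END { exit !found }' "$2"
}

# check_idmap USER KIND SUBID_FILE CONF
# Returns 0 if the mapping fits, 1 if USER has no valid subid entry,
# 2 if CONF has no idmap line for KIND, 3 if the mapping leaves the range.
check_idmap() {
    sub=$(subid_range "$1" "$3") || return 1
    map=$(idmap_range "$2" "$4") || return 2
    sub_end=$(( ${sub% *} + ${sub#* } ))
    map_end=$(( ${map% *} + ${map#* } ))
    [ "${map% *}" -ge "${sub% *}" ] && [ "$map_end" -le "$sub_end" ] || return 3
}

# Constructed sample files using the values from this page.
demo=$(mktemp -d)
printf 'marc:100000:65536\n' > "$demo/subuid"
printf 'lxc.idmap = u 0 100000 65536\n' > "$demo/default.conf"
if check_idmap marc u "$demo/subuid" "$demo/default.conf"; then
    echo "uid mapping fits the delegated range"
fi
rm -rf "$demo"
```

On a real host, call check_idmap once with u and /etc/subuid and once with g and /etc/subgid, both against ~/.config/lxc/default.conf.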

Allow the user from the host system (e.g. marc) to access the LXC bridge, with a maximum of 10 virtual Ethernet connections to the bridge in unprivileged mode. Create /etc/lxc/lxc-usernet with the following content:

$ sudo vi /etc/lxc/lxc-usernet
marc veth lxcbr0 10

Make sure the following services are enabled and running on boot (if you want to autostart lxc)

$ systemctl enable lxc
$ systemctl start lxc
$ systemctl enable lxc-net
$ systemctl start lxc-net

Now let’s create an unprivileged container (for a privileged one, use sudo). If you run into issues, use the -F flag to get more output and see what went wrong.

$ lxc-create -n debian -t download -- -d debian -r bookworm -a amd64

# Start the container
$ lxc-start debian

# Use the container
$ lxc-attach debian

# Check if networking is working
$ ping something.com

If all is OK, you have a new playground and you can create many more.