How to setup an LXC installation for unprivileged users

This shows how to allow a user gitit to create and run lxc containers without root privileges.

This should work for any modern ubuntu/debian out of the box, other distros may need some patch. Mostly taken from Stéphane Graber's website

As root

As the user creating the unprivileged

(After su gitit)

Now the user should be able to create a container without root privileges:

lxc-create -t download -n gitit-container -- -d debian -r sid -a amd64

Misc

Potential errors

Failed to create directory /run/user/0/lxc/

lxc-create: utils.c: mkdir_p: 253 Permission denied - failed to create directory '/run/user/0/lxc/'

To solve this unset the variables starting with XDG, as the user:

gitit@codigoparallevar:~$ env|grep XDG
XDG_SESSION_ID=3943
XDG_RUNTIME_DIR=/run/user/0
gitit@codigoparallevar:~$ unset XDG_SESSION_ID
gitit@codigoparallevar:~$ unset XDG_RUNTIME_DIR
gitit@codigoparallevar:~$ env|grep XDG
gitit@codigoparallevar:~$

Unshare: operation not permited

unshare: Operation not permitted
read pipe: Permission denied
lxc-create: lxccontainer.c: do_create_container_dir: 985 Failed to chown container dir

As root

echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
echo 1 > /proc/sys/kernel/unprivileged_userns_clone

Internal container cannot reach internet

See: internal container cannot reach internet

References