I've been setting up a "container" in my Arch Linux system. This is an isolated/sandboxed Arch Linux OS inside my current OS. The sandboxing is done using a tool called cgroups. It's similar to a chroot, but a chroot only isolates the file system - a container isolates a lot more.
To start, I followed this guide to create my container: https://wiki.archlinux.org/index.php/Linux_Containers
I set up my network to be configured by netctl and made a bridged profile:
$ cat /etc/netctl/ethernet-dhcp-bridged
Description="LXC bridge"
Interface=br0
Connection=bridge
BindsToInterfaces=('enp2s0')
IP=dhcp
SkipForwardingDelay=yes
What this means is that instead of just having enp2s0, the ethernet interface, I also have a br0 network interface. I'm not sure about the exact details of why or how this works, but the container needs it.
Invent a new local IP similar to your router's IP and put this in the container's config file:
## network
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.ipv4 = <container-ip>/24
lxc.network.ipv4.gateway = <router-ip>
lxc.network.name = eth0
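The one thing that silently breaks the network block above is picking a container IP that is not in the same /24 as the router you name as the gateway (or picking the gateway address itself). The script below is an added example, not something from the original post or from LXC: it validates a container/gateway pair, then emits the lxc.network block for it. The function names and the two sample addresses (192.168.1.50 and 192.168.1.1) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check that a container IP and the
# gateway IP fall in the same /24, as "lxc.network.ipv4 = <ip>/24" and
# "lxc.network.ipv4.gateway = <router-ip>" require, then print the block.
# All addresses used below are constructed sample values.

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the /24 prefix (first three octets) of an address.
prefix24() {
    echo "$1" | cut -d. -f1-3
}

# Return 0 when the container IP and gateway share a /24 and differ from each
# other; print a reason and return 1 otherwise.
check_lxc_ipv4() {
    container_ip=$1
    gateway_ip=$2
    valid_ipv4 "$container_ip" || { echo "bad container ip: $container_ip"; return 1; }
    valid_ipv4 "$gateway_ip"   || { echo "bad gateway ip: $gateway_ip"; return 1; }
    if [ "$(prefix24 "$container_ip")" != "$(prefix24 "$gateway_ip")" ]; then
        echo "$container_ip is not in $(prefix24 "$gateway_ip").0/24, gateway unreachable"
        return 1
    fi
    if [ "$container_ip" = "$gateway_ip" ]; then
        echo "container ip collides with the gateway"
        return 1
    fi
    echo "ok: $container_ip/24 via $gateway_ip"
}

# Emit the lxc.network block for a pair that passed the check (hypothetical helper).
lxc_network_block() {
    check_lxc_ipv4 "$1" "$2" >/dev/null || return 1
    printf '%s\n' \
        "lxc.network.type = veth" \
        "lxc.network.link = br0" \
        "lxc.network.flags = up" \
        "lxc.network.ipv4 = $1/24" \
        "lxc.network.ipv4.gateway = $2" \
        "lxc.network.name = eth0"
}

# Constructed sample values: a host on a typical home /24 behind a .1 router.
check_lxc_ipv4 192.168.1.50 192.168.1.1
lxc_network_block 192.168.1.50 192.168.1.1
```

The check only knows about the /24 that the config line above hard-codes; if you use a different prefix length in lxc.network.ipv4, adjust prefix24 accordingly.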
At this point you have a container which you can enter and use the internet from inside.
Despite the fact that forwarding X would allow something running inside the container to keylog or even take snapshots of your host, it is something I wanted to do.
To do this the container needs access to the X11 unix socket. You also need a hack ( https://github.com/lxc/lxc/issues/434 ) to stop the container mounting its own tmpfs on /tmp over the socket you bind mount into its /tmp:
lxc.mount.entry = tmpfs tmp tmpfs defaults
lxc.mount.entry = /dev/dri dev/dri none bind,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir,ro
After this you can start things like xclock from inside the container.
To easily copy files between the host and the container it's nice to 'share' a folder. This is simple with an /etc/fstab entry:
/var/lib/lxc/<container>/rootfs/home/<container-username>/Share /home/<username>/Share none bind 0 0
I think it could also be done with the lxc config.
I also want to be able to watch YouTube videos (for example) with sound from inside the container; for this it needs to access my host's PulseAudio socket. This is similar to X but a little trickier:
lxc.mount.entry = tmpfs run tmpfs defaults
lxc.mount.entry = /run/user/1000 run/user/1000 none bind,optional,create=dir,ro
I also had to create a PulseAudio client config file inside the container to disable use of shm (shared memory):
$ cat ~/.pulse/client.conf
disable-shm=yes
And inside the container, after booting it up, we have to set an environment variable so pulse programs know where to look:
export PULSE_SERVER=unix:/run/user/1000/pulse/native
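Every lxc.mount.entry with the bind option (the /dev/dri, /tmp/.X11-unix and /run/user/1000 entries above) hands the container a view of a host path, and the ro flag is the only thing that keeps that view read-only. The script below is an added example, not part of the original post or of LXC, that reads a container config and lists exactly which host paths are exposed and whether each is writable from inside. The config it parses is a constructed copy of the entries from the X11 and PulseAudio sections above; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the lxc.mount.entry lines of a
# container config and report which host paths a bind mount exposes and whether
# the mount is read-only. The config below is a constructed sample that repeats
# the entries discussed above; function names and the temp file are assumptions.

# Write the constructed sample config to the path given as $1.
write_sample_config() {
    cat > "$1" <<'EOF'
lxc.mount.entry = tmpfs tmp tmpfs defaults
lxc.mount.entry = /dev/dri dev/dri none bind,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir,ro
lxc.mount.entry = tmpfs run tmpfs defaults
lxc.mount.entry = /run/user/1000 run/user/1000 none bind,optional,create=dir,ro
EOF
}

# Print one line per bind mount: "<ro|rw> <host-path> -> <container-path>".
# Fields after "lxc.mount.entry =" follow fstab order: source target fstype options.
list_bind_mounts() {
    sed -n 's/^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*//p' "$1" |
    awk '{
        opts = "," $4 ","
        if (opts !~ /,r?bind,/) next        # tmpfs etc. expose no host path
        mode = (opts ~ /,ro,/) ? "ro" : "rw"
        print mode, $1, "->", $2
    }'
}

# Count bind mounts that are writable from inside the container.
count_rw_bind_mounts() {
    list_bind_mounts "$1" | awk '$1 == "rw" { n++ } END { print n + 0 }'
}

cfg=$(mktemp)
write_sample_config "$cfg"
list_bind_mounts "$cfg"
echo "writable bind mounts: $(count_rw_bind_mounts "$cfg")"
rm -f "$cfg"
```

Run against a real container, point write_sample_config's output aside and pass /var/lib/lxc/<container>/config to list_bind_mounts instead. For the entries above it reports /dev/dri as the only writable bind and flags that /run/user/1000 exposes the whole per-user runtime directory, not just the pulse socket, so anything else living there is readable from inside the container too.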
Now I can hear a YouTube video from inside the container as well as play a video or music outside!
This happens a lot with Firefox; I don't know if it's container related:
Segmentation fault (core dumped)