Linux Containers

I've been setting up a "container" in my arch linux system. This is a isolated/sandboxed arch linux OS inside my current OS. The sandboxing is done using a tool called cgroups. It's similar to a chroot but a chroot only isolates the file system - a chroot isolates a lot more.

To start I followed to create my container:

Bridged internet

I set up my internet to be configured by netctl and made a bridged profile

$ cat /etc/netctl/ethernet-dhcp-bridged 
Description="LXC bridge"

what this means is that instead of just having enp2s0 the ethernet interface, I also have a br0 network interface. I'm not sure about the exact details of why or how this works but the container needs it.

Invent a new local ip similar to your routers ip and put this in the config file:

## network = veth = br0 = up = <container-ip>/24 = <router-ip> = eth0

At this point you have a container which you can enter into and use internet from inside.

X11 from inside container

Despite the fact that forwarding X would allow something from inside a container to keylog or even take snapshots of your host - it is something I wanted to do.

To do this the container needs to access the X11 unix socket, you also need a hack ( ) to stop the container mounting /tmp over the socket you bind mount into its /tmp

lxc.mount.entry = tmpfs tmp tmpfs defaults
lxc.mount.entry = /dev/dri		dev/dri		none	bind,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir,ro

after this you can start things like xclock from inside the container.

A shared folder

To easily copy files between the host and the container it's nice to 'share' a folder. This is simple with an /etc/fstab entry

/var/lib/lxc/<container>/rootfs/home/<container-username>/Share	/home/<username>/Share	none		bind				0 0

I think it could also be done with the lxc config.

Pulse Audio

I also want to be able to watch youtube videos (for example) with sound from inside the container, for this I need it to access my hosts pulse audio socket. This is similar to X but a little trickier:

lxc.mount.entry = tmpfs run tmpfs defaults
lxc.mount.entry = /run/user/1000 run/user/1000 none bind,optional,create=dir,ro

I also had to create a pulse audio config file inside the container to disable use of shm (shared memory):

$ cat ~/.pulse/client.conf 

and inside the container after booting it up we have to set an environment variable so pulse programs know where to look:

export PULSE_SERVER=unix:/run/user/1000/pulse/native

Now I can hear a youtube video from inside the container as well as playing a video or music outside!

Firefox problem

This happens a lot with firefox, I don't know if it's container related:

Segmentation fault      (core dumped)