Linux Containers Success!
Greetings people of spaaace! There's a moth flying around space here too right now. I am glad to announce a first major success with LXC containers! I finally had the patience to get down to the amount of debugging required at the beginning and pull through. Thing is, I didn't watch a single video, I didn't do a single course online, I didn't even get any first-hand advice or help! I simply forged my way through it. So I thought I would document here some of the key parts of what I discovered LXC needs on Debian 12.
Also, it's worth mentioning that this summer has been going really well for advanced Linux system administration, for me. Previously, suppose it was last week, I had gotten a SELinux Debian 12 VM configured well enough to launch on a new cloud platform. I struggled with a new one, Kamatera.com, and they honestly were not great. Their image init system rekt the SELinux user contexts I had set up for UID 1000, the first unprivileged user, otherwise the sysadmin_r role. I ended up paying off my balance with Digital Ocean. Yeah, these guys effortlessly, programmatically, without intervention took my Debian 12 SELinux VM and made it a server. However I ultimately didn't go with it, because it still required a LOT of work, and when you upload your own image you don't automatically get IPv6. It was going to be far too much work to do.
So anyways, about LXC
I discovered a number of new concepts, or concepts in more depth, such as control groups, as part of the Linux kernel. With this came the need to understand SUBUID/SUBGID (man 5 subuid). With this concept also comes namespaces (man 7 namespaces). Along the way I've learned a bunch of new Linux concepts and commands, which to me was very cool and a bit exciting, as it's been quite a long time since I've bothered my OS in such depth 😁
One drawback of LXC is that often, if you change something serious enough, you might have to reboot your host. This is aggravating to do on this public web-facing server, when there are folks chatting on xmpp://wwan@muc.xmpp.packets.cc, but I got it done. I found that AppArmor, which is Debian's default (and crap imo) LSM (Linux security module), tended to cause problems, so I recommend you get AppArmor configured totally, even before you work with LXC. One of the biggest gains from my efforts was configuring unprivileged containers, meaning having my own $USER be able to use and work all the lxc-* commands, and also stash the rootfs for each container in ~/.local/share/lxc/{name}/{config,rootfs}. I sought this because on this invaluably resourceful page it says that LXC containers get basically no security benefits from being started under the root user. I took this very seriously.
I'll let you know of a very hard to find bit of information, and I'll be happy to put it here for my own future reference. Something confuses the Debian kernel or somesuch such that cgroup version 1 is what it prefers; otherwise it COMPLETELY ruins LXC. I wasn't really able to find anything that stood out, and came across a forum page where somebody asked for help, and the one line of that whole page that matters incredibly is to put systemd.unified_cgroup_hierarchy=0 in GRUB_CMDLINE_LINUX_DEFAULT="", then ofc run update-grub and reboot. What this does is disable cgroups v2, where the hierarchy for all the groups is unified, and apparently the unified hierarchy is better, but disabling it made my stuff sing, and I was ever stoked. Perhaps there's some way to improve my setup and use v2 cgroups 🤔
Hmmmm... I'm trying to think about what else is worth mentioning. Eh, I suppose my lxc.idmap config was much simpler than what I was struggling with a week or more ago. It was simply to have username:100000:65536 in /etc/subuid (and the exact same in /etc/subgid), and the lxc.idmap to correspond to it, like lxc.idmap = u 0 100000 65535, same for group. BUT *NOTE:* I did in fact have some errors when I tried to use only 10000 and 20000 UIDs (which is the last number for both /etc/subuid and lxc.idmap in /etc/lxc/default.conf || ~/.config/lxc/default.conf), and INDEED, at least on Debian 12, you NEED the full 65536 UIDs/GIDs, no doubt.
EH, I hope this helps somebody! This will for sure help myself next time, and serve as a nice short point of reference. Have some B A S S: Albion Collective Presents Teffa. Here's the SoundCloud link. pEAcE.. ✌️
Tags: LXC, system-administration, linux, servers, nginx, selinux, cgroups, containers, packets