@theodric
Last active June 8, 2025 19:37
LXC shit
If not making own container from scratch:
lxc-create -n thecontainername -t download
lxc-start -n thecontainername
lxc-attach -n thecontainername
lxc-stop -n thecontainername
/var/lib/lxc/thecontainername
in there:
config <FILE>
rootfs <DIR>
All kinds of fuckin horseshit to make openvpn work.
container config:
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = aarch64
# Container specific configuration
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lib/lxc/thecontainername/rootfs
lxc.uts.name = thecontainername
lxc.init.cmd = /sbin/init
#lxc.cap.keep = net_admin cap_net_raw
lxc.environment = container=lxc
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 02:aa:fe:ed:b0:0b
# Also modify the main config to get rid of legacy cgroup red herring shit and loosey goosey all the perms:
cat /usr/share/lxc/config/common.conf
# Default configuration shared by all containers
# Setup the LXC devices in /dev/lxc/
lxc.tty.dir = lxc
# Allow for 1024 pseudo terminals
lxc.pty.max = 1024
# Setup 4 tty devices
lxc.tty.max = 4
# Drop some harmful capabilities
#lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
# Ensure hostname is changed on clone
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
# Default unified cgroup configuration
#
# CGroup allowlist
#lxc.cgroup2.devices.deny = a
lxc.cgroup2.devices.deny =
## Allow mknod plus read/write on every char and block device (the stock lines grant only m)
lxc.cgroup2.devices.allow = c *:* rwm
lxc.cgroup2.devices.allow = b *:* rwm
## Allow specific devices
### /dev/null
lxc.cgroup2.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup2.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup2.devices.allow = c 1:7 rwm
### /dev/tty
lxc.cgroup2.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup2.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup2.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup2.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup2.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup2.devices.allow = c 136:* rwm
### fuse
lxc.cgroup2.devices.allow = c 10:229 rwm
# Setup the default mounts
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp
# Lastly, include all the configs from /usr/share/lxc/config/common.conf.d/
lxc.include = /usr/share/lxc/config/common.conf.d/
# and the extra conf.d file that helps with openvpn
cat /usr/share/lxc/config/common.conf.d/00-openvpn.conf
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net dev/net none bind,create=dir 0 0
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
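
Added example, not part of the original notes: a small shell audit that flags the loosened settings in the common.conf above (commented-out lxc.cap.drop, empty devices.deny, wildcard rwm allows). The function names and the tightened sample (stock deny/drop lines plus only the tun device, c 10:200) are assumptions, not a config the author tested.

```shell
#!/bin/sh
# Added example: flag LXC config lines that widen device or capability access.
# Usage: audit_lxc_conf /usr/share/lxc/config/common.conf   (or pipe on stdin)
audit_lxc_conf() {
    awk '
    # Empty devices.deny clears the list instead of denying everything ("a").
    /^[ \t]*lxc\.cgroup2?\.devices\.deny[ \t]*=[ \t]*$/ {
        print FNR ": devices.deny is empty, default-deny removed" }
    # Wildcard major:minor with r or w lets the container open any device node.
    /^[ \t]*lxc\.cgroup2?\.devices\.allow[ \t]*=[ \t]*[bc][ \t]+\*:\*[ \t]+[rwm]*[rw]/ {
        print FNR ": wildcard device allow grants read/write: " $0 }
    # A commented-out cap.drop leaves those capabilities in the container.
    /^[ \t]*#[ \t]*lxc\.cap\.drop[ \t]*=/ {
        print FNR ": lxc.cap.drop is commented out" }
    ' "${1:--}"
}

# Loosened lines as they appear in the common.conf shown above.
loose_conf() {
    cat <<'EOF'
#lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
#lxc.cgroup2.devices.deny = a
lxc.cgroup2.devices.deny =
lxc.cgroup2.devices.allow = c *:* rwm
lxc.cgroup2.devices.allow = b *:* rwm
lxc.cgroup2.devices.allow = c 1:3 rwm
EOF
}

# Constructed alternative (assumption): stock deny/drop lines, tun device only.
tight_conf() {
    cat <<'EOF'
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
lxc.cgroup2.devices.deny = a
lxc.cgroup2.devices.allow = c *:* m
lxc.cgroup2.devices.allow = b *:* m
lxc.cgroup2.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
EOF
}

echo "loosened config:";  loose_conf | audit_lxc_conf
echo "tightened config:"; tight_conf | audit_lxc_conf
```

An empty result for a file means none of the three patterns matched; it does not check seccomp, AppArmor or namespace settings.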