Linux containers (LXC) is the Linux implementation of FreeBSD Jails.

Within a Linux container we can run a self-contained installation of Linux which will utilise the system's kernel.

This is more lightweight method of virtualisation than than offered by Xen, for example.

apt-get install lxc lxc-templates bridge-utils cgroupfs-mount conntrack iptables debootstrap
/etc/init.d/cgroupfs-mount start

Disable lxc services, we will do this stuff manually.

/etc/init.d/lxc-net stop
update-rc.d lxc-net disable
/etc/init.d/lxc stop
update-rc.d lxc disable
killall dnsmasq

systemctl disable lxc-net.service
systemctl disable lxc.service

sed -i 's/LXC_AUTO="true"/LXC_AUTO="false"/ /etc/default/lxc
sed -i 's/USE_LXC_BRIDGE="true"/USE_LXC_BRIDGE="false"/ /etc/default/lxc-net

Virtual interfaces are bridged on to the primary network interface.

auto eth0
iface eth0 inet manual

auto lxcbr0
iface lxcbr0 inet static
 bridge_ports eth0
 address 10.10.44.10
 netmask 255.255.255.0
 gateway 10.10.44.1

Virtual interfaces are contained on the their own private subnet.

auto lxcbr0
iface lxcbr0 inet static
 pre-up brctl addbr lxcbr0
 address 10.10.10.1
 netmask 255.255.255.0
 post-down brctl delbr lxcbr0

Example NAT tables for containers on private subnet.

#! /bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin

iptables -t filter -F
iptables -t filter -X
iptables -t raw -F
iptables -t nat -F
conntrack -F

# raw:PREROUTING
iptables -t raw -A PREROUTING -i lo -j NOTRACK

# raw:OUTPUT
iptables -t raw -A OUTPUT -o lo -j NOTRACK

# filter:INPUT
iptables -t filter -P INPUT ACCEPT

# filter:FORWARD
iptables -t filter -P FORWARD ACCEPT

# filter:OUTPUT
iptables -t filter -P OUTPUT ACCEPT

# nat:POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -d 0/0 -j MASQUERADE

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.proxy_arp=1

sysctl -w net.netfilter.nf_conntrack_max=524288
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=7440

echo 65536 > /sys/module/nf_conntrack/parameters/hashsize
echo "1024 65535" > /proc/sys/net/ipv4/ip_local_port_range

exit 0

lxc-create -n HOSTNAME -t debian -- -r wheezy -a amd64

lxc-create -n cracker -t debian -- -r stretch -a armhf

Install keys

mkdir -p /var/cache/lxc/debian
wget "https://ftp-master.debian.org/keys/release-10.asc"
gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-10.asc
wget "https://ftp-master.debian.org/keys/release-11.asc"
gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-11.asc

Install buster

lxc-create -n cracker -t debian -- -r buster -a armhf

Install bullseye

lxc-create -n terminator -t debian -- -r bullseye -a armhf

# Template used to create this container: /usr/share/lxc/templates/lxc-debian
# Parameters passed to the template: -r stretch
# Template script checksum (SHA-1): 5a35ad98c578f5487dc5712a1c7d38af399be813
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

#lxc.net.0.type = veth
#lxc.net.0.hwaddr = 00:XX:XX:XX:XX:XX
#lxc.net.0.link = lxcbr0
#lxc.net.0.flags = up
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lib/lxc/cheese/rootfs

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.tty.max = 4
lxc.uts.name = cheese
lxc.arch = armhf
lxc.pty.max = 1024

# Local network configuration

lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = lxcbr0
lxc.net.0.name = lxcnet0
lxc.net.0.hwaddr = XX:XX:XX:XX:XX:XX
lxc.net.0.veth.pair = veth0
lxc.net.0.ipv4.address = ?/24
lxc.net.0.ipv4.gateway = ?
#lxc.net.0.ipv6.address = ?
#lxc.net.0.ipv6.gateway = ?

# You may need the following for initial boot
#
# You can replace systemd by changing the lxc.init.cmd before rebooting
#
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =
lxc.init.cmd = /lib/systemd/systemd systemd.unified_cgroup_hierarchy=1
#lxc.init.cmd = /sbin/init

Run in background (now the default)

lxc-start -d -n HOSTNAME

Run in foreground (was the default)

lxc-start -F -n HOSTNAME

Attach to container and change root password.

lxc-attach -n HOSTNAME
passwd root

lxc-stop -n HOSTNAME

Root can run containers with lower privileges. First we set aside some user ids to map to the container then configure it.

This has been tested to work Ubuntu vivid and nothing else since.

When assigning a range of ids to the root user. Choose what is available, here i chose 200000 because this was free.

usermod --add-subuids 200000-265535 root
usermod --add-subgids 200000-265535 root

The host configuration now needs to map the ids in its config.

lxc.id_map = u 0 200000 65536
lxc.id_map = g 0 200000 65536

The container root will be system uid 200000, and nobody in the container will be 265534, for example..

Before starting, the lcx directory needs the execute permission.

chmod +x /var/lib/lxc

Now we can start and stop the container, attach to it, etc.

Start container and login as root

lxc-start -F -n container

Install runit. It will ask you to enter a phrase and after installation reboot.

apt install runit-init
reboot

Login to tidy up.

lxc-attach -n container
cd /etc/service
rm getty-tty*