How to create unprivileged LXC containers in Ubuntu 14.04

I am used to using LXC containers in Ubuntu, but I usually run them as the root user. I think that this is bad practice, and I want to run them under my own user. The answer is: unprivileged containers, and this time…

I learned how to create unprivileged LXC containers in Ubuntu 14.04

My prayers were answered very soon and I found a very useful resource from Stéphane Graber (who is the LXC and LXD project leader at Canonical). I am summarizing the steps here as I carried them out, but his post is full of useful information, and I really recommend reading it to understand what is going on.

Starting point…

I had a working Ubuntu 14.04.4 LTS installation, and a working LXC 2.0.0 installation. I was already able to run privileged containers by issuing commands like

$ sudo lxc-start -n mycontainer


If you need information about installing LXC 2, please go to this link; but in that case you probably do not need my post yet.

First we set up the uid and gid mappings

calfonso@mmlin:~$ sudo usermod --add-subuids 100000-165536 calfonso
calfonso@mmlin:~$ sudo usermod --add-subgids 100000-165536 calfonso

Now we authorize our user to attach veth devices to the lxcbr0 bridge (with a maximum quota of 10 devices; you can set the number that best fits you)

calfonso@mmlin:~$ sudo bash -c 'echo "calfonso veth lxcbr0 10" >> /etc/lxc/lxc-usernet'

Now make our home folder traversable, because lxc needs to reach the configuration file stored inside it

calfonso@mmlin:~$ sudo chmod +x $HOME

And create the configuration file (adjust the values to your setup: the bridge must be one of those you allowed in /etc/lxc/lxc-usernet, and you can set the MAC address, etc.)

calfonso@mmlin:~$ mkdir -p $HOME/.config/lxc
calfonso@mmlin:~$ cat >> ~/.config/lxc/default.conf << EOT
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
EOT

And finally we are ready to create the unprivileged container

calfonso@mmlin:~$ lxc-create -t download -n myunprivilegedcont -- -d ubuntu -r xenial -a amd64
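As an added example (it is not part of the original post nor Stéphane Graber's), here is a small POSIX shell script that checks the three things the steps above configure before you run lxc-create: that the id_map range requested in default.conf lies inside the range allocated with usermod in /etc/subuid (otherwise newuidmap refuses the mapping and the container fails to start), which host uid a given container uid ends up as, and what the lxc-usernet line grants. The function names are mine, and the input lines are constructed samples in the same format as the real files, so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Sanity checks for the
# unprivileged-container setup, run against constructed sample lines in the
# formats of /etc/subuid, /etc/lxc/lxc-usernet and ~/.config/lxc/default.conf.

# Constructed sample data (what the commands in the post would produce).
# usermod --add-subuids 100000-165536 writes "user:first:count" with count = last-first+1.
SAMPLE_SUBUID="calfonso:100000:65537"
SAMPLE_USERNET="calfonso veth lxcbr0 10"
SAMPLE_IDMAP_U="lxc.id_map = u 0 100000 65536"

# idmap_covered SUBUID_LINE IDMAP_LINE USER
# Returns 0 when the host range requested by the id_map line for USER lies
# entirely inside the range allocated in /etc/subuid (or /etc/subgid).
idmap_covered() {
    sub_line=$1; map_line=$2; user=$3
    sub_user=${sub_line%%:*}
    rest=${sub_line#*:}
    sub_first=${rest%%:*}
    sub_count=${rest#*:}
    [ "$sub_user" = "$user" ] || return 1
    # "lxc.id_map = u 0 100000 65536" -> type, container start, host start, count
    set -- ${map_line#*=}
    map_host_first=$3; map_count=$4
    [ "$map_host_first" -ge "$sub_first" ] || return 1
    [ $((map_host_first + map_count)) -le $((sub_first + sub_count)) ] || return 1
    return 0
}

# map_id IDMAP_LINE CONTAINER_ID
# Prints the host id that CONTAINER_ID is translated to, or "unmapped" when it
# falls outside the mapped range. Container root (0) becomes an ordinary,
# unprivileged host uid, which is the whole point of the setup.
map_id() {
    map_line=$1; cid=$2
    set -- ${map_line#*=}
    c_first=$2; h_first=$3; count=$4
    if [ "$cid" -ge "$c_first" ] && [ "$cid" -lt $((c_first + count)) ]; then
        echo $((h_first + cid - c_first))
    else
        echo unmapped
    fi
}

# usernet_quota USERNET_LINE USER BRIDGE
# Prints how many veth devices USER may attach to BRIDGE according to the
# lxc-usernet line, or 0 when the line does not grant that user that bridge.
usernet_quota() {
    set -- $1 "$2" "$3"
    # $1..$4 = fields of the line, $5 = user, $6 = bridge
    if [ "$1" = "$5" ] && [ "$2" = "veth" ] && [ "$3" = "$6" ]; then
        echo "$4"
    else
        echo 0
    fi
}

# Demo on the constructed lines. On a real host you would feed in
# "$(grep "^$USER:" /etc/subuid)" and the matching lines of the other files.
if idmap_covered "$SAMPLE_SUBUID" "$SAMPLE_IDMAP_U" calfonso; then
    echo "uid map fits inside the /etc/subuid allocation"
else
    echo "uid map is NOT covered by /etc/subuid; lxc-create would fail"
fi
echo "container root (uid 0) runs on the host as uid $(map_id "$SAMPLE_IDMAP_U" 0)"
echo "container uid 70000 is $(map_id "$SAMPLE_IDMAP_U" 70000)"
echo "calfonso may attach $(usernet_quota "$SAMPLE_USERNET" calfonso lxcbr0) veth devices to lxcbr0"
```

The same two functions work for the g line and /etc/subgid; only the file you read changes.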

And that’s all 🙂

(*) Remember that you can still use privileged containers by running the lxc-* commands with “sudo”

Recommended information

If you want to know more about the uid map, the gid map, how the bridging permissions work, etc., I recommend reading this post.