sudo lxc-create --template download --name u1
or, abbreviated
sudo lxc-create -t download -n u1
This will interactively ask for a container root filesystem type to download - in particular the distribution, release, and architecture. To create the
container non-interactively, you can specify these values on the command line:
sudo lxc-create -t download -n u1 -- --dist ubuntu --release xenial --arch amd64
or
sudo lxc-create -t download -n u1 -- -d ubuntu -r xenial -a amd64
You can now use lxc-ls to list containers, lxc-info to obtain detailed container information, lxc-start to start and lxc-stop to stop the container.
lxc-attach and lxc-console allow you to enter a container, if ssh is not an option. lxc-destroy removes the container, including its rootfs. See the
manual pages for more information on each command. An example session might look like:
sudo lxc-ls --fancy
sudo lxc-start --name u1 --daemon
sudo lxc-info --name u1
sudo lxc-stop --name u1
sudo lxc-destroy --name u1
User namespaces
Unprivileged containers allow users to create and administer containers without having any root privilege. The feature underpinning this is
called user namespaces. User namespaces are hierarchical, with privileged tasks in a parent namespace being able to map their ids into child
namespaces. By default every task on the host runs in the initial user namespace, where the full range of ids is mapped onto the full range. This
can be seen by looking at /proc/self/uid_map and /proc/self/gid_map, which both show "0 0 4294967295" when read from the initial user
namespace. As of Ubuntu 14.04, new users are by default offered a range of user ids when they are created. The list of assigned ids can be seen
in the files /etc/subuid and /etc/subgid; see their respective manpages for more information. Subuids and subgids by convention start at id
100000 to avoid conflicting with system users.
If a user was created on an earlier release, it can be granted a range of ids using usermod, as follows:
sudo usermod -v 100000-200000 -w 100000-200000 user1
The programs newuidmap and newgidmap are setuid-root programs in the uidmap package, which are used internally by lxc to map subuids
and subgids from the host into the unprivileged container. They ensure that the user only maps ids which are authorized by the host
configuration.
Basic unprivileged usage
To create unprivileged containers, a few first steps are needed. You will need to create a default container configuration file, specifying your
desired id mappings and network setup, as well as configure the host to allow the unprivileged user to hook into the host network. The example
below assumes that your mapped user and group id ranges are 100000-165536. Check your actual user and group id ranges and modify the
example accordingly:
grep $USER /etc/subuid
grep $USER /etc/subgid
mkdir -p ~/.config/lxc
echo "lxc.id_map = u 0 100000 65536" > ~/.config/lxc/default.conf
echo "lxc.id_map = g 0 100000 65536" >> ~/.config/lxc/default.conf
echo "lxc.network.type = veth" >> ~/.config/lxc/default.conf
echo "lxc.network.link = lxcbr0" >> ~/.config/lxc/default.conf
echo "$USER veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
After this, you can create unprivileged containers the same way as privileged ones, simply without using sudo.
lxc-create -t download -n u1 -- -d ubuntu -r xenial -a amd64
lxc-start -n u1 -d
lxc-attach -n u1
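The default.conf step above hard-codes the 100000-165536 range. As an added example (not part of the guide), the following POSIX shell script derives the lxc.id_map lines from the ranges actually granted to a user in /etc/subuid and /etc/subgid, and refuses a range that cannot hold the 65536 ids the mapping requests, so default.conf never asks for a mapping that newuidmap and newgidmap would reject at start time. The file contents and user names are constructed samples; on a real host read the two files themselves.

```sh
#!/bin/sh
# Added example: build ~/.config/lxc/default.conf contents from the sub{u,g}id
# ranges granted to a user. Constructed sample contents stand in for
# /etc/subuid and /etc/subgid (format per line: name:start:count).
SUBUID_SAMPLE='root:100000:65536
user1:165536:65536
user2:231072:1000'
SUBGID_SAMPLE='root:100000:65536
user1:165536:65536
user2:231072:1000'

# A full container maps ids 0..65535, matching the guide's lxc.id_map lines.
NEEDED=65536

# first_range CONTENT USER -> prints "start count" of USER's first range,
# or nothing when USER has no entry.
first_range() {
    printf '%s\n' "$1" | while IFS=: read -r name start count; do
        if [ "$name" = "$2" ]; then
            printf '%s %s\n' "$start" "$count"
            break
        fi
    done
}

# id_map_line KIND START COUNT -> one lxc.id_map line (KIND is u or g),
# or status 1 when the granted range is too small to hold NEEDED ids.
id_map_line() {
    [ "$3" -ge "$NEEDED" ] || return 1
    printf 'lxc.id_map = %s 0 %s %s\n' "$1" "$2" "$NEEDED"
}

# default_conf USER -> prints the four default.conf lines from the guide,
# or prints nothing and returns 1 when USER lacks an adequate range.
default_conf() {
    uid_range=$(first_range "$SUBUID_SAMPLE" "$1")
    gid_range=$(first_range "$SUBGID_SAMPLE" "$1")
    [ -n "$uid_range" ] && [ -n "$gid_range" ] || return 1
    # $uid_range / $gid_range are deliberately unquoted: "start count" splits
    # into the two arguments id_map_line expects.
    u_line=$(id_map_line u $uid_range) || return 1
    g_line=$(id_map_line g $gid_range) || return 1
    printf '%s\n%s\n' "$u_line" "$g_line"
    printf 'lxc.network.type = veth\nlxc.network.link = lxcbr0\n'
}
```

Redirect the output of default_conf into ~/.config/lxc/default.conf in place of the echo lines, and keep the lxc-usernet entry as shown in the guide.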