Request: LXC template for installing Alpine in unpriv container on non-Alpine host
I have a Turris Omnia router, armv7l / armhf architecture. The installed OS is Turris OS, based on OpenWRT, which includes LXC version 4.0.12.
I have successfully installed Alpine in several LXC containers from the repo.turris.cz server. They work beautifully for services within my home network and I am a very happy Alpine user. However, these containers are all privileged. I would now like a container to run a server which would have some exposure to the routed Internet and obviously wish this to be unprivileged.
The two repos preconfigured by Turris OS were: repo.turris.cz, which (as I write) now has damaged or empty images; and linuxcontainers.org, which seems not to host images for armhf at all. Neither of these is Alpine's problem, obviously, but I clearly can't rely on either as a source for my Alpine installs.
So I copied the LXC template and config file from Alpine's lxc-templates-legacy-alpine package to the Turris host. I added a line to the template to map armv7l architecture to armhf and tried lxc-create -t alpine. The template immediately found the latest build (3.18) and installed directly from an Alpine mirror; a few seconds later I had a perfectly working minimal Alpine system - but in a privileged container. Wonderful!
I then attempted to create (running as root) an unprivileged container by adding /etc/sub[ug]id maps and matching lxc.idmap keys to the host's LXC default config (as documented in linuxcontainers.org/lxc/getting-started). Unfortunately, I discovered that the Alpine template refuses to install an unprivileged container.
ERROR: This template can't be used for unprivileged containers.
ERROR: You may want to try the "download" template instead.
These messages are unhelpful. There is no obvious reason why I should not be able to install images in an unprivileged container: indeed this would seem to be a common use for a minimal Alpine install. Suggesting that I use the download template rather misses the point of why I'm trying to build directly from a reliable Alpine mirror.
At the end of LXC's "getting started" page, there is a short list of links after the heading "Distribution LXC documentation" - there is no link for Alpine and I can't see anything on the Alpine web pages which indicates how to install Alpine in an unprivileged LXC container.
Would it be possible to:
- Update the Alpine LXC template to support unprivileged containers
- And package this template so that it's clearly up to date and not marked "legacy"
- Provide information on using this template from non-Alpine hosts.
- Provide linuxcontainers.org with a link to that information which they can add to their "getting started" page.
To be clear, I am aware that LXD/Incus defaults to unprivileged containers; Turris OS supports LXC and I am happy using LXC for my minimal system.