When working with unprivileged LXC containers on Ubuntu 14.04, you might notice that while privileged containers auto-start perfectly with lxc.start.auto = 1, unprivileged containers need some extra configuration. The main reason is that system init scripts typically run as root and don't have access to unprivileged containers belonging to regular users.
To make unprivileged containers auto-start, we'll need to create a systemd service that runs as the container owner. Here's the complete approach:
First, let's create a systemd service unit file. Create /etc/systemd/system/lxc-unpriv@.service:
[Unit]
Description=LXC unprivileged container %i
After=network.target lxcfs.service
[Service]
User=%i
Group=%i
# -d detaches lxc-start, which is what Type=forking expects; without it
# systemd waits on the foreground process and the unit never reaches "started".
ExecStart=/usr/bin/lxc-start -n CONTAINER_NAME -d
ExecStop=/usr/bin/lxc-stop -n CONTAINER_NAME
Type=forking
Restart=on-failure
[Install]
WantedBy=multi-user.target
Replace CONTAINER_NAME with your actual container name. The %i in the User/Group fields will be replaced with the username when enabling the service.
For a user named 'devuser' with container 'myapp-container', you would:
sudo systemctl enable lxc-unpriv@devuser.service
sudo systemctl start lxc-unpriv@devuser.service
If you need to manage multiple containers per user, create a wrapper script and modify the service file:
#!/bin/bash
# /usr/local/bin/lxc-start-unpriv
# Runs as the container owner (the unit's User=), so no user switch is needed;
# lxc-start has no -u option. -d detaches each container so the loop continues.
set -eu
CONTAINERS=("web" "db" "cache")
for container in "${CONTAINERS[@]}"; do
    /usr/bin/lxc-start -n "$container" -d
done
Then update the service file's ExecStart to point to this script.
For systems using Upstart (like Ubuntu 14.04), create /etc/init/lxc-unpriv.conf:
description "LXC unprivileged container"
author "Your Name"
start on started lxc-net
stop on runlevel [!2345]
respawn
# Run in the foreground (-F) so Upstart tracks the real container process; a
# daemonized (-d) lxc-start exits immediately and would trigger respawn.
# sudo -i gives the owner a login environment (HOME, lxcpath lookup).
exec sudo -iu USERNAME /usr/bin/lxc-start -n CONTAINER_NAME -F
- Ensure the user has proper permissions in /etc/subuid and /etc/subgid
- Check container logs with lxc-info -n CONTAINER_NAME --log
- Verify the container config has lxc.start.auto = 1
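The two file checks in that list can be scripted. The following is an added example, not code from the answer above: it checks that a user has a large enough id range in subuid/subgid-style files and that a container config actually sets lxc.start.auto = 1. The sample files are constructed in a temp directory so it runs offline; the function names and the 65536-id threshold (the size of one conventional uid map) are this example's own choices.

```shell
#!/bin/bash
# Added example: pre-flight checks for an unprivileged LXC container owner.
# Paths below are constructed samples written to a temp dir, not real system files.

set -u

# subuid_ok FILE USER -> 0 if FILE has a "USER:start:count" line whose
# count covers at least 65536 ids (one conventional uid/gid map).
subuid_ok() {
    file=$1; user=$2
    awk -F: -v u="$user" '
        $1 == u && $3 + 0 >= 65536 { found = 1 }
        END { exit (found ? 0 : 1) }' "$file"
}

# autostart_enabled CONFIG -> 0 if the container config sets lxc.start.auto = 1
autostart_enabled() {
    grep -Eq '^[[:space:]]*lxc\.start\.auto[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# check_owner USER SUBUID SUBGID CONFIG -> prints a report and returns the
# number of failed checks (0 means the owner is ready for auto-start).
check_owner() {
    user=$1; subuid=$2; subgid=$3; config=$4
    fails=0
    if subuid_ok "$subuid" "$user"; then
        echo "ok:   $user has a uid range in $subuid"
    else
        echo "FAIL: $user has no (or too small a) uid range in $subuid"; fails=$((fails + 1))
    fi
    if subuid_ok "$subgid" "$user"; then
        echo "ok:   $user has a gid range in $subgid"
    else
        echo "FAIL: $user has no (or too small a) gid range in $subgid"; fails=$((fails + 1))
    fi
    if autostart_enabled "$config"; then
        echo "ok:   $config sets lxc.start.auto = 1"
    else
        echo "FAIL: $config does not set lxc.start.auto = 1"; fails=$((fails + 1))
    fi
    return $fails
}

# --- constructed sample data (devuser is deliberately missing from subgid) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'devuser:100000:65536\nsmall:200000:1000\n' > "$SAMPLE_DIR/subuid"
printf 'small:200000:1000\n' > "$SAMPLE_DIR/subgid"
printf 'lxc.include = /usr/share/lxc/config/ubuntu.userns.conf\nlxc.start.auto = 1\n' > "$SAMPLE_DIR/config"

if check_owner devuser "$SAMPLE_DIR/subuid" "$SAMPLE_DIR/subgid" "$SAMPLE_DIR/config"; then
    echo "all checks passed"
else
    echo "some checks failed"
fi
```

Run it against the real files by passing /etc/subuid, /etc/subgid and ~/.local/share/lxc/CONTAINER_NAME/config to check_owner; a non-zero return tells a startup script to stop before lxc-start produces a less obvious permission error.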
When working with unprivileged LXC containers on Ubuntu 14.04, the standard auto-start mechanism (lxc.start.auto = 1) often fails because:
- System init scripts typically check containers under /var/lib/lxc
- Unprivileged containers reside in user home directories (~/.local/share/lxc)
- Permission hierarchies prevent systemd from accessing user-owned containers
We'll implement a three-layer approach:
- Root-level systemd unit to trigger user sessions
- User-level systemd service to manage containers
- Container-specific configuration tuning
First, create a systemd service template as root:
/etc/systemd/system/lxc-auto-start@.service:
[Unit]
Description=Auto-start LXC containers for user %i
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
# su needs root to switch to %i, so this unit carries no User= line; the
# handoff to the container owner happens inside su.
ExecStart=/usr/bin/su - %i -c "/usr/bin/lxc-autostart"
ExecStop=/usr/bin/su - %i -c "/usr/bin/lxc-autostart -s"
[Install]
WantedBy=multi-user.target
Then configure user-level automation. In ~/.config/lxc/lxc.conf (this file is not shell-expanded, so write the real home path rather than $USER):
lxc.lxcpath = /home/USERNAME/.local/share/lxc
And in each container's own config (~/.local/share/lxc/CONTAINER_NAME/config), since the lxc.start.* keys are per-container settings rather than global ones:
lxc.start.auto = 1
lxc.start.delay = 5
For the root-to-user handoff to work, add sudoers exception:
/etc/sudoers.d/lxc-autostart:
%lxc-users ALL = (root) NOPASSWD: /usr/bin/lxc-autostart
For a container named "dev-container", verify configuration:
$ lxc-info -n dev-container
Name: dev-container
State: STOPPED
Autostart: YES
Enable the service for user "developer":
$ sudo systemctl enable lxc-auto-start@developer.service
$ sudo systemctl start lxc-auto-start@developer
- Check journalctl -xe for system-level errors
- Run lxc-autostart -L as the user to verify container detection
- Ensure ~/.local/share/lxc has correct permissions (700)
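The last two checks above (what lxc-autostart will detect, and whether the lxcpath is mode 700) can be reproduced without running lxc-autostart itself. This is an added example, not code from the answer or from the LXC project: it resolves lxc.lxcpath from a user's lxc.conf, falls back to the ~/.local/share/lxc default, verifies the directory mode, and lists every container whose config sets lxc.start.auto = 1 together with its lxc.start.delay. The home directory and container configs are constructed in a temp dir so it runs offline; the function names are this example's own.

```shell
#!/bin/bash
# Added example: inspect a user's lxcpath the way a startup hook would before
# handing off to lxc-autostart. Everything under FAKE_HOME is constructed data.

set -u

# lxcpath_from_conf CONF HOME -> prints lxc.lxcpath from CONF, or the
# HOME/.local/share/lxc default when the key is absent or CONF is missing.
lxcpath_from_conf() {
    conf=$1; home=$2
    path=$(sed -n 's/^[[:space:]]*lxc\.lxcpath[[:space:]]*=[[:space:]]*//p' "$conf" 2>/dev/null | tail -n 1)
    [ -n "$path" ] || path="$home/.local/share/lxc"
    printf '%s\n' "$path"
}

# lxcpath_mode_ok DIR -> 0 if DIR exists and is mode 700 (no group/other access).
# Uses GNU stat -c, as found on Ubuntu.
lxcpath_mode_ok() {
    [ -d "$1" ] && [ "$(stat -c '%a' "$1")" = "700" ]
}

# autostart_list LXCPATH -> prints "name delay" for each container whose config
# sets lxc.start.auto = 1 (delay defaults to 0 when lxc.start.delay is unset).
autostart_list() {
    for cfg in "$1"/*/config; do
        [ -f "$cfg" ] || continue
        grep -Eq '^[[:space:]]*lxc\.start\.auto[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$cfg" || continue
        name=$(basename "$(dirname "$cfg")")
        delay=$(sed -n 's/^[[:space:]]*lxc\.start\.delay[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
        printf '%s %s\n' "$name" "${delay:-0}"
    done
}

# --- constructed sample home: one auto-start container, one opted out ---
FAKE_HOME=$(mktemp -d)
trap 'rm -rf "$FAKE_HOME"' EXIT
mkdir -p "$FAKE_HOME/.config/lxc" \
         "$FAKE_HOME/.local/share/lxc/web" \
         "$FAKE_HOME/.local/share/lxc/scratch"
chmod 700 "$FAKE_HOME/.local/share/lxc"
printf 'lxc.lxcpath = %s/.local/share/lxc\n' "$FAKE_HOME" > "$FAKE_HOME/.config/lxc/lxc.conf"
printf 'lxc.start.auto = 1\nlxc.start.delay = 5\n' > "$FAKE_HOME/.local/share/lxc/web/config"
printf 'lxc.start.auto = 0\n' > "$FAKE_HOME/.local/share/lxc/scratch/config"

LXCPATH=$(lxcpath_from_conf "$FAKE_HOME/.config/lxc/lxc.conf" "$FAKE_HOME")
echo "lxcpath: $LXCPATH"
if lxcpath_mode_ok "$LXCPATH"; then echo "mode: 700 ok"; else echo "mode: not 700"; fi
echo "auto-start containers (name delay):"
autostart_list "$LXCPATH"
```

On a real system, call lxcpath_from_conf with "$HOME/.config/lxc/lxc.conf" "$HOME" and compare autostart_list's output with lxc-autostart -L; a container present in one list but not the other points at a config the tool is reading from a different lxcpath.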
When auto-starting multiple containers:
lxc.start.order = 10 # Start early in sequence
lxc.group = database # Create dependency groups
lxc.start.delay = 15 # Allow network initialization