path: root/00_blog/00015_Admin/00050_Wine-in-LXC
Diffstat (limited to '00_blog/00015_Admin/00050_Wine-in-LXC')
-rw-r--r--00_blog/00015_Admin/00050_Wine-in-LXC/index.md197
1 files changed, 197 insertions, 0 deletions
diff --git a/00_blog/00015_Admin/00050_Wine-in-LXC/index.md b/00_blog/00015_Admin/00050_Wine-in-LXC/index.md
new file mode 100644
index 0000000..24344e0
--- /dev/null
+++ b/00_blog/00015_Admin/00050_Wine-in-LXC/index.md
@@ -0,0 +1,197 @@
+Wine inside LXC
+===============
+
+Abstract
+--------
+
+Running Wine inside an unpriviliged LXC Container as a secondary user,
+utilizing the host systems OpenGL 3D acceleration and PulseAudio.
+
+Host System
+-----------
+
+* Debian 9 / Stretch
+* Xorg running as primary user "miguel"
+* NVIDIA proprietary drivers (debian's contrib/non-free)
+* PulseAudio up & running as primary user (I run pavucontrol as miguel)
+* A Secondary user "retard2" with uid/gid=1002
+
+Preparations
+------------
+
+Allow access to the display server and audio. Note that you should
+restrict this in a real world setup (e.g. auth-ip-acl):
+
+ migue@host$ xhost + # allow remote X access
+
+add this lines to /etc/pulse/default.pa and restart pulsaudio:
+
+ load-module module-native-protocol-tcp auth-anonymous=1
+ load-module module-zeroconf-publish
+
+Create Container
+----------------
+
+ 1. In order to allow the creation of virutal network bridges as our
+ secondary user, add the following two lines to /etc/lxc/lxc-usernet:
+
+ retard2 veth virbr0 2
+ retard2 veth lxcbr0 10
+
+ 2. Login as retard2 ("su" does not work well with cgroups)
+
+ miguel@host$ sudo machinectl login # than login as retard2
+ retard2@host$ cat /proc/self/cgroup # just check cgroups if you want
+
+ 3. Add subuid subgid mappings to /home/retard2/.config/lxc/default.conf
+ You can check the ranges in /etc/subuid and /etc/subgid:
+
+ lxc.id_map = u 0 1541792 65536
+ lxc.id_map = g 0 1541792 65536
+
+ 4. We are ready to create the lxc container as retard2:
+
+ retard2@host$ lxc-create -n winebox -t download
+
+ Select exactly the same distro / version / arch as you run on the
+ host. i.e. debian / stretch / amd64
+
+ retard2@host$ lxc-ls # assure that "winebox" LXC was created
+
+ 5. Adapt the new config in: ~/.local/share/lxc/winebox/config adding:
+
+ # NET
+ lxc.network.type = veth
+ lxc.network.link = lxcbr0
+ lxc.network.flags = up
+ lxc.network.hwaddr = 00:16:3e:be:3c:5a
+
+ # X
+ lxc.mount.entry = /dev/dri dev/dri none bind,create=dir
+ lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,create=dir
+
+ # NVIDIA
+ lxc.mount.entry = /dev/nvidia0 dev/nvidia0 none bind,create=file
+ lxc.mount.entry = /dev/nvidiactl dev/nvidiactl none bind,create=file
+
+ 6. Finally start the container and enter its realm:
+
+ retard2@host$ lxc-start -n winebox
+ retard2@host$ lxc-ls --running # check it is up & running
+ retard2@host$ lxc-attach -n winebox -- su # enter container (as root)
+
+Inside the Container
+--------------------
+
+ 1. Adapt /etc/apt/sources.list to make use of "contrib" and "non-free"
+ and run:
+
+ root@winebox$ apt update
+
+ 2. Get OpenGL running
+
+ root@winebox$ apt upgrade
+ root@winebox$ apt install mesa-utils
+ root@winebox$ apt install xserver-xorg-video-nvidia
+ root@winebox$ DISPLAY=:0 glxgears # check
+ root@winebox$ DISPLAY=:0 glxinfo | grep "direct render" # check
+
+ 3. Get PulseAudio running.
+ Please adapt the IP to the host's lxcbr0 ip address.
+
+ root@winebox$ apt install pavucontrol
+ root@winebox$ DISPLAY=:0 PULSE_SERVER=10.0.5.1 pavucontrol
+
+ At this point we should have accelerated video and audio running from
+ inside our LXC. Well Done!
+
+Wine
+----
+
+A few trivial requirements:
+
+ root@winebox$ apt install wget
+ root@winebox$ apt install gnupg
+ root@winebox$ apt install apt-transport-https
+
+Now let's get some wine accoring to: https://wiki.winehq.org/Debian:
+
+ root@winebox$ sudo dpkg --add-architecture i386
+ root@winebox$ wget -nc https://dl.winehq.org/wine-builds/Release.key
+ root@winebox$ sudo apt-key add Release.key
+
+Add the debian stretch wine repo to your /etc/apt/sources.list:
+
+ deb https://dl.winehq.org/wine-builds/debian/ stretch main
+
+ root@winebox$ apt update
+ root@winebox$ apt-get install --install-recommends winehq-stable
+
+Unfortunatelly wine still depends on the 32-bit versions of some libs so
+we have to replace our 64-bit verions by running:
+
+ root@winebox$ apt install libgl1-nvidia-glx:i386
+
+Restrict Networking
+-------------------
+
+Now You can optionally restrict any communication with the outside world:
+
+ miguel@host$ sudo iptables -F FORWARD #block traffic
+ miguel@host$ sudo iptables -P FORWARD DROP #block traffic
+
+If your host is forwarding traffic you will need to set up some rules.
+
+Finalizing Contianer
+--------------------
+
+ 1. Create a non-root user:
+ root@winebox$ adduser lxc-retard
+
+ 2. Now we can exit the container with :
+ root@winebox$ exit
+
+ 3. Stop the container on the host. This might take some while.
+ retard2@host$ lxc-stop -n winebox
+
+ 4. THIS WOULD BE A VERY GOOD MOMENT TO SNAPSHOT THE CONTIANER
+ FOR LATER REUSE!
+
+Summary
+-------
+
+Congratulations! Now you are running "wine" as an unprivileged user
+inside of an unprivileged container of a secondary user, utlizing your
+hosts hardware acceleration and PulseAudio capabilities.
+
+Optionally traffic forwarding has been blocked, for increased security.
+
+Using the Container
+-------------------
+
+To use your new container you will need to go through the following
+steps each time:
+
+ miguel@host$ xhost +
+ miguel@host$ sudo iptables -F FORWARD #block traffic
+ miguel@host$ sudo iptables -P FORWARD DROP #block traffic
+ miguel$host$ sudo machinectl login # and login as retard2
+
+ retard2@host$ lxc-start -n winebox
+
+Now you can attach to the container as lxc-retard user:
+
+ retard2@host$ lxc-attach -n winebox -- su lxc-retard
+
+Alternatively we can attach as root:
+
+ retard2@host$ lxc-attach -n winebox -- su
+
+Do not forget to stop container once you are finished:
+
+ retard2@host$ lxc-stop -n winebox
+
+Remember that stopping might take a while. Be patient!
+
+Make sure to automate/adapt the process, according to your personal
+preferences and requirements.
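Review bot: the "Preparations" and "Using the Container" steps open the host's display and audio to every client, not just the container, and the second occurrence drops the caveat given in the first. `xhost +` disables X access control for all hosts, and `load-module module-native-protocol-tcp auth-anonymous=1` lets any TCP peer that can reach the host use PulseAudio; since the post already points at auth-ip-acl, it would be better to show the restricted form directly, e.g. `xhost +si:localuser:retard2` (the X socket is bind-mounted, so local-user access is all the container needs) and `load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;10.0.5.0/24` with the lxcbr0 subnet from step 3 of "Inside the Container", and repeat that in the per-session checklist instead of the unrestricted `xhost +`. Two smaller points: the `sudo dpkg --add-architecture i386` and `sudo apt-key add Release.key` lines are run at a `root@winebox$` prompt where sudo is neither needed nor listed among the installed requirements (wget, gnupg, apt-transport-https), so either drop `sudo` or add it to that list; and `iptables -F FORWARD` discards any existing forward rules on the host before setting the DROP policy, which the text mentions only afterwards ("If your host is forwarding traffic you will need to set up some rules"), so that warning belongs before the commands. Typos worth fixing in the same pass: "unpriviliged", "virutal", "pulsaudio", "accoring", "Unfortunatelly", "verions", "Contianer" (twice), "utlizing", and the prompts "migue@host$" and "miguel$host$".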