From 0e4810dcfb132bf276a282e25b8523a4009ae08b Mon Sep 17 00:00:00 2001
From: Miguel
Date: Sun, 17 Mar 2019 18:14:32 +0100
Subject: rename blog dir
---
080_blog/00015_Admin/00050_Wine-in-LXC/index.md | 197 ------------------------
1 file changed, 197 deletions(-)
delete mode 100644 080_blog/00015_Admin/00050_Wine-in-LXC/index.md
(limited to '080_blog/00015_Admin/00050_Wine-in-LXC')
diff --git a/080_blog/00015_Admin/00050_Wine-in-LXC/index.md b/080_blog/00015_Admin/00050_Wine-in-LXC/index.md
deleted file mode 100644
index 24344e0..0000000
--- a/080_blog/00015_Admin/00050_Wine-in-LXC/index.md
+++ /dev/null
@@ -1,197 +0,0 @@
-Wine inside LXC
-===============
-
-Abstract
--------
-
-Running Wine inside an unpriviliged LXC Container as a secondary user,
-utilizing the host systems OpenGL 3D acceleration and PulseAudio.
-
-Host System
-----------
-
-* Debian 9 / Stretch
-* Xorg running as primary user "miguel"
-* NVIDIA proprietary drivers (debian's contrib/non-free)
-* PulseAudio up & running as primary user (I run pavucontrol as miguel)
-* A Secondary user "retard2" with uid/gid=1002
-
-Preparations
-----------
-
-Allow access to the display server and audio. Note that you should
-restrict this in a real world setup (e.g. auth-ip-acl):
-
- migue@host$ xhost + # allow remote X access
-
-add this lines to /etc/pulse/default.pa and restart pulsaudio:
-
- load-module module-native-protocol-tcp auth-anonymous=1
- load-module module-zeroconf-publish
-
-Create Container
---------------
-
- 1. In order to allow the creation of virutal network bridges as our
- secondary user, add the following two lines to /etc/lxc/lxc-usernet:
-
- retard2 veth virbr0 2
- retard2 veth lxcbr0 10
-
- 2. Login as retard2 ("su" does not work well with cgroups)
-
- miguel@host$ sudo machinectl login # than login as retard2
- retard2@host$ cat /proc/self/cgroup # just check cgroups if you want
-
- 3. Add subuid subgid mappings to /home/retard2/.config/lxc/default.conf
- You can check the ranges in /etc/subuid and /etc/subgid:
-
- lxc.id_map = u 0 1541792 65536
- lxc.id_map = g 0 1541792 65536
-
- 4. We are ready to create the lxc container as retard2:
-
- retard2@host$ lxc-create -n winebox -t download
-
- Select exactly the same distro / version / arch as you run on the
- host. i.e. debian / stretch / amd64
-
- retard2@host$ lxc-ls # assure that "winebox" LXC was created
-
- 5. Adapt the new config in: ~/.local/share/lxc/winebox/config adding:
-
- # NET
- lxc.network.type = veth
- lxc.network.link = lxcbr0
- lxc.network.flags = up
- lxc.network.hwaddr = 00:16:3e:be:3c:5a
-
- # X
- lxc.mount.entry = /dev/dri dev/dri none bind,create=dir
- lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,create=dir
-
- # NVIDIA
- lxc.mount.entry = /dev/nvidia0 dev/nvidia0 none bind,create=file
- lxc.mount.entry = /dev/nvidiactl dev/nvidiactl none bind,create=file
-
- 6. Finally start the container and enter its realm:
-
- retard2@host$ lxc-start -n winebox
- retard2@host$ lxc-ls --running # check it is up & running
- retard2@host$ lxc-attach -n winebox -- su # enter container (as root)
-
-Inside the Container
-------------------
-
- 1. Adapt /etc/apt/sources.list to make use of "contrib" and "non-free"
- and run:
-
- root@winebox$ apt update
-
- 2. Get OpenGL running
-
- root@winebox$ apt upgrade
- root@winebox$ apt install mesa-utils
- root@winebox$ apt install xserver-xorg-video-nvidia
- root@winebox$ DISPLAY=:0 glxgears # check
- root@winebox$ DISPLAY=:0 glxinfo | grep "direct render" # check
-
- 3. Get PulseAudio running.
- Please adapt the IP to the host's lxcbr0 ip address.
-
- root@winebox$ apt install pavucontrol
- root@winebox$ DISPLAY=:0 PULSE_SERVER=10.0.5.1 pavucontrol
-
- At this point we should have accelerated video and audio running from
- inside our LXC. Well Done!
-
-Wine
----
-
-A few trivial requirements:
-
- root@winebox$ apt install wget
- root@winebox$ apt install gnupg
- root@winebox$ apt install apt-transport-https
-
-Now let's get some wine accoring to: https://wiki.winehq.org/Debian:
-
- root@winebox$ sudo dpkg --add-architecture i386
- root@winebox$ wget -nc https://dl.winehq.org/wine-builds/Release.key
- root@winebox$ sudo apt-key add Release.key
-
-Add the debian stretch wine repo to your /etc/apt/sources.list:
-
- deb https://dl.winehq.org/wine-builds/debian/ stretch main
-
- root@winebox$ apt update
- root@winebox$ apt-get install --install-recommends winehq-stable
-
-Unfortunatelly wine still depends on the 32-bit versions of some libs so
-we have to replace our 64-bit verions by running:
-
- root@winebox$ apt install libgl1-nvidia-glx:i386
-
-Restrict Networking
-----------------
-
-Now You can optionally restrict any communication with the outside world:
-
- miguel@host$ sudo iptables -F FORWARD #block traffic
- miguel@host$ sudo iptables -P FORWARD DROP #block traffic
-
-If your host is forwarding traffic you will need to set up some rules.
-
-Finalizing Contianer
------------------
-
- 1. Create a non-root user:
- root@winebox$ adduser lxc-retard
-
- 2. Now we can exit the container with :
- root@winebox$ exit
-
- 3. Stop the container on the host. This might take some while.
- retard2@host$ lxc-stop -n winebox
-
- 4. THIS WOULD BE A VERY GOOD MOMENT TO SNAPSHOT THE CONTIANER
- FOR LATER REUSE!
-
-Summary
-------
-
-Congratulations! Now you are running "wine" as an unprivileged user
-inside of an unprivileged container of a secondary user, utlizing your
-hosts hardware acceleration and PulseAudio capabilities.
-
-Optionally traffic forwarding has been blocked, for increased security.
-
-Using the Container
-----------------
-
-To use your new container you will need to go through the following
-steps each time:
-
- miguel@host$ xhost +
- miguel@host$ sudo iptables -F FORWARD #block traffic
- miguel@host$ sudo iptables -P FORWARD DROP #block traffic
- miguel$host$ sudo machinectl login # and login as retard2
-
- retard2@host$ lxc-start -n winebox
-
-Now you can attach to the container as lxc-retard user:
-
- retard2@host$ lxc-attach -n winebox -- su lxc-retard
-
-Alternatively we can attach as root:
-
- retard2@host$ lxc-attach -n winebox -- su
-
-Do not forget to stop container once you are finished:
-
- retard2@host$ lxc-stop -n winebox
-
-Remember that stopping might take a while. Be patient!
-
-Make sure to automate/adapt the process, according to your personal
-preferences and requirements.
-- 
cgit v1.2.3