Wine inside LXC
===============

Abstract
--------

Running Wine inside an unprivileged LXC container as a secondary user, utilizing the host system's OpenGL 3D acceleration and PulseAudio.

Host System
-----------

* Debian 9 / Stretch
* Xorg running as primary user "miguel"
* NVIDIA proprietary drivers (Debian's contrib/non-free)
* PulseAudio up & running as primary user (I run pavucontrol as miguel)
* A secondary user "retard2" with uid/gid=1002

Preparations
------------

Allow access to the display server and audio. Note that you should restrict this in a real world setup (e.g. auth-ip-acl):

    miguel@host$ xhost +    # allow remote X access

Add these lines to /etc/pulse/default.pa and restart PulseAudio:

    load-module module-native-protocol-tcp auth-anonymous=1
    load-module module-zeroconf-publish

Create Container
----------------

1. In order to allow the creation of virtual network bridges as our secondary user, add the following two lines to /etc/lxc/lxc-usernet:

       retard2 veth virbr0 2
       retard2 veth lxcbr0 10

2. Login as retard2 ("su" does not work well with cgroups):

       miguel@host$ sudo machinectl login     # then login as retard2
       retard2@host$ cat /proc/self/cgroup    # just check cgroups if you want

3. Add subuid/subgid mappings to /home/retard2/.config/lxc/default.conf. You can check the ranges in /etc/subuid and /etc/subgid:

       lxc.id_map = u 0 1541792 65536
       lxc.id_map = g 0 1541792 65536

4. We are ready to create the LXC container as retard2:

       retard2@host$ lxc-create -n winebox -t download

   Select exactly the same distro / version / arch as you run on the host, i.e. debian / stretch / amd64.

       retard2@host$ lxc-ls    # assure that "winebox" LXC was created

5.
Adapt the new config in ~/.local/share/lxc/winebox/config, adding:

       # NET
       lxc.network.type = veth
       lxc.network.link = lxcbr0
       lxc.network.flags = up
       lxc.network.hwaddr = 00:16:3e:be:3c:5a
       # X
       lxc.mount.entry = /dev/dri dev/dri none bind,create=dir
       lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,create=dir
       # NVIDIA
       lxc.mount.entry = /dev/nvidia0 dev/nvidia0 none bind,create=file
       lxc.mount.entry = /dev/nvidiactl dev/nvidiactl none bind,create=file

6. Finally start the container and enter its realm:

       retard2@host$ lxc-start -n winebox
       retard2@host$ lxc-ls --running               # check it is up & running
       retard2@host$ lxc-attach -n winebox -- su    # enter container (as root)

Inside the Container
--------------------

1. Adapt /etc/apt/sources.list to make use of "contrib" and "non-free" and run:

       root@winebox$ apt update

2. Get OpenGL running:

       root@winebox$ apt upgrade
       root@winebox$ apt install mesa-utils
       root@winebox$ apt install xserver-xorg-video-nvidia
       root@winebox$ DISPLAY=:0 glxgears                          # check
       root@winebox$ DISPLAY=:0 glxinfo | grep "direct render"    # check

3. Get PulseAudio running. Please adapt the IP to the host's lxcbr0 IP address:

       root@winebox$ apt install pavucontrol
       root@winebox$ DISPLAY=:0 PULSE_SERVER=10.0.5.1 pavucontrol

At this point we should have accelerated video and audio running from inside our LXC. Well done!
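The uid/gid mapping from step 3 of "Create Container" can be derived from /etc/subuid and /etc/subgid instead of being typed by hand, and the script can refuse to continue when the secondary user has no range at all. This is an added example, not part of the original page; the sample file contents are constructed and the helper names first_range and gen_id_map are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): build the lxc.id_map lines from
# the subuid/subgid entries of a user instead of copying them by hand.
# Function names (first_range, gen_id_map) are this example's own.

# Print "start:count" of the first range for user $1 in file $2.
# File format, one entry per line: name:start:count
first_range() {
    awk -F: -v user="$1" '$1 == user { print $2 ":" $3; exit }' "$2"
}

# Emit the two lxc.id_map lines for user $1 from subuid file $2 and subgid
# file $3 (defaults: /etc/subuid and /etc/subgid). Returns 1 when either
# range is missing, so a caller can stop before running lxc-create.
gen_id_map() {
    uidrange=$(first_range "$1" "${2:-/etc/subuid}")
    gidrange=$(first_range "$1" "${3:-/etc/subgid}")
    if [ -z "$uidrange" ] || [ -z "$gidrange" ]; then
        echo "no subuid/subgid range found for $1" >&2
        return 1
    fi
    printf 'lxc.id_map = u 0 %s %s\n' "${uidrange%%:*}" "${uidrange##*:}"
    printf 'lxc.id_map = g 0 %s %s\n' "${gidrange%%:*}" "${gidrange##*:}"
}

# Constructed sample files standing in for /etc/subuid and /etc/subgid;
# the retard2 range matches the values used in step 3.
SAMPLE_SUBUID=$(mktemp)
SAMPLE_SUBGID=$(mktemp)
trap 'rm -f "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"' EXIT
printf 'miguel:100000:65536\nretard2:1541792:65536\n' > "$SAMPLE_SUBUID"
printf 'miguel:100000:65536\nretard2:1541792:65536\n' > "$SAMPLE_SUBGID"

# Print the lines to append to ~/.config/lxc/default.conf
gen_id_map retard2 "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"
```

Run it as the secondary user without the two file arguments to read the real /etc/subuid and /etc/subgid, and redirect the output into the default.conf.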
Wine
----

A few trivial requirements:

    root@winebox$ apt install wget
    root@winebox$ apt install gnupg
    root@winebox$ apt install apt-transport-https

Now let's get some Wine according to https://wiki.winehq.org/Debian:

    root@winebox$ sudo dpkg --add-architecture i386
    root@winebox$ wget -nc https://dl.winehq.org/wine-builds/Release.key
    root@winebox$ sudo apt-key add Release.key

Add the Debian stretch Wine repo to your /etc/apt/sources.list:

    deb https://dl.winehq.org/wine-builds/debian/ stretch main

    root@winebox$ apt update
    root@winebox$ apt-get install --install-recommends winehq-stable

Unfortunately Wine still depends on the 32-bit versions of some libs, so we have to replace our 64-bit versions by running:

    root@winebox$ apt install libgl1-nvidia-glx:i386

Restrict Networking
-------------------

Now you can optionally restrict any communication with the outside world:

    miguel@host$ sudo iptables -F FORWARD      # block traffic
    miguel@host$ sudo iptables -P FORWARD DROP # block traffic

If your host is forwarding traffic you will need to set up some rules.

Finalizing Container
--------------------

1. Create a non-root user:

       root@winebox$ adduser lxc-retard

2. Now we can exit the container with:

       root@winebox$ exit

3. Stop the container on the host. This might take some while.

       retard2@host$ lxc-stop -n winebox

4. THIS WOULD BE A VERY GOOD MOMENT TO SNAPSHOT THE CONTAINER FOR LATER REUSE!

Summary
-------

Congratulations! Now you are running "wine" as an unprivileged user inside of an unprivileged container of a secondary user, utilizing your host's hardware acceleration and PulseAudio capabilities. Optionally, traffic forwarding has been blocked for increased security.
Using the Container
-------------------

To use your new container you will need to go through the following steps each time:

    miguel@host$ xhost +
    miguel@host$ sudo iptables -F FORWARD      # block traffic
    miguel@host$ sudo iptables -P FORWARD DROP # block traffic
    miguel@host$ sudo machinectl login         # and login as retard2
    retard2@host$ lxc-start -n winebox

Now you can attach to the container as the lxc-retard user:

    retard2@host$ lxc-attach -n winebox -- su lxc-retard

Alternatively we can attach as root:

    retard2@host$ lxc-attach -n winebox -- su

Do not forget to stop the container once you are finished:

    retard2@host$ lxc-stop -n winebox

Remember that stopping might take a while. Be patient!

Make sure to automate/adapt the process according to your personal preferences and requirements.