path: root/00_blog/00015_Admin/00050_Wine-in-LXC/index.md
blob: 24344e055d604b5cbbd0d73e7c115773149e835b (plain)
Wine inside LXC
===============

Abstract
--------

Running Wine inside an unprivileged LXC container as a secondary user,
utilizing the host system's OpenGL 3D acceleration and PulseAudio.

Host System
-----------

* Debian 9 / Stretch
* Xorg running as primary user "miguel"
* NVIDIA proprietary drivers (Debian's contrib/non-free)
* PulseAudio up & running as primary user (I run pavucontrol as miguel)
* A secondary user "retard2" with uid/gid=1002

Preparations
------------

Allow access to the display server and audio. Note that both settings
below open the services to any client that can reach them ("xhost +"
disables X access control entirely, and auth-anonymous=1 lets PulseAudio
clients connect without a cookie), so you should restrict this in a real
world setup (e.g. auth-ip-acl):

    miguel@host$ xhost + # disable X access control (any client may connect)

Add these lines to /etc/pulse/default.pa and restart PulseAudio:

    load-module module-native-protocol-tcp auth-anonymous=1
    load-module module-zeroconf-publish

Create Container
----------------

    1. In order to allow our secondary user to create veth interfaces
    attached to the host's bridges, add the following two lines to
    /etc/lxc/lxc-usernet (user, interface type, bridge, quota):

    retard2  veth         virbr0     2
    retard2  veth         lxcbr0     10

    2. Log in as retard2 ("su" does not work well with cgroups)

    miguel@host$ sudo machinectl login   # then log in as retard2
    retard2@host$ cat /proc/self/cgroup  # just check cgroups if you want

    3. Add the subuid/subgid mappings to /home/retard2/.config/lxc/default.conf.
    You can check the ranges assigned to retard2 in /etc/subuid and /etc/subgid:

    lxc.id_map = u 0 1541792 65536
    lxc.id_map = g 0 1541792 65536

    4. We are ready to create the lxc container as retard2: 

    retard2@host$ lxc-create -n winebox -t download

    Select exactly the same distro / version / arch as you run on the
    host, i.e. debian / stretch / amd64.

    retard2@host$ lxc-ls # assure that "winebox" LXC was created

    5. Adapt the new config in ~/.local/share/lxc/winebox/config by adding:

    # NET
    lxc.network.type = veth
    lxc.network.link = lxcbr0
    lxc.network.flags = up
    lxc.network.hwaddr = 00:16:3e:be:3c:5a 

    # X
    lxc.mount.entry = /dev/dri dev/dri none bind,create=dir
    lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,create=dir

    # NVIDIA
    lxc.mount.entry = /dev/nvidia0 dev/nvidia0 none bind,create=file
    lxc.mount.entry = /dev/nvidiactl dev/nvidiactl none bind,create=file

    6. Finally start the container and enter its realm:

    retard2@host$ lxc-start -n winebox
    retard2@host$ lxc-ls --running            # check it is up & running
    retard2@host$ lxc-attach -n winebox -- su # enter container (as root)
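A helper for step 3 above, added here as an example and not taken from the original post: it reads the ranges assigned to a user in /etc/subuid and /etc/subgid and prints the matching lxc.id_map lines, refusing ranges smaller than the 65536 ids the mapping needs. The sample files are constructed; on a live host pass the real /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example (not part of the original post): derive the lxc.id_map
# lines for an unprivileged user from /etc/subuid and /etc/subgid and check
# that the assigned range covers the 65536 ids a full container needs.
# (LXC 3.x renamed the key to lxc.idmap; Debian Stretch's LXC 2.x uses
# lxc.id_map as in the post.)

# Print "start count" for the first range assigned to user $1 in file $2.
subid_range() {
    awk -F: -v user="$1" '$1 == user { print $2, $3; exit }' "$2"
}

# Emit the two lxc.id_map lines for user $1, reading the subuid file $2 and
# the subgid file $3. Prints nothing and returns 1 if either range is
# missing or smaller than 65536, which would leave container ids unmapped.
idmap_lines() {
    user=$1; subuid_file=$2; subgid_file=$3
    u=$(subid_range "$user" "$subuid_file")
    g=$(subid_range "$user" "$subgid_file")
    [ -n "$u" ] && [ -n "$g" ] || return 1
    set -- $u; ustart=$1; ucount=$2
    set -- $g; gstart=$1; gcount=$2
    [ "$ucount" -ge 65536 ] && [ "$gcount" -ge 65536 ] || return 1
    printf 'lxc.id_map = u 0 %s 65536\n' "$ustart"
    printf 'lxc.id_map = g 0 %s 65536\n' "$gstart"
}

# Constructed sample files standing in for /etc/subuid and /etc/subgid;
# on a real host pass those paths instead.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_SUBUID=$SAMPLE_DIR/subuid
SAMPLE_SUBGID=$SAMPLE_DIR/subgid
cat > "$SAMPLE_SUBUID" <<'EOF'
miguel:100000:65536
retard2:1541792:65536
smalluser:1607328:1000
EOF
cp "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"

# retard2 yields the two lines from the post; smalluser's 1000-id range is
# rejected instead of silently producing a broken mapping.
idmap_lines retard2 "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"
idmap_lines smalluser "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" \
    || echo "smalluser: no usable subordinate id range" >&2
```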

Inside the Container
--------------------

    1. Adapt /etc/apt/sources.list to make use of "contrib" and "non-free" 
    and run:

    root@winebox$ apt update

    2. Get OpenGL running

    root@winebox$ apt upgrade
    root@winebox$ apt install mesa-utils
    root@winebox$ apt install xserver-xorg-video-nvidia
    root@winebox$ DISPLAY=:0 glxgears                       # check: gears should render
    root@winebox$ DISPLAY=:0 glxinfo | grep "direct render" # check: expect "direct rendering: Yes"

    3. Get PulseAudio running.
    Adapt the IP to the host's lxcbr0 IP address.

    root@winebox$ apt install pavucontrol
    root@winebox$ DISPLAY=:0 PULSE_SERVER=10.0.5.1 pavucontrol

    At this point we should have accelerated video and audio running from 
    inside our LXC. Well Done!

Wine
----

A few trivial requirements:

    root@winebox$ apt install wget
    root@winebox$ apt install gnupg
    root@winebox$ apt install apt-transport-https

Now let's get some Wine according to https://wiki.winehq.org/Debian:

    root@winebox$ dpkg --add-architecture i386    # we are already root, no sudo needed
    root@winebox$ wget -nc https://dl.winehq.org/wine-builds/Release.key
    root@winebox$ apt-key add Release.key

Add the Debian stretch Wine repo to your /etc/apt/sources.list:

    deb https://dl.winehq.org/wine-builds/debian/ stretch main

    root@winebox$ apt update
    root@winebox$ apt-get install --install-recommends winehq-stable

Unfortunately Wine still depends on the 32-bit versions of some libs, so
we have to replace our 64-bit versions by running:

    root@winebox$ apt install libgl1-nvidia-glx:i386

Restrict Networking
-------------------

Now you can optionally block the container's communication with the
outside world:

    miguel@host$ sudo iptables -F FORWARD       # flush existing forwarding rules
    miguel@host$ sudo iptables -P FORWARD DROP  # drop all forwarded traffic

If your host is forwarding traffic for other purposes you will need to set
up more specific rules. Note that this only affects forwarded packets: the
container can still reach services on the host's own lxcbr0 address (such
as PulseAudio at 10.0.5.1), because those packets pass through the INPUT
chain, not FORWARD.

Finalizing Container
--------------------

    1. Create a non-root user:
    root@winebox$ adduser lxc-retard

    2. Now we can exit the container with :
    root@winebox$ exit

    3. Stop the container on the host. This might take some while.
    retard2@host$ lxc-stop -n winebox

    4. THIS WOULD BE A VERY GOOD MOMENT TO SNAPSHOT THE CONTAINER
    FOR LATER REUSE!

Summary
-------

Congratulations! Now you are running "wine" as an unprivileged user
inside of an unprivileged container of a secondary user, utilizing your
host's hardware acceleration and PulseAudio capabilities.

Optionally, traffic forwarding has been blocked for increased security.

Using the Container
-------------------

To use your new container you will need to go through the following 
steps each time:

    miguel@host$ xhost +                        # disable X access control
    miguel@host$ sudo iptables -F FORWARD       # flush existing forwarding rules
    miguel@host$ sudo iptables -P FORWARD DROP  # drop all forwarded traffic
    miguel@host$ sudo machinectl login          # and log in as retard2

    retard2@host$ lxc-start -n winebox

Now you can attach to the container as lxc-retard user:

    retard2@host$ lxc-attach -n winebox -- su lxc-retard

Alternatively we can attach as root:

    retard2@host$ lxc-attach -n winebox -- su

Do not forget to stop the container once you are finished:

    retard2@host$ lxc-stop -n winebox

Remember that stopping might take a while. Be patient!

Make sure to automate/adapt the process, according to your personal
preferences and requirements.