Running GUI applications in LXD on Fedora 26

Create container:

[iaroki@fedora ~]$ lxc launch images:debian/stretch chrome

Install needed tools:

[iaroki@fedora ~]$ lxc exec chrome bash
root@chrome:~# adduser iaroki
root@chrome:~# apt update
root@chrome:~# apt install x11-apps mesa-utils alsa-utils

Map UID and GID ramges:

[iaroki@fedora ~]$ echo "root:1000:1" | sudo tee -a /etc/subuid /etc/subgid

Set UID/GUID ranges for container:

[iaroki@fedora ~]$ lxc config set chrome raw.idmap "both $UID 1000"
[iaroki@fedora ~]$ lxc restart chrome

Mount X11 socket and .Xauthority file:

[iaroki@fedora ~]$ lxc config device add chrome X0 disk path=/tmp/.X11-unix/X0 source=/tmp/.X11-unix/X0
[iaroki@fedora ~]$ lxc config device add chrome Xauthority disk path=/home/iaroki/.Xauthority source=${XAUTHORITY}

Passthrough GPU device:

[iaroki@fedora ~]$ lxc config device add chrome GPU gpu
[iaroki@fedora ~]$ lxc config device set chrome uid 1000
[iaroki@fedora ~]$ lxc config device set chrome gid 1000

Check results with:

[iaroki@fedora ~]$ lxc exec chrome -- sudo --login --user iaroki
iaroki@chrome:~$ export DISPLAY=:0
iaroki@chrome:~$ echo "export DISPLAY=:0" >> ~/.profile
iaroki@chrome:~$ glxgears

Now we can install and run chromium browser inside:

[iaroki@fedora ~]$ lxc exec chrome -- sudo --login --user iaroki
iaroki@chrome:~$ sudo apt install chromium
iaroki@chrome:~$ chromium
Running GUI applications in LXD on Fedora 26

LXD installation on Fedora 26

LXD is not working with enabled SELinux so we need to disable it with comand:

[root@fedora ~]# setenforce permissive

Enable ganto repository to download neded packages:

[root@fedora ~]# dnf copr enable ganto/lxd

Now time to install LXD:

[root@fedora ~]# dnf install lxd lxd-client lxd-tools

In order to run lxc tools our user need to be in a lxd group, so add it:

[root@fedora ~]# usermod -aG lxd iaroki

Set sub{u,g}id’s range for containeraized root user:

[root@fedora ~]# echo "root:1000000:65536" >> /etc/subuid
[root@fedora ~]# echo "root:1000000:65536" >> /etc/subgid

Enable and start LXD daemon:

[root@fedora ~]# systemctl enable lxd.service
[root@fedora ~]# systemctl start lxd.service

Finally run LXD initialization:

[root@fedora ~]# lxd init

And now as a normal user (iaroki in my case) start container:

[iaroki@fedora ~]$ lxc launch images:debian/stretch mydebian
[iaroki@fedora ~]$ lxc exec mydebian bash

Enjoy LXD!

LXD installation on Fedora 26

How to backup LXC containers

Moving LXC containers between host systems

This is how I migrate LXC containers between systems. I’ve successfully moved ubuntu based 12.04 containers to a 14.04 host, and they work great.

  • Shutdown the container
    # lxc-stop -n $NAME
  • Archive container rootfs & config
    # cd /var/lib/lxc/$NAME/
    # tar --numeric-owner -czvf container_fs.tar.gz ./*

    The ‘–numeric-owner’ flag is very important! Without it, the container may not boot because the uid/gids get mangled in the extracted filesystem. When tar creates an archive, it preserves user / group ownership information. By default, when extracting, tar tries to resolve the archive user/group ownership names with the ids on the system running tar. This is intended to ensure that user ownership is resolved on the new system, in case the UID numeric values differ between systems.

    This is bad for an LXC filesystem because the numeric uid/gid ownership is intended to be preserved for the whole filesystem. If it gets resolved to a different value, bad things happen.

  • Copy the file to your new server
    # rsync -avh container_fs.tar.gz user@newserver:/var/lib/lxc/
  • Extract rootfs
    # mkdir /var/lib/lxc/$NAME/
    # cd /var/lib/lxc/$NAME/
    # tar --numeric-owner -xzvf container_fs.tar.gz ./*

If you’re using an overlay backed container, you’ll also need to migrate the container this new one is based off of. Lastly, you might see a few warnings about skipped socket files:

tar: /var/lib/lxc/$NAME/rootfs/dev/log: socket ignored

I’ve ignored this error, and haven’t had any issues with any of the containers I manage. If you have further issues, add your error messages to the original post and I’ll elaborate.



How to backup LXC containers

LXC share folder

Exposing a directory on the host machine to an LXC container

  1. Log into the container and create an empty directory, this will be the mount point
  2. Log out and stop the container.
  3. Open to your container’s config file
    • For regular LXC containers: /var/lib/lxc/mycontainer/config
    • For unprivileged LXC containers: $HOME/.local/share/lxc/mycontainer/config
  4. Add a new line above the lxc.mount directive, that follows the format below. Substitute proper paths as necessary:
    • lxc.mount.entry = /path/to/folder/on/host /path/to/mount/point none bind 0 0
    • Both of these paths are relative to the host machine.
    • Location of the root fs in the container can be found at:
      • For regular LXC containers: /var/lib/lxc/mycontainer/rootfs/
      • For unprivileged LXC containers: $HOME/.local/share/lxc/mycontainer/rootfs

Note: If the host’s user does not exist in the container, the container will still be mounted, but with nobody:nogroup as the owner. This may not be a problem unless you need to write to these files, in which case you’ll need to give everybody write permission to that folder. (i.e. chmod -R go+w /folder/to/share)


I want to share /home/julianlam/foobar to my unprivileged container bazquux. In bazquux, I want this folder to be found at /mnt/baz.

In the container:

$ cd /mnt
$ sudo mkdir baz
$ logout

In the host, I will add the following line above lxc-mount in /home/julianlam/.local/share/lxc/bazquux/config:

lxc.mount.entry = /home/julianlam/foobar /home/julian/.local/share/lxc/bazquux/rootfs/mnt/baz none bind 0 0


LXC share folder

Bridge interface for lxc-containers

Script for creating bridge interface and applying  iptable routing rule:



echo 1 > /proc/sys/net/ipv4/ip_forward

Edit the container config:

# Network configuration = veth = up = lxc-br0 = eth0 = 00:FF:AA:00:00:01 = =

Edit the container interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static

Enjoy the working network inside your lxc-container!

Bridge interface for lxc-containers