Kali Linux 2017.1: Install LXD for containers

This article describes installing LXD from the snap on Kali Linux 2017.1 and running a container in it.

1 Disable AppArmor

If you have installed AppArmor and appended "apparmor=1 security=apparmor" to the kernel parameters, installing the core snap fails while snapd sets up the snap's security profiles:

$ sudo snap install --beta core
error: cannot perform the following tasks:
- Setup snap "core" (2271) security profiles (cannot setup seccomp for snap "core": fork/exec /usr/lib/snapd/snap-seccomp: no such file or directory)
- Setup snap "core" (2271) security profiles (fork/exec /usr/lib/snapd/snap-seccomp: no such file or directory)

If you install LXD first and AppArmor later, the lxc command fails instead. This happens even if you disable the AppArmor profile for snapd:

$ lxc
snap-confine has elevated permissions and is not confined but should
be. Refusing to continue to avoid permission escalation attacks.

So disable AppArmor by removing "apparmor=1 security=apparmor" from the kernel parameters and rebooting. Be aware of the trade-off: without AppArmor, snapd can only partially confine the snaps it installs (snap debug confinement reports partial instead of strict), so the LXD snap itself runs with less isolation from the host than it would on a strictly confined system.

2 Install LXD

The following script installs LXD from the snap and initializes it.

#!/bin/bash
set -e

sudo apt install -y snapd
sudo systemctl enable snapd
sudo systemctl restart snapd

# INFO snap "core" has bad plugs or slots: core-support-plug (unknown interface)
# https://forum.snapcraft.io/t/tests-broken-in-master/457/4
sudo snap install core # --beta is no longer needed as of 2017/7/17.
sudo snap install lxd

# Add /snap/bin to secure_path so "sudo lxc" and "sudo lxd" are found.
# Validate the result with visudo -c: a broken /etc/sudoers locks out sudo.
sudo sed -e 's;secure_path="\(.*\)";secure_path=\1:/snap/bin;g' \
     -i /etc/sudoers
sudo visudo -c

# Initialize LXD with a NAT network. Answering every prompt with an empty line
# accepts the defaults: a new storage pool, no remote listener, and a new
# lxdbr0 bridge with automatically chosen IPv4/IPv6 subnets and NAT.
sudo lxd waitready
yes '' | sudo lxd init

# Add the lxd group and join it. Members of this group can drive the LXD
# daemon, which runs as root, so membership is equivalent to root on the host.
sudo addgroup --system lxd
sudo gpasswd -a "${USER}" lxd

# Reboot so the new group membership takes effect.
sudo reboot
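As an added example (not part of the original article), the following script does two of the steps above more defensively: it refuses to continue if the running kernel's command line still enables AppArmor, and it adds /snap/bin to secure_path through a validated drop-in in /etc/sudoers.d instead of editing /etc/sudoers in place. The function names, the LXD_PREFLIGHT_RUN switch and the drop-in file name 90-snap-secure-path are this example's own choices; the live part only runs when LXD_PREFLIGHT_RUN=1 is set, and needs root.

```shell
#!/bin/sh
# Added example, not the article's script. Function names, LXD_PREFLIGHT_RUN
# and the drop-in name 90-snap-secure-path are assumptions of this example.
set -eu

# Return 0 when a kernel command line enables AppArmor the way the article
# warns about, i.e. both apparmor=1 and security=apparmor are present.
cmdline_enables_apparmor() {
    cmdline="$1"
    case " $cmdline " in
        *" apparmor=1 "*)
            case " $cmdline " in
                *" security=apparmor "*) return 0 ;;
            esac ;;
    esac
    return 1
}

# Take a sudoers 'Defaults secure_path="..."' line and print it with /snap/bin
# appended once. Idempotent: a path that already lists /snap/bin is unchanged.
secure_path_with_snap() {
    line="$1"
    path=$(printf '%s\n' "$line" \
        | sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}secure_path="\(.*\)".*$/\1/p')
    [ -n "$path" ] || return 1
    case ":$path:" in
        *":/snap/bin:"*) ;;
        *) path="$path:/snap/bin" ;;
    esac
    printf 'Defaults secure_path="%s"\n' "$path"
}

# Install the secure_path change as a drop-in that is syntax-checked before it
# goes live. A later Defaults line overrides the earlier one, so the drop-in
# wins over /etc/sudoers without modifying that file.
install_secure_path_dropin() {
    current=$(grep -E '^[[:space:]]*Defaults[[:space:]]+secure_path=' /etc/sudoers)
    tmp=$(mktemp)
    secure_path_with_snap "$current" > "$tmp"
    chmod 0440 "$tmp"
    # visudo -c -f rejects a broken file here instead of after it is in use.
    visudo -c -f "$tmp"
    mv "$tmp" /etc/sudoers.d/90-snap-secure-path
}

if [ "${LXD_PREFLIGHT_RUN:-0}" = 1 ]; then
    if cmdline_enables_apparmor "$(cat /proc/cmdline)"; then
        echo "kernel booted with AppArmor enabled; snap-confine will refuse to run lxc" >&2
        exit 1
    fi
    install_secure_path_dropin
    # Keep the lxd group small: the daemon runs as root and any member can
    # mount host paths into a container, so membership is root on the host.
    echo "reminder: only trusted users belong in the lxd group" >&2
fi
```

Run it as root with LXD_PREFLIGHT_RUN=1 before the install script; without the variable it only defines the functions, so it can be sourced and the helpers reused elsewhere.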

3 Run container

This downloads the debian/stretch image and starts a container from it. The container gets an address on the NAT bridge created by lxd init.

$ lxc launch images:debian/stretch debian
$ lxc exec debian -- ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:3a:14:6f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet brd scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd42:b1fe:730e:5b1d:216:3eff:fe3a:146f/64 scope global mngtmpaddr dynamic
       valid_lft 3593sec preferred_lft 3593sec
    inet6 fe80::216:3eff:fe3a:146f/64 scope link
       valid_lft forever preferred_lft forever
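As an added example (not part of the original article), the following script turns the manual check above into two reusable helpers: one extracts the global IPv4 address of an interface from ip a s output, and one reads the container's /proc/self/uid_map to confirm it is unprivileged (container root mapped to a high host uid) rather than privileged (container root mapped to host uid 0, which means a breakout lands as root on the host). The function names and the sample ip output, including the 10.0.8.23 address, are constructed for this example; the live part only runs with the --live flag and talks to a running container.

```shell
#!/bin/sh
# Added example, not the article's own commands. Function names, the --live
# flag and SAMPLE_IP_OUTPUT (including 10.0.8.23) are constructed here.
set -eu

# Print the global-scope IPv4 address (without prefix length) of an interface,
# given "ip a s" output on stdin. Exit 1 if the interface has none yet, which
# is what you see if you run this before the container's DHCP client finishes.
global_ipv4_of() {
    awk -v want="$1" '
        $1 == "inet" && $0 ~ /scope global/ && $NF == want {
            sub(/\/.*/, "", $2); print $2; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Classify a container from its /proc/self/uid_map, which is one or more lines
# of "<start-in-container> <start-on-host> <count>". Only the first line is
# inspected: if container uid 0 maps to host uid 0 the container is privileged.
uid_map_kind() {
    set -- $1
    [ $# -ge 2 ] || { echo unknown; return 1; }
    if [ "$1" = 0 ] && [ "$2" = 0 ]; then
        echo privileged
    else
        echo unprivileged
    fi
}

# Constructed sample in the shape of the output shown above (IPv4 added).
SAMPLE_IP_OUTPUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:3a:14:6f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.8.23/24 brd 10.0.8.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe3a:146f/64 scope link
       valid_lft forever preferred_lft forever'

if [ "${1:-}" = "--live" ]; then
    name="${2:-debian}"
    if addr=$(lxc exec "$name" -- ip a s | global_ipv4_of eth0); then
        echo "$name eth0: $addr"
    else
        echo "$name: no IPv4 address on eth0 yet" >&2
    fi
    echo "$name is $(uid_map_kind "$(lxc exec "$name" -- cat /proc/self/uid_map)")"
fi
```

Run it as sh check.sh --live debian after lxc launch; an LXD container created with the defaults above should report unprivileged, and anything reporting privileged deserves a look at its security.privileged setting before it is exposed to untrusted workloads.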