late autumn



LXC on Android 📱

LXC is an operating-system-level virtualization technology that provides a user-space interface for the Linux kernel's container features. It packages an application and its software environment into a container that holds the application's own code together with the operating system kernel and libraries it requires.

1. Compiling the Kernel#

1.1. Adjusting Kernel Configuration#

Use this repository to quickly add configurations:

# Fetch the branch carrying the docker/ Kconfig fragments and graft it into the kernel tree under docker/
git fetch main
git merge -s ours --no-commit --allow-unrelated-histories --squash FETCH_HEAD
git read-tree --prefix=docker -u FETCH_HEAD
# Hook the imported Kconfig into the arm64 configuration menu
echo "source \"docker/Kconfig\"" >> arch/arm64/Kconfig
git commit -a -m "Imported docker/ from"

Then compile it yourself.

1.2. Kernel Patch#

  1. Fix possible panic situations
--- orig/net/netfilter/xt_qtaguid.c     2020-05-12 12:13:14.000000000 +0300
+++ my/net/netfilter/xt_qtaguid.c       2019-09-15 23:56:45.000000000 +0300
@@ -737,7 +737,7 @@
        struct proc_iface_stat_fmt_info *p = m->private;
        struct iface_stat *iface_entry;
-       struct rtnl_link_stats64 dev_stats, *stats;
+       struct rtnl_link_stats64 *stats;
        struct rtnl_link_stats64 no_dev_stats = {0};  
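Review bot: dropping the `dev_stats` local only compiles if the second hunk, which removes the `dev_get_stats(iface_entry->net_dev, &dev_stats)` call, is applied together with it, so the two belong in one commit and the description should say why that call is being removed. The `+++ my/` timestamp (2019-09-15) is also older than the `--- orig/` one (2020-05-12), which suggests the diff was taken against an earlier copy of the file; regenerate it against the tree it is meant to patch.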
@@ -745,13 +745,8 @@
        current->pid, current->tgid, from_kuid(&init_user_ns, current_fsuid()));
        iface_entry = list_entry(v, struct iface_stat, list);
+       stats = &no_dev_stats; 
-       if (iface_entry->active) {
-               stats = dev_get_stats(iface_entry->net_dev,
-                                     &dev_stats);
-       } else {
-               stats = &no_dev_stats;
-       }
         * If the meaning of the data changes, then update the fmtX
         * string.
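Review bot: this hunk will not apply as shown: the header `@@ -745,13 +745,8 @@` announces 13 old and 8 new lines but the body contains 10 and 5, the `+` line sits before the `-` block (diff -u never orders a replacement that way), and `+       stats = &no_dev_stats; ` carries trailing whitespace, all signs of hand editing, so regenerate it with `diff -u` against the real file. On the substance, unconditionally pointing `stats` at the zeroed `no_dev_stats` does avoid whatever `dev_get_stats()` touches, but it also means this proc output now reports zero counters even for entries with `iface_entry->active` set; that loss of data belongs in the description, and a narrower fix would keep the `dev_get_stats()` call and guard only the condition that actually triggers the panic.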
  2. Fix missing cpuset prefix in cgroup
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -3786,6 +3786,10 @@ static int cgroup_add_file(struct cgroup_subsys_state *css, struct cgroup *cgrp,
 		cfile->kn = kn;
+	if (cft->ss && (cgrp->root->flags & CGRP_ROOT_NOPREFIX) && !(cft->flags & CFTYPE_NO_PREFIX)) {
+				snprintf(name, CGROUP_FILE_NAME_MAX, "%s.%s", cft->ss->name, cft->name);
+				kernfs_create_link(cgrp->kn, name, kn);
+	}
 	return 0;
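Review bot: the return value of `kernfs_create_link(cgrp->kn, name, kn)` is discarded; it returns an `ERR_PTR` on failure (a name clash with an existing node, for one), so the result should go through `IS_ERR()` and be propagated or at least logged instead of silently continuing. The link is also created with no counterpart that removes it when the file it points to goes away, so the matching removal path needs a `kernfs_remove_by_name()` of the same `name`. Minor: the two inner lines are indented four tabs under a one-tab `if`, and the header `@@ -3786,6 +3786,10 @@` promises six context lines of which only two are shown, so the hunk as pasted will not apply either.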

Then build the kernel for your device in the usual way; the remaining steps are omitted here.

2. Installing LXC using Termux#

pkg update && pkg install root-repo && apt install lxc tsu

2.1. Configuring and Starting LXC Containers#

First, cgroup needs to be mounted.

mount -t tmpfs -o mode=755 tmpfs /sys/fs/cgroup
mkdir -p /sys/fs/cgroup/devices
mount -t cgroup -o devices cgroup /sys/fs/cgroup/devices

lxc-setup-cgroups #may not be necessary

Create a container.

# Adjust the network configuration before creating the container;
# see the Network Configuration section below.

lxc-create -t download -n my-container -- --server --no-validate

# When prompted, enter the distribution, release and architecture in that order,
# then start the container
lxc-start -n my-container -d -F

# Shortly afterwards, the start fails with:
# Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
# [!!!!!!] Failed to mount API filesystems.
# Exiting PID 1...

# Solution 1
echo "lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=0" >> $PREFIX/share/lxc/config/common.conf.d/systemd.conf
# Solution 2
mkdir -p /sys/fs/cgroup/systemd && mount -t cgroup cgroup -o none,name=systemd /sys/fs/cgroup/systemd
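As an added pre-flight check (example code written for this page, not from the original post or the LXC project), the script below reads a /proc/mounts-style file and reports which of the cgroup v1 hierarchies mounted above (the devices controller and the named systemd hierarchy) are absent, so the boot failure shown above can be caught before lxc-start runs. The sample mounts file is constructed, and the mount_missing_cgroups helper is a hypothetical wrapper around the mount commands from this section.

```shell
# Added example for this page (not from the original post or the LXC project):
# check a /proc/mounts-style file for the cgroup v1 hierarchies mounted above.

# Succeed when a cgroup hierarchy carrying the given mount option
# (a controller such as "devices", or "name=systemd") is listed.
has_cgroup_option() {
    # $1 = mounts file, $2 = option to look for
    awk -v want="$2" '
        $3 == "cgroup" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Print each required option that is missing, one per line;
# return 1 if anything is missing, 0 when all are present.
missing_cgroups() {
    mounts="$1"; shift
    rc=0
    for opt in "$@"; do
        if ! has_cgroup_option "$mounts" "$opt"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Hypothetical helper: mount what the live /proc/mounts still lacks, using the
# same commands as the section above (needs root via tsu; not run by the check).
mount_missing_cgroups() {
    has_cgroup_option /proc/mounts devices || {
        mkdir -p /sys/fs/cgroup/devices
        mount -t cgroup -o devices cgroup /sys/fs/cgroup/devices
    }
    has_cgroup_option /proc/mounts name=systemd || {
        mkdir -p /sys/fs/cgroup/systemd
        mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd
    }
}

# Constructed sample: /proc/mounts after the tmpfs and devices mounts above,
# but before Solution 2 has mounted the named systemd hierarchy.
SAMPLE_MOUNTS="${TMPDIR:-/tmp}/sample-mounts.$$"
cat > "$SAMPLE_MOUNTS" <<'EOF'
tmpfs /sys/fs/cgroup tmpfs rw,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices 0 0
EOF
missing_cgroups "$SAMPLE_MOUNTS" devices name=systemd || echo "mount the hierarchies listed above first"
```

Run it against the real file by passing /proc/mounts to missing_cgroups; on the sample it prints name=systemd, which is exactly the mount Solution 2 adds.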

Set the container's root password, either by chrooting into the container's rootfs from the host or through lxc-attach:

chroot <rootfs-path> /bin/su -    # <rootfs-path> stands for the container's rootfs directory
lxc-attach -n my-container passwd

Configure DNS resolution inside the container (DHCP on wlan0 via systemd-networkd):

# systemd-networkd only reads files in this directory whose names end in .network
echo -e "[Match]\nName=wlan0\n\n[Network]\nDHCP=yes\n\n[DHCP]\nRouteMetric=120" \
> /etc/systemd/network/
systemctl restart systemd-networkd

2.1. Network Configuration#

Two network configurations have been tested so far.

2.1.1 Using Host Mode#

Make the following adjustment before creating the container (switch the default network type from empty to none so the container shares the host's network stack):

sed -i 's/lxc\.net\.0\.type = empty/lxc.net.0.type = none/g' $PREFIX/etc/lxc/default.conf

If you also want to run Docker in host mode, make the following adjustments next. Enter the container and run:

update-alternatives --set iptables /usr/sbin/iptables-legacy
iptables -t filter -F

# If Docker starts after the flush above, the next command is not needed
iptables -t filter -X

In host mode, DNS resolution generally works automatically, but there are exceptions. If names cannot be resolved:

echo > /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
# systemctl enable systemd-networkd

2.1.2 Using veth Mode#

The following configuration is required the first time:

apt install dnsmasq wget -y
# Replace the default LXC network configuration with a veth interface attached to the lxcbr0 bridge
cat > $PREFIX/etc/lxc/default.conf <<'EOF'
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
EOF
# Replace lxc-net with the modified script and make it executable
wget -O $PREFIX/libexec/lxc/lxc-net && chmod a+x $PREFIX/libexec/lxc/lxc-net

After every reboot of the device, start lxc-net again before using veth mode:

$PREFIX/libexec/lxc/lxc-net start

Meow meow meow meow meow
