
Wine inside LXC

Abstract

Running Wine inside an unprivileged LXC container as a secondary user, utilizing the host system's OpenGL 3D acceleration and PulseAudio.

Host System

Preparations

Allow access to the display server and audio. Note that you should restrict this in a real-world setup (e.g. auth-ip-acl):

miguel@host$ xhost + # allow remote X access

Add these lines to /etc/pulse/default.pa and restart PulseAudio:

load-module module-native-protocol-tcp auth-anonymous=1
load-module module-zeroconf-publish

Create Container

1. In order to allow the creation of virtual network bridges as our
secondary user, add the following two lines to /etc/lxc/lxc-usernet:

retard2  veth         virbr0     2
retard2  veth         lxcbr0     10

2. Log in as retard2 ("su" does not work well with cgroups):

miguel@host$ sudo machinectl login   # then log in as retard2
retard2@host$ cat /proc/self/cgroup  # just check cgroups if you want

3. Add the subuid/subgid mappings to /home/retard2/.config/lxc/default.conf.
You can check the ranges in /etc/subuid and /etc/subgid:

lxc.id_map = u 0 1541792 65536
lxc.id_map = g 0 1541792 65536

4. We are ready to create the lxc container as retard2: 

retard2@host$ lxc-create -n winebox -t download

Select exactly the same distro / version / arch as you run on the
host, e.g. debian / stretch / amd64.

retard2@host$ lxc-ls # assure that "winebox" LXC was created

5. Adapt the new config in ~/.local/share/lxc/winebox/config by adding:

# NET
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:be:3c:5a

# X
lxc.mount.entry = /dev/dri dev/dri none bind,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,create=dir

# NVIDIA
lxc.mount.entry = /dev/nvidia0 dev/nvidia0 none bind,create=file
lxc.mount.entry = /dev/nvidiactl dev/nvidiactl none bind,create=file

6. Finally start the container and enter its realm:

retard2@host$ lxc-start -n winebox
retard2@host$ lxc-ls --running            # check it is up & running
retard2@host$ lxc-attach -n winebox -- su # enter container (as root)
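The following script is an added example (not part of the original post) that generates the host-side pieces from "Preparations" and from steps 3 and 5 above: the lxc.id_map lines are derived from the user's entries in /etc/subuid and /etc/subgid (and rejected if the range is smaller than the 65536 ids a container needs), the container config fragment is emitted for a given bridge and MAC address, and the PulseAudio module lines are emitted with auth-ip-acl limited to localhost plus the container subnet instead of auth-anonymous=1. The user name retard2, the bridge lxcbr0 with subnet 10.0.5.0/24 and the sample subuid/subgid contents are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the host-side
# configuration for an unprivileged LXC container of a secondary user.
set -eu

# subid_range USER CONTENT: print "start count" for USER from the content of
# /etc/subuid or /etc/subgid (lines of the form "user:start:count").
subid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# idmap_lines USER SUBUID_CONTENT SUBGID_CONTENT: print the two lxc.id_map
# lines for ~/.config/lxc/default.conf. Fails if USER has no range in either
# file or if a range holds fewer than 65536 ids.
idmap_lines() {
    uid_range=$(subid_range "$1" "$2")
    gid_range=$(subid_range "$1" "$3")
    [ -n "$uid_range" ] && [ -n "$gid_range" ] || return 1
    set -- $uid_range $gid_range   # $1=uid start $2=uid count $3=gid start $4=gid count
    [ "$2" -ge 65536 ] && [ "$4" -ge 65536 ] || return 1
    printf 'lxc.id_map = u 0 %s %s\n' "$1" "$2"
    printf 'lxc.id_map = g 0 %s %s\n' "$3" "$4"
}

# container_config BRIDGE HWADDR: the config fragment from step 5 (veth on
# BRIDGE, bind mounts for DRM, the X11 socket and the NVIDIA device nodes).
container_config() {
    cat <<EOF
# NET
lxc.network.type = veth
lxc.network.link = $1
lxc.network.flags = up
lxc.network.hwaddr = $2

# X
lxc.mount.entry = /dev/dri dev/dri none bind,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,create=dir

# NVIDIA
lxc.mount.entry = /dev/nvidia0 dev/nvidia0 none bind,create=file
lxc.mount.entry = /dev/nvidiactl dev/nvidiactl none bind,create=file
EOF
}

# pulse_modules SUBNET: the default.pa lines from "Preparations", but with
# TCP access limited to localhost and SUBNET (auth-ip-acl) instead of
# granting it to anyone (auth-anonymous=1).
pulse_modules() {
    printf 'load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;%s\n' "$1"
    printf 'load-module module-zeroconf-publish\n'
}

# Constructed sample content standing in for /etc/subuid and /etc/subgid.
SAMPLE_SUBUID='miguel:100000:65536
retard2:1541792:65536'
SAMPLE_SUBGID='miguel:100000:65536
retard2:1541792:65536'

# Demo on the constructed sample. Real use would be, for example:
#   idmap_lines retard2 "$(cat /etc/subuid)" "$(cat /etc/subgid)" >> ~/.config/lxc/default.conf
#   container_config lxcbr0 00:16:3e:be:3c:5a >> ~/.local/share/lxc/winebox/config
demo() {
    idmap_lines retard2 "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"
    container_config lxcbr0 00:16:3e:be:3c:5a
    pulse_modules 10.0.5.0/24
}
demo
```

The MAC address and the mapped id range are taken from the values shown in the post; on your own host the range comes from /etc/subuid, and the subnet passed to pulse_modules must match the one configured on lxcbr0.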

Inside the Container

1. Adapt /etc/apt/sources.list to make use of "contrib" and "non-free",
then run:

root@winebox$ apt update

2. Get OpenGL running

root@winebox$ apt upgrade
root@winebox$ apt install mesa-utils
root@winebox$ apt install xserver-xorg-video-nvidia
root@winebox$ DISPLAY=:0 glxgears                        # check
root@winebox$ DISPLAY=:0 glxinfo  | grep "direct render" # check

3. Get PulseAudio running.
Adapt the IP to the host's lxcbr0 IP address:

root@winebox$ apt install pavucontrol
root@winebox$ DISPLAY=:0 PULSE_SERVER=10.0.5.1 pavucontrol

At this point we should have accelerated video and audio running from 
inside our LXC. Well Done!

Wine

A few trivial requirements:

root@winebox$ apt install wget
root@winebox$ apt install gnupg
root@winebox$ apt install apt-transport-https

Now let's get some Wine according to https://wiki.winehq.org/Debian:

root@winebox$ dpkg --add-architecture i386   # we are already root, no sudo needed
root@winebox$ wget -nc https://dl.winehq.org/wine-builds/Release.key
root@winebox$ apt-key add Release.key

Add the Debian stretch Wine repo to your /etc/apt/sources.list:

deb https://dl.winehq.org/wine-builds/debian/ stretch main

root@winebox$ apt update
root@winebox$ apt-get install --install-recommends winehq-stable

Unfortunately Wine still depends on the 32-bit versions of some libs, so we have to replace our 64-bit versions by running:

root@winebox$ apt install libgl1-nvidia-glx:i386

Restrict Networking

Now you can optionally block all communication with the outside world:

miguel@host$ sudo iptables -F FORWARD       #block traffic
miguel@host$ sudo iptables -P FORWARD DROP  #block traffic

If your host is forwarding traffic, you will need to set up some rules.

Finalizing Container

1. Create a non-root user:
root@winebox$ adduser lxc-retard

2. Now we can exit the container with :
root@winebox$ exit

3. Stop the container on the host. This might take some while.
retard2@host$ lxc-stop -n winebox

4. THIS WOULD BE A VERY GOOD MOMENT TO SNAPSHOT THE CONTAINER
FOR LATER REUSE!

Summary

Congratulations! Now you are running Wine as an unprivileged user inside an unprivileged container of a secondary user, utilizing your host's hardware acceleration and PulseAudio capabilities.

Optionally, traffic forwarding has been blocked for increased security.

Using the Container

To use your new container you will need to go through the following steps each time:

miguel@host$ xhost +
miguel@host$ sudo iptables -F FORWARD       #block traffic
miguel@host$ sudo iptables -P FORWARD DROP  #block traffic
miguel@host$ sudo machinectl login # and log in as retard2

retard2@host$ lxc-start -n winebox

Now you can attach to the container as lxc-retard user:

retard2@host$ lxc-attach -n winebox -- su lxc-retard

Alternatively we can attach as root:

retard2@host$ lxc-attach -n winebox -- su

Do not forget to stop the container once you are finished:

retard2@host$ lxc-stop -n winebox

Remember that stopping might take a while. Be patient!

Make sure to automate/adapt the process, according to your personal preferences and requirements.
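As an added example of such automation (not part of the original post), the wrapper below splits the per-session steps into the part run by the primary user (xhost, the FORWARD rules) and the part run by retard2 inside the machinectl login session (start, attach, stop). It also adds the check the "Restrict Networking" section hints at: after flushing the chain it parses the output of iptables -S FORWARD and refuses to continue unless the policy is DROP and no ACCEPT or RETURN rule is left in the chain, which is what you see when a daemon on the host (libvirt, Docker) re-inserts its forwarding rules. The container name winebox, the users retard2 and lxc-retard, and the sample rule listings are constructed assumptions taken from the post's values.

```shell
#!/bin/sh
# Added example, not from the original post: per-session wrapper for the
# winebox container plus a check that the host FORWARD chain is closed.
set -eu

CONTAINER=${CONTAINER:-winebox}     # assumed container name
LXC_USER=${LXC_USER:-retard2}       # assumed secondary user on the host

# forward_blocked RULES: RULES is the output of `iptables -S FORWARD`.
# Succeeds only if the chain policy is DROP and no rule in the chain jumps
# to ACCEPT or RETURN (a leftover "-A FORWARD ... -j ACCEPT" would still
# forward traffic despite the DROP policy).
forward_blocked() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        $1 == "-A" && $2 == "FORWARD" {
            for (i = 1; i < NF; i++)
                if ($i == "-j" && ($(i+1) == "ACCEPT" || $(i+1) == "RETURN")) open = 1
        }
        END { exit !(policy == "DROP" && !open) }'
}

usage() { echo "usage: $0 host-prep | start | attach [user] | stop" >&2; exit 2; }

main() {
    case "$1" in
        host-prep)   # run as the primary (sudo-capable) user, before machinectl login
            xhost +                       # as in the post; restrict this in a real setup
            sudo iptables -F FORWARD
            sudo iptables -P FORWARD DROP
            forward_blocked "$(sudo iptables -S FORWARD)" \
                || { echo "FORWARD chain is still open, fix your rules" >&2; exit 1; }
            echo "now run: sudo machinectl login   (and log in as $LXC_USER)" ;;
        start)       # run as $LXC_USER inside the machinectl login session
            lxc-start -n "$CONTAINER"
            lxc-ls --running -1 | grep -qx "$CONTAINER" ;;   # verify it is up
        attach)      # attach as the non-root user created in "Finalizing Container"
            lxc-attach -n "$CONTAINER" -- su "${2:-lxc-retard}" ;;
        stop)
            lxc-stop -n "$CONTAINER" ;;   # may take a while, be patient
        *) usage ;;
    esac
}

# Constructed sample listings, as `iptables -S FORWARD` would print them.
SAMPLE_CLOSED='-P FORWARD DROP'
SAMPLE_OPEN='-P FORWARD ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT'
SAMPLE_LEFTOVER='-P FORWARD DROP
-A FORWARD -o virbr0 -j ACCEPT'

if [ $# -gt 0 ]; then main "$@"; fi
```

Typical use is "./winebox.sh host-prep" as miguel, then "sudo machinectl login", and "./winebox.sh start", "./winebox.sh attach" and "./winebox.sh stop" as retard2. The check only covers the filter table's FORWARD chain; NAT rules in the nat table do not by themselves forward traffic, so they are not inspected here.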