在Termux中使用LXC容器安装Debian

参考文档

https://blog.upx8.com/3587

www.coolapk.com

termux

换源

# Interactive mirror picker for Termux's package repositories (run once, choose a nearby mirror).
termux-change-repo

ssh

# Termux-side SSH: install, start once, then auto-start from ~/.bashrc.
pkg install openssh
sshd
vim ~/.bashrc
# ~/.bashrc snippet (between the === markers): start sshd on shell login if it is not already running.
===
if pgrep -x "sshd" >/dev/null
  then
    echo "sshd运行中..."
  else
    sshd
    termux-wake-lock
    echo "启动sshd"
fi
===
# Default port is 8022
# Show the user name to log in with
whoami
# Set the login password.
# NOTE(review): this enables password logins on a port that is typically reachable from the
# local network; key-based auth (then PasswordAuthentication no in $PREFIX/etc/ssh/sshd_config)
# is the safer default.
passwd

开机自启动

  1. 安装插件 Termux:Boot (屏幕左边右滑出现菜单)
  2. 添加
# Termux:Boot runs the executables in ~/.termux/boot/ at device start (see the plugin step above).
mkdir -p ~/.termux/boot/
vim ~/.termux/boot/0-start-sshd
# Boot script content (between the === markers): hold a wake lock, then start sshd.
===
#!/data/data/com.termux/files/usr/bin/bash
termux-wake-lock
sshd
===
chmod +x ~/.termux/boot/0-start-sshd
# termux-wake-lock keeps the device from sleeping, which would otherwise freeze Termux's processes

安装lxc

pkg update
# root-repo is enabled first; lxc and tsu presumably come from it
pkg install root-repo
pkg install lxc tsu

# tsu: switch to the root user (needs a rooted device)

目录

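# $PREFIX is Termux's equivalent of /usr; show its top-level directories.
# Expansions are quoted so a path with spaces (or an unset variable) does not word-split.
tree -d -L 1 "$PREFIX"
# The home directory is Termux-specific too; printf avoids echo's option/escape quirks.
printf '%s\n' "$HOME"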

访问外部存储

# Symbolic links into shared storage (creates ~/storage)
termux-setup-storage
tree storage

# df -h
ls /storage
# internal storage
ls /storage/self/primary
# SD card (the volume ID below is device-specific)
ls /storage/9C33-6BBD

# /sdcard is the root of external storage

安装debian

挂载cgroup

tsu
# Detect the cgroup version: look at the number after "type" on the /sys/fs/cgroup line
mount | grep cgroup

cgroup1:

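 # cgroup v1 hosts: add the init command line to LXC's common config (applies to every container).
 # The original path had a stray leading "/" ("/$PREFIX/..." expands to "//data/..."); fixed here,
 # and the append is guarded with grep -x so re-running these notes does not add duplicate lines.
 # NOTE(review): the bare systemd.unified_cgroup_hierarchy (no =value) is as the author gave it — confirm.
 lxc_common_conf="$PREFIX/share/lxc/config/common.conf"
 grep -qxF 'lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy' -- "$lxc_common_conf" \
   || printf '%s\n' 'lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy' >> "$lxc_common_conf"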

cgroup2:

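# cgroup v2 hosts: add the init command line to LXC's common config (applies to every container).
# The original path had a stray leading "/" ("/$PREFIX/..." expands to "//data/..."); fixed here,
# and the append is guarded with grep -x so re-running these notes does not add duplicate lines.
lxc_common_conf="$PREFIX/share/lxc/config/common.conf"
grep -qxF 'lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=0' -- "$lxc_common_conf" \
  || printf '%s\n' 'lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=0' >> "$lxc_common_conf"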

配置网络host模式

# Host networking: lxc.net.0.type = none makes the container share the host's network namespace
# (no separate interfaces, and no isolation between container and host ports); the later
# ip route/rule and iptables steps rely on this. The path equals $PREFIX/etc/lxc/default.conf.
sed -i 's/lxc\.net\.0\.type = empty/lxc.net.0.type = none/g' /data/data/com.termux/files/usr/etc/lxc/default.conf

===每次重启lxc都要运行下面的命令===

# Host-side cgroup setup, required after every reboot before a container is started.
# Same && chain as before, one mount per continuation line so a failing step is easy to spot.
sudo mount -t tmpfs -o mode=755 tmpfs /sys/fs/cgroup \
  && sudo mkdir -p /sys/fs/cgroup/devices \
  && sudo mount -t cgroup -o devices cgroup /sys/fs/cgroup/devices \
  && sudo mkdir -p /sys/fs/cgroup/systemd \
  && sudo mount -t cgroup cgroup -o none,name=systemd /sys/fs/cgroup/systemd

sudo lxc-setup-cgroups

创建容器

# Fetch a prebuilt image from a mirror. --no-validate skips GPG verification of the downloaded
# index/tarball, so the mirror is trusted blindly; prefer dropping the flag (or pointing the
# download template at a keyserver you trust) when validation is possible.
lxc-create -t download -n debian -- --server mirrors.tuna.tsinghua.edu.cn/lxc-images --no-validate

# Then answer the prompts:
# distribution ---- debian
# release --------- bookworm
# architecture ---- arm64

修改密码

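# Set root's password inside the container by running the rootfs's own passwd under chroot
# ($PREFIX quoted so the path survives word-splitting).
sudo chroot "$PREFIX/var/lib/lxc/debian/rootfs" bin/passwd
# Alternative: edit the shadow file directly
# /data/data/com.termux/files/usr/var/lib/lxc/debian/rootfs/etc/shadow
# and change "root:*:" to "root:paa5KD6arxLr2:"
# so the password becomes 123456. That field is a traditional crypt(3) hash of a publicly known
# value; change it again from inside the container (or use e.g. openssl passwd -6 for a
# SHA-512 crypt hash) before the container's sshd is reachable.

# paVmoCD4tC8O2 135096   <- author's note, kept as given (a bare line would run as a command)

# How the hash was produced: crypt(3) with salt "pa" (the first two characters of "password").
# The original wrapped this in echo $(...), a useless subshell; print the newline directly instead.
perl -e 'print crypt($ARGV[0], "password"), "\n"' 123456
# => paa5KD6arxLr2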

启动容器

# Start the container. NOTE(review): -d (daemonize) and -F (foreground) contradict each other;
# presumably the later flag wins — confirm which behaviour is intended (the boot script and the
# command list below use -d or neither).
lxc-start -n debian -d -F

添加开机启动

# Termux:Boot script: bring up cgroups and start the debian container at device boot.
vim ~/.termux/boot/1-debian
===
#!/data/data/com.termux/files/usr/bin/bash
# Same && chain as the manual step, one command per continuation line.
sudo mount -t tmpfs -o mode=755 tmpfs /sys/fs/cgroup \
  && sudo mkdir -p /sys/fs/cgroup/devices \
  && sudo mount -t cgroup -o devices cgroup /sys/fs/cgroup/devices \
  && sudo mkdir -p /sys/fs/cgroup/systemd \
  && sudo mount -t cgroup cgroup -o none,name=systemd /sys/fs/cgroup/systemd

sudo lxc-setup-cgroups
sudo lxc-start debian
===
chmod +x ~/.termux/boot/1-debian

LXC容器常用命令

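# Day-to-day LXC commands (run as root via sudo/tsu).
# List created containers
sudo lxc-ls --fancy
# -n container name, -d run as a daemon
sudo lxc-start -n debian -d
# Show container state
sudo lxc-info -n debian
# Start the container
sudo lxc-start -n debian
# Stop the container
sudo lxc-stop -n debian
# Delete the container (removes its rootfs)
sudo lxc-destroy -n debian

# Freeze the container (all of its processes block until unfrozen)
sudo lxc-freeze -n debian
# Unfreeze the container
sudo lxc-unfreeze -n debian

# Attach to the container's console
sudo lxc-console -n debian

# Detach — this is a key chord, not a command (the original listed it as a bare line,
# which a shell would try to execute):
# Type <Ctrl+a q> to exit the console

# Re-attach
sudo lxc-console -n debian
# <Ctrl+a Ctrl+a> to enter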

系统只读

# Entering the container needs / remounted first with suid allowed (presumably because
# Android mounts it nosuid); -n skips updating /etc/mtab
mount -n -o remount,suid /

没有网络

# Inside the container: Android's paranoid networking only lets members of gid 3003 (AID_INET)
# open sockets, so the apt user (and anyone else needing the network) must be in that group.
groupadd -g 3003 aid_inet
usermod -G nogroup -g aid_inet _apt

# NOTE(review): the manual edits below look like an alternative to the two commands above;
# running both appends a second aid_inet line to /etc/group — confirm and use one or the other.
echo "aid_inet:x:3003:" >> /etc/group
vim /etc/passwd
# change _apt's group id field to 3003
# _apt:x:123:3003::/nonexistent:/bin/false
vim /etc/group
# add _apt to nogroup
# nogroup:x:65534:_apt

# For ordinary users, set the group id field to 3003 the same way
vim /etc/passwd

# Gets reset, so this has to be run again each time (the rc.local section below automates it)
echo "nameserver 8.8.8.8" > /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
配置路由
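# Host-side routing so the host-networked container gets a default route.
# The gateway is taken from "ip route get", quoted, and the script aborts if it is empty so
# ip never receives the malformed "default via dev wlan0" (the original's unquoted $getway
# silently produced exactly that).
gateway=$(sudo ip route get 8.8.8.8 | awk '{ for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }')
: "${gateway:?no default gateway found in 'ip route get 8.8.8.8'}"
sudo ip rule add pref 1 from all lookup main
sudo ip rule add pref 2 from all lookup default
# wlan0: change if the uplink differs (it appears as "dev <name>" in the same ip route get output)
sudo ip route add default via "$gateway" dev wlan0
sudo ip rule add from all lookup main pref 30000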
调整防火墙
apt install iptables
# Flush every rule in the filter table. Because the container shares the host network namespace,
# this also drops any host-side filter rules; review them with "iptables -S" first.
iptables -t filter -F
添加到 rc.local
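# Make /etc/rc.local run at boot inside the container: give rc-local.service an [Install] section.
vim /lib/systemd/system/rc-local.service
# At the end, after a blank line, add:
===
[Install]
WantedBy=multi-user.target
Alias=rc-local.service
===

# rc.local runs as root, so the original sudo prefixes were redundant (and may fail if sudo is
# absent in the container); they are dropped. The gateway is quoted and checked before use.
vim /etc/rc.local
===
#!/bin/sh

mount -n -o remount,suid /

systemctl start systemd-resolved
echo "nameserver 8.8.8.8" > /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved

# Default gateway as seen from the (shared) host network namespace; abort with a message
# instead of running the malformed "ip route add default via dev wlan0".
gateway=$(ip route get 8.8.8.8 | awk '{ for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }')
: "${gateway:?rc.local: no default gateway found}"
ip rule add pref 1 from all lookup main
ip rule add pref 2 from all lookup default
ip route add default via "$gateway" dev wlan0
ip rule add from all lookup main pref 30000
update-alternatives --set iptables /usr/sbin/iptables-legacy
# Flushes all filter rules in the shared host network namespace.
iptables -t filter -F
===

chmod +x /etc/rc.local

systemctl enable rc-local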

lxc里的docker报错

下载 https://redblue.lanzouk.com/iENa411tn8qj
解压后替换 /data/data/com.termux/files/usr/var/lib/lxc/debian/rootfs/usr/bin/runc (该二进制来自第三方网盘, 替换前先核对其来源与校验和)

添加ssh启动

# Inside the container: SSH server with root login enabled
apt install openssh-server
vim /etc/ssh/sshd_config
# Change in sshd_config (between the === markers):
===
#PermitRootLogin prohibit-password
PermitRootLogin yes
===
# NOTE(review): "yes" permits root password logins, and since the container shares the host's
# network namespace the server is reachable wherever the phone is. Keeping the default
# prohibit-password (root via keys only) or a non-root user is the safer choice, particularly
# while root still has the known "123456" password from the setup step.
systemctl restart sshd
# Set the timezone to Asia/Shanghai and confirm it
sudo ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
date

映射目录

tsu
cd $PREFIX/var/lib/lxc/debian
vim config
# lxc.mount.entry = /host/path path/inside/container none bind 0 0
# NOTE(review): the target below is the container's rootfs directory itself rather than a path
# inside it; confirm the intended mount point (e.g. a subdirectory such as mnt/storage). The bind
# has no "ro" option, so the container gets full write access to the host's primary storage.
lxc.mount.entry = /storage/self/primary /data/data/com.termux/files/usr/var/lib/lxc/debian/rootfs none bind 0 0

查看电流

# Battery current (µA, per the power_supply sysfs ABI) — read it with cat; this is a path, not a command
/sys/class/power_supply/battery/current_now

proot

提取config

root 后, 提取 /proc/config.gz, 然后解压

selinux

getenforce:强制模式 enforcing, 宽容模式 permissive

切换到宽容(仅当次生效, 重启后恢复): setenforce 0

busybox mount -t cifs -o username=guest,password=,vers=3.0 //192.168.2.1/h1 /mnt/runtime/write/emulated/0/CIFS

mount -t cifs -o username=guest,password=,ro,iocharset=utf8 //192.168.1.2/h1 /mnt/runtime/write/emulated/0/CIFS

su --mount-master -c mount -o username=guest -t cifs //192.168.2.1/h1 /mnt/runtime/write/emulated/0/CIFS

alist

/usr/bin/alist admin set Xinmima --data '/etc/alist'

lxc

# Shell aliases for a second (presumably Ubuntu) container driven by scripts under /data/lxc
alias start="su -c /data/lxc/ubuntu root"

alias stop="su -c /data/lxc/stop root"

tun

# LXC config: allow the tun character device (major 10, minor 200) and bind /dev/net/tun into the container
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
# On the host: load the tun module now, and list it in modules-load.d so it loads on every boot
modprobe tun

vim /etc/modules-load.d/modules.conf
# file content: one module name per line
tun
# Verify the tun device node exists
ls -al /dev/net/tun
# Route traffic from the peer device through the main table; replace the placeholder
# "组网的设备ip" with that device's IP address
ip rule add from 组网的设备ip lookup main pref 1

docker

# Termux docker daemon config
vim $PREFIX/etc/docker/daemon.json

# set "storage-driver" to vfs (the line below is a note, not a command)
storage-driver 改为vfs

container 装回旧版

# Install docker, then swap the packaged containerd/docker for the older .deb versions below
# (the .deb files are expected in the current directory)
pkg install docker
pkg uninstall docker
pkg uninstall containerd
dpkg -i containerd_1.6.21-1_aarch64.deb
dpkg -i docker_1_20.10.24_aarch64.deb

网络

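# Host side: give the host-networked container a usable default route.
pkg install iproute2

# Gateway via a grep -P lookbehind (GNU grep). Quote it and abort if it is empty so ip never
# sees the malformed "via dev wlan0" that the original's unquoted $getway produced.
gateway=$(ip route get 8.8.8.8 | grep -oP '(?<=via )[^ ]*')
: "${gateway:?no default gateway found in 'ip route get 8.8.8.8'}"
sudo ip route add default via "$gateway" dev wlan0
sudo ip rule add from all lookup main pref 30000
sudo ip rule add pref 1 from all lookup main
sudo ip rule add pref 2 from all lookup default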

挂载

# Remount Android's / read-write so docker can create what it needs
sudo mount -o remount,rw /
# Fresh cgroup tree for dockerd
sudo mount -t tmpfs -o uid=0,gid=0,mode=755 cgroup /sys/fs/cgroup

# Start dockerd in the background with iptables management off; all of its output is discarded,
# so drop the redirect when diagnosing a daemon that does not come up
sudo dockerd --iptables=false &>/dev/null &
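# Host-side preparation for running dockerd under Termux (root required).

# Make storage writable so docker can add the files and folders it requires
sudo mount -o remount,rw /

# Mount a fresh cgroup tree: an already-running dockerd cannot mount it properly itself
sudo mount -t tmpfs -o mode=755 tmpfs /sys/fs/cgroup
sudo mkdir -p /sys/fs/cgroup/devices
sudo mount -t cgroup -o devices cgroup /sys/fs/cgroup/devices

# Ensure /var/run/ exists. mkdir -p is already a no-op when the directory is present, so the
# original "if [ ! -d ]" test was redundant. Kept without sudo as in the original — TODO confirm
# that the current user may create it when it is missing.
DIRECTORY=/var/run/
mkdir -p -- "$DIRECTORY"

# Bind docker's run directory onto the official location
sudo mount --bind /data/docker/run/ /var/run/

# Now start docker. --iptables=false is no longer needed since the network is reachable.
# stdout/stderr are discarded, so drop the redirect when the daemon fails to come up.
sudo dockerd &>/dev/null & # --iptables=false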
# Docker's data directory lives under /data/docker/lib/docker; list the volumes stored there
sudo ls /data/docker/lib/docker/volumes