unprivileged lxc setup

$HOME|.config|lxc|default.conf

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 3e:3f:3a:3b:3c:3d

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

.config

CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y

create_cgroup_hierarchy_for_lxc.sh

#!/bin/bash

printf '\n\033[42mCreating cgroup hierarchy\033[m\n\n'

for d in /sys/fs/cgroup/*; do
	f=$(basename $d)
	echo "looking at $f"
	if [ "$f" = "cpuset" ]; then
		echo 1 | sudo tee -a $d/cgroup.clone_children;
	elif [ "$f" = "memory" ]; then
		echo 1 | sudo tee -a $d/memory.use_hierarchy;
	fi
	sudo mkdir -p $d/$USER
	sudo chown -R $USER $d/$USER
	# add current process to cgroup
	echo $PPID > $d/$USER/tasks
done

etc|default|lxc

# LXC_AUTO - whether or not to start containers at boot
LXC_AUTO="true"

# BOOTGROUPS - What groups should start on bootup?
#	Comma separated list of groups.
#	Leading comma, trailing comma or embedded double
#	comma indicates when the NULL group should be run.
# Example (default): boot the onboot group first then the NULL group
BOOTGROUPS="onboot,"

# SHUTDOWNDELAY - Wait time for a container to shut down.
#	Container shutdown can result in lengthy system
#	shutdown times.  Even 5 seconds per container can be
#	too long.
SHUTDOWNDELAY=5

# OPTIONS can be used for anything else.
#	If you want to boot everything then
#	options can be "-a" or "-a -A".
OPTIONS=

# STOPOPTS are stop options.  The can be used for anything else to stop.
#	If you want to kill containers fast, use -k
STOPOPTS="-a -A -s"

USE_LXC_BRIDGE="false"  # overridden in lxc-net

[ ! -f /etc/default/lxc-net ] || . /etc/default/lxc-net

etc|default|lxc-net

# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
# containers.  Set to "false" if you'll use virbr0 or another existing
# bridge, or mavlan to your host's NIC.
USE_LXC_BRIDGE="true"

# If you change the LXC_BRIDGE to something other than lxcbr0, then
# you will also need to update your /etc/lxc/default.conf as well as the
# configuration (/var/lib/lxc/<container>/config) for any containers
# already created using the default config to reflect the new bridge
# name.
# If you have the dnsmasq daemon installed, you'll also have to update
# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
# Uncomment the next line if you'd like to use a conf-file for the lxcbr0
# dnsmasq.  For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have
# container 'mail1' always get ip address 10.0.3.100.
#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf

# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc
# domain.  You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)
# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf,
# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager).
# Once these changes are made, restart the lxc-net and network-manager services.
# 'container1.lxc' will then resolve on your host.
#LXC_DOMAIN="lxc"

etc|lxc|lxc-usernet

cengiz veth lxcbr0 10

etc|subgid

cengiz:100000:65536

etc|subuid

cengiz:100000:65536

prepare.sh

#!/bin/bash

sudo pacman --noconfirm -S lxc dnsmasq
sudo chmod +x $HOME
sudo systemctl enable dnsmasq && sudo systemctl start dnsmasq
sudo systemctl enable lxc-net && sudo systemctl start lxc-net

lxc-create -n mini -t download