Besides the regular LXC container configuration described here
Some additional steps have to be taken.
/var/lib/lxc/kde/configThe full configuration should look like this.
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64
# Container specific configuration
#lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lib/lxc/kde/rootfs
lxc.uts.name = kde
# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.hwaddr = 00:16:3e:ab:b6:e6
lxc.net.0.flags = up
# Enable auto start of this container.
lxc.start.auto = 1
# Delay start this container 45 seconds from when the host starts.
lxc.start.delay = 15
# Add iptables rule when starting and stopping.
lxc.hook.pre-start = /var/lib/lxc/kde/port-nat-hook.sh delay pre
lxc.hook.stop = /var/lib/lxc/kde/port-nat-hook.sh post
# Changes to allow access to eth0 and allow PackageKit to update packages.
lxc.apparmor.profile = unconfined
lxc.cgroup.devices.allow = c 10:200 rwm
The hook script will make the port on the host be translated to the KDE LXC container where options delay delays
the pre action so the lxc-info command does not interlock with the lxc-start command.
#!/bin/bash
# Sanity check on arguments.
if [[ -z "${1}" ]]; then
echo "Argument missing.
Usage in LXC container 'config' file:
lxc.hook.pre-start = /var/lib/lxc/<container-name>/port-nat-hook.sh delay pre
lxc.hook.stop = /var/lib/lxc/<container-name>/port-nat-hook.sh post
"
exit 1
fi
# When delayed execution run it in the background.
if [[ "$1" == "delay" ]]; then
# Remove the 'delay' argument.
shift 1
# Run this script in the background and detached from the parent.
"$0" "$@" &> /dev/null & disown %-
# Exit this script normally.
exit 0
fi
# Port to nat from host interface to LXC container ip.
from_port=3389
to_port=3389
# Form the rule as an array of options.
rule=(PREROUTING --table nat --protocol tcp --dport "${from_port}" --jump DNAT --to-destination)
# Form the filename for this container.
ipv4_file="/tmp/lxc-$LXC_NAME-ipv4-addres.txt"
# Create a rule.
if [[ "$1" == "pre" ]]; then
# Allow container to start and receive an ip.
sleep 3
# Get the ipv4 info from an other wise locking up command 'lxc-info' when in the foreground.
ipv4="$(lxc-info -in "${LXC_NAME}" | grep -o '[^ ]*$')"
# Create a signature file containing the containers ip-address.
echo -e "${ipv4}" > "${ipv4_file}"
# Finish the rule with the destination ip.
rule+=("${ipv4}:${to_port}")
# When the rule does not exist create it.
if ! iptables --check "${rule[@]}"; then
iptables --append "${rule[@]}"
fi
# Remove rule when the ipv4 file exists.
elif [[ "$1" == "post" && -f "${ipv4_file}" ]]; then
# Read the ip from the file.
IFS= read -r ipv4 < "${ipv4_file}"
# Finish the rule with the destination ip.
rule+=("${ipv4}:${to_port}")
# When the rule exists delete it.
if iptables --check "${rule[@]}"; then
iptables --delete "${rule[@]}"
fi
# Remove the file ipv4 just in case?
"${ipv4_file}"
fi
Install the package kde-desktop and xrdp to allow login in using the Remote Desktop protocol.
apt-get --yes install kde-plasma-desktop xrdp
Add the user xrdp to the group ssl-certs.
usermod -aG ssl-certs xrdp
Add pam_wallet5 cinfiguration module to file /etc/pam.d/xrdp-sesman just before
the line with @include common-auth.
auth optional pam_kwallet5.so
session optional pam_kwallet5.so auto_start
After this the wallet is open at login but the wallet needs to have the same password as the user login.
Restart the xrdp service or reboot the container to make it have effect.
For some reason to have the eth0 show as a Wired Connection 1 on the desktop in a xrdp-session a fake connection is needed.
Without it the PackageKit which is used by Plasma Discover application is not able to update packages.
nmcli con add type dummy con-name fake ifname fake0 ip4 1.2.3.4/24 gw4 1.2.3.1
Since Ubuntu 24.04 LTS the PolicyKit uses javascript files for configuring rules.
After adding or changing a rule restart the service using:
systemctl restart polkit
Polkit uses a lightweight JavaScript interpreter (based on Mozilla's SpiderMonkey engine) to evaluate the rules.
To allow a user to update/refresh package information without logging in create a
file /etc/polkit-1/rules.d/50-packagekit-refresh.rules and enter the following.
polkit.addRule(function (action, subject) {
if (([
"org.freedesktop.packagekit.system-sources-refresh",
"org.freedesktop.packagekit.package-install",
"org.freedesktop.packagekit.upgrade-system",
"org.freedesktop.packagekit.trigger-offline-update"
].indexOf(action.id) !== -1) &&
subject.isInGroup("sudo")) {
return polkit.Result.YES;
}
});
The part subject.isInGroup("sudo") checks if the user is in the group of sudoers.
In the container Guest OS create a file /etc/polkit-1/rules.d/50-xrdp-network.rules.
This prevents the user to modify the network configuration or to disconnect network connections just needed for the proper working of the PackageKit software.
polkit.addRule(function (action, subject) {
if (([
"org.freedesktop.NetworkManager.settings.modify.system",
"org.freedesktop.NetworkManager.network-control",
"org.freedesktop.NetworkManager.enable-disable-network",
"org.freedesktop.NetworkManager.enable-disable-wifi",
"org.freedesktop.NetworkManager.sleep-wake"
].indexOf(action.id) !== -1) && subject.local == false && subject.active == true) {
return polkit.Result.NO;
}
});
Where:
subject.local == false: Checks if the session is remote.subject.active == true: Ensures the rule only applies to active sessions.In the container Guest OS create a file /etc/polkit-1/rules.d/50-xrdp-shutdown-reboot.rules to
create a Polkit rule to restrict Reboot and Power-Off options from the menu.
polkit.addRule(function (action, subject) {
if (([
"org.freedesktop.login1.reboot",
"org.freedesktop.login1.power-off"
].indexOf(action.id) !== -1) && subject.local == false && subject.active == true) {
return polkit.Result.NO;
}
});
Install the package freerdp or freerdp3 on Linux.
FreeRDP is an open source and free remote desktop client application.
Options between the version are not all compatible so bellow 2 sets of options to make it work optimal.
Compared to the Windows Remote Desktop Client the option /dynamic-resolution allows resizing the
desktop on command even when connecting to Windows guest OS-es.
xfreerdp Version 2Recommended options for the application version 2:
xfreerdp \
-bpp:32 \
/dynamic-resolution \
/cert-ignore \
+offscreen-cache \
/gfx:RFX \
+gfx-progressive \
+glyph-cache \
+window-drag \
+video \
/sound:sys:pulse \
/microphone:sys:pulse \
+home-drive \
/gdi:hw \
/t:"FreeRDP v2 (ubuntu@10.0.3.210)" \
/size:1910x1460 \
/v:10.0.3.210:3389 \
/u:ubuntu \
+fonts \
+aero \
+clipboard \
/compression-level:2 \
/log-level:OFF \
/from-stdin:force
xfreerdp3 Version 3Recommended options for the application version 3:
xfreerdp3 \
-bpp:32 \
/dynamic-resolution \
/cert:ignore \
/cache:bitmap:on,offscreen:on,progressive:on,glyph:on,RFX:on,thin-client:on \
/d: +window-drag \
+video \
/sound:sys:pulse \
/microphone:sys:pulse \
+home-drive \
/gdi:hw \
/t:"FreeRDP v3 (ubuntu@10.0.3.210)" \
/size:1900x800 \
/v:10.0.3.210:3389 \
/u:ubuntu \
+fonts \
+aero \
+clipboard \
/compression-level:2 \
/log-level:OFF \
/from-stdin:force