Installation (on Gentoo)

Installation proceeded fine using the usual methods. The kernel configuration for this package is rather critical. Recent versions of the linux kernel (5.2?) have replaced the NF_NAT_MASQUERADE_IPV4 and NF_NAT_MASQUERADE_IPV6 kernel options with a version agnostic NF_NAT_MASQUERADE option. LXD may complain about this when it installs. Additionally, it requires full ipv6 support for iptables, even when the ipv6 useflag is disabled, this took me a while to realise.

Graphical applications in containers with xpra

Graphical applications can be run in the container using ssh forwarding. An arguably better solution is using xpra; it allows reattaching to the running sessions after a loss of the network. I currently run spotify in the container using xpra start ssh/cerium --start-child spotify, which uses ssh as the transport and authentication mechanism. Both the host and the container need to have xpra installed.

The Snappy package manager appears not to work

When installing spotify using the snappy package manager on an ubuntu container, it complains about not being allowed to mount a squashfs container:

$ lxc exec cerium -- snap install spotify
error: system does not fully support snapd: cannot mount squashfs image using "squashfs":
       mount: /tmp/sanity-mountpoint-808218672: mount failed: Operation not permitted.

I'm sure the workaround for this is relatively straightforward once I've figured it out what it is. In the mean time, installing spotify from the debian package was the easier solution.

Networking

I've resolved to creating a network bridge managed by the OS rather than LXD itself. The host machine already sits behind a NAT and the automagical networking that LXD was doing was causing some hard to diagnose issues.