Container management with LXC
Worlds Apart
Chroot lets you run a largely autonomous guest system on a computer, without the need to emulate hardware. The LXC container management tool refines this technique with a comprehensive range of additional functions.
Chroot confines a process to a subtree of the filesystem, which isolates users, groups, or individual services in an area that is largely harmless to the rest of the system. It is a convenience boundary rather than a security one, because a root process inside the chroot can still escape it. FreeBSD refined the concept with "Jails," Solaris with "Zones," and Linux with container services such as LXC [1]. Unlike VMware and other hypervisors, LXC does not run virtual machines: it creates a virtual environment with its own processes, filesystem, and network interfaces, but all containers share the host's kernel. That shared kernel is what keeps containers light, and it is also what bounds their isolation: a kernel vulnerability, or a privileged container running with more capabilities than it needs, can expose the host.
Getting Started
The following exercise uses Debian 8.0 "jessie" as the host, but it can also be transferred to other systems like openSUSE or Ubuntu with minor changes.
To begin, install the lxc, lxctl, and libvirt-bin packages, along with the dependencies the package manager pulls in (e.g., debootstrap). If you run a custom kernel, it needs control groups (cgroups) and the namespace options enabled; check with the command:
lxc-checkconfig
Depending on the installation source, creating the root filesystem for a container can take some time. On Debian, perform this task with the command:
$ LANG=en_US.UTF-8 SUITE=jessie MIRROR=http://httpredir.debian.org/debian lxc-create -n debian8 -t debian
The LANG variable sets the locale inside the new container, SUITE selects the Debian release to bootstrap (here jessie), and MIRROR the package mirror to fetch it from. The -n option assigns the container name (Figure 1). The -t option selects a template from the /usr/share/lxc/templates/ directory; the debian template is a script that runs debootstrap and writes the container's initial config. A shorter way to accomplish the same thing, taken from the Debian wiki [2], passes the release to the template directly; everything after -- goes to the template rather than to lxc-create itself:
$ lxc-create -n debian8 -t debian -- -r jessie
After a successful installation, the template prints a randomly generated root password; write it down and change it with the passwd command when you first log in to the container. Entering lxc-ls lists all existing containers.
To use the container you just created locally, launch it with the
lxc-start -n debian8 -d
command. As with almost all lxc commands, the -n option names the container (Figure 2). Be sure to pass the -d (daemon) option: without it, lxc-start stays in the foreground and hands the container's console, login prompt included, to your terminal, and you cannot stop the container from that same terminal. Now request a console with the login prompt:
lxc-console -n debian8
Log in as root with the password printed by lxc-create; Ctrl-a followed by q detaches from the console and returns you to the host shell.
To discover the status and process ID of an active container, and to stop it, use the
lxc-info -n <container>
lxc-stop -n <container>
commands. For a selection of the most important control programs, see Table 1.
Table 1
Important LXC commands
Action | Command
---|---
Create, Clone, Delete |
Create a container | lxc-create -n <container> -t <template>
Clone a container | lxc-clone -o <container> -n <clone>
Delete a container | lxc-destroy -n <container>
Starting and Stopping |
Start a container | lxc-start -n <container> -d
Freeze a container | lxc-freeze -n <container>
Continue a container | lxc-unfreeze -n <container>
Stop a container | lxc-stop -n <container>
Information |
List all containers | lxc-ls
List all active containers | lxc-ls --active
List all stopped containers | lxc-ls --stopped
Info for a container | lxc-info -n <container>
IP address of the container | lxc-info -n <container> -iH
Process ID of the container | lxc-info -n <container> -pH
Monitor a container | lxc-monitor -n <container>
Running Applications |
Start an application in the container | lxc-attach -n <container> -- <command>
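The steps above, from creating the root filesystem to stopping the container, as one script. This is an added example and not code from the article: it assumes the LXC 1.x tools from Debian jessie on the PATH and root privileges, and the container name, suite, and mirror defaults are hypothetical. The lxc_field helper is kept separate so the parsing of lxc-info output can be checked on captured text even on a machine without LXC.

```shell
#!/bin/sh
# Added example (not the article's own code): create, start, wait for,
# inspect and stop an LXC 1.x container. Assumes Debian jessie's lxc tools on
# PATH and root privileges; the defaults below are hypothetical and can be
# overridden from the environment.
set -eu

NAME="${NAME:-debian8}"
SUITE="${SUITE:-jessie}"
MIRROR="${MIRROR:-http://httpredir.debian.org/debian}"

# Pull one field (State, PID, IP) out of lxc-info output.
lxc_field() {            # usage: lxc-info -n X | lxc_field State
    awk -v want="$1:" '$1 == want { print $2; exit }'
}

# Poll until the container reports RUNNING; return 1 after <seconds> (default 15).
wait_running() {         # usage: wait_running <name> [seconds]
    left="${2:-15}"
    while [ "$left" -gt 0 ]; do
        state=$(lxc-info -n "$1" 2>/dev/null | lxc_field State || true)
        [ "$state" = "RUNNING" ] && return 0
        sleep 1; left=$((left - 1))
    done
    return 1
}

lifecycle() {
    # Create the root filesystem only if the name is not taken yet.
    # "--" separates lxc-create's own options from the template's (-r = release).
    if ! lxc-info -n "$NAME" >/dev/null 2>&1; then
        MIRROR="$MIRROR" lxc-create -n "$NAME" -t debian -- -r "$SUITE"
        echo "note the generated root password printed above; change it at first login" >&2
    fi
    # -d detaches; without it the container's console takes over this terminal.
    lxc-start -n "$NAME" -d
    wait_running "$NAME" || { echo "$NAME did not reach RUNNING" >&2; return 1; }
    lxc-info -n "$NAME"               # State, PID and (once networking is up) IP
    # Interactive use: lxc-console -n "$NAME"   (Ctrl-a q detaches again)
    lxc-stop -n "$NAME"
}

# Constructed lxc-info output (not captured from a real host), used to
# exercise lxc_field where no LXC is installed.
SAMPLE_INFO='Name:           debian8
State:          RUNNING
PID:            4242
IP:             192.168.0.90
CPU use:        1.52 seconds'

sample_state() { printf '%s\n' "$SAMPLE_INFO" | lxc_field State; }
sample_pid()   { printf '%s\n' "$SAMPLE_INFO" | lxc_field PID; }

if [ "${1:-}" = "--run" ]; then
    lifecycle
else
    echo "sample state: $(sample_state), pid: $(sample_pid)"
fi
```

Run it as sh lxc-lifecycle.sh --run; without --run it only exercises lxc_field on the constructed sample. The wait loop matters because lxc-start -d returns as soon as the container's init has been spawned, not when the container is ready for logins.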
Network
To reach the container over the network, you need to adjust the network settings on both the host and the guest. In both cases, you edit the /etc/network/interfaces file. Additionally, you configure the container's network interface in /var/lib/lxc/<Container>/config. To address the container by name on the LAN, add an entry to /etc/hosts (see the box "Network Configuration"). Then run adduser <user> inside the container to create an unprivileged user to log in with over SSH.
Network Configuration
In the following examples, the network is 192.168.0.0/24, with 192.168.0.37 as the IP address of the host system and 192.168.0.90 as that of the guest; the container name is debian8. Adjust the values from the listings to match your local conditions.
Listing 1 shows the changes to the /etc/network/interfaces file on the host. For correct name resolution in this case, also add the line 192.168.0.90 debian8 to the /etc/hosts file. Then, working on the host system, open the /var/lib/lxc/debian8/config file and add the entries from Listing 2. Finally, modify the /var/lib/lxc/debian8/rootfs/etc/network/interfaces file as shown in Listing 3.
The settings turn the host's network card into a bridge port: eth0 no longer carries an address of its own, and br0 holds the host's IP instead. The container gets a virtual Ethernet (veth) pair whose host-side end is attached to br0, so the container appears on the LAN as a separate machine with its own MAC and IP address. Note that traffic to the container is switched straight through the bridge and does not pass the host's INPUT firewall chain; treat the container as an independent host on that segment.
After completing the changes, restart networking on the host with the
/etc/init.d/networking restart
command (on jessie, systemctl restart networking does the same). Do this from the console if you can: moving eth0 into the bridge briefly drops the host's connectivity, and an SSH session may not survive it. Then (re)start the container so it picks up the new config, and test the setup by pinging the container's IP address. To verify name resolution, ping the hostname instead.
Listing 1: Host /etc/network/interfaces
Listing 2: Host /var/lib/lxc/debian8/config
Listing 3: Container Network Setup
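Since the three listings are not reproduced on this page, here is a script that renders the equivalent files from the values in the box. It is an added example, not the article's listings: the host address 192.168.0.37, the guest address 192.168.0.90, the bridge br0, and the container name debian8 come from the box, while the gateway 192.168.0.1, the use of eth0 as the physical card, and the MAC address scheme are assumptions.

```shell
#!/bin/sh
# Added example (not the article's listings, which are not reproduced here):
# renders the host interfaces file, the LXC network config, the guest
# interfaces file and the hosts line the box describes. Gateway, NIC name
# and the MAC scheme are assumptions.
set -eu

HOST_IP="${HOST_IP:-192.168.0.37}"
GUEST_IP="${GUEST_IP:-192.168.0.90}"
GATEWAY="${GATEWAY:-192.168.0.1}"      # assumed router for 192.168.0.0/24
NETMASK=255.255.255.0
BRIDGE=br0
NIC=eth0                               # assumed name of the physical card
CONTAINER="${CONTAINER:-debian8}"

# Listing 1 equivalent: host /etc/network/interfaces. eth0 loses its address
# and becomes a port of br0, which now carries the host's IP (needs bridge-utils).
render_host_interfaces() {
    cat <<EOF
auto lo
iface lo inet loopback

auto $BRIDGE
iface $BRIDGE inet static
    address $HOST_IP
    netmask $NETMASK
    gateway $GATEWAY
    bridge_ports $NIC
    bridge_fd 0
    bridge_maxwait 0
EOF
}

# Derive a stable, unique MAC suffix from the container's IP so two containers
# on the same bridge never share a hardware address (assumed scheme).
hwaddr_suffix() {        # usage: hwaddr_suffix 192.168.0.90  -> a8:00:5a
    printf '%s' "$1" | awk -F. '{ printf "%02x:%02x:%02x", $2+0, $3+0, $4+0 }'
}

# Listing 2 equivalent: lines for /var/lib/lxc/<container>/config. The veth
# pair's host end is plugged into br0; the guest end shows up as eth0 inside.
# Setting the address here too makes the interface usable before the guest's
# init runs ifup.
render_lxc_config() {    # usage: render_lxc_config <container> <ip>
    cat <<EOF
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = $BRIDGE
lxc.network.name = $NIC
lxc.network.hwaddr = 00:16:3e:$(hwaddr_suffix "$2")
lxc.network.ipv4 = $2/24
lxc.network.ipv4.gateway = $GATEWAY
EOF
}

# Listing 3 equivalent: the container's own /etc/network/interfaces.
render_guest_interfaces() {   # usage: render_guest_interfaces <ip>
    cat <<EOF
auto lo
iface lo inet loopback

auto $NIC
iface $NIC inet static
    address $1
    netmask $NETMASK
    gateway $GATEWAY
EOF
}

hosts_entry() {           # usage: hosts_entry <name> <ip>  -> "<ip> <name>"
    printf '%s %s\n' "$2" "$1"
}

# Write everything in place (root). Backups are kept because a wrong
# interfaces file on a remote host locks you out at the next restart.
apply() {
    cfg="/var/lib/lxc/$CONTAINER/config"
    rootfs="/var/lib/lxc/$CONTAINER/rootfs"
    cp /etc/network/interfaces /etc/network/interfaces.bak
    render_host_interfaces > /etc/network/interfaces
    cp "$cfg" "$cfg.bak"
    sed '/^lxc\.network/d' "$cfg.bak" > "$cfg"   # drop e.g. "lxc.network.type = empty"
    render_lxc_config "$CONTAINER" "$GUEST_IP" >> "$cfg"
    render_guest_interfaces "$GUEST_IP" > "$rootfs/etc/network/interfaces"
    grep -q "[[:space:]]$CONTAINER\$" /etc/hosts || hosts_entry "$CONTAINER" "$GUEST_IP" >> /etc/hosts
}

if [ "${1:-}" = "--apply" ]; then
    apply
else                      # default: print the fragments for review
    echo "# host /etc/network/interfaces";            render_host_interfaces
    echo "# /var/lib/lxc/$CONTAINER/config (append)"; render_lxc_config "$CONTAINER" "$GUEST_IP"
    echo "# container /etc/network/interfaces";       render_guest_interfaces "$GUEST_IP"
    echo "# /etc/hosts";                              hosts_entry "$CONTAINER" "$GUEST_IP"
fi
```

Without arguments, it prints the four fragments for review; with --apply, it writes them in place as root, keeping .bak copies. The bridge_* options need the bridge-utils package. If the generated config already contains lxc.network.type = empty (Debian's /etc/lxc/default.conf supplies this), the script removes the old lxc.network lines first so the container does not end up with two network definitions.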
Back in the container, run
systemctl status sshd.service
to check whether the SSH server is running (Figure 3). Open a new terminal, log in with
ssh <user>@<container>
and accept the prompt for the container's new host key, noting the fingerprint; the login to the shell should work. You can log off again by typing exit.
Cloning Containers
To create a clone of the debian8 container, you just type:
lxc-clone -o original -n new
This only works if you stop the guest system first. Cloning in our lab took about 20 seconds. Next, change the IP address in /var/lib/lxc/debian_clone/config and /var/lib/lxc/debian_clone/rootfs/etc/network/interfaces to suit your needs (the paths assume the clone was named debian_clone), and add a matching entry for the clone to the hosts files. lxc-clone assigns the clone a new MAC address but copies the root filesystem as is, SSH host keys included, so regenerate them in the clone before you rely on it (delete /etc/ssh/ssh_host_* and run dpkg-reconfigure openssh-server inside the container). When you start the cloned container, try to open a connection via SSH. The clone's configuration file might have more entries than the original's; this is normal.