Container management with LXC

Worlds Apart

© Lead Image © Kheng Ho Toh,

© Lead Image © Kheng Ho Toh,

Article from Issue 192/2016

Chroot lets you run a largely autonomous guest system on a computer, without the need to emulate hardware. The LXC container management tool refines this technique with a comprehensive range of additional functions.

Chroot seals off parts of a directory tree against a break-out, thus isolating users, groups, or special services in an area that is harmless for the rest of the system. FreeBSD refined the concept with "Jails," Solaris with "Zones," and Linux with container services such as LXC [1]. LXC does not use virtual machines, like VMware, but creates a virtual environment with its own processes, but using a shared kernel on the host system.

Getting Started

The following exercise uses Debian 8.0 "jessie" as the host, but it can also be transferred to other systems like openSUSE or Ubuntu with minor changes.

To begin, you need to install the lxc, lxctl, and libvirt-bin packages, including the dependencies required by the package manager (e.g., debootstrap). If you have a custom kernel, you need to enable control groups (cgroups), which you can check with the command:


Depending on the installation source, creating the root filesystem for a container can take some time. On Debian, perform this task with the command:

$ LANG=en_US.UTF-8 SUITE=jessie MIRROR= lxc-create -n debian8 -t debian

The LANG switch defines the language settings, and SUITE defines the desired template. The -n option lets you assign the container name (Figure 1). Subsystem templates created with the -t option come from the /usr/share/lxc/templates/ directory. However, you have shorter way to accomplish the same thing, as an alternative proposal from the Debian wiki [2] for creating the container shows:

Figure 1: When you create a new container, LXC downloads all the required elements and more or less sets up a turnkey system.
$ lxc-create -n debian8 -t debian -- -r jessie

After successful installation, the procedure ends by outputting a randomly generated root password, which you should write down and change with the passwd command when you first log in to the container. Entering lxc-ls lists all existing containers.

To access the container you just created at a local level, launch it with the

lxc-start -n debian8 -d

command. As with almost all lxc commands, you use the -n option to name the container (Figure 2). Make sure you enter the -d option when starting; otherwise, the login prompt appears, and you cannot kill it in the same terminal! Now request a console with the login prompt:

Figure 2: After launching the container, you can log in via a terminal.
lxc-console -n debian8

To help you discover the status and process ID of an active container and to stop the current container, use the

lxc-info -n <container>
lxc-stop -n <container>

commands. For a selection of the most important control programs, see Table 1.

Table 1

Important LXC commands



Create, Clone, Delete

Create a container

lxc-create -n <container> -t <template>

Clone a container

lxc-clone -o <container> -n <NewContainer>

Delete a container

lxc-destroy -n <container>

Starting and Stopping

Start a container

lxc-start -n <container>

Freeze a container

lxc-freeze -n <container>

Continue a container

lxc-unfreeze -n <container>

Stop a container

lxc-stop -n <container>


List all containers


List all active containers

lxc-ls ---active

List all stopped containers

lxc-ls ---stopped

Info for a container

lxc-info -n <container>

IP address of the container

lxc-info -i -n <container>

Process ID of the container

lxc-info -p -n <container>

Monitor a container

lxc-monitor -n <container>

Running Applications

Start an application in the container

lxc-attach -n <container> --<command>


To access the container on the network, you need to adjust the network settings on the host and guest. In both cases you need to edit the /etc/network/interfaces file. Additionally, you need to configure the network settings for the container in /var/lib/lxc/<Container>/config. To address the container with its own name on the LAN, add an entry to /etc/hosts (see the box "Network Configuration"); then, run adduser <user> to create a user in the container. Now enter

Network Configuration

In the following examples, the network is, with an IP address of for the host system and for the guest; the container name is debian8. You need to adjust the values from the listings to match your local conditions.

Listing 1 shows the changes to the /etc/network/interfaces file on the host; for correct name resolution in this case, also add the line debian8 to the /etc/hosts file. Then, working on the host system, open the /var/lib/lxc/debian8/config file, and add the entries from Listing 2. Finally, modify the /var/lib/lxc/debian8/rootfs/etc/network/interfaces file as shown in Listing 3.

The settings configure the network card in the host as a bridge (br0 instead eth0). The container has a virtual Ethernet (veth) interface to which br0 is connected.

After completing the changes, you first start the network on the host with the

/etc/init.d/networking restart

command. Now test the configuration by pinging the IP address of the container. To verify name resolution, you can specify the hostname instead of the IP address.

Listing 1

Host /etc/network/interfaces


Listing 2

Host /var/lib/lxc/debian8/config


Listing 3

Container Network Setup


systemctl status sshd.service

to check whether the SSH server is running in the container (Figure 3). When you pop up a new terminal, log in with

Figure 3: Checking the status of the SSH daemon inside the container.
ssh <user>@<container>

and respond to the prompt for the new SSH keys; the login to the shell should work. You can log off again by typing exit.

Cloning Containers

To create a clone of the debian8 container, you just type:

lxc-clone -o original -n new

But this only works if you stop the guest system first. Cloning in our lab took about 20 seconds. Next, change the IP address under /var/lib/lxc/debian_clone/config and /var/lib/lxc/debian_clone/rootfs/etc/network/interfaces to suit your needs. You also need to add an appropriate entry for the cloned container to the hosts files. When you start the cloned container, try to open a connection via SSH. The configuration file of the clone might have more entries than those of the original – this is normal.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • LXC: Linux Containers

    LXC is fully integrated into the kernel, providing a fast and easy approach to virtualizing individual programs and whole systems on Linux without the need for patches and additional modules.

  • Podman

    Podman gives users a quick and easy way to set up a Nextcloud instance for home use.

  • Linux Dash and Cockpit

    Linux Dash and Cockpit are small-scale solutions for monitoring a cloud-hosted virtual server from home.

  • Security Lessons: cgroups and LXC

    The big virtualization tools like KVM and Xen can’t compete on a small scale with resource-spare cgroups and Linux Containers.

  • Perl: Testing Modules with Docker

    If you want to distribute your programs across multiple platforms, you need to prepare them to run in foreign environments from the start. Linux container technology and the resource-conserving Docker project let you test your own Perl modules on several Linux distributions in one fell swoop.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More