Container management with LXC
Worlds Apart
Chroot lets you run a largely autonomous guest system on a computer, without the need to emulate hardware. The LXC container management tool refines this technique with a comprehensive range of additional functions.
Chroot seals off parts of a directory tree against a break-out, thus isolating users, groups, or special services in an area that is harmless for the rest of the system. FreeBSD refined the concept with "Jails," Solaris with "Zones," and Linux with container services such as LXC [1]. LXC does not use virtual machines, as VMware does; instead, it creates a virtual environment with its own processes that shares the kernel of the host system.
Getting Started
The following exercise uses Debian 8.0 "jessie" as the host, but it can also be transferred to other systems like openSUSE or Ubuntu with minor changes.
To begin, you need to install the lxc, lxctl, and libvirt-bin packages, including the dependencies required by the package manager (e.g., debootstrap). If you have a custom kernel, you need to enable control groups (cgroups), which you can check with the command:
lxc-checkconfig
Depending on the installation source, creating the root filesystem for a container can take some time. On Debian, perform this task with the command:
$ LANG=en_US.UTF-8 SUITE=jessie MIRROR=http://httpredir.debian.org/debian lxc-create -n debian8 -t debian
The LANG variable defines the language settings, and SUITE defines the desired template. The -n option lets you assign the container name (Figure 1). Subsystem templates created with the -t option come from the /usr/share/lxc/templates/ directory. However, you have a shorter way to accomplish the same thing, as an alternative proposal from the Debian wiki [2] for creating the container shows:
$ lxc-create -n debian8 -t debian -- -r jessie
After successful installation, the procedure ends by outputting a randomly generated root password, which you should write down and change with the passwd command when you first log in to the container. Entering lxc-ls lists all existing containers.
To access the container you just created at a local level, launch it with the
lxc-start -n debian8 -d
command. As with almost all lxc commands, you use the -n option to name the container (Figure 2). Make sure you enter the -d option when starting; otherwise, the login prompt appears, and you cannot kill it in the same terminal! Now request a console with the login prompt:
lxc-console -n debian8
To help you discover the status and process ID of an active container and to stop the current container, use the
lxc-info -n <container>
lxc-stop -n <container>
commands. For a selection of the most important control programs, see Table 1.
Table 1
Important LXC commands
Action | Command |
---|---|
Create, Clone, Delete | |
Create a container | |
Clone a container | |
Delete a container | |
Starting and Stopping | |
Start a container | |
Freeze a container | |
Continue a container | |
Stop a container | |
Information | |
List all containers | |
List all active containers | |
List all stopped containers | |
Info for a container | |
IP address of the container | |
Process ID of the container | |
Monitor a container | |
Running Applications | |
Start an application in the container | |
Network
To access the container on the network, you need to adjust the network settings on the host and guest. In both cases you need to edit the /etc/network/interfaces file. Additionally, you need to configure the network settings for the container in /var/lib/lxc/<Container>/config. To address the container with its own name on the LAN, add an entry to /etc/hosts (see the box "Network Configuration"); then, run adduser <user> to create a user in the container. Now enter
systemctl status sshd.service
to check whether the SSH server is running in the container (Figure 3). When you pop up a new terminal, log in with
ssh <user>@<container>
and respond to the prompt for the new SSH keys; the login to the shell should work. You can log off again by typing exit.
Network Configuration
In the following examples, the network is 192.168.0.0/24, with an IP address of 192.168.0.37 for the host system and 192.168.0.90 for the guest; the container name is debian8. You need to adjust the values from the listings to match your local conditions.
Listing 1 shows the changes to the /etc/network/interfaces file on the host; for correct name resolution in this case, also add the line 192.168.0.90 debian8 to the /etc/hosts file. Then, working on the host system, open the /var/lib/lxc/debian8/config file, and add the entries from Listing 2. Finally, modify the /var/lib/lxc/debian8/rootfs/etc/network/interfaces file as shown in Listing 3.
The settings configure the network card in the host as a bridge (br0 instead of eth0). The container has a virtual Ethernet (veth) interface to which br0 is connected.
After completing the changes, you first start the network on the host with the
/etc/init.d/networking restart
command. Now test the configuration by pinging the IP address of the container. To verify name resolution, you can specify the hostname instead of the IP address.
Listing 1
Host /etc/network/interfaces
Listing 2
Host /var/lib/lxc/debian8/config
Listing 3
Container Network Setup
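The bridge setup described in the "Network Configuration" box, as an added example that is not the article's own Listings 1 to 3: the hypothetical helper stage_lxc_net writes the three fragments into a staging directory so they can be reviewed before being merged into the live files. It assumes the LXC 1.x lxc.network.* keys, a /24 netmask, and the bridge-utils package for the bridge_* options; the gateway line is left out because the article does not give one.

```shell
#!/bin/sh
# stage_lxc_net ROOT NAME HOST_IP GUEST_IP  (hypothetical helper, added example)
# Writes reviewable fragments below ROOT; it never touches the live /etc.
stage_lxc_net() {
    root=$1; name=$2; host_ip=$3; guest_ip=$4
    cdir="$root/var/lib/lxc/$name"
    mkdir -p "$root/etc/network" "$cdir/rootfs/etc/network"

    # Host: the address moves from eth0 to the bridge br0, which enslaves eth0.
    cat > "$root/etc/network/interfaces.br0" <<EOF
auto br0
iface br0 inet static
    address $host_ip
    netmask 255.255.255.0
    bridge_ports eth0
    bridge_fd 0
EOF

    # Container config: one veth pair whose host end is attached to br0.
    cat > "$cdir/config.net" <<EOF
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.ipv4 = $guest_ip/24
EOF

    # Guest: static address on its end of the veth pair.
    cat > "$cdir/rootfs/etc/network/interfaces.eth0" <<EOF
auto eth0
iface eth0 inet static
    address $guest_ip
    netmask 255.255.255.0
EOF

    # Line to append to /etc/hosts on the host for name resolution.
    echo "$guest_ip $name" > "$root/etc/hosts.add"
}
```

Called as stage_lxc_net /tmp/stage debian8 192.168.0.37 192.168.0.90, it reproduces the addresses used in the box.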
Cloning Containers
To create a clone of the debian8 container, you just type:
lxc-clone -o original -n new
But this only works if you stop the guest system first. Cloning in our lab took about 20 seconds. Next, change the IP address under /var/lib/lxc/debian_clone/config and /var/lib/lxc/debian_clone/rootfs/etc/network/interfaces to suit your needs. You also need to add an appropriate entry for the cloned container to the hosts files. When you start the cloned container, try to open a connection via SSH. The configuration file of the clone might have more entries than those of the original – this is normal.
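A post-clone check for the steps above, as an added example that is not part of the original article: the hypothetical function clone_problems reports whether the clone still uses the original's IP address in either file and whether the hosts file has an entry for it. It assumes the LXC 1.x key lxc.network.ipv4 and a static address stanza in the guest; going beyond the article, it also flags SSH host keys that are byte-identical to the original's, because a copied root filesystem carries them along unless something regenerates them.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes LXC 1.x config keys.
config_ip() {   # IPv4 address (prefix length stripped) from an LXC config file
    sed -n 's/^[[:space:]]*lxc\.network\.ipv4[[:space:]]*=[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}
iface_ip() {    # first static address in a Debian interfaces file
    awk '$1 == "address" { sub(/\/.*/, "", $2); print $2; exit }' "$1"
}

# clone_problems ORIG_DIR CLONE_DIR HOSTS_FILE CLONE_NAME
# Prints one line per problem; prints nothing when the clone is distinct.
clone_problems() {
    orig=$1; clone=$2; hosts=$3; name=$4
    cip=$(config_ip "$clone/config")
    gip=$(iface_ip "$clone/rootfs/etc/network/interfaces")
    if [ -z "$cip" ] || [ "$cip" = "$(config_ip "$orig/config")" ]; then
        echo "config: clone still uses the original address '$cip'"
    fi
    if [ "$gip" != "$cip" ]; then
        echo "interfaces: guest address '$gip' does not match config '$cip'"
    fi
    if ! awk -v ip="$cip" -v n="$name" \
        '$1 == ip { for (i = 2; i <= NF; i++) if ($i == n) f = 1 } END { exit !f }' "$hosts"; then
        echo "hosts: no entry '$cip $name'"
    fi
    for key in "$orig"/rootfs/etc/ssh/ssh_host_*_key.pub; do
        [ -f "$key" ] || continue
        if cmp -s "$key" "$clone/rootfs/etc/ssh/$(basename "$key")"; then
            echo "ssh: $(basename "$key") is identical to the original's"
        fi
    done
}

# Build a constructed original/clone pair under $1 (sample data only).
make_demo() {
    for c in debian8 debian_clone; do
        mkdir -p "$1/$c/rootfs/etc/network" "$1/$c/rootfs/etc/ssh"
        echo "lxc.network.ipv4 = 192.168.0.90/24" > "$1/$c/config"
        printf 'iface eth0 inet static\n    address 192.168.0.90\n' \
            > "$1/$c/rootfs/etc/network/interfaces"
        echo "ssh-ed25519 AAAA-constructed-key root@debian8" \
            > "$1/$c/rootfs/etc/ssh/ssh_host_ed25519_key.pub"
    done
    echo "192.168.0.90 debian8" > "$1/hosts"
}
```

On a real host the call would be clone_problems /var/lib/lxc/debian8 /var/lib/lxc/debian_clone /etc/hosts debian_clone, run while both containers are stopped.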