See also: software, Virtualization, Software Categories
LXC is a container-based approach to virtualization: every container shares the host's running kernel rather than booting its own, so isolation is provided by kernel features (namespaces and cgroups), not by a hypervisor.
Information about Linux Containers (aka lxc)
Unprivileged containers allow users to create and administer containers without having any root privilege. The feature underpinning this is called user namespaces. User namespaces are hierarchical: privileged tasks in a parent namespace can map its ids into child namespaces. By default every task on the host runs in the initial user namespace, where the full range of ids is mapped onto the full range. This can be seen by looking at /proc/self/uid_map and /proc/self/gid_map, which both show "0 0 4294967295" when read from the initial user namespace (the three fields are the first id inside the namespace, the first id outside it, and the number of ids mapped).

As of Ubuntu 14.04, newly created users are by default allocated a range of subordinate ids. The assigned ranges are listed in /etc/subuid and /etc/subgid, one entry per line in the form user:start:count; see their respective manpages for more information. Subuids and subgids by convention start at id 100000 to avoid conflicting with system users.
If a user was created on an earlier release, it can be granted a range of ids using usermod, as follows:
sudo usermod -v 100000-200000 -w 100000-200000 user1
The programs newuidmap and newgidmap are setuid-root programs in the uidmap package, which lxc uses internally to map subuids and subgids from the host into the unprivileged container. They ensure that the user only maps ids which the host configuration (/etc/subuid and /etc/subgid) authorizes for that user.
To create unprivileged containers, a few first steps are needed. You will need to create a default container configuration file, specifying your desired id mappings and network setup, as well as configure the host to allow the unprivileged user to hook into the host network. The example below assumes that your mapped user and group id ranges start at 100000 and are 65536 ids long (100000-165535).
mkdir -p ~/.config/lxc
echo "lxc.id_map = u 0 100000 65536" > ~/.config/lxc/default.conf
echo "lxc.id_map = g 0 100000 65536" >> ~/.config/lxc/default.conf
echo "lxc.network.type = veth" >> ~/.config/lxc/default.conf
echo "lxc.network.link = lxcbr0" >> ~/.config/lxc/default.conf
echo "$USER veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet

The two lxc.id_map lines map container uid/gid 0 (root inside the container) onto host id 100000, and the 65536 ids above it onto the rest of the range. The lxc-usernet entry permits the named user to attach up to 2 veth interfaces to the lxcbr0 bridge.
After this, you can create unprivileged containers the same way as privileged ones, simply without using sudo.
lxc-create -t download -n u1 -- -d ubuntu -r trusty -a amd64
lxc-start -n u1 -d
lxc-attach -n u1
lxc-stop -n u1
lxc-destroy -n u1
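The configuration above hard-codes the mapping "100000 65536". As an added example (not from the Ubuntu guide or this page's author), the following POSIX sh script derives the lxc.id_map lines from the ranges actually granted in /etc/subuid and /etc/subgid, and warns when another user's range overlaps yours, which would undo the isolation between two users' unprivileged containers (root in both containers would own the same host ids). The file names, user names and id ranges it uses are constructed sample data; on a real host you would point the functions at /etc/subuid and /etc/subgid and redirect the output into ~/.config/lxc/default.conf.

```sh
#!/bin/sh
# Added example (not from the Ubuntu guide or the page author): build the
# lxc.id_map lines from the ranges the host actually granted in
# /etc/subuid and /etc/subgid, and check that no other user was granted
# an overlapping range, instead of hard-coding "100000 65536".

# subid_range USER FILE
# Print "START COUNT" for USER's first entry in a subuid/subgid-style
# file (lines are "name:start:count"). Prints nothing if USER has no entry.
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }' "$2"
}

# subid_overlaps USER FILE
# Succeed (exit 0) if any other user's range in FILE overlaps USER's.
# Overlapping ranges mean root in one user's container owns the same host
# ids as root in another user's container, so their files are not isolated.
subid_overlaps() {
    range=$(subid_range "$1" "$2")
    [ -n "$range" ] || return 1
    set -- "$1" "$2" $range          # $3 = start, $4 = count
    awk -F: -v u="$1" -v s="$3" -v e="$(( $3 + $4 - 1 ))" '
        $1 != u && $2 <= e && ($2 + $3 - 1) >= s { found = 1 }
        END { exit (found ? 0 : 1) }' "$2"
}

# id_map_lines USER SUBUID_FILE SUBGID_FILE
# Print the two lxc.id_map lines for USER, mapping container id 0 onto the
# start of the granted range. Fails if either allocation is missing.
id_map_lines() {
    uids=$(subid_range "$1" "$2")
    gids=$(subid_range "$1" "$3")
    if [ -z "$uids" ] || [ -z "$gids" ]; then
        echo "no subuid/subgid allocation for $1" >&2
        return 1
    fi
    printf 'lxc.id_map = u 0 %s\n' "$uids"
    printf 'lxc.id_map = g 0 %s\n' "$gids"
}

# Constructed sample allocation standing in for /etc/subuid and /etc/subgid
# (user1 and user2 are disjoint; "shared" was mistakenly given user1's range).
WORKDIR=$(mktemp -d)
SUBUID_FILE="$WORKDIR/subuid"
SUBGID_FILE="$WORKDIR/subgid"
cat > "$SUBUID_FILE" <<'EOF'
user1:100000:65536
user2:165536:65536
shared:100000:65536
EOF
cp "$SUBUID_FILE" "$SUBGID_FILE"

for u in user1 user2; do
    if subid_overlaps "$u" "$SUBUID_FILE"; then
        echo "WARNING: another user's subuid range overlaps $u's" >&2
    fi
    # On a real host, pass /etc/subuid /etc/subgid instead of the sample
    # files and redirect the output into ~/.config/lxc/default.conf.
    id_map_lines "$u" "$SUBUID_FILE" "$SUBGID_FILE"
done
```

Running it prints a warning for user1 (its range is duplicated by "shared") and none for user2, then emits the id_map lines for each. The overlap check only inspects the file it is given; run it against both /etc/subuid and /etc/subgid, since the two are allocated independently.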
I have some containers running under the root account on kb0odu and some running under my account.
Only running containers
timothy@kb0odu:~$ sudo lxc-ls --running -1 -f
NAME       STATE    IPV4         IPV6  AUTOSTART
------------------------------------------------
blog       RUNNING  10.50.1.70   -     NO
mysql      RUNNING  10.50.1.138  -     NO
mywiki     RUNNING  10.0.3.86    -     NO
wordpress  RUNNING  10.50.1.117  -     NO
timothy@kb0odu:~$
All containers
timothy@kb0odu:~$ sudo lxc-ls -1 -f
NAME       STATE    IPV4         IPV6  AUTOSTART
------------------------------------------------
blog       RUNNING  10.50.1.70   -     NO
mongo      STOPPED  -            -     NO
mysql      RUNNING  10.50.1.138  -     NO
mywiki     RUNNING  10.0.3.86    -     NO
postgres   STOPPED  -            -     NO
wordpress  RUNNING  10.50.1.117  -     NO
timothy@kb0odu:~$ lxc-ls -1 -f
NAME    STATE    IPV4        IPV6  AUTOSTART
--------------------------------------------
puppet  RUNNING  10.0.3.9    -     NO
tj      RUNNING  10.0.3.168  -     NO
Containers are a lightweight virtualization technology. They are more akin to an enhanced chroot than to full virtualization like Qemu or VMware, both because they do not emulate hardware and because containers share the same operating system kernel as the host. Therefore containers are better compared to Solaris zones or BSD jails. Linux-VServer and OpenVZ are two pre-existing, independently developed implementations of container-like functionality for Linux. In fact, the kernel's container support came about as a result of the work to upstream the VServer and OpenVZ functionality.
Overview
LinuX Containers (LXC) provide lightweight virtualization that lets you isolate processes and resources without the need to provide instruction interpretation mechanisms and other complexities of full virtualization.
Ubuntu ships with the latest version of LXC and is very active in the upstream development of LXC and the containers capabilities in the kernel.
The best documentation available at the moment for LXC can be found in the Server Guide: https://help.ubuntu.com/14.04/serverguide/lxc.html
A good getting started guide can be found at: https://www.stgraber.org/2012/05/04/lxc-in-ubuntu-12-04-lts/
https://help.ubuntu.com/community/LXC