LXC

Linux Containers (LXC) is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel. The Linux kernel provides the cgroups functionality that allows limitation and prioritization of resources (CPU, memory, block I/O, network, etc.) without the need for starting any virtual machines, and also the namespace isolation functionality that gives each container its own view of the operating environment, including process trees, networking, user IDs and mounted file systems. Namespaces isolate what a process can see and name; the kernel itself remains shared with the host, which is what distinguishes a container from a virtual machine for security purposes. LXC combines the kernel's cgroups and support for isolated namespaces to provide an isolated environment for applications. Early versions of Docker used LXC as the container execution driver, though LXC was made optional in v0.9 and support was dropped in Docker v1.10. References to Linux containers commonly refer to Docker containers running on Linux.


Overview

LXC provides operating system-level virtualization through a virtual environment that has its own process and network space, instead of creating a full-fledged virtual machine. LXC relies on the Linux kernel cgroups functionality that was released in version 2.6.24. It also relies on other kinds of namespace isolation functionality, which were developed and integrated into the mainline Linux kernel.


Security

Originally, LXC containers were not as secure as other OS-level virtualization methods such as OpenVZ: in Linux kernels before 3.8, the root user of the guest system could run arbitrary code on the host system with root privileges, just as they can in chroot jails. With user namespaces (complete in Linux 3.8) and starting with the LXC 1.0 release, it is possible to run containers as regular users on the host using "unprivileged containers": the container's uid 0 is mapped to an unprivileged range of host uids, so a process that breaks out of the container holds no host root privileges. Unprivileged containers are more limited in that they cannot access hardware directly. Privileged containers, whose root is the host's root, still share the kernel with the host, so their isolation rests on the restrictions applied at start-up (dropped capabilities, the seccomp profile, cgroup device access and the mandatory access control profile). In the LXC 1.0 security model even privileged containers should provide adequate isolation if properly configured; a privileged container with those restrictions relaxed is little better than a chroot.
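To make the user-ID mapping behind unprivileged containers concrete, here is an added example (not code from the LXC project or this page): it parses the `lxc.idmap` entries of a container config, and the `/proc/<pid>/uid_map` format the kernel exposes inside the container, translates container-side IDs to host IDs, and reports whether the container's root is really host root. The config fragments and the uid_map line are constructed for the example, and the function names are the author's own.

```python
"""Audit an LXC container's ID mapping: is root privileged or unprivileged?

Added example for this page, not LXC project code. It reads the
`lxc.idmap` lines of an LXC container config (the key used since LXC 2.1;
older releases spell it `lxc.id_map`) or the kernel's /proc/<pid>/uid_map
format, and translates IDs seen inside the container to host IDs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IdRange:
    """`count` IDs starting at `inside` in the container correspond to
    `count` IDs starting at `outside` on the host."""
    inside: int
    outside: int
    count: int

    def translate(self, inner_id: int) -> Optional[int]:
        if self.inside <= inner_id < self.inside + self.count:
            return self.outside + (inner_id - self.inside)
        return None


def parse_lxc_config(text: str) -> Dict[str, List[IdRange]]:
    """Collect uid ('u') and gid ('g') ranges from lxc.idmap lines.
    Other keys are ignored; a line starting with '#' is a comment."""
    maps: Dict[str, List[IdRange]] = {"u": [], "g": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ("lxc.idmap", "lxc.id_map"):
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in maps:
            raise ValueError(f"malformed idmap entry: {raw!r}")
        kind, inside, outside, count = fields
        maps[kind].append(IdRange(int(inside), int(outside), int(count)))
    return maps


def parse_proc_id_map(text: str) -> List[IdRange]:
    """Parse /proc/<pid>/uid_map or gid_map: 'inside outside count' per line.
    An ID with no entry is shown by the kernel as the overflow ID (65534 by default)."""
    ranges = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, count = (int(f) for f in line.split())
            ranges.append(IdRange(inside, outside, count))
    return ranges


def to_host(ranges: List[IdRange], inner_id: int) -> Optional[int]:
    """Host ID for a container ID, or None if the ID is not mapped."""
    for r in ranges:
        host = r.translate(inner_id)
        if host is not None:
            return host
    return None


def root_is_privileged(uid_ranges: List[IdRange]) -> bool:
    """True when container uid 0 is host uid 0.
    No mapping means no user namespace (privileged); a mapping that sends
    uid 0 to host uid 0 is just as privileged despite the namespace."""
    if not uid_ranges:
        return True
    return to_host(uid_ranges, 0) == 0


def verdict(config_text: str) -> str:
    """One-line assessment of a container config."""
    uid_ranges = parse_lxc_config(config_text)["u"]
    if root_is_privileged(uid_ranges):
        return "privileged: container root is host root"
    return f"unprivileged: container root is host uid {to_host(uid_ranges, 0)}"


# Constructed sample configs for this example (not from any real host).
PRIVILEGED_CFG = """\
lxc.uts.name = web
lxc.rootfs.path = dir:/var/lib/lxc/web/rootfs
"""

UNPRIVILEGED_CFG = PRIVILEGED_CFG + """\
# container uids/gids 0-65535 -> host 100000-165535
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""

# What /proc/self/uid_map shows inside that unprivileged container (constructed).
UID_MAP_INSIDE = "         0     100000      65536\n"

if __name__ == "__main__":
    for name, cfg in (("web-priv", PRIVILEGED_CFG), ("web-unpriv", UNPRIVILEGED_CFG)):
        print(f"{name}: {verdict(cfg)}")
    print("uid 1000 inside maps to host uid",
          to_host(parse_proc_id_map(UID_MAP_INSIDE), 1000))
```

The point of `root_is_privileged` is the second case: a config that does declare `lxc.idmap` but maps uid 0 onto host uid 0 gives a user namespace without the protection, so checking for the presence of a mapping is not enough; the check has to follow the mapping to where root actually lands.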


Alternatives

LXC is similar to other OS-level virtualization technologies on Linux such as OpenVZ and Linux-VServer, as well as those on other operating systems such as FreeBSD jails, AIX Workload Partitions and Solaris Containers. In contrast to OpenVZ, LXC works in the vanilla Linux kernel, requiring no additional patches to be applied to the kernel sources. Version 1 of LXC, which was released on 20 February 2014 as a long-term supported version, was supported for five years. LXC 3.0 will be supported until June 1, 2023; LXC 4.0 until June 1, 2025; and LXC 5.0 until June 1, 2027.


LXD

LXD is an alternative Linux container manager. It is built on top of LXC and aims to provide a better user experience.


See also

* Open Container Initiative
* Container Linux (formerly CoreOS Linux)
* Docker, a project automating deployment of applications inside software containers
* Apache Mesos, a large-scale cluster management platform based on container isolation
* Operating system-level virtualization implementations
* Proxmox Virtual Environment, an open-source server virtualization management platform supporting LXC containers and KVM
* Anbox, uses LXC to execute Android applications in other Linux distributions


External links

* IBM developerWorks article about LXC
* "Evading from Linux Containers" by Marco D'Itri
* Presentation about cgroups and namespaces, the underlying technology of Linux containers, by Rami Rosen
* Presentation about Linux Containers and the future cloud, by Rami Rosen
* LXC: Install and configure the Linux Containers
* LSS: Secure Linux containers (LWN.net)
* Introduction to Linux Containers