LXC

From Wikipedia, the free encyclopedia
Linux Containers

Developer(s):
  • Kernel: Virtuozzo, IBM, Google, Eric Biederman and others
  • Userspace: Daniel Lezcano, Serge Hallyn, Stéphane Graber and others
Initial release: August 6, 2008[1]
Stable release: 4.0.6 / 12 January 2021[2]
Written in: C, Shell
Operating system: Linux
Platform: x86, IA-64, PowerPC, SPARC, Itanium, ARM
Type: OS-level virtualization
License: GNU LGPL v2.1 (some components under GNU GPL v2 and BSD)
Website: linuxcontainers.org

Linux Containers (LXC) is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel.

The Linux kernel provides the cgroups functionality that allows limitation and prioritization of resources (CPU, memory, block I/O, network, etc.) without the need for starting any virtual machines, and also the namespace isolation functionality that allows complete isolation of an application's view of the operating environment, including process trees, networking, user IDs and mounted file systems.[3]

LXC combines the kernel's cgroups and support for isolated namespaces to provide an isolated environment for applications. Early versions of Docker used LXC as the container execution driver, though LXC was made optional in v0.9 and support was dropped in Docker v1.10.[4][5] References to Linux containers commonly refer[6] to Docker containers running on Linux.

Overview

LXC provides operating system-level virtualization through a virtual environment that has its own process and network space, instead of creating a full-fledged virtual machine. LXC relies on the Linux kernel cgroups functionality that was released in version 2.6.24. It also relies on other kinds of namespace isolation functionality, which were developed and integrated into the mainline Linux kernel.

Security

Originally, LXC containers were not as secure as other OS-level virtualization methods such as OpenVZ: in Linux kernels before 3.8, the root user of the guest system could run arbitrary code on the host system with root privileges, just as they can in chroot jails.[7] Starting with the LXC 1.0 release, it is possible to run containers as regular users on the host using "unprivileged containers".[8] Unprivileged containers are more limited in that they cannot access hardware directly. However, even privileged containers should provide adequate isolation in the LXC 1.0 security model, if properly configured.[8]
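As an added example (not code from the article or the LXC project), the following Python audits an LXC 3.x-style container config for the user-namespace mapping that separates an unprivileged container from a privileged one: it reads the `lxc.idmap` lines and reports which host uid/gid container root (id 0) lands on. The `lxc.idmap` key is a real LXC 3.x configuration key; the container names, paths and id ranges in the two sample configs are constructed.

```python
"""Audit LXC container configs for an unprivileged (user-namespace) root.
Added example, not code from the article or the LXC project; the two
sample configs are constructed. Parses LXC 3.x-style `lxc.idmap` lines."""
import re

# Constructed sample: a privileged container, no idmap lines at all.
PRIVILEGED_CONFIG = """\
lxc.uts.name = web01
lxc.rootfs.path = dir:/var/lib/lxc/web01/rootfs
"""

# Constructed sample: an unprivileged container, 65536 ids from host id 100000.
UNPRIVILEGED_CONFIG = """\
lxc.uts.name = web02
lxc.rootfs.path = dir:/home/alice/.local/share/lxc/web02/rootfs
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""

# lxc.idmap = <u|g> <container start> <host start> <count>
IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmaps(config_text):
    """Return (kind, container_start, host_start, count) tuples in file order."""
    maps = []
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            kind, c_start, h_start, count = m.groups()
            maps.append((kind, int(c_start), int(h_start), int(count)))
    return maps

def host_id(maps, kind, container_id):
    """Map a container uid ("u") or gid ("g") to the host id it really is.
    No idmap lines: host user namespace, identity mapping, container root is
    host root. Ids outside every range are unmapped: return None (the kernel
    shows them inside as the overflow id, normally 65534)."""
    if not maps:
        return container_id
    for k, c_start, h_start, count in maps:
        if k == kind and c_start <= container_id < c_start + count:
            return h_start + (container_id - c_start)
    return None

def is_unprivileged(config_text):
    """True only when container root maps to a non-root host uid and gid."""
    maps = parse_idmaps(config_text)
    return all(host_id(maps, k, 0) not in (0, None) for k in ("u", "g"))
```

Run against a real config (e.g. the `config` file in a container's directory) to confirm that root inside is an ordinary user outside, which is the property the LXC 1.0 security model relies on.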

Alternatives

LXC is similar to other OS-level virtualization technologies on Linux such as OpenVZ and Linux-VServer, as well as those on other operating systems such as FreeBSD jails, AIX Workload Partitions and Solaris Containers. In contrast to OpenVZ, LXC works in the vanilla Linux kernel requiring no additional patches to be applied to the kernel sources. Version 1 of LXC, which was released on 20 February 2014, is a long-term supported version and intended to be supported for five years.[9] LXC 2.0 and 3.0 are long-term support releases: LXC 2.0 will be supported until June 1, 2021; LXC 3.0 will be supported until June 1, 2023.[10]

LXD

LXD is a system container manager. It is an alternative to LXC's command-line tools rather than a "rewrite of LXC": it builds on top of LXC to provide a new, better user experience.[11]

See also

  • Open Container Initiative
  • Container Linux (formerly CoreOS Linux)
  • Docker, a project automating deployment of applications inside software containers
  • Apache Mesos, a large-scale cluster management platform based on container isolation
  • Operating system-level virtualization implementations
  • Proxmox Virtual Environment, an open-source server virtualization management platform supporting LXC containers and KVM
  • Anbox, uses LXC to execute Android applications in other Linux distributions

References

  1. "LXC - Linux Containers". linuxcontainers.org. Retrieved 2014-11-10.
  2. "Releases". GitHub. Retrieved 4 September 2019.
  3. Rami Rosen (May 2013). "Resource management: Linux kernel namespaces and cgroups" (PDF). cs.ucsb.edu. Retrieved February 11, 2015.
  4. "Docker 0.9: introducing execution drivers and libcontainer - Docker Blog". Docker Blog. 2014-03-10. Retrieved 2018-05-09.
  5. "Docker Engine release notes - 1.10.0 (2016-02-04)". 2016-02-04. Retrieved 2020-10-06.
  6. "Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC) | Linux Journal". www.linuxjournal.com. Retrieved 2021-07-10.
  7. d'Itri, Marco (2011). "Evading from linux containers". Archived from the original on 9 January 2014. Retrieved 12 February 2014.
  8. Graber, Stéphane (1 January 2014). "LXC 1.0: Security features [6/10]". Retrieved 12 February 2014. "However, at least in Ubuntu, our default containers ship with what we think is a pretty good configuration of both the cgroup access and an extensive apparmor profile which prevents all attacks that we are aware of. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he'd find himself having the privileges of a regular user on the host."
  9. Graber, Stéphane (2013-12-20). "LXC 1.0: Your first Ubuntu container". Stgraber.org. Retrieved 2014-02-23.
  10. "Linux Containers - LXC". linuxcontainers.org. Retrieved 2021-03-02.
  11. "Linux Containers - LXD - Introduction". linuxcontainers.org. Retrieved 2020-04-14.
