LXC

Linux Containers
Developer(s)
  • Kernel: Virtuozzo, IBM, Google, Eric Biederman and others
  • Userspace: Daniel Lezcano, Serge Hallyn, Stéphane Graber and others
Initial release August 6, 2008 [1]
Stable release 6.0.0 [2] / 3 April 2024
Repository
Written in C, Shell
Operating system Linux
Platform x86, IA-64, PowerPC, SPARC, Itanium, ARM
Type OS-level virtualization
License GNU LGPL v.2.1 (some components under GNU GPL v2 and BSD)
Website linuxcontainers.org

Linux Containers (LXC) is an operating system-level virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel.

The Linux kernel provides the cgroups functionality, which allows resources (CPU, memory, block I/O, network, etc.) to be limited and prioritized without starting any virtual machines, and the namespace isolation functionality, which allows an application's view of the operating environment, including process trees, networking, user IDs and mounted file systems, to be completely isolated. [3]

LXC combines the kernel's cgroups and support for isolated namespaces to provide an isolated environment for applications. [4] Early versions of Docker used LXC as the container execution driver, [4] though LXC was made optional in v0.9 and support was dropped in Docker v1.10. [5] [6]

Overview

LXC was initially developed by IBM, as part of a collaboration between several parties looking to add namespaces to the kernel. [7] It provides operating system-level virtualization through a virtual environment that has its own process and network space, instead of creating a full-fledged virtual machine. LXC relies on the Linux kernel cgroups functionality [8] that was released in version 2.6.24. It also relies on other kinds of namespace isolation functionality, which were developed and integrated into the mainline Linux kernel.

Security

Originally, LXC containers were not as secure as other OS-level virtualization methods such as OpenVZ: in Linux kernels before 3.8, the root user of the guest system could run arbitrary code on the host system with root privileges, just as they can in chroot jails. [9] Starting with the LXC 1.0 release, it is possible to run containers as regular users on the host using "unprivileged containers". [10] Unprivileged containers are more limited in that they cannot access hardware directly. However, even privileged containers should provide adequate isolation in the LXC 1.0 security model, if properly configured. [10]
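The distinction drawn above between privileged and unprivileged containers comes down to where container uid 0 lands on the host. The following POSIX shell snippet, added here as an example and not part of the article or the LXC project, classifies a process from the contents of its `/proc/<pid>/uid_map` (or `gid_map`) in the kernel's "inside-id host-id length" format; the sample maps are constructed, with the 100000/65536 range chosen to resemble the subordinate-id ranges unprivileged LXC setups commonly use.

```shell
#!/bin/sh
# Added example: decide from a /proc/<pid>/uid_map (or gid_map) whether a
# process runs as an LXC-style "unprivileged container", i.e. whether uid 0
# inside the container maps to an unprivileged id on the host.
# Each map line reads: <first id inside> <first id on host> <range length>.

classify_id_map() {
    # $1 = contents of the map file (on a real host: cat /proc/<pid>/uid_map)
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 == 0 && $3 > 0 {
            # The range starting at inside id 0 tells us where root lands.
            print (($2 == 0) ? "privileged" : "unprivileged")
            found = 1; exit
        }
        END { if (!found) print "root-unmapped" }'
}

# Unprivileged only if neither container root uid nor root gid is host id 0;
# a uid map alone is not enough, since a gid 0 -> host 0 mapping still grants
# host root-group access to files.
container_is_unprivileged() {
    u=$(classify_id_map "$1")
    g=$(classify_id_map "$2")
    [ "$u" != privileged ] && [ "$g" != privileged ]
}

# Constructed samples (not captured from a real host).
PRIV_MAP='0 0 4294967295'     # identity map: container root == host root
UNPRIV_MAP='0 100000 65536'   # subordinate-id range: root is host uid 100000
NOROOT_MAP='1000 1000 1'      # single-user map: uid 0 has no host identity

if [ "${1:-}" = "--demo" ]; then
    classify_id_map "$PRIV_MAP"     # privileged
    classify_id_map "$UNPRIV_MAP"   # unprivileged
    classify_id_map "$NOROOT_MAP"   # root-unmapped
fi
```

Run with `--demo` to print the three classifications; on a live host, feed it `cat /proc/<pid>/uid_map` and `cat /proc/<pid>/gid_map` for the container's init process.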

Alternatives

LXC is similar to other OS-level virtualization technologies on Linux such as OpenVZ and Linux-VServer, as well as those on other operating systems such as FreeBSD jails, AIX Workload Partitions and Solaris Containers. In contrast to OpenVZ, LXC works in the vanilla Linux kernel requiring no additional patches to be applied to the kernel sources. Version 1 of LXC, which was released on 20 February 2014 as a long-term supported version, was supported for five years. [11] LXC 4.0 will be supported until June 1, 2025 and LXC 5.0 until June 1, 2027. [12]

LXD

LXD is an alternative Linux container manager, written in Go. It is built on top of LXC and aims to provide a better user experience. [13] It is a container hypervisor providing an API to manage LXC containers. [14] The LXD project was started in 2015 and was sponsored from the start by Canonical Ltd., the company behind Ubuntu. On 4 July 2023, the LinuxContainers project announced that Canonical had decided to take over the LXD project; a fork called Incus was subsequently created. [15] [16] On August 25, 2023, LXD version 5.17 was officially released under the control of Canonical, providing support for OpenZFS 2.2 delegation capabilities. [17]


References

  1. "Downloads". Linux containers. Archived from the original on 2014-11-10. Retrieved 2014-11-10.
  2. "Release v6.0.0". 3 April 2024. Retrieved 11 April 2024.
  3. Rami Rosen (May 2013). "Resource management: Linux kernel namespaces and cgroups" (PDF). CS. UCSB. Retrieved February 11, 2015.
  4. Kenlon, Seth (2020-01-30). "Exploring simple Linux containers with lxc". Red Hat. IBM. Retrieved 2023-07-05.
  5. "Docker 0.9: introducing execution drivers and libcontainer". Blog. Docker. 2014-03-10. Retrieved 2018-05-09.
  6. "1.10.0". Engine release notes. Docker. 2016-02-04. Retrieved 2020-10-06.
  7. Webb, Jordan (2022-09-13). "LXC and LXD: a different container story". LWN.net. Retrieved 2023-07-05.
  8. Koutoupis, Petros (2018-08-27). "Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC)". Linux Journal. Retrieved 2023-07-05.
  9. Marco, d'Itri (2011). "Evading from linux containers". BOFH. IT. Archived from the original on 9 January 2014. Retrieved 12 February 2014.
  10. Graber, Stéphane (1 January 2014). "LXC 1.0: Security features [6/10]". Retrieved 12 February 2014. "However, at least in Ubuntu, our default containers ship with what we think is a pretty good configuration of both the cgroup access and an extensive apparmor profile which prevents all attacks that we are aware of. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he'd find himself having the privileges of a regular user on the host."
  11. Graber, Stéphane (2013-12-20). "LXC 1.0: Your first Ubuntu container". St. Graber. Retrieved 2014-02-23.
  12. "LXC". Linux containers. Retrieved 2023-02-07.
  13. "Introduction". LXD. Linux Containers. Retrieved 2020-04-14.
  14. Parrott, Thomas. "Introduction to LXD projects". Ubuntu. Canonical. Retrieved 2023-07-05.
  15. "LXD Has been moved to Canonical". Linux Containers. 2023-07-04. Archived from the original on 2023-07-04. Retrieved 2023-07-05.
  16. Rudra, Sourav (2023-07-05). "The LXD Project Finds a New Home at Canonical". It’s Foss. Retrieved 2023-07-05.
  17. Parrott, Thomas (25 August 2023). "LXD 5.17 has been released". Ubuntu. Canonical.