LXC

LXC (Linux Containers) is a virtualization system making use of Linux's namespaces and cgroups. It is conceptually similar to Solaris's Zones and FreeBSD's Jails, providing more segregation than a simple chroot, without introducing the overhead of full virtualization. Additionally, unlike systemd-nspawn but similar to other OS-level virtualization technologies on Linux such as Docker, LXC optionally permits containers to be spawned by an unprivileged user.

LXD uses LXC through liblxc and its Go binding to help create and manage containers.

Introduction

Virtualization

Roughly speaking there are two main types of virtualization, container-based virtualization and full virtualization.

Container-based virtualization

Container based virtualization, such as LXC or Docker, is very fast and efficient. It's based on the premise that an OS kernel provides different views of the system to different running processes. This compartmentalization, sometimes called thick sandboxing, can be useful for ensuring access to hardware resources such as CPU and IO bandwidth, whilst maintaining security and efficiency.

Conceptually, containers are very similar to using a chroot, but offer far more isolation and control, mostly through the use of cgroups and namespaces. A chroot only provides filesystem isolation, while namespaces can provide network and process isolation. cgroups can be used to manage container resource allocation.

Full virtualization

Full virtualization and paravirtualization solutions, such as KVM, Xen, VirtualBox, and VMware, aim to simulate the underlying hardware. This method of virtualization results in an environment which provides more isolation, and is generally more compatible, but requires far more overhead.

LXC limitations

Isolation

LXC provides better isolation than a chroot, but many resources can be, or are still shared. Root users in privileged containers have the same level of system access as the root user outside of the container, unless ID mapping is in place.

If the kernel is built allowing a Magic SysRQ with CONFIG_MAGIC_SYSRQ, a container could abuse this to perform a Denial of Service.

Unprivileged Containers

By design, unprivileged containers cannot do several things which require privileged system access, such as:

• Mounting filesystems
• Creating device nodes
• Operations against a UID/GID outside of the mapped set
• Creation of network interfaces

In order to create network interfaces, LXC uses lxc-user-nic which uses setuid-root to create the network interfaces.

Different Operating Systems and Architectures

Containers cannot be used to run operating systems or software designed for other architectures or operating systems.

LXC components

Control groups

Control Groups are a multi-hierarchy, multi-subsystem resource management / control framework for the Linux kernel. They can be used for advanced resource control and accounting using groups which could apply to one or more processes.

Some of the resources cgroups can manage are^[1]:

• Memory usage.
• CPU bandwidth.
• Filesystem usage.
• Process limits.
• Block device IO bandwidth.
• Miscellaneous Devices.

The user-space access to these new kernel features is a kernel-provided filesystem, known as 'cgroup'. It is typically mounted at /sys/fs/cgroup and provides files similar to /proc and /sys, representing the running environment and various kernel configuration options.

File locations

LXC information is typically stored under:

• /etc/lxc/default.conf - The default guest configuration file. When new containers are created, these values are added.
• /etc/lxc/lxc.conf - LXC system configuration. See man lxc.conf.
• /etc/lxc/lxc-usernet - LXC configuration for user namespace network allocations.
• /var/lib/lxc/{guest_name}/config - Main guest configuration file.
• /var/lib/lxc/{guest_name}/rootfs/ - The root of the guest filesystem.
• /var/lib/lxc/{guest_name}/snaps/ - Guest snapshots.
• /var/log/lxc/{guest_name}.log - Guest startup logs.

Unprivileged locations

When running unprivileged containers, configuration files are loaded from the following locations, based on the user home:

• /etc/lxc/default.conf -> ~/.config/lxc/default.conf
• /etc/lxc/lxc.conf -> ~/.config/lxc/lxc.conf
• /var/lib/lxc/ -> ~/.local/share/lxc/ - This includes a directory for each guest.

Installation

USE flags

Kernel

The host's kernel must be configured with Control Group, namespace, and virtual networking support:

General setup  --->
   [*] POSIX Message Queues
   [*] Control Group support  --->
      [*] Memory controller
      [*] CPU controller  --->
      [*] Freezer controller
      [*] Cpuset controller
      [*] Device controller
      [*] Simple CPU accounting controller
   [*] Namespaces support  --->
      [*] UTS namespace
      [*] IPC namespace
      [*] User namespace
      [*] PID namespace
      [*] Network namespace
[*] Networking support  --->
   Networking options  --->
      [*] TCP/IP networking
      [*]  INET: socket monitoring interface 
      [*] Network packet filtering framework (Netfilter)  --->
         [*] Advanced netfilter configuration
             Core Netfilter Configuration  --->
                [*] Netfilter Xtables support (required for ip_tables)
                [*]   CHECKSUM target support
             IP: Netfilter Configuration  --->
                [*] IP tables support (required for filtering/masq/NAT)
                [*] iptables NAT support
                [*]   MASQUERADE target support
      [*] 802.1d Ethernet Bridging 
      [*]   VLAN filtering
      [*] 802.1Q/802.1ad VLAN Support
Device Drivers  --->
   [*] Network device support  --->
      [*] Network code driver support
      [*] MAC-VLAN support
      [*] Virtual ethernet pair device
File systems  --->
   [*] FUSE (Filesystem in Userspace) support

CONFIG_POSIX_MQUEUE=y
CONFIG_FUSE=y

CONFIG_CGROUPS=y
CONFIG_MEMCG=y
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CPUSETS=y

CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y

CONFIG_NET=y
CONFIG_NET_CORE=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP6_NF_TARGET_MASQUERADE=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_BRIDGE=y
CONFIG_BRIDGE_VLAN_FILTERING=y
CONFIG_VLAN_8021Q=y
CONFIG_MACVLAN=y
CONFIG_VETH=y
CONFIG_INET=y
CONFIG_INET_DIAG=y

Emerge

Network Configuration

LXC provides a variety of network options for containers. Container interfaces are defined with lxc.net.{i}.type, where i is the interface index number.

General Parameters

The following configuration options apply to all interface types, and are prefixed with lxc.net.{0}.:

• flags - Specifies an action to perform on the interface, up starts the interface on container creation, otherwise it must manually be started with ip.
• link - Specifies the host interface the container interface should be associated with.
• mtu - Specifies the container interface MTU.
• name - Defines the name which will be given to the interface within the container.
• hwaddrd - Defines the MAC address which will be allocated to the virtual interface, Xs in the supplied value will be randomized.
• ipv4.address - Specifies the interface's assigned IP address, in ip/cidr format, optionally, a broadcast address can be specified after the cidr to use one other than the last value on that network. Ex. lxc.net.0.ipv4.address = 192.168.123.1 192.168.123.32.
• ipv4.gateway - Specifies the interface's default gateway.

Interface Types

LXC offers a variety of interface types, which can be configured using lxc.net.{i}.type.

none

The none network type provides no network isolation or virtualization, and is comparable to Docker's host networking mode.

empty

The empty interface type starts the container with only a loopback interface, if no other interface is defined, the container should be isolated from the host's network.

phys

The phys interface type can be used to give a container access to a single interface on the host system. It must be used along with lxc.net.{i}.link which specifies the host interface.

lxc.net.0.type = phys
lxc.net.0.flags = up
lxc.net.0.link = eth0

veth

The veth or Virtual Ethernet Pair Device can be used to bridge or route, specified with lxc.net.{i}.mode, traffic between the host and container using virtual ethernet devices. The default mode of operation is Network bridge mode.

Bridge Mode

When the lxc.net.{i}.veth.mode is not specified, bridge mode will be used, which generally expects a link to be set to a bridge interface on the host system with lxc.net.{i}.link. If this link is not set, veth interface will be created in the container but not configured on the host.

lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = lxcbr0

Router Mode

If lxt.net.{i}.veth.mode = router, static routes are created between the addresses associated with the specified host link device and the container's veth interface. For privileged containers, ARP and NDP entries are proxied between the host interface and the container's specified gateway interface.

lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.veth.mode = router
lxc.net.0.link = eth0

vlan

The vlan interface type can be used with a host interface specified with lxc.net.{i}.link and VLAN id specified with lxc.net.{i}.vlan.id. This type is comparable to the phys type, but only the specified VLAN is shared.

lxc.net.0.type = vlan
lxc.net.0.flags = up
lxc.net.0.link = eth0
lxc.net.0.vlan.id = 100

macvlan

The macvlan interface type can be used to share a physical interface with the host. A link must be specified with lxc.net.{i}.link. The mode can be configured with lxc.net.{i}.macvlan.mode where the default mode is private mode.

private mode

Setting lxc.net.{i}.macvlan.mode = private results in a macvlan interface which cannot communicate to the devices upper_dev, or the interface which the macvlan interface is based off of.

lxc.net.0.type = macvlan
lxc.net.0.flags = up
lxc.net.0.link = eth0
lxc.net.0.macvlan.vlan = 100

vepa (Virtual Ethernet Port Aggregator)

Setting lxc.net.{i}.macvlan.mode = vepa results in a macvlan interface which operates similarly to private mode, but packets are actually sent to the switch, not virtually bridged. This allows different subinterfaces to communicate with each other using another switch.

lxc.net.0.type = macvlan
lxc.net.0.flags = up
lxc.net.0.macvlan.mode = vepa
lxc.net.0.link = eth0
lxc.net.0.macvlan.vlan = 100

bridge

Setting lxc.net.{i}.macvlan.mode = bridge results in a macvlan interface which only delivers traffic across the bridge, not allowing outbound traffic.

lxc.net.0.type = macvlan
lxc.net.0.flags = up
lxc.net.0.macvlan.mode = bridge
lxc.net.0.link = eth0
lxc.net.0.macvlan.vlan = 100
lxc.net.0.name = macvlan_bridge0

lxc.net.1.type = macvlan
lxc.net.1.flags = up
lxc.net.1.macvlan.mode = bridge
lxc.net.1.link = eth0
lxc.net.1.macvlan.vlan = 100
lxc.net.1.name = macvlan_bridge1

passthru

Only one subinterface can use lxc.net.{i}.macvlan.mode = bridge, this operates similarly to using phys or vlan mode, but offers more isolation, since the container doesn't actually get access to the physical interface, but the macvlan interface which is associated with it.

lxc.net.0.type = macvlan
lxc.net.0.flags = up
lxc.net.0.macvlan.mode = passthru
lxc.net.0.link = eth0
lxc.net.0.macvlan.vlan = 100

DNS Configuration

DNS settings can be configured by editing /etc/resolv.conf within the container like it would be done on a normal system.

Host Configuration

LXC will not automatically create interfaces for containers, even if the container is configured to use something like a bridge on the host.

OpenRC Netifrc Bridge creation

Netifrc can be used to create bridges:

bridge_lxcbr0=""
config_lxcbr0="192.168.78.1/24"

A symbolic link for this interface's init unit can be created with:

The bridge can be created with:

This bridge can be created at boot with:

Nftables NAT rules

This file will be automatically loaded if using Nftables#Modular_Ruleset_Management, but can be loaded by making the file executable and running it.

#! /sbin/nft -f

define lxc_net = 192.168.78.0/24

table inet nat {
  set nat_nets {
    type ipv4_addr
    flags interval
    elements = { $lxc_net }
  }
}

table inet nat {
  chain	postrouting {
    oifname $wan_interface ip saddr @nat_nets counter masquerade
  }
}

Service Configuration

OpenRC

To create an init script for a specific container, simply create a symbolic link from /etc/init.d/lxc to /etc/init.d/lxc.guestname:

This can be started, then set to start at boot with:

Unified Cgroups for Unprivileged Containers

If running unprivileged containers on OpenRC based systems, the rc_cgroup_mode must be changed from hybrid to unified and rc_cgroup_controllers must be populated:

...
rc_cgroup_mode="unified"
rc_cgroup_controllers="yes"
...

Systemd

To start a container by name:

To stop ii, issue:

To start it automatically at (host) system boot up, use:

Creating User Namespaces for Unprivileged Containers

Unprivileged containers require cgroups to be delegated in advance. These are not managed by LXC.

It is possible to delegate unprivileged cgroups by creating a systemd unit:

[Service]
Delegate=cpu cpuset io memory pids

Unprivileged User configuration

While it is possible to create a single LXC user to run all unprivileged containers with, it's a much better practice to create a LXC user for each container, or groups of related containers.

User Creation

To create a new user, which will be used to run dnscrypt containers:

Network Quota Allocation

Allocations for network device access must be made by editing /etc/lxc/lxc-usernet:

lxc-dnscrypt veth lxcbr0 1

Sub UID and GID mapping

Once the user has been created, subUIDs and subGIDs must be mapped.

Current mappings can be checked with:

larry:100000:65536
lxc-dnscrypt:165536:65536

larry:100000:65536
lxc-dnscrypt:165536:65536

Default container configuration creation

LXC does not create user configuration by default, ~/.config/lxc may need to be created:

Adding the user ID map information is a good base:

lxc.idmap = u 0 165536 65536
lxc.idmap = g 0 165536 65536

Guest configuration

Guest Filesystem Creation

To create the base container fileystem, to be imported with the local template, emerge can be used:

Once the build has completed, it can be archived with:

Template scripts

A number of template scripts are distributed with the LXC package. These scripts assist with generating various guest environments.

Template scripts exist at /usr/share/lxc/templates as bash scripts, but should be executed via the lxc-create tool as follows:

Download template

The download template is the easiest and most commonly used template, downloading a container from a repository.

Using download as the template-name displays a list of available guest environments to download and saves the guest image in /var/lib/lxc.

Available containers can be viewed with:

To download an Ubuntu container, selecting the lunar release, and amd64 architecture:

Local template

The local template allows a guest root filesystem to be imported from a xzipped tarball.

Create an empty metadata tarball

If using a LXC version lower than 6, start by creating a metadata tarball:

Import a stage3 tarball

LXC's local template can be used to natively import stage 3 tarballs:

Backing Store

By default, containers will use the dir backing, copying the files into a directory.

Using a backing such as btrfs will allow lxc-copy to create a new container using another container as a snapshot.

The backing type is specified with --bdev or -B:

Mount configuration

By default, LXC will not make any mounts - including ones like /proc and /sys, to create these mounts:

lxc.mount.auto = proc:mixed  # Mount /proc as rw but /proc/sys and /proc/sysrq-trigger as ro
lxc.mount.auto = sys:ro  # mount /sys read only
lxc.mount.auto = cgroup:ro  # Mount /sys/fs/cgroups read only

TTY configuration

The following configuration is taken from /usr/share/lxc/config/common.conf, it creates 1024 ptys and 4 ttys:

# Setup the LXC devices in /dev/lxc/
lxc.tty.dir = lxc

# Allow for 1024 pseudo terminals
lxc.pty.max = 1024

# Setup 4 tty devices
lxc.tty.max = 4

Init configuration

The way LXC starts a container can be adjusted with:

lxc.init.uid = 169  # Set the UID of the init process
lxc.init.gid = 169  # Set the GID of the init process
lxc.init.cmd = /usr/bin/tini /usr/bin/transmission-daemon -- -f -g /var/lib/transmission  # Tell lxc to use tini init, start transmission

Logging configuration

LXC's log level can be adjusted with lxc.log.level:

lxc.log.level = 4

File

To send log information to a file, set the file with lxc.log.file:

lxc.log.file = /var/log/containers/container_name.log

Syslog

LXC containers can be configured to send logs to syslog using lxc.log.syslog:

lxc.log.syslog = daemon

Console Logging

To log the container console, lxc.console.logfile can be used:

lxc.console.logfile = /var/log/lxc/container_console.log

Usage

Starting a container

To start a container, simply use lxc-start with the container name:

Stopping a container

A container can be stopped with lxc-stop:

lxc-console

Using lxc-console provides console access to a guest with lxc.tty = 1 defined:

lxc-attach

lxc-attach starts a process inside a running container. If no command is specified, it looks for the default shell. Therefore, you can get into the container by:

Accessing the container with sshd

A common technique to allow users direct access into a system container is to run a separate sshd inside the container. Users then connect to that sshd directly. In this way, you can treat the container just like you treat a full virtual machine where you grant external access. If you give the container a routable address, then users can reach it without using ssh tunneling.

If you set up the container with a virtual ethernet interface connected to a bridge on the host, then it can have its own Ethernet address on the LAN, and you should be able to connect directly to it without logically involving the host (the host will transparently relay all traffic destined for the container, without the need for any special considerations). You should be able to simply 'ssh <container_ip>'.

Troubleshooting

Systemd containers on an OpenRC host

To use systemd in the container, a recent enough (>=4.6) kernel version with support for cgroup namespaces is needed. Additionally the host needs to have a name=systemd cgroup hierarchy mounted. Doing so does not require running systemd on the host:

Containters freeze on 'lxc stop' with OpenRC

Please see LXD#Containters_freeze_on_.27lxc_stop.27_with_OpenRC. Just replace 'lxc exec' with 'lxc-console' or 'lxc-attach' to get console access.

newuidmap error

Packages sys-auth/pambase-20150213 and sys-apps/shadow-4.4-r2 provides newuidmap and newgidmap commands without required permissions for lxc. As result, all lxc-* commands return error like:

newuidmap: write to uid_map failed: Operation not permitted

For example:

newuidmap: write to uid_map failed: Operation not permitted
error mapping child
setgid: Invalid argument

To fix this issue, set setuid and setgid flags with command:

For more details regarding bug, see this issue: [1]

Could not set clone_children to 1 for cpuset hierarchy in parent cgroup

As of december 2017, unified cgroups recently introduced in systemd and openrc are messing things up in the realm of unprivileged containers. It's tricky to see in other distros how they solve the problem because Arch doesn't support unprivileged containers and Ubuntu Xenial is on systemd 229 (unified cgroups became the default with 233), Debian stretch is on 232.

I began looking at non-LTS ubuntu releases but I haven't figured out what they're doing yet. It involves using the new cgfsng driver which, to my knowledge, has never been made to work on Gentoo. Unprivileged containers always worked with cgmanager which is now deprecated.

To work around that on systemd, you'll have to manually set user namespaces by following "Create user namespace manually (no systemd)" instructions above, ignoring the "no systemd" part. After that, you should be good to go.

On the OpenRC side, you also have to disable unified cgroups. You do that by editing /etc/rc.conf and setting rc_cgroup_mode="legacy"

That will bring you pretty far because your unprivileged container will boot, but if you boot a systemd system, it won't be happy about not being in its cosy systemd world. You will have to manually create a systemd cgroup for it. this write up about LXC under alpine helps a lot.

tee: /sys/fs/cgroup/memory/memory.use_hierarchy: Device or resource busy

Current kernel upstream changed behavior for cgroup v1 and it is unable to change memory_hierarchy after lxc fs mount. To use this functionality, set rc_cggroup_memory_use_hierarchy="yes" in /etc/rc.conf

lxc-console: no promt / console (may be a temporary as of 2019-10)

Make sure the container spawns the right agetty / ttys, so lxc-console can connect to it. Alternatively, connect to the console.

Gentoo LXC images from jenkins server currently might not work out of the box as expected before - they don't spawn ttys because of this reported bug / fix. Try connecting with lxc-console using the "-t 0" option, which explicitly connects to the container console instead of a tty:

Alternatively, spawn more standard ttys inside the container by editing /etc/inittab:

...
# TERMINALS
x1:12345:respawn:/sbin/agetty 38400 console linux
c1:12345:respawn:/sbin/agetty 38400 tty1 linux
c2:2345:respawn:/sbin/agetty 38400 tty2 linux
#c3:2345:respawn:/sbin/agetty 38400 tty3 linux
...

See also

• Docker — a container virtualization environment
• LXD — is a next generation system container manager.
• Magic SysRq — a kernel hack that enables the kernel to listen to specific key presses and respond by calling a specific kernel function.

External resources

• CAP_SYS_ADMIN: the new root
• Stéphane Graber's LXC 1.0: Blog post series

References