Get Started with LXC: Explained with Installation Guide

Containers have been around for a while, but their recent broad adoption has transformed modern application development and deployment.

You can see containers as separate environments used for running different applications or software systems on a single computer while keeping them isolated from one another. Containers are different from virtual machines because they share the same operating system kernel as the host machine they operate on. This makes containers more lightweight and efficient. Each container has a separate view of the operating system, its processes, network, and storage. So applications running in different containers don’t interfere with each other.

There are two broad categories of containers—Linux containers (LXC) and Windows containers. While LXC run on the Linux kernel, Windows containers run on the Windows operating system.

This article explains the usage and installation of LXC. Also, we’ll compare LXC with LXD (Linux Daemon), a similar container solution.

What is LXC?

LXC was initially developed by IBM. It’s a tool used for operating-system virtualization. LXC is used to run multiple isolated Linux systems (containers) on a control host using a single Linux kernel [Source: Wikipedia].

Each LXC container has its files, processes, network interfaces, and other resources isolated from the other containers and the host system. LXC uses Linux namespaces, a kernel feature that allows the partitioning of global system resources into isolated instances. LXC also uses cgroups, another Linux kernel feature, to limit, measure, and control resource usage for processes.

By combining resource isolation through namespaces and resource control through cgroups, LXC provides a secure and efficient way to run multiple isolated Linux environments on a single host system.

How to Install LXC

Most Linux distributions offer recent versions of LXC either directly in their package repositories or through backport channels. For your first LXC experience, it is advisable to use a recent supported release for a smoother experience. If you’re using Ubuntu, Ubuntu 18.04 LTS is the recommended choice as a container host.

Now let’s go through the steps of installing LXC on Ubuntu, one of the most popular Linux distributions.

First, update your package lists by running the following command:

Then install LXC and its dependencies by running the command:

After running the preceding command, your system will have all the LXC commands available, all its templates as well as the python3 binding should you want to script LXC.

Once the installation is complete, you can verify that LXC is correctly installed by running:

You should get an output similar to this in your terminal:

Privileged and Unprivileged LXC Containers

There are two methods of using LXC—privileged and unprivileged. These methods determine the level of access and permissions granted to the container processes, affecting their isolation, security, and functionality.

How to Create Privileged LXC Containers

Privileged containers are containers created by root and run with root privileges on the host system. This grants them unrestricted access to system resources and the ability to perform operations reserved for the root user. This mode offers greater flexibility and control over system configurations, making it suitable for applications that require direct access to hardware resources or kernel modifications. However, privileged containers pose security risks. Due to their elevated privileges, any actions performed within a privileged container can affect the stability and security of the host system.

To create a privileged LXC container interactively, run the following command:

The preceding command will interactively ask for the container root filesystem type to download, including the distribution, release, and architecture. The download template shows you a list of available container images and their details.

If you want to create a container non-interactively, specify the values of the root filesystem type, the distribution, release, and architecture in your command. For example, if you want to create a container, named privileged-container, using the Ubuntu Linux distribution version 20.04 (Focal Fossa) on the AMD64 architecture, run the command:

See Linux Containers – Image server for the list of available container images and their details.

To start your privileged-container container, run the command:

After running the preceding command, use the following command to check if your container is now running:

Running the preceding command should give you an output similar to this:

You can follow the preceding steps to create as many privileged containers as you want. For a detailed list of all LXC (Linux Containers) on your system in a more readable format, run:

To remove a container, you have to first stop it using the lxc-stop command like this:

Then remove the container and it’s configuration files using the lxc-destroy command:

See LXC / Manpages for the complete list of LXC commands and their usage.

How to Create Unprivileged LXC Containers

Unprivileged LXC containers have limited access and enhanced isolation compared to privileged LXC containers. They are launched without root privileges using features like user namespaces and resource limitations. This improves security and minimizes the risk of breaching the host system.

To create an unprivileged LXC container, you need to start by creating a default container configuration file. This file should specify your preferred ID mappings and network setup. Also, you will need to configure the host to allow the unprivileged user to connect to the host network.

First, run the following commands to check if your user has user and group id ranges:

If your user has no ranges assigned, add them with the following command:

Now create an LXC config directory and default config file by running:

Now create an unprivileged container named unprivileged-container, using the Ubuntu Linux distribution version 20.04 (Focal Fossa) on the AMD64 architecture by running the command:

Once you have created your unprivileged container, check if your working directory has execute permission by running the command:

If your working directory has the execute permission, you will get an output similar to this:

If it doesn’t, you can grant it the execute permission by running the command:

Now, start the container by running the following command:

LXC vs LXD

Both LXC (Linux Containers) and LXD (Linux Daemon) are tools used for virtualization and container management on Linux systems. While LXC provides the core functionality for creating and running containers, LXD is an extension that improves LXC with additional features and capabilities. To get started with LXD, see First steps with LXD.

The following table shows the differences between LXC and LXD:

Conclusion

Linux containers have revolutionized the way applications are packaged and deployed across different environments, offering lightweight virtualization and efficient resource utilization. While LXC pioneered operating system-level virtualization on Linux, providing the core functionality for creating and managing containers, LXD has emerged as a powerful extension that enhances the container management experience. By introducing a single system daemon for managing multiple containers, host-level security features, live migration support, snapshots, and storage pooling capabilities, LXD addresses many of the shortcomings of LXC. As the adoption of containerization continues to grow, container solutions like LXD that streamline and simplify container management will become increasingly valuable.

References and further reading

https://en.wikipedia.org/wiki/LXC
https://linuxcontainers.org/lxc/getting-started/
https://ubuntu.com/server/docs/lxc-containers
https://askubuntu.com/questions/293275/what-is-lxc-and-how-to-get-started
https://documentation.ubuntu.com/lxd/en/latest/explanation/lxd_lxc/