The Linux Containers (LXC) is a virtualization environment to run multiple Linux operating systems on a single Linux operating system. To quickly understand what the LXC is, I first summarize the comparison between LXC (container-based virtualization) and KVM (hypervisor) as follows.
| LXC | KVM | |
|---|---|---|
| Guest OS | Linux only | No limit (any x86-based operating system) |
| Performance | Good | Normal |
| Security / Isolation | Normal | High |
In Ubuntu server, the LXC is managed under the package management system, apt. Therefore, it is very easy to install by executing the following command:
$sudo apt-get install lxc lxctlThe (default) base configuration of containers is located at /etc/lxc/default.conf. In this course, we will use the br0 bridge interface created in a prior class. Therefore, we edit the configuration file /etc/lxc/default.conf to use br0 instead of lxcbr0.
2lxc.network.link = br0In order to create an LXC instance, the lxc-create command can be used. The following command is a typical usage with two options; the -n option specifies the name of the instance to create, and the -t option chooses the template of the instance. Here, we use ubuntu as the template. Please refer to the man page for more details.
$sudo lxc-create -n <name> -t ubuntuTo list the instances managed by the LXC, we use the lxc-ls command. The --fancy option reports us the rich information on instances.
$sudo lxc-ls --fancyThe output of the command reports the list of instances with name, state, IPv4 and IPv6 addresses, and autostart (after the boot of the host operating system) configuration. The following is an example of the output:
NAME STATE IPV4 IPV6 AUTOSTART ------------------------------------------------ ubuntu-container STOPPED - - NO
Next, we start the created instance. The -n option specifies the name of the instance to start. The -d option is recommended to be specified to detach the instance immediately after the start of the instance.
$sudo lxc-start -n <name> -dUnlike virtual machines, the LXC provides console access to instances as the user interface instead of virtual keyboard, video and mouse. Note that virtual machines can be also operated over a virtual serial console by configuring both the operating system of the virtual machine and the virtual machine environment. The lxc-conxole command is used to connect the console to an instance. To detach the console, the sequence of Ctrl-a q is used.
$sudo lxc-console -n <name>Each container in the LXC is a set of processes isolated from each other by a namespace. Linux provides six namespaces to isolate system resources: IPC (System V IPC, POSIX message queues), network (network devices, stacks, ports, etc.), mount (mount points), PID (process IDs), user (user and group IDs), and UTS (hostname, and NIS domain name).
Since the host operating system works in a global namespace, all processes of instances are visible from the host operating system. On contrary, processes of other instances are isolated from each other, thus they are not visible from each other. The virtualization of network interfaces is similar to hypervisor software. The secondary storage is quite different from hypervisor software. In hypervisor software, virtual block devices (e.g., hard disk drives) are provisioned to virtual machines. In the LXC, filesystems under the filesystem of the host operating system but not block devices are provisioned to instances. The root of the filesystem of an instance is located under /var/lib/lxc/<name>/rootfs/. Therefore, in order to modify a file (e.g., configuration files) of instances, you can edit it by an editing tool outside from the host operating system or inside in an instance.
The default user name and password set is seriously in danger. You MUST change the password of the default user and disable the password authentication of SSH!
After creating an instance by the lxc-create command, you need to configure the network interface of the instance. Although you can edit the configuration file (i.e., /etc/network/interfaces) of the instance after starting it as you have done in the prior class, you can do it from the host operating system before starting the instance. As mentioned above, the filesystem of an instance is located at /var/lib/lxc/<name>/rootfs (in Ubuntu default), then we will edit /var/lib/lxc/<name>/rootfs/etc/network/interfaces.
$sudo edit /var/lib/lxc/<name>/rootfs/etc/network/interfacesThis time, I do not provide a sample configuration, so please take a look at the man page for /etc/network/interfaces and configure an appropriate IP address there. If you prefer to use IPv6, please let me know.