A while ago I posted about LXC and how to use it on Ubuntu 9.10; I think it’s time to update those instructions to the current state of LXC in Ubuntu 11.04.
As a quick reminder, LXC stands for Linux Containers and uses the relatively recent cgroup and namespace features of the Linux kernel to offer something between a chroot and a virtual machine: basically a chroot, but with fine-grained resource allocation, its own network stack and its own pid namespace.
LXC is very similar to OpenVZ and Linux-VServer but doesn’t depend on kernel patches to work.
So here’s how to get it working on Ubuntu 11.04, in a much easier way than back on Ubuntu 9.10, thanks to all the work done upstream.
To get LXC working on Ubuntu 11.04, you’ll need to do the following:
- Install a few packages: lxc, debootstrap and bridge-utils
- Create a bridge interface with masquerading and a local IP address
- Create a mountpoint for the cgroup filesystem and make sure it’s mounted
- Write a network configuration file for your container
- Create your container (the template gets generated with the first container)
To make it even easier, I wrote the following script that you can start as root to do all the above.
It’ll add a “br-lxc” interface using the 192.168.254.0/24 network and configure masquerading.
The cgroup filesystem will be mounted at boot time in /cgroup.
A first container called natty01 will be created and started with IP 192.168.254.2 and default root password “root”.
The script is (I think) well commented, and I’ve clearly indicated what’s to be run once (to set up LXC) and what’s to be run for every container you may want to create.
The script can be downloaded from: http://www.stgraber.org/download/lxc-demo.sh.
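As an added illustration of the five steps above (this is not Stéphane’s lxc-demo.sh, just a script written for this article with the same values: br-lxc, 192.168.254.0/24, /cgroup, a container named natty01 at 192.168.254.2), the following POSIX shell script generates the bridge stanza, the fstab line and the per-container LXC network configuration, and only touches the system when run as root with --apply. The lxc-create template name “ubuntu” and the /etc/lxc/<name>.conf location are assumptions; check the templates shipped in /usr/lib/lxc/templates on your host.

```shell
#!/bin/sh
# Added example, not the original post's script. Generates the configuration
# fragments for the LXC setup described in the post; --apply performs the
# one-time host setup plus one container creation (root only).
BRIDGE=br-lxc
NET=192.168.254.0/24
HOST_IP=192.168.254.1
CGROUP_DIR=/cgroup

# /etc/network/interfaces stanza: a bridge with no physical ports, the host
# holding .1, and NAT applied only to traffic originating from the container
# network and leaving it (so host-to-container traffic is never masqueraded).
bridge_stanza() {
    cat <<EOF
auto $BRIDGE
iface $BRIDGE inet static
    address $HOST_IP
    netmask 255.255.255.0
    bridge_ports none
    bridge_fd 0
    post-up iptables -t nat -A POSTROUTING -s $NET ! -d $NET -j MASQUERADE
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    pre-down iptables -t nat -D POSTROUTING -s $NET ! -d $NET -j MASQUERADE
EOF
}

# /etc/fstab line so the cgroup hierarchy is mounted at boot (step 3 of the post)
cgroup_fstab_line() {
    printf 'cgroup %s cgroup defaults 0 0\n' "$CGROUP_DIR"
}

# Per-container network configuration passed to lxc-create -f (step 4):
# a veth pair attached to the bridge, with a static address in the /24.
container_config() {
    name=$1
    ip=$2
    cat <<EOF
lxc.utsname = $name
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = $BRIDGE
lxc.network.name = eth0
lxc.network.ipv4 = $ip/24
EOF
}

# One-time host setup followed by creation of one container (steps 1-5).
# Every write is guarded so re-running the script does not duplicate entries.
apply() {
    name=$1
    ip=$2
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    apt-get install -y lxc debootstrap bridge-utils
    grep -q "^auto $BRIDGE\$" /etc/network/interfaces || \
        bridge_stanza >> /etc/network/interfaces
    ifup "$BRIDGE"
    mkdir -p "$CGROUP_DIR"
    grep -q " $CGROUP_DIR cgroup " /etc/fstab || cgroup_fstab_line >> /etc/fstab
    mountpoint -q "$CGROUP_DIR" || mount "$CGROUP_DIR"
    mkdir -p /etc/lxc
    container_config "$name" "$ip" > "/etc/lxc/$name.conf"
    # Template name "ubuntu" is an assumption; the first run populates the
    # debootstrap cache, later containers reuse it.
    lxc-create -n "$name" -t ubuntu -f "/etc/lxc/$name.conf"
    lxc-start -n "$name" -d
}

# Usage: sh lxc-setup.sh --show            (print the fragments only)
#        sudo sh lxc-setup.sh --apply       (set up host, create natty01)
case "${1:-}" in
    --show)
        bridge_stanza
        cgroup_fstab_line
        container_config natty01 192.168.254.2
        ;;
    --apply)
        apply "${2:-natty01}" "${3:-192.168.254.2}"
        ;;
esac
```

Two things worth noticing about the bridge stanza from a host-hardening point of view: the MASQUERADE rule is scoped to the container network as source, rather than a blanket `-o eth0 -j MASQUERADE`, and enabling ip_forward turns the host into a router for every interface, so on a host that also has other networks attached a matching FORWARD-chain policy should accompany it.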
Once you have a container started, you can start playing with:
- Attach to a VT: lxc-console --name natty01
- Get the status: lxc-info --name natty01
- Get the list of running processes: lxc-ps --name natty01 aux
- Start/Stop containers: lxc-start/lxc-stop
Have fun!
Thanks for the lxc starting script and the article
I have started my own lxc instance and now I can install some server-related PPA packages (firebird, apache, nginx, php) when I don’t want to mess up my workstation (no virtualization support without KVM acceleration).
Also it can be cool when you have one linux-kvm instance and want to create more small instances inside that vm 🙂
Thank you, it helps a lot.
Stéphane, what is the state of LXC in Ubuntu 11.04? Is it as stable as OpenVZ or still in development?
Hi,
It’s stable in the sense that there are no crashes or stability issues that I’m aware of.
But I wouldn’t consider it “complete” or even production ready as there are some easy ways of escaping the container when you have root access within it.
So if your plan is to use LXC for a test environment or for cases where all processes will always run as a user, it should be safe to use. For uses like VPSes, I’d still recommend going with OpenVZ until LXC fixes that issue.
Thanks for your answer. I’m going to setup a virtualbox machine to try LXC. I’m going to wait to replace my OpenVZ production servers though.
Can you tell a bit more about security issues?
Here someone gives an example:
http://blog.bofh.it/debian/id_413
My doubts are:
- Is it possible to do something similar in an OpenVZ container? Why?
- How to find or track the future solution for LXC? Is there a main bug registered for this?
I just saw this, pretty handy, especially the bridge masquerading thing.
I just setup a new lxc container, though, and replacing the /etc/resolv.conf makes it complain when trying to start networking:
“resolvconf: Error: /etc/resolv.conf must be a symlink”
I re-create the symlink and manually add the nameserver line and it works, but it gets removed when I restart the container so it’s not automatic. Is there a good way to make it automatic? Bind mount the host resolv.conf?
Oh, interesting. I don’t remember seeing that error message on my containers, though I’ve mostly been using 10.04 LTS on top of a 11.04 “host”, maybe that’s the difference.
Unless you actually need resolvconf (dynamic generation of /etc/resolv.conf), I’d suggest just removing it from your container and using a good old /etc/resolv.conf.
I’m not too familiar with resolvconf, but I’d guess that it probably uses some static file as input to generate /etc/resolv.conf, so you could probably modify that file directly instead.
It might also be that resolvconf reads /etc/network/interfaces for DNS information, might be another thing to look at.
Hope it helps!
Yeah, I’m using natty on natty. I found a manpage on resolvconf online, and it looks like it does read /etc/network/interfaces, so to add the nameserver I just had to modify the eth0 stanza to:
auto eth0
iface eth0 inet static
address 192.168.254.2
netmask 255.255.255.0
gateway 192.168.254.1
dns-nameservers 8.8.8.8
The hardest part of learning some of these technologies is knowing that it really is possible to do yourself. You showed us it is possible by providing the script. Now I can study the script and learn how it works and become familiar with the process at my leisure while still having a working container I can use. Thank you very much Stéphane.
We have recently written some perl scripts, called lxctl (openvz-style config tools), for lxc management.
And we plan to transfer some virtual servers (~100 to start) from openvz to lxc. You may find these packages on http://lxc.tl/ (for ubuntu lucid)
Best regards
I just tried out Edubuntu with my kids, they loved it. I just wanted to thank you personally for making it possible to try it online before I downloaded it. I am downloading Edubuntu now and am excited that my kids are interested in learning and all the while learning about linux at the same time. Not being a big fan of windows and think that mac is overrated.
Hi, can you pls tell me how I can run C++ programs from inside a Container ?
Hi Stephane,
Wow! That was easy to set up. My goal is to create virtual machines for students to do linux security labs. Do you have any other info on this? Any suggestions? It worked on an i686. Thank you.
Regards, Paul
This is really sweet. I’ve worked extensively with OpenVZ and lxc, opting for lxc more and more, especially on Ubu where the kernel isn’t so handy, and I’m doing isolated development.
The bridge setup is magnificent!