LXC quick start

Reposted 2016-05-31 15:49:53



Hard dependencies:

  • One of glibc, musl libc, uclib or bionic as your C library
  • Linux kernel >= 2.6.32

Extra dependencies for lxc-attach:

  • Linux kernel >= 3.8

Extra dependencies for unprivileged containers:

  • cgmanager or another CGroup manager configuring your system for unprivileged CGroups operation
  • A recent version of shadow including newuidmap and newgidmap
  • Linux kernel >= 3.12

Recommended libraries:

  • libcap (to allow for capability drops)
  • libapparmor (to set a different apparmor profile for the container)
  • libselinux (to set a different selinux context for the container)
  • libseccomp (to set a seccomp policy for the container)
  • libgnutls (for various checksumming)
  • liblua (for the Lua binding)
  • python3-dev (for the python3 binding)


In most cases, you'll find recent versions of LXC available for your Linux distribution,
either directly in the distribution's package repository or through some backport channel.

For your first LXC experience, we recommend you use a recent supported release,
such as a recent bugfix release of LXC 1.0.

If using Ubuntu, we recommend you use Ubuntu 14.04 LTS as your container host.
LXC bugfix releases are available directly in the distribution package repository
shortly after release and those offer a clean (unpatched) upstream experience.

Ubuntu is also one of the few (if not the only) Linux distributions to come by default
with everything that's needed for safe, unprivileged LXC containers.

On such an Ubuntu system, installing LXC is as simple as:

sudo apt-get install lxc

Your system will then have all the LXC commands available, all its templates
as well as the python3 binding should you want to script LXC.

Creating unprivileged containers as a user

Unprivileged containers are the safest containers.
Those use a map of uid and gid to allocate a range of uids and gids to a container.
That means that uid 0 (root) in the container is actually something like uid 100000
outside the container. So should something go very wrong and an attacker manages
to escape the container, they'll find themselves with about as many rights as a nobody user.

Unfortunately this also means that the following common operations aren't allowed:

  • mounting most filesystems
  • creating device nodes
  • any operation against a uid/gid outside of the mapped set

Because of that, most distribution templates simply won't work with those.
Instead you should use the "download" template which will provide you with pre-built images
of the distributions that are known to work in such an environment.

Now, everything below assumes a recent Ubuntu system or another Linux distribution which offers
a similar experience (recent kernel, recent version of shadow, cgmanager and default uid/gid allocation).

First of all, you need to make sure your user has a uid and gid map defined in /etc/subuid and /etc/subgid.
On Ubuntu systems, a default allocation of 65536 uids and gids is given to every new user on the system,
so you should already have one. If not, you'll have to use usermod to give yourself one.

Next up is /etc/lxc/lxc-usernet which is used to set network devices quota for unprivileged users.
By default, your user isn't allowed to create any network device on the host; to change that, add:

your-username veth lxcbr0 10

This means that "your-username" is allowed to create up to 10 veth devices connected to the lxcbr0 bridge.

With that done, the last step is to create an LXC configuration file.

  • Create the ~/.config/lxc directory if it doesn't exist.
  • Copy /etc/lxc/default.conf to ~/.config/lxc/default.conf
  • Append the following two lines to it:
    • lxc.id_map = u 0 100000 65536
    • lxc.id_map = g 0 100000 65536

Those values should match those found in /etc/subuid and /etc/subgid; the values above are those expected
for the first user on a standard Ubuntu system.
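The steps above (a range in /etc/subuid and /etc/subgid, a veth quota in /etc/lxc/lxc-usernet, and two matching lxc.id_map lines in ~/.config/lxc/default.conf) are easy to get out of sync if the numbers are copied by hand. The following is an added example, not part of the LXC guide: a small POSIX shell script that reads the user's real allocation and emits the lxc.id_map lines from it, and reports the veth quota the user has on a bridge. It assumes only the documented file formats ("user:start:count" in subuid/subgid, "user type bridge count" in lxc-usernet); the function names and the sample allocations in the demo are constructed for this example. The same check applies to the root case later on the page, where the range is allocated to root and the lines go into /etc/lxc/default.conf.

```shell
#!/bin/sh
# Added example, not part of the LXC guide: derive the lxc.id_map lines for a
# user from that user's allocation in /etc/subuid and /etc/subgid, and check the
# veth quota granted in /etc/lxc/lxc-usernet. Function names are this example's.
# File formats: subuid/subgid are "user:start:count"; lxc-usernet is
# "user type bridge count".

# Print "start count" for the first allocation of user $1 in file $2.
# Returns 1 (and prints nothing) when the user has no allocation there.
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1; exit }
                       END { exit !found }' "$2"
}

# Print the number of veth devices user $1 may create on bridge $2 according
# to lxc-usernet file $3, or 0 if no line grants any.
usernet_quota() {
    awk -v u="$1" -v b="$2" '$1 == u && $2 == "veth" && $3 == b { q = $4 }
                             END { print q + 0 }' "$3"
}

# Emit the two lxc.id_map lines for user $1 from subuid file $2 and subgid
# file $3 (both default to the system files). Fails if either allocation is
# missing: a container created without a mapping would not be unprivileged.
idmap_lines() {
    user=$1
    urange=$(subid_range "$user" "${2:-/etc/subuid}") ||
        { echo "error: no subuid allocation for $user" >&2; return 1; }
    grange=$(subid_range "$user" "${3:-/etc/subgid}") ||
        { echo "error: no subgid allocation for $user" >&2; return 1; }
    # Container uid/gid 0 maps to the start of the host range, "count" ids in total.
    echo "lxc.id_map = u 0 $urange"
    echo "lxc.id_map = g 0 $grange"
}

# Demo on constructed sample files laid out like a standard Ubuntu host
# (first user gets 100000/65536, the next one 165536/65536).
demo() {
    dir=$(mktemp -d)
    printf 'alice:100000:65536\nbob:165536:65536\n' > "$dir/subuid"
    printf 'alice:100000:65536\nbob:165536:65536\n' > "$dir/subgid"
    printf 'alice veth lxcbr0 10\n' > "$dir/lxc-usernet"
    echo "alice may create $(usernet_quota alice lxcbr0 "$dir/lxc-usernet") veth devices on lxcbr0"
    idmap_lines alice "$dir/subuid" "$dir/subgid"
    rm -rf "$dir"
}
demo
```

On a real host, `idmap_lines "$USER" >> ~/.config/lxc/default.conf` appends the lines derived from the system files rather than the fixed 100000/65536 example values, so a second or third user on the machine gets the range that was actually allocated to them.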

Just before you create your first container, you probably should logout and login again,
or even reboot your machine to make sure that your user is placed in the right cgroups.
(This is only required if cgmanager wasn't installed on your machine prior to you installing LXC.)

And now, create your first container with:

lxc-create -t download -n my-container

The download template will show you a list of distributions, versions and architectures to choose from.
A good example would be "ubuntu", "trusty" (14.04 LTS) and "i386".

A few seconds later your container will be created and you can start it with:

lxc-start -n my-container -d

You can then confirm its status with either of:

lxc-info -n my-container
lxc-ls -f

And get a shell inside it with:

lxc-attach -n my-container

Stopping it can be done with:

lxc-stop -n my-container

And finally removing it with:

lxc-destroy -n my-container

Creating unprivileged containers as root

To run a system-wide unprivileged container (that is, an unprivileged container started by root)
you'll need to follow only a subset of the steps above.

Specifically, you need to manually allocate a uid and gid range to root in /etc/subuid and /etc/subgid.
And then set that range in /etc/lxc/default.conf using lxc.id_map entries similar to those above.

And that's it. Root doesn't need network devices quota and uses the
global configuration file so the other steps don't apply.

Any container you create as root from that point on will be running unprivileged.

Creating privileged containers

Privileged containers are containers created by root and running as root.

Depending on the Linux distribution, they may be protected by some capability dropping, apparmor profiles,
selinux context or seccomp policies but ultimately, the processes still run as root and so you should never
give access to root inside a privileged container to an untrusted party.

If you still have to create privileged containers, it's quite simple: skip all of the configuration
described above and LXC will create privileged containers.


sudo lxc-create -t download -n privileged-container

This will create a new privileged container named "privileged-container" on your system using an image from the download template.
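Because the only thing separating a privileged container from an unprivileged one is the presence of the uid and gid maps in its config, it is worth being able to list which containers on a host are which. The following is an added example, not part of the LXC guide: a POSIX shell audit that classifies container configs by whether they carry both a "u" and a "g" lxc.id_map entry. It assumes the layout lxc-create uses (one directory per container containing a file named config) under a path you supply, /var/lib/lxc being the default for containers created by root; the function names and the sample configs in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the LXC guide: report which containers are
# privileged. A config is treated as unprivileged only if it carries both a
# "u" and a "g" lxc.id_map line; without them, root in the container is the
# host's root, which is the case the guide warns about.

# Print "unprivileged" or "privileged" for the container config file $1.
container_kind() {
    awk '
        # lines look like: lxc.id_map = u 0 100000 65536
        /^[[:space:]]*lxc\.id_map[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # strip "lxc.id_map =" and re-split
            if ($1 == "u") u = 1
            if ($1 == "g") g = 1
        }
        END {
            kind = (u && g) ? "unprivileged" : "privileged"
            print kind
        }
    ' "$1"
}

# List every container under directory $1 (one subdirectory per container,
# each holding a "config" file) together with its kind, one per line.
audit_containers() {
    for cfg in "$1"/*/config; do
        [ -f "$cfg" ] || continue
        name=$(basename "$(dirname "$cfg")")
        printf '%s %s\n' "$name" "$(container_kind "$cfg")"
    done
}

# Demo on constructed configs: "web" was created with id maps, "build" without.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/web" "$root/build"
    printf 'lxc.utsname = web\nlxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n' > "$root/web/config"
    printf 'lxc.utsname = build\nlxc.rootfs = %s/build/rootfs\n' "$root" > "$root/build/config"
    audit_containers "$root"
    rm -rf "$root"
}
demo
```

Run as `audit_containers /var/lib/lxc` (as root) to see the system-wide containers, or against ~/.local/share/lxc for a user's own; any line ending in "privileged" is a container whose root is the host's root and should not be handed to an untrusted party.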
