LXC

| LXC | |
|---|---|
| Initial release | August 6, 2008[1] |
| Stable release | 6.0.0[2] / 3 April 2024 |
| License | GNU LGPL v2.1 (some BSD and GNU GPL v2) |
| Website | linuxcontainers.org |
Linux Containers (LXC) is an
The
LXC combines the kernel's cgroups and support for isolated namespaces to provide an isolated environment for applications.[4] Early versions of Docker used LXC as the container execution driver,[4] though LXC was made optional in v0.9 and support was dropped in Docker v1.10.[5][6]
Overview
LXC was initially developed by IBM, as part of a collaboration between several parties looking to add namespaces to the kernel.[7] It provides operating system-level virtualization through a virtual environment that has its own process and network space, instead of creating a full-fledged virtual machine. LXC relies on the Linux kernel's cgroups functionality,[8] released in version 2.6.24, for resource control, and on the kernel's namespace isolation (process, network, mount, IPC, hostname and, later, user namespaces), which was developed and integrated into the mainline Linux kernel over several releases.
Security
Originally, LXC containers were not as secure as other OS-level virtualization methods such as OpenVZ: in Linux kernels before 3.8, which introduced user namespaces, uid 0 inside a container was the same uid 0 as on the host, so the root user of the guest system could run arbitrary code on the host system with root privileges, just as root can break out of a chroot jail.[9] Starting with the LXC 1.0 release, containers can be run by regular users on the host as "unprivileged containers": container uids and gids are mapped through a user namespace onto an unprivileged range of host ids, so an attacker who escapes the container holds only the privileges of a regular host user.[10] Unprivileged containers are more limited in that they cannot access hardware directly. However, even privileged containers should provide adequate isolation in the LXC 1.0 security model if properly configured, that is, with restricted cgroup device access and the container confined by an AppArmor profile.[10]
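The difference between a privileged and an unprivileged container is visible in the container's configuration file. The following is an added example, not code from the LXC project: it parses the `key = value` format of lxc.container.conf(5), reports whether a container is unprivileged (whether an `lxc.idmap` entry maps container root away from host uid 0), translates a container uid to the host uid it really is, and flags two weak settings from the 1.0 security model (AppArmor set to `unconfined`, no `lxc.cgroup.devices.deny` rule). The two sample configurations and the uid range 100000-165535 are constructed for this example; the range is a typical `/etc/subuid` allocation, not one taken from a real system.

```python
"""Audit an LXC container config for the LXC 1.0 security model.

Added example, not LXC project code. Reads lxc.container.conf(5) key/value
lines, decides whether the container is unprivileged (uid/gid mapping
present), translates container ids to host ids through that mapping and
flags weak settings. The sample configs below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample: a privileged container with AppArmor switched off.
PRIVILEGED_CONF = """
lxc.uts.name = web
lxc.rootfs.path = dir:/var/lib/lxc/web/rootfs
lxc.apparmor.profile = unconfined
"""

# Constructed sample: an unprivileged container. Container uid/gid 0-65535
# land on host ids 100000-165535; all devices denied, then /dev/null allowed.
UNPRIVILEGED_CONF = """
lxc.uts.name = web
lxc.rootfs.path = dir:/home/alice/.local/share/lxc/web/rootfs
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
"""


@dataclass(frozen=True)
class IdMap:
    kind: str             # "u" for uids, "g" for gids
    container_start: int  # first id inside the container
    host_start: int       # host id that container_start maps to
    count: int            # length of the contiguous range


def parse_config(text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs in file order; repeated keys are kept."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def parse_idmaps(pairs: list[tuple[str, str]]) -> list[IdMap]:
    """Collect lxc.idmap entries (lxc.id_map is the pre-3.0 spelling)."""
    maps = []
    for key, value in pairs:
        if key in ("lxc.idmap", "lxc.id_map"):
            kind, cstart, hstart, count = value.split()
            maps.append(IdMap(kind, int(cstart), int(hstart), int(count)))
    return maps


def to_host_id(maps: list[IdMap], kind: str, container_id: int) -> Optional[int]:
    """Translate a container uid/gid to the host id it really is.

    Returns None when the id falls outside every mapped range: the container
    cannot create such an id, and host files owned by unmapped ids show up
    inside it as the kernel's overflow id (nobody, 65534 by default).
    """
    for m in maps:
        if m.kind == kind and m.container_start <= container_id < m.container_start + m.count:
            return m.host_start + (container_id - m.container_start)
    return None


def audit(text: str) -> dict:
    """Report privilege level and weak settings for one container config."""
    pairs = parse_config(text)
    maps = parse_idmaps(pairs)
    values: dict[str, list[str]] = {}
    for key, value in pairs:
        values.setdefault(key, []).append(value)

    findings = []
    root_on_host = to_host_id(maps, "u", 0)
    if root_on_host is None:
        findings.append("no uid mapping: container uid 0 is host uid 0 (privileged container)")
    elif root_on_host == 0:
        findings.append("uid mapping places container root on host uid 0")

    # lxc.aa_profile is the pre-3.0 spelling of lxc.apparmor.profile.
    profile = values.get("lxc.apparmor.profile", values.get("lxc.aa_profile", []))
    if "unconfined" in profile:
        findings.append("AppArmor confinement disabled (profile = unconfined)")

    # cgroup v1 device controller: 'deny = a' drops all device access before
    # selective allow rules; without it the container sees host devices.
    if "lxc.cgroup.devices.deny" not in values:
        findings.append("no lxc.cgroup.devices.deny rule: device access not restricted")

    return {
        "unprivileged": root_on_host not in (None, 0),
        "root_uid_on_host": root_on_host,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("privileged", PRIVILEGED_CONF), ("unprivileged", UNPRIVILEGED_CONF)):
        report = audit(conf)
        print(f"{name}: unprivileged={report['unprivileged']} root->{report['root_uid_on_host']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against `/var/lib/lxc/<name>/config` (privileged containers) or `~/.local/share/lxc/<name>/config` (unprivileged ones) to see the same report for a real container. The mapping arithmetic is the whole point of unprivileged containers: container uid 1000 in the constructed sample is host uid 101000, and an escape from such a container lands the attacker in that unprivileged host range rather than as host root.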
Alternatives
LXC is similar to other OS-level virtualization technologies on Linux such as
LXD
LXD is an alternative Linux container manager, written in
See also
- Open Container Initiative
- Container Linux (formerly CoreOS Linux)
- Docker, a project automating the deployment of applications inside software containers
- Apache Mesos, a large-scale cluster management platform based on container isolation
- Operating system-level virtualization implementations
- Proxmox Virtual Environment, an open-source server virtualization management platform supporting LXC containers and KVM
- Anbox, uses LXC to execute Android applications in other Linux distributions
References
- ^ "Downloads". Linux containers. Archived from the original on 2014-11-10. Retrieved 2014-11-10.
- ^ "Release v6.0.0". 3 April 2024. Retrieved 11 April 2024.
- ^ Rami Rosen (May 2013). "Resource management: Linux kernel namespaces and cgroups" (PDF). CS. UCSB. Retrieved February 11, 2015.
- ^ a b Kenlon, Seth (2020-01-30). "Exploring simple Linux containers with lxc". Red Hat. IBM. Retrieved 2023-07-05.
- ^ "Docker 0.9: introducing execution drivers and libcontainer". Blog. Docker. 2014-03-10. Retrieved 2018-05-09.
- ^ "1.10.0". Engine release notes. Docker. 2016-02-04. Retrieved 2020-10-06.
- ^ Webb, Jordan (2022-09-13). "LXC and LXD: a different container story". LWN.net. Retrieved 2023-07-05.
- ^ Koutoupis, Petros (2018-08-27). "Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC)". Linux Journal. Retrieved 2023-07-05.
- ^ D'Itri, Marco (2011). "Evading from Linux containers". bofh.it. Archived from the original on 9 January 2014. Retrieved 12 February 2014.
- ^ a b Graber, Stéphane (1 January 2014). "LXC 1.0: Security features [6/10]". Retrieved 12 February 2014.
However, at least in Ubuntu, our default containers ship with what we think is a pretty good configuration of both the cgroup access and an extensive apparmor profile which prevents all attacks that we are aware of. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he'd find himself having the privileges of a regular user on the host
- ^ Graber, Stéphane (2013-12-20). "LXC 1.0: Your first Ubuntu container". St. Graber. Retrieved 2014-02-23.
- ^ "LXC". Linux containers. Retrieved 2023-02-07.
- ^ "Introduction". LXD. Linux Containers. Retrieved 2020-04-14.
- ^ Parrott, Thomas. "Introduction to LXD projects". Ubuntu. Canonical. Retrieved 2023-07-05.
- ^ "LXD Has been moved to Canonical". Linux Containers. 2023-07-04. Archived from the original on 2023-07-04. Retrieved 2023-07-05.
- ^ Rudra, Sourav (2023-07-05). "The LXD Project Finds a New Home at Canonical". It’s Foss. Retrieved 2023-07-05.
- ^ Parrott, Thomas (25 August 2023). "LXD 5.17 has been released". Ubuntu. Canonical.
External links
- Official website and source code repository on GitHub
- IBM developerworks article about LXC
- "Evading from Linux Containers" by Marco D'Itri
- Presentation about cgroups and namespaces, the underlying technology of Linux containers, by Rami Rosen
- Presentation about Linux Containers and the future cloud, by Rami Rosen
- LXC : Install and configure the Linux Containers
- LSS: Secure Linux containers (LWN.net)
- Introduction to Linux Containers
- LXC on Android on YouTube, April 2013