Quite a few people have been asking for a status update of LXC in Ubuntu as of Ubuntu 12.04 LTS. This post is meant as an overview of the work we did over the past 6 months and pointers to more detailed blog posts for some of the new features.
LXC is a userspace tool controlling the kernel namespaces and cgroup features to create system or application containers.
To give you an idea:
- Feels like somewhere between a chroot and a VM
- Can run a full distro using the “host” kernel
- Processes running in a container are visible from the outside
- Doesn’t require any specific hardware, works on all supported architectures
A libvirt driver for LXC exists (libvirt-lxc), however it doesn’t use the “lxc” userspace tool even though it uses the same kernel features.
Making LXC easier
One of the main focus for 12.04 LTS was to make LXC dead easy to use, to achieve this, we’ve been working on a few different fronts fixing known bugs and improving LXC’s default configuration.
Creating a basic container and starting it on Ubuntu 12.04 LTS is now down to:
sudo apt-get install lxc sudo lxc-create -t ubuntu -n my-container sudo lxc-start -n my-container
This will default to using the same version and architecture as your machine, additional option are obviously available (–help will list them). Login/Password are ubuntu/ubuntu.
Another thing we worked on to make LXC easier to work with is reducing the number of hacks required to turn a regular system into a container down to zero.
Starting with 12.04, we don’t do any modification to a standard Ubuntu system to get it running in a container.
It’s now even possible to take a raw VM image and have it boot in a container!
The ubuntu-cloud template also lets you get one of our EC2/cloud images and have it start as a container instead of a cloud instance:
sudo apt-get install lxc cloud-utils sudo lxc-create -t ubuntu-cloud -n my-cloud-container sudo lxc-start -n my-cloud-container
And finally, if you want to test the new cool stuff, you can also use juju with LXC:
[ ! -f ~/.ssh/id_rsa.pub ] && ssh-keygen -t rsa sudo apt-get install juju apt-cacher-ng zookeeper lxc libvirt-bin --no-install-recommends sudo adduser $USER libvirtd juju bootstrap sed -i "s/ec2/local/" ~/.juju/environments.yaml echo " data-dir: /tmp/juju" >> ~/.juju/environments.yaml juju bootstrap juju deploy mysql juju deploy wordpress juju add-relation wordpress mysql juju expose wordpress # To tail the logs juju debug-log # To get the IPs and status juju status
Making LXC safer
Another main focus for LXC in Ubuntu 12.04 was to make it safe. John Johansen did an amazing work of extending apparmor to let us implement per-container apparmor profiles and prevent most known dangerous behaviours from happening in a container.
NOTE: Until we have user namespaces implemented in the kernel and used by the LXC we will NOT say that LXC is root safe, however the default apparmor profile as shipped in Ubuntu 12.04 LTS is blocking any armful action that we are aware of.
This mostly means that write access to /proc and /sys are heavily restricted, mounting filesystems is also restricted, only allowing known-safe filesystems to be mounted by default. Capabilities are also restricted in the default LXC profile to prevent a container from loading kernel modules or control apparmor.
More details on this are available here:
Other cool new stuff
Emulated architecture containers
It’s now possible to use qemu-user-static with LXC to run containers of non-native architectures, for example:
sudo apt-get install lxc qemu-user-static sudo lxc-create -n my-armhf-container -t ubuntu -- -a armhf sudo lxc-start -n my-armhf-container
Quite a bit of work also went into lxc-start-ephemeral, the tool letting you start a copy of an existing container using an overlay filesystem, discarding any change you make on shutdown:
sudo apt-get install lxc sudo lxc-create -n my-container -t ubuntu sudo lxc-start-ephemeral -o my-container
You can now start a container inside a container!
For that to work, you first need to create a new apparmor profile as the default one doesn’t allow this for security reason.
I already did that for you, so the few commands below will download it and install it in /etc/apparmor.d/lxc/lxc-with-nesting. This profile (or something close to it) will ship in Ubuntu 12.10 as an example of alternate apparmor profile for container.
sudo apt-get install lxc sudo lxc-create -t ubuntu -n my-host-container -t ubuntu sudo wget https://www.stgraber.org/download/lxc-with-nesting -O /etc/apparmor.d/lxc/lxc-with-nesting sudo /etc/init.d/apparmor reload sudo sed -i "s/#lxc.aa_profile = unconfined/lxc.aa_profile = lxc-container-with-nesting/" /var/lib/lxc/my-host-container/config sudo lxc-start -n my-host-container (in my-host-container) sudo apt-get install lxc (in my-host-container) sudo stop lxc (in my-host-container) sudo sed -i "s/10.0.3/10.0.4/g" /etc/default/lxc (in my-host-container) sudo start lxc (in my-host-container) sudo lxc-create -n my-sub-container -t ubuntu (in my-host-container) sudo lxc-start -n my-sub-container
Outside of the existing manpages and blog posts I mentioned throughout this post, Serge Hallyn did a very good job at creating a whole section dedicated to LXC in the Ubuntu Server Guide.
You can read it here: https://help.ubuntu.com/12.04/serverguide/lxc.html
Next week we have the Ubuntu Developer Summit in Oakland, CA. There we’ll be working on the plans for LXC in Ubuntu 12.10. We currently have two sessions scheduled:
If you want to make sure the changes you want will be in Ubuntu 12.10, please make sure to join these two sessions. It’s possible to participate remotely to the Ubuntu Developer Summit, through IRC and audio streaming.
My personal hope for LXC in Ubuntu 12.10 is to have a clean liblxc library that can be used to create bindings and be used in languages like python. Working towards that goal should make it easier to do automated testing of LXC and cleanup our current tools.
I hope this post made you want to try LXC or for existing users, made you discover some of the new features that appeared in Ubuntu 12.04. We’re actively working on improving LXC both upstream and in Ubuntu, so do not hesitate to report bugs (preferably with “ubuntu-bug lxc”).