Linux Containers (LXC) on Debian

Linux Containers[1] (LXC) (official site) leverage the functionality of cgroups (documentation) and namespaces to isolate processes within the operating system. Put simply, LXC is a form of OS-level virtualization built on features included in the Linux kernel.

One of the advantages of OS-level virtualization is that it is less complex to put in place than "classical" virtualization. Setting up VirtualBox or VMware, for instance, requires installing kernel modules and additional services that are not part of the operating system by default. LXC support, on the other hand, is provided by the Linux kernel itself; we simply need to install the management tools.

Also, resources such as CPU, RAM and disk space are not reserved for LXC containers the way they can be with "classical" virtualization like VirtualBox. The memory overhead there comes from the fact that resources allocated to the guest system are not made available to the host: a slice of 512 MB of RAM will be reserved for a VirtualBox guest even if the guest does not fully use it.

LXC works differently by staying closer to the host OS (and being a little less isolated, we could say). CPU, RAM and hard drive space are made available to the processes running inside an LXC container just as they are to processes on the host operating system.

Debian has supported LXC since Debian 6.0 "Squeeze", released in 2011. Since then, support for LXC and related tools has been constantly uploaded into the main repository. Most modern distributions now support LXC, even RHEL and CentOS 6.

On Debian, if you don't have systemd installed[2], you need to add this line to /etc/fstab:

cgroup  /sys/fs/cgroup  cgroup  defaults  0   0

Once the cgroup filesystem is mounted, all that is needed is to install the packages and run the system checkup tool:

apt-get install lxc bridge-utils libvirt-bin debootstrap
[...]

lxc-checkconfig
[...]
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

If the checkup is successful, we can create our first LXC container by running the following command:

lxc-create -n my_first_lxc -t debian

Once the container is created, it can be started. Be sure to note the password for root:

lxc-start -n my_first_lxc
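The steps above as one script, added here as an example that is not part of the original post. It assumes the lxc-checkconfig output format shown above (one "Feature: state" line per check) and treats any state other than "enabled" as a reason to stop before anything is created; the sample output embedded in it is constructed from the post's run, with one line changed to "missing" to exercise the failure path. The script name in the usage comment is arbitrary, `mountpoint` comes from util-linux, and `-y` on apt-get and `-d` on lxc-start are my additions to the post's commands.

```shell
#!/bin/sh
# Added example, not from the original post: run the post's setup steps in order and
# refuse to create a container unless lxc-checkconfig reports every feature as enabled.

# Constructed sample: the lxc-checkconfig output from the post, reduced to its "name: state" lines.
SAMPLE_OK='--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled'

# Constructed failure case: the same output with the memory controller reported as missing.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" |
    sed 's/^Cgroup memory controller: enabled$/Cgroup memory controller: missing/')

# checkconfig_missing: reads lxc-checkconfig output on stdin, prints the name of every
# feature whose state is not "enabled", and returns 1 if there was at least one.
# Colour escapes are stripped first, since some versions emit them even when piped.
checkconfig_missing() {
    awk -F': ' '
        { gsub(/\033\[[0-9;]*m/, "") }                  # drop ANSI colour codes
        /^---/ || /^Note/ || NF < 2 || $2 == "" { next } # headers, notes, info-only lines
        $2 != "enabled" { print $1; bad = 1 }
        END { if (bad) exit 1 }'
}

# prepare_and_create NAME [TEMPLATE]: the post's steps in order, aborting at the first
# failure. Must run as root on the Debian host.
prepare_and_create() {
    name=$1
    template=${2:-debian}

    # Step 1: the cgroup mount from the post's fstab line (systemd hosts already have it).
    if ! mountpoint -q /sys/fs/cgroup; then
        mount -t cgroup cgroup /sys/fs/cgroup || return 1
    fi

    # Step 2: the management tools.
    apt-get install -y lxc bridge-utils libvirt-bin debootstrap || return 1

    # Step 3: stop here if any feature is reported as something other than enabled.
    if ! lxc-checkconfig | checkconfig_missing; then
        echo "lxc-checkconfig reports the features above as not enabled; not creating $name" >&2
        return 1
    fi

    # Step 4: build the container; the template prints the root password, so keep the output.
    lxc-create -n "$name" -t "$template" || return 1

    # Step 5: start it in the background (-d); attach later with lxc-console.
    lxc-start -n "$name" -d
}

# Usage on the Debian host, as root (script name is arbitrary):
#   sh lxc-bootstrap.sh my_first_lxc debian
# Nothing runs when the script is sourced or invoked without arguments.
if [ $# -gt 0 ]; then
    prepare_and_create "$@"
fi
```

The filter is deliberately strict: newer lxc-checkconfig versions print informational lines such as "required" for optional features, and those will stop the script too; relax the `$2 != "enabled"` test if that is not wanted on your host.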

Fine-tuning of the LXC guest can be done by editing the guest's configuration file, /var/lib/lxc/my_first_lxc/config.

Since LXC containers do not use disk images by default, it is possible to bind paths of the host file system into the guest file system. This adds a lot of flexibility.
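A small helper for the bind mounts just described, added here as an example that is not part of the original post. It writes `lxc.mount.entry` lines into the guest config file named above; the mount options are LXC's own (`bind`, `ro`, `nosuid`, `nodev`, and `create=dir`, which needs LXC 1.0 or newer), while the function names, the `/srv/src` and `/srv/build` host paths and the checks on the guest path are my additions. The checks are the point: a bind mount whose target resolves outside the rootfs, or one that brings setuid binaries and device nodes in from the host, undoes much of the isolation the container gives you, so the helper only accepts rootfs-relative guest paths without `..` and defaults to `ro,nosuid,nodev`.

```shell
#!/bin/sh
# Added example, not from the original post: append hardened bind-mount entries to an
# LXC guest config such as /var/lib/lxc/my_first_lxc/config.

# bind_entry HOST_PATH GUEST_PATH [OPTIONS]
# Prints one lxc.mount.entry line. GUEST_PATH is relative to the container rootfs;
# absolute guest paths and any ".." component are rejected so the mount cannot land
# outside the rootfs. OPTIONS default to a read-only mount that ignores setuid bits
# and device nodes coming from the host.
bind_entry() {
    host=$1
    guest=$2
    opts=${3:-ro,nosuid,nodev}

    case $host in
        /*) ;;
        *)  echo "bind_entry: host path must be absolute: '$host'" >&2; return 1 ;;
    esac
    case $guest in
        ''|/*) echo "bind_entry: guest path must be relative to the rootfs: '$guest'" >&2; return 1 ;;
    esac
    # Wrap both paths in slashes so ".." is only matched as a whole path component.
    case "/$host/$guest/" in
        */../*) echo "bind_entry: '..' is not allowed in mount paths" >&2; return 1 ;;
    esac
    # create=dir makes LXC create the mount point inside the rootfs (LXC 1.0 or newer;
    # on older versions drop it and mkdir the target in the rootfs yourself).
    printf 'lxc.mount.entry = %s %s none bind,%s,create=dir 0 0\n' "$host" "$guest" "$opts"
}

# add_bind CONFIG HOST_PATH GUEST_PATH [OPTIONS]
# Appends the entry to CONFIG unless an identical line is already there, so the helper
# can be re-run safely. Fails without touching CONFIG when bind_entry rejects the input.
add_bind() {
    cfg=$1
    shift
    entry=$(bind_entry "$@") || return 1
    if grep -qxF "$entry" "$cfg" 2>/dev/null; then
        echo "add_bind: entry already present in $cfg" >&2
        return 0
    fi
    printf '%s\n' "$entry" >> "$cfg"
}

# Usage for the compile-sandbox case: source tree read-only, a separate build directory
# writable, both without setuid or device nodes (host paths are made up):
#   add_bind /var/lib/lxc/my_first_lxc/config /srv/src src
#   add_bind /var/lib/lxc/my_first_lxc/config /srv/build build rw,nosuid,nodev
# Nothing runs when the script is sourced or invoked without arguments.
if [ $# -ge 3 ]; then
    add_bind "$@"
fi
```

The container must be restarted for new entries to take effect, and because the mount is a bind of host directories, file ownership inside the guest follows the host's uid/gid numbering; keep that in mind before sharing anything more sensitive than a source tree.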

I find LXC containers very useful for software compiling. Before using LXC, I was an adept of chroot, which is another form of isolation. chroot is still very useful, but I found it cumbersome to use without scripting the necessary bindings. It also has its limits on the networking side. With LXC, it is possible to bridge the network interface and give the container a dedicated IP address. It is very useful to isolate services that need network access.

LXC is very simple to use, and it is no surprise that Docker leverages LXC to simplify the management and distribution of containers.

Additional references:


  1. I realize the use of "'Linux Container' containers" is a form of pleonasm. Feel free to suggest corrections when I finally set up my mail server.

  2. With systemd, this is not required if you install the package libvirt-bin.