LXC

Linux Containers
Developer(s) Daniel Lezcano, Serge Hallyn, Stéphane Graber
Initial release August 6, 2008[1]
Stable release 1.0.5[2] / 14 July 2014
Development status Active
Written in C, Python 3, shell, Lua
Operating system Linux
Platform x86, x86-64, IA-64, PowerPC, SPARC, Itanium, ARM
Type OS-level virtualization
License GNU LGPL v.2.1 (some components under GNU GPL v2 and BSD)
Website linuxcontainers.org

LXC (Linux Containers) is an operating system–level virtualization method for running multiple isolated Linux systems (containers) on a single control host.

The Linux kernel comprises cgroups for resource isolation (CPU, memory, block I/O, network, etc.), which does not require starting any virtual machines. Cgroups also provides namespace isolation to completely isolate applications' view of the operating environment, including process trees, network, user IDs and mounted file systems.

LXC combines cgroups and namespace support to provide an isolated environment for applications. Docker can also use LXC as one of its execution drivers, enabling image management and providing deployment services.


Overview

LXC provides operating system-level virtualization through a virtual environment that has its own process and network space, instead of creating a full-fledged virtual machine. LXC relies on the Linux kernel cgroups functionality that was released in version 2.6.24. It also relies on other kinds of namespace-isolation functionality, which were developed and integrated into the mainline Linux kernel.

Security

Originally, LXC containers were not as secure as other OS-level virtualization methods such as OpenVZ: in Linux kernels before 3.8, the root user of the guest system could run arbitrary code on the host system with root privileges, much like chroot jails.[3] Starting with the 1.0 release, containers run as regular users on the host using "unprivileged containers".[4] Unprivileged containers are more limited in that they cannot access hardware directly. Nevertheless, even privileged containers should provide adequate isolation in the 1.0 security model, if properly configured.[4]
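The "unprivileged containers" mentioned above rest on a user-namespace ID map: uid 0 inside the container is translated to an ordinary, high-numbered uid on the host, and the host-side range must be one that /etc/subuid grants to the launching user. The following is an added example, not code from the article or from the LXC project, that parses such a mapping from the relevant container-config lines and checks that container root does not land on host uid 0. The config key spelling (`lxc.idmap`, with `lxc.id_map` accepted as the older form), the config and /etc/subuid contents, and the user names are constructed for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple


class IdMap(NamedTuple):
    kind: str             # 'u' for uid map, 'g' for gid map
    container_start: int  # first id inside the container
    host_start: int       # host id that container_start maps to
    count: int            # length of the contiguous range


# Constructed sample configs (not real LXC files). Key spelling is an assumption:
# later LXC releases write lxc.idmap, LXC 1.0 wrote lxc.id_map; both are accepted.
UNPRIVILEGED_CONFIG = """\
lxc.utsname = web01
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""

# Constructed config with no id map at all: container root is host root.
PRIVILEGED_CONFIG = """\
lxc.utsname = legacy
lxc.rootfs = /var/lib/lxc/legacy/rootfs
"""

# Constructed /etc/subuid contents: user:first_host_id:count
SUBUID = """\
alice:100000:65536
bob:165536:65536
"""


def parse_idmaps(config_text: str) -> List[IdMap]:
    """Extract every uid/gid map line from a container config."""
    maps = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition("=")
        if key.strip() not in ("lxc.idmap", "lxc.id_map"):
            continue
        parts = value.split()
        if len(parts) != 4 or parts[0] not in ("u", "g"):
            raise ValueError(f"malformed id map line: {line!r}")
        maps.append(IdMap(parts[0], int(parts[1]), int(parts[2]), int(parts[3])))
    return maps


def map_to_host(maps: List[IdMap], kind: str, container_id: int) -> Optional[int]:
    """Translate a container id to its host id; None means unmapped (overflow id)."""
    for m in maps:
        if m.kind == kind and m.container_start <= container_id < m.container_start + m.count:
            return m.host_start + (container_id - m.container_start)
    return None


def container_root_is_unprivileged(config_text: str) -> bool:
    """True only if container uid 0 and gid 0 both map to non-zero host ids."""
    maps = parse_idmaps(config_text)
    if not maps:
        return False  # no user namespace map: root inside is root on the host
    host_uid = map_to_host(maps, "u", 0)
    host_gid = map_to_host(maps, "g", 0)
    return host_uid not in (None, 0) and host_gid not in (None, 0)


def allowed_subids(subid_text: str, user: str) -> List[Tuple[int, int]]:
    """Return the (start, count) ranges /etc/subuid (or subgid) grants to a user."""
    ranges = []
    for line in subid_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            ranges.append((int(parts[1]), int(parts[2])))
    return ranges


def idmap_within_subids(idmap: IdMap, ranges: List[Tuple[int, int]]) -> bool:
    """Check that the host side of a map lies entirely inside one granted range."""
    end = idmap.host_start + idmap.count
    return any(start <= idmap.host_start and end <= start + count for start, count in ranges)


if __name__ == "__main__":
    maps = parse_idmaps(UNPRIVILEGED_CONFIG)
    print("web01 root unprivileged:", container_root_is_unprivileged(UNPRIVILEGED_CONFIG))
    print("legacy root unprivileged:", container_root_is_unprivileged(PRIVILEGED_CONFIG))
    print("container uid 1000 ->", map_to_host(maps, "u", 1000))
    print("alice may use this map:", idmap_within_subids(maps[0], allowed_subids(SUBUID, "alice")))
```

The two checks are the ones worth automating: a missing or zero-based map (`u 0 0 ...`) means the container's root is the host's root, and a host range outside the user's /etc/subuid grant would be refused by the setuid helpers when the container starts.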

Alternatives

LXC is similar to other OS-level virtualization technologies on Linux such as OpenVZ and Linux-VServer, as well as those on other operating systems such as FreeBSD jails, AIX Workload Partitions and Solaris Containers. In contrast to OpenVZ, LXC works in the vanilla Linux kernel requiring no additional patches to be applied to the kernel sources. Version 1 of LXC, which was released on 20 February 2014, is a long-term supported version and intended to be supported for five years.[5]

References

  1. ^ "LXC - Linux Containers". linuxcontainers.org. Retrieved 2014-11-10. 
  2. ^ Download lxc
  3. ^ d'Itri, Marco (2011). "Evading from linux containers". Archived from the original on 9 January 2014. Retrieved 12 February 2014.
  4. ^ Graber, Stéphane (1 January 2014). "LXC 1.0: Security features [6/10]". Retrieved 12 February 2014. However, at least in Ubuntu, our default containers ship with what we think is a pretty good configuration of both the cgroup access and an extensive apparmor profile which prevents all attacks that we are aware of. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he'd find himself having the privileges of a regular user on the host
  5. ^ Stéphane Graber (2013-12-20). "LXC 1.0: Your first Ubuntu container". Stgraber.org. Retrieved 2014-02-23. 

External links

  • Official website
  • IBM developerworks article about LXC
  • "Evading from Linux Containers" by Marco D'Itri
  • Presentation about cgroups and namespaces, the underlying technology of Linux containers, by Rami Rosen
  • Presentation about Linux Containers and the future cloud, by Rami Rosen
  • LXC : Install and configure the Linux Containers
  • LSS: Secure Linux containers (LWN.net)
  • Introduction to Linux Containers