LXC: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
→‎LXD: programming language + fork
m Clean up spacing errors around ref tags., replaced: /ref>O → /ref> O
 
Line 1: Line 1:
{{Short description|Operating system-level virtualization for Linux}}
{{Short description|Operating system-level virtualization for Linux}}
{{Others}}
{{Other uses}}
{{Infobox software
{{Infobox software
| title = Linux Containers
| title = Linux Containers
Line 25: Line 25:
'''Linux Containers''' ('''LXC''') is an [[operating-system-level virtualization]] method for running multiple isolated [[Linux]] systems (containers) on a control host using a single Linux kernel.
'''Linux Containers''' ('''LXC''') is an [[operating-system-level virtualization]] method for running multiple isolated [[Linux]] systems (containers) on a control host using a single Linux kernel.


The [[Linux kernel]] provides the [[cgroups]] functionality that allows limitation and prioritization of resources (CPU, memory, block I/O, network, etc.) without the need for starting any [[virtual machine]]s, and also the [[Linux namespaces|namespace isolation]] functionality that allows complete isolation of an application's view of the operating environment, including [[Process (computing)|process]] trees, [[Computer network |networking]], [[user ID]]s and [[Mount (computing)|mounted]] [[file system]]s.<ref>{{cite web | url = https://www.cs.ucsb.edu/~rich/class/cs293b-cloud/papers/lxc-namespace.pdf | title = Resource management: Linux kernel namespaces and cgroups | date = May 2013 | access-date = February 11, 2015 | author = Rami Rosen | website = CS | publisher = UCSB}}</ref>
The [[Linux kernel]] provides the [[cgroups]] functionality that allows limitation and prioritization of resources (CPU, memory, block I/O, network, etc.) without the need for starting any [[virtual machine]]s, and also the [[Linux namespaces|namespace isolation]] functionality that allows complete isolation of an application's view of the operating environment, including [[Process (computing)|process]] trees, [[Computer network|networking]], [[user ID]]s and [[Mount (computing)|mounted]] [[file system]]s.<ref>{{cite web | url = https://www.cs.ucsb.edu/~rich/class/cs293b-cloud/papers/lxc-namespace.pdf | title = Resource management: Linux kernel namespaces and cgroups | date = May 2013 | access-date = February 11, 2015 | author = Rami Rosen | website = CS | publisher = UCSB}}</ref>


LXC combines the kernel's cgroups and support for isolated [[Linux namespaces|namespace]]s to provide an isolated environment for applications.<ref name= "redhat-2020-01-30">{{Cite web |last=Kenlon |first=Seth |date= 2020-01-30 |title=Exploring simple Linux containers with lxc | publisher = IBM |url= https://www.redhat.com/sysadmin/exploring-containers-lxc |access-date=2023-07-05 |website=[[Red Hat]]}}</ref> Early versions of [[Docker (software)|Docker]] used LXC as the container execution driver,<ref name="redhat-2020-01-30" /> though LXC was made optional in v0.9 and support was dropped in Docker v1.10.<ref>{{Cite news |url= https://blog.docker.com/2014/03/docker-0-9-introducing-execution-drivers-and-libcontainer/|title=Docker 0.9: introducing execution drivers and libcontainer |date=2014-03-10| publisher =Docker | work = Blog|access-date= 2018-05-09 |language= en-US}}</ref><ref>{{Cite web|url= https://docs.docker.com/engine/release-notes/prior-releases/#1100-2016-02-04 | publisher =Docker | work = Engine release notes | title = 1.10.0 |date= 2016-02-04 |access-date= 2020-10-06}}</ref>
LXC combines the kernel's cgroups and support for isolated [[Linux namespaces|namespace]]s to provide an isolated environment for applications.<ref name= "redhat-2020-01-30">{{Cite web |last=Kenlon |first=Seth |date= 2020-01-30 |title=Exploring simple Linux containers with lxc | publisher = IBM |url= https://www.redhat.com/sysadmin/exploring-containers-lxc |access-date=2023-07-05 |website=[[Red Hat]]}}</ref> Early versions of [[Docker (software)|Docker]] used LXC as the container execution driver,<ref name="redhat-2020-01-30" /> though LXC was made optional in v0.9 and support was dropped in Docker v1.10.<ref>{{Cite news |url= https://blog.docker.com/2014/03/docker-0-9-introducing-execution-drivers-and-libcontainer/|title=Docker 0.9: introducing execution drivers and libcontainer |date=2014-03-10| publisher =Docker | work = Blog|access-date= 2018-05-09 |language= en-US}}</ref><ref>{{Cite web|url= https://docs.docker.com/engine/release-notes/prior-releases/#1100-2016-02-04 | publisher =Docker | work = Engine release notes | title = 1.10.0 |date= 2016-02-04 |access-date= 2020-10-06}}</ref>
Line 33: Line 33:


== Security ==
== Security ==
Originally, LXC containers were not as secure as other OS-level virtualization methods such as [[OpenVZ]]: in Linux kernels before 3.8, the [[Superuser |root]] user of the guest system could run arbitrary code on the host system with root privileges, just as they can in [[chroot]] jails.<ref>{{cite web|last= Marco |first= d'Itri |title= Evading from linux containers|url=http://blog.bofh.it/debian/id_413| work = BOFH | access-date=12 February 2014 | place = IT |archive-url= https://web.archive.org/web/20140109184419/http://blog.bofh.it/debian/id_413 |archive-date= 9 January 2014|year=2011}}</ref> Starting with the LXC&nbsp;1.0 release, it is possible to run containers as regular users on the host using "unprivileged containers".<ref name="lxc-1-0-security-features/">{{cite web|last=Graber|first=Stéphane|title=LXC 1.0: Security features [6/10]|url=https://www.stgraber.org/2014/01/01/lxc-1-0-security-features/|access-date= 12 February 2014|date=1 January 2014|quote=However, at least in Ubuntu, our default containers ship with what we think is a pretty good configuration of both the cgroup access and an extensive apparmor profile which prevents all attacks that we are aware of. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he’d find himself having the privileges of a regular user on the host}}</ref> Unprivileged containers are more limited in that they cannot access hardware directly. However, even privileged containers should provide adequate isolation in the LXC&nbsp;1.0 security model, if properly configured.<ref name="lxc-1-0-security-features/" />
Originally, LXC containers were not as secure as other OS-level virtualization methods such as [[OpenVZ]]: in Linux kernels before 3.8, the [[Superuser|root]] user of the guest system could run arbitrary code on the host system with root privileges, just as they can in [[chroot]] jails.<ref>{{cite web|last= Marco |first= d'Itri |title= Evading from linux containers|url=http://blog.bofh.it/debian/id_413| work = BOFH | access-date=12 February 2014 | place = IT |archive-url= https://web.archive.org/web/20140109184419/http://blog.bofh.it/debian/id_413 |archive-date= 9 January 2014|year=2011}}</ref> Starting with the LXC&nbsp;1.0 release, it is possible to run containers as regular users on the host using "unprivileged containers".<ref name="lxc-1-0-security-features/">{{cite web|last=Graber|first=Stéphane|title=LXC 1.0: Security features [6/10]|url=https://www.stgraber.org/2014/01/01/lxc-1-0-security-features/|access-date= 12 February 2014|date=1 January 2014|quote=However, at least in Ubuntu, our default containers ship with what we think is a pretty good configuration of both the cgroup access and an extensive apparmor profile which prevents all attacks that we are aware of. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he’d find himself having the privileges of a regular user on the host}}</ref> Unprivileged containers are more limited in that they cannot access hardware directly. However, even privileged containers should provide adequate isolation in the LXC&nbsp;1.0 security model, if properly configured.<ref name="lxc-1-0-security-features/" />


== Alternatives ==
== Alternatives ==
Line 39: Line 39:


=== LXD ===
=== LXD ===
LXD is an alternative Linux container manager, written in [[Go (programming language)|Go]]. It is built on top of LXC and aims to provide a better user experience.<ref>{{Cite web |url= https://linuxcontainers.org/lxd/introduction/ | work = LXD | title = Introdution | publisher = Linux Containers |access-date=2020-04-14}}</ref> It is a container [[hypervisor]] providing an [[API]] to manage LXC containers.<ref>{{Cite web |last=Parrott |first=Thomas |title=Introduction to LXD projects |url= https://ubuntu.com/tutorials/introduction-to-lxd-projects#1-overview |access-date=2023-07-05 |website=Ubuntu | publisher = Canonical}}</ref> The LXD project was started in 2015 and was sponsored from the start by [[Canonical (company)|Canonical Ltd.]], the company behind [[Ubuntu Linux]]. On 4 July 2023, the LinuxContainers project announced that Canonical had decided to take over the LXD project but a fork called Incus was made.<ref>{{Cite web |date=2023-07-04 |title= LXD Has been moved to Canonical |url=https://linuxcontainers.org/lxd/ |archive-url=https://web.archive.org/web/20230704204731/https://linuxcontainers.org/lxd/ |archive-date= 2023-07-04 |access-date=2023-07-05 |website=Linux Containers}}</ref><ref>{{Cite web |last=Rudra |first=Sourav |date=2023-07-05 |title=The LXD Project Finds a New Home at Canonical |url=https://news.itsfoss.com/canonical-lxd-project/ |access-date=2023-07-05 | work = It’s Foss}}</ref>On August 25, 2023, LXD version 5.17 was officially released under the control of Canonical, providing support for OpenZFS 2.2 delegation capabilities.<ref>{{Cite web |last=Parrott |first= Thomas |date=25 August 2023 |title=LXD 5.17 has been released |url=https://discourse.ubuntu.com/t/lxd-5-17-has-been-released/38061 |website=Ubuntu | publisher = Canonical}}</ref>
LXD is an alternative Linux container manager, written in [[Go (programming language)|Go]]. It is built on top of LXC and aims to provide a better user experience.<ref>{{Cite web |url= https://linuxcontainers.org/lxd/introduction/ | work = LXD | title = Introdution | publisher = Linux Containers |access-date=2020-04-14}}</ref> It is a container [[hypervisor]] providing an [[API]] to manage LXC containers.<ref>{{Cite web |last=Parrott |first=Thomas |title=Introduction to LXD projects |url= https://ubuntu.com/tutorials/introduction-to-lxd-projects#1-overview |access-date=2023-07-05 |website=Ubuntu | publisher = Canonical}}</ref> The LXD project was started in 2015 and was sponsored from the start by [[Canonical (company)|Canonical Ltd.]], the company behind [[Ubuntu Linux]]. On 4 July 2023, the LinuxContainers project announced that Canonical had decided to take over the LXD project but a fork called Incus was made.<ref>{{Cite web |date=2023-07-04 |title= LXD Has been moved to Canonical |url=https://linuxcontainers.org/lxd/ |archive-url=https://web.archive.org/web/20230704204731/https://linuxcontainers.org/lxd/ |archive-date= 2023-07-04 |access-date=2023-07-05 |website=Linux Containers}}</ref><ref>{{Cite web |last=Rudra |first=Sourav |date=2023-07-05 |title=The LXD Project Finds a New Home at Canonical |url=https://news.itsfoss.com/canonical-lxd-project/ |access-date=2023-07-05 | work = It’s Foss}}</ref> On August 25, 2023, LXD version 5.17 was officially released under the control of Canonical, providing support for OpenZFS 2.2 delegation capabilities.<ref>{{Cite web |last=Parrott |first= Thomas |date=25 August 2023 |title=LXD 5.17 has been released |url=https://discourse.ubuntu.com/t/lxd-5-17-has-been-released/38061 |website=Ubuntu | publisher = Canonical}}</ref>


== See also ==
== See also ==

Latest revision as of 00:23, 30 April 2024

Linux Containers
Developer(s):
  • Kernel: Virtuozzo, IBM, Google, Eric Biederman and others
  • Userspace: Daniel Lezcano, Serge Hallyn, Stéphane Graber and others
Initial release: August 6, 2008 (2008-08-06)[1]
Stable release: 6.0.0[2] / 3 April 2024
Repository:
Written in: C, Shell
Operating system: Linux
Platform: x86, IA-64, PowerPC, SPARC, Itanium, ARM
Type: OS-level virtualization
License: GNU LGPL v2.1 (some components under GNU GPL v2 and BSD)
Website: linuxcontainers.org

Linux Containers (LXC) is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel.

The Linux kernel provides the cgroups functionality that allows limitation and prioritization of resources (CPU, memory, block I/O, network, etc.) without the need for starting any virtual machines, and also the namespace isolation functionality that allows complete isolation of an application's view of the operating environment, including process trees, networking, user IDs and mounted file systems.[3]

LXC combines the kernel's cgroups and support for isolated namespaces to provide an isolated environment for applications.[4] Early versions of Docker used LXC as the container execution driver,[4] though LXC was made optional in v0.9 and support was dropped in Docker v1.10.[5][6]

Overview

LXC was initially developed by IBM, as part of a collaboration between several parties looking to add namespaces to the kernel.[7] It provides operating system-level virtualization through a virtual environment that has its own process and network space, instead of creating a full-fledged virtual machine. LXC relies on the Linux kernel cgroups functionality[8] that was released in version 2.6.24. It also relies on other kinds of namespace isolation functionality, which were developed and integrated into the mainline Linux kernel.

Security

Originally, LXC containers were not as secure as other OS-level virtualization methods such as OpenVZ: in Linux kernels before 3.8, the root user of the guest system could run arbitrary code on the host system with root privileges, just as they can in chroot jails.[9] Starting with the LXC 1.0 release, it is possible to run containers as regular users on the host using "unprivileged containers".[10] Unprivileged containers are more limited in that they cannot access hardware directly. However, even privileged containers should provide adequate isolation in the LXC 1.0 security model, if properly configured.[10]
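The practical difference between a privileged and an unprivileged container described above is visible in the user-namespace ID map that the kernel exposes as /proc/&lt;pid&gt;/uid_map: in an unprivileged container, uid 0 inside the container is translated to an unprivileged host uid (the LXC 1.0 model), whereas in a privileged container uid 0 is the host's uid 0. The following script is an added example, not code from the article or from the LXC project; it parses uid_map contents (the sample maps are constructed, not captured from a real host) and classifies the namespace, including the split-map case where one host uid is passed through unshifted.

```python
"""Classify a Linux user namespace as privileged or unprivileged from uid_map.

Added illustration for the LXC security discussion. The file format is the
kernel's: each line is "ID-inside-ns  ID-outside-ns  length". The sample map
contents at the bottom are constructed, not captured from a real system.
"""
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdMapping:
    inside: int   # first ID as seen inside the namespace
    outside: int  # first ID as seen in the parent (host) namespace
    count: int    # number of consecutive IDs covered by this line


def parse_id_map(text: str) -> List[IdMapping]:
    """Parse the three-column lines of a uid_map or gid_map file."""
    mappings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"line {lineno}: mapping length must be positive")
        mappings.append(IdMapping(inside, outside, count))
    return mappings


def to_host_id(mappings: List[IdMapping], inside_id: int) -> Optional[int]:
    """Translate an ID seen inside the namespace to the host ID.

    Returns None when the ID is not covered by any mapping line (the kernel
    then presents it as the overflow ID, usually 65534 / "nobody").
    """
    for m in mappings:
        if m.inside <= inside_id < m.inside + m.count:
            return m.outside + (inside_id - m.inside)
    return None


def inside_ids_mapped_to_host_root(mappings: List[IdMapping]) -> List[int]:
    """Return every inside ID that lands on host ID 0.

    For an unprivileged container this list is empty; a non-empty list means
    some user inside the namespace is the host's root.
    """
    return [m.inside for m in mappings if m.outside == 0]


def classify(uid_map_text: str) -> str:
    """'privileged' if any inside uid is host root, 'unprivileged' if uid 0
    inside maps elsewhere, 'root-unmapped' if uid 0 has no mapping at all."""
    mappings = parse_id_map(uid_map_text)
    if inside_ids_mapped_to_host_root(mappings):
        return "privileged"
    if to_host_id(mappings, 0) is None:
        return "root-unmapped"
    return "unprivileged"


def classify_pid(pid: int = 0) -> str:
    """Classify a live process; pid 0 means the calling process (/proc/self)."""
    path = f"/proc/{pid if pid else 'self'}/uid_map"
    with open(path, encoding="ascii") as fh:
        return classify(fh.read())


# Constructed sample uid_map contents (not captured from a real host).
HOST_OR_PRIVILEGED = "         0          0 4294967295\n"   # identity map
UNPRIVILEGED = "         0     100000      65536\n"         # root -> host uid 100000
# A split map of the kind an idmap can express: uid 1000 inside is the host's
# own uid 1000 (e.g. for a bind-mounted home directory); everything else shifted.
SPLIT = (
    "         0     100000       1000\n"
    "      1000       1000          1\n"
    "      1001     101001      64535\n"
)

if __name__ == "__main__":
    for name, text in [("host/privileged", HOST_OR_PRIVILEGED),
                       ("unprivileged", UNPRIVILEGED), ("split", SPLIT)]:
        print(f"{name:16} -> {classify(text)}")
    if os.path.exists("/proc/self/uid_map"):
        print("this process     ->", classify_pid())
```

Run from inside a container, classify_pid() answers the question the security section raises: whether an escape from this container would land the attacker as host root or as an unprivileged host user. The same parser works for gid_map, and an audit script would normally check both.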

Alternatives

LXC is similar to other OS-level virtualization technologies on Linux such as OpenVZ and Linux-VServer, as well as those on other operating systems such as FreeBSD jails, AIX Workload Partitions and Solaris Containers. In contrast to OpenVZ, LXC works in the vanilla Linux kernel requiring no additional patches to be applied to the kernel sources. Version 1 of LXC, which was released on 20 February 2014 as a long-term supported version, was supported for five years.[11] LXC 4.0 will be supported until June 1, 2025 and LXC 5.0 until June 1, 2027.[12]

LXD

LXD is an alternative Linux container manager, written in Go. It is built on top of LXC and aims to provide a better user experience.[13] It is a container hypervisor providing an API to manage LXC containers.[14] The LXD project was started in 2015 and was sponsored from the start by Canonical Ltd., the company behind Ubuntu Linux. On 4 July 2023, the LinuxContainers project announced that Canonical had decided to take over the LXD project; a fork called Incus was made in response.[15][16] On August 25, 2023, LXD version 5.17 was officially released under the control of Canonical, providing support for OpenZFS 2.2 delegation capabilities.[17]

See also

References

  1. ^ "Downloads". Linux containers. Archived from the original on 2014-11-10. Retrieved 2014-11-10.
  2. ^ "Release v6.0.0". 3 April 2024. Retrieved 11 April 2024.
  3. ^ Rami Rosen (May 2013). "Resource management: Linux kernel namespaces and cgroups" (PDF). CS. UCSB. Retrieved February 11, 2015.
  4. ^ a b Kenlon, Seth (2020-01-30). "Exploring simple Linux containers with lxc". Red Hat. IBM. Retrieved 2023-07-05.
  5. ^ "Docker 0.9: introducing execution drivers and libcontainer". Blog. Docker. 2014-03-10. Retrieved 2018-05-09.
  6. ^ "1.10.0". Engine release notes. Docker. 2016-02-04. Retrieved 2020-10-06.
  7. ^ Webb, Jordan (2022-09-13). "LXC and LXD: a different container story". LWN.net. Retrieved 2023-07-05.
  8. ^ Koutoupis, Petros (2018-08-27). "Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC)". Linux Journal. Retrieved 2023-07-05.
  9. ^ Marco, d'Itri (2011). "Evading from linux containers". BOFH. IT. Archived from the original on 9 January 2014. Retrieved 12 February 2014.
  10. ^ a b Graber, Stéphane (1 January 2014). "LXC 1.0: Security features [6/10]". Retrieved 12 February 2014. However, at least in Ubuntu, our default containers ship with what we think is a pretty good configuration of both the cgroup access and an extensive apparmor profile which prevents all attacks that we are aware of. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he'd find himself having the privileges of a regular user on the host
  11. ^ Graber, Stéphane (2013-12-20). "LXC 1.0: Your first Ubuntu container". St. Graber. Retrieved 2014-02-23.
  12. ^ "LXC". Linux containers. Retrieved 2023-02-07.
  13. ^ "Introdution". LXD. Linux Containers. Retrieved 2020-04-14.
  14. ^ Parrott, Thomas. "Introduction to LXD projects". Ubuntu. Canonical. Retrieved 2023-07-05.
  15. ^ "LXD Has been moved to Canonical". Linux Containers. 2023-07-04. Archived from the original on 2023-07-04. Retrieved 2023-07-05.
  16. ^ Rudra, Sourav (2023-07-05). "The LXD Project Finds a New Home at Canonical". It’s Foss. Retrieved 2023-07-05.
  17. ^ Parrott, Thomas (25 August 2023). "LXD 5.17 has been released". Ubuntu. Canonical.

External links