LXC stands for Linux Containers.
Linux containers are a lightweight “virtualization” method that runs multiple virtual units simultaneously on a single control host, all sharing a single Linux kernel.
The Linux kernel contains cgroups for resource isolation (CPU, memory, block I/O, network, etc.), which does not require starting any virtual machines.
Cgroups also provide namespace isolation to completely isolate the application's view of the operating environment, including process trees, networks, user IDs and mounted filesystems.
LXC is open source software licensed under the GNU LGPLv2.1+ license.
Containers actually make use of kernel features called namespaces, cgroups, and chroots, to carve off a contained area.
So, the end result of LXC looks much like a virtual machine, but without any hypervisor.
1. Pre-req for LXC Install
Before you install LXC, make sure your system is up-to-date using yum update as shown below.
root@hackthesec:~$ yum update
LXC depends on two libraries: libcap and libcgroup. It also requires busybox and the bridge utilities.
Install the following required packages for our LXC install.
root@hackthesec:~$ yum install libcap-devel libcgroup busybox wget bridge-utils
Let us make sure we got all the compilers and related development tools that are required to compile and install any software from source code.
root@hackthesec:~$ yum groupinstall "Development tools"
2. Download LXC Linux Containers
Use wget to download the tar ball of the latest stable version of LXC to your machine as shown below.
root@hackthesec:~$ wget http://linuxcontainers.org/downloads/lxc-1.1.5.tar.gz
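If you get a certificate-related error message while using the above wget, then use the --no-check-certificate option as shown below. This option turns off TLS certificate validation, so the download is not authenticated; check the tarball against a checksum or signature obtained from a trusted source before building it.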
root@hackthesec:~$ wget --no-check-certificate https://linuxcontainers.org/downloads/lxc-1.1.5.tar.gz
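Because the download above is fetched without certificate validation, a fail-closed digest check before unpacking is a sensible gate. The following is an added example, not part of the original tutorial: the function name verify_tarball is hypothetical and EXPECTED_SHA256 is a placeholder, since the page gives no digest for lxc-1.1.5.tar.gz.

```shell
#!/bin/sh
# Added example: refuse to build a tarball whose SHA-256 does not match a
# digest obtained from a trusted source over a separate channel.

# Placeholder (assumption): the page does not publish a digest.
EXPECTED_SHA256="<sha256-from-a-trusted-source>"

# verify_tarball FILE EXPECTED
# returns 0 on match, 1 on mismatch, 2 on bad input (missing file,
# or an expected value that is not exactly 64 hex digits).
verify_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "verify_tarball: $file not found" >&2; return 2; }

    # Fail closed on an empty, truncated or placeholder digest.
    case $expected in
        *[!0-9a-f]*) echo "verify_tarball: digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_tarball: digest is not 64 hex digits" >&2; return 2; }

    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_tarball: digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Typical use before step 4 of this tutorial:
#   verify_tarball lxc-1.1.5.tar.gz "$EXPECTED_SHA256" && tar xvfz lxc-1.1.5.tar.gz
```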
Alternatively, if you prefer, you can also use git clone to download the latest development version or stable version as shown below.
root@hackthesec:~$ git clone git://github.com/lxc/lxc -b {branch}
In the above command, {branch} can either be “master” for the current development branch, or “stable-1.0” for the stable update branch of the 1.0 version.
3. Configure Bridged Adapter
Next, create a bridged adapter and configure the static IP on the bridged adapter as shown in the following ifcfg-br0 example. Ensure your physical adapter points to this bridged adapter in ifcfg-eth0.
root@hackthesec:~$ cd /etc/sysconfig/network-scripts
root@hackthesec:~$ vi ifcfg-br0
DEVICE="br0"
BOOTPROTO="static"
IPADDR="xxx.xxx.xxx.xxx"
NETMASK="255.255.255.xxx"
ONBOOT="yes"
TYPE="Bridge"
NM_CONTROLLED="no"
Replace every “xxx” in the above file with the values that match your IP address and netmask. For example, change the IPADDR value in the above file to the IP address of your machine.
4. Install LXC Linux Container
Next, untar the LXC tar ball that we downloaded earlier, run ./configure, and then run make and make install to install LXC on your system as shown below.
By default, this will install all the lxc binaries under /usr/local/bin directory.
root@hackthesec:~$ tar xvfz lxc-1.1.5.tar.gz
root@hackthesec:~$ cd lxc-1.1.5/
root@hackthesec:~$ ./configure
root@hackthesec:~$ make && make install
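The following are the last few lines from the output for the above ./configure command. In the Security features block, note that this build reports Apparmor, seccomp and SELinux as “no”, meaning LXC was compiled without support for them; of the listed features, only Linux capabilities is enabled.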
root@hackthesec:~$ ./configure
...
...
config.status: creating src/python-lxc/setup.py
config.status: creating src/lua-lxc/Makefile
config.status: executing depfiles commands
config.status: executing default commands
----------------------------
Environment:
- compiler: gcc
- distribution: centos
- init script type(s): sysvinit
- rpath: no
- GnuTLS: no
- Bash integration: yes
Security features:
- Apparmor: no
- Linux capabilities: yes
- seccomp: no
- SELinux: no
- cgmanager: no
Bindings:
- lua: no
- python3: no
Documentation:
- examples: yes
- API documentation: yes
- user documentation: no
Debugging:
- tests: no
- mutex debugging: no
Paths:
- Logs in configpath: no
The following are the last few lines from the output for the above make command.
root@hackthesec:~$ make
...
Building full member lists recursively...
Adding members to member groups.
...
Generating style sheet...
Generating index page...
Generating page index...
Generating example documentation...
Generating file sources...
Generating code for file /usr/save/lxc-1.1.5/src/lxc/attach_options.h...
Generating code for file /usr/save/lxc-1.1.5/src/lxc/lxccontainer.h...
Generating code for file /usr/save/lxc-1.1.5/src/lxc/lxclock.h...
Generating file documentation...
Generating docs for file /usr/save/lxc-1.1.5/src/lxc/attach_options.h...
...
Generating file member index...
make[2]: Leaving directory `/usr/save/lxc-1.1.5/doc/api'
make[2]: Entering directory `/usr/save/lxc-1.1.5/doc'
...
Making all in hooks
make[1]: Entering directory `/usr/save/lxc-1.1.5/hooks'
make[1]: Nothing to be done for `all'.
...
The following are the last few lines from the output for the above make install command.
root@hackthesec:~$ make install
...
Making install in hooks
make[1]: Entering directory `/usr/save/lxc-1.1.5/hooks'
/bin/mkdir -p '/usr/local/share/lxc/hooks'
/usr/bin/install -c clonehostname mountecryptfsroot ubuntu-cloud-prep squid-deb-proxy-client '/usr/local/share/lxc/hooks'
...
/bin/mkdir -p /usr/local/var/lib/lxc
/bin/mkdir -p /usr/local/var/cache/lxc
/bin/mkdir -p '/usr/local/lib/pkgconfig'
/usr/bin/install -c -m 644 lxc.pc '/usr/local/lib/pkgconfig'
...
5. Create Soft Link for LXC Shared Libraries
Execute lxc-info to verify that LXC is installed successfully. If everything is installed properly, we’ll see a message saying that the given container name (for example, test) doesn’t exist. We have not created any container at this stage. We just want to make sure this command is not throwing any shared-library-related errors.
root@hackthesec:~$ lxc-info --name test
test doesn't exist
Depending on how things are configured on your system, you might also get the following liblxc.so.1 library-related error message.
root@hackthesec:~$ lxc-info --name test
lxc-info: error while loading shared libraries: liblxc.so.1: cannot open shared object file: No such file or directory
In this case, to fix it, create a link called liblxc.so.1 as shown below, which will point to the correct version of the liblxc.so.x.x.x file.
root@hackthesec:~$ ln -s /usr/local/lib/liblxc.so.1.1.5 /lib64/liblxc.so.1
root@hackthesec:~$ ls -l /lib64/liblxc.so.1
lrwxrwxrwx. 1 root root 30 Jan 20 09:17 /lib64/liblxc.so.1 -> /usr/local/lib/liblxc.so.1.1.5
6. Verify LXC Setup and Configuration
Next, you can also execute lxc-checkconfig to verify that your LXC environment is set up correctly.
The output has four sections: 1) Namespaces, 2) Control Groups, 3) Misc and 4) Checkpoint/Restore. Partial output is shown below.
root@hackthesec:~$ lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-2.6.32-431.el6.x86_64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
..
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
..
--- Checkpoint/Restore ---
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
..
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/local/bin/lxc-checkconfig
If everything is configured properly on your system, in the above output, all of the options in the above groups should say “enabled”.
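Rather than reading the whole report by eye, the check described above can be scripted. The following is an added example, not part of the original tutorial or of LXC: it lists every option whose value is not "enabled", grouped by section. The function names and the sample report are constructed for illustration, and the stripping of colour escapes assumes the report may have been captured from a terminal.

```shell
#!/bin/sh
# Added example: flag every lxc-checkconfig option that is not "enabled".

# Constructed sample report (not real output from any host).
sample_checkconfig() {
    cat <<'EOF'
Kernel configuration found at /boot/config-2.6.32-431.el6.x86_64
--- Namespaces ---
Namespaces: enabled
User namespace: missing
--- Control groups ---
Cgroup: enabled
--- Misc ---
Veth pair device: enabled
Bridges: required
EOF
    # One value wrapped in colour escapes, as a terminal capture may contain.
    printf 'Macvlan: \033[1;31mmissing\033[0;39m\n'
    printf '%s\n' '--- Checkpoint/Restore ---' 'CONFIG_EVENTFD: enabled' \
        'Note : Before booting a new kernel, you can check its configuration'
}

# Reads a report on stdin, prints "Section/Option=value" for each option
# whose value is anything other than "enabled".
not_enabled() {
    sed "s/$(printf '\033')\[[0-9;]*m//g" |
    awk '
        /^--- .* ---$/ { section = $0; gsub(/^--- | ---$/, "", section); next }
        section == ""  { next }   # banner lines before the first section
        /^[^:]+: *[A-Za-z]+ *$/ { # "Option: value" with a one-word value
            n = index($0, ":")
            name = substr($0, 1, n - 1)
            value = substr($0, n + 1)
            gsub(/^ +| +$/, "", value)
            if (value != "enabled") printf "%s/%s=%s\n", section, name, value
        }'
}

# Returns 0 only when nothing is flagged; findings go to stderr.
checkconfig_ok() {
    findings=$(not_enabled)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Demonstration on the constructed sample; on a real host use:
#   lxc-checkconfig | checkconfig_ok
sample_checkconfig | not_enabled
```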