Thanks to its user friend­li­ness, Linux Con­tain­ers is very popular and has now become an important component of IT security. The eponymous LXC (Linux Con­tain­ers) container platform is used to isolate several processes from one another and the rest of the system si­mul­ta­ne­ous­ly. An image is then generated through vir­tu­al­iza­tion which allows every container to be con­tin­u­ous­ly portable and con­sis­tent from creation to test phase and until operation. As such, in­di­vid­ual ap­pli­ca­tions have a virtual en­vi­ron­ment but still col­lec­tive­ly use the kernel of the host system.

What does LXC (Linux Con­tain­ers) provide? Is sim­plic­i­ty always an advantage? And how many virtual machines are there in a Linux container?

What is LXC (Linux Con­tain­ers)?

The term Linux Con­tain­ers (LXC) applies to both vir­tu­al­ized ap­pli­ca­tions in the Linux kernel as well as the un­der­ly­ing container platform, and tech­nol­o­gy. This should be kept in mind when dis­cussing al­ter­na­tive container platforms that also use Linux Con­tain­ers as their base tech­nol­o­gy.

LXC is an open-source container platform that promises user-friend­li­ness and an intuitive, modern user ex­pe­ri­ence, which is quite atypical for container systems, through various tools, languages, templates, and libraries. In addition, the vir­tu­al­iza­tion en­vi­ron­ment can be installed and used across all current Linux dis­tri­b­u­tions.

Tip

Con­tain­ers are unique tools that are helpful for managing and de­vel­op­ing ap­pli­ca­tions in a way that was pre­vi­ous­ly un­think­able. They make it possible to isolate ap­pli­ca­tions from the system without actually com­plete­ly isolating them. They can also exchange in­for­ma­tion and com­mu­ni­cate with the outside world. Their arrival marked a veritable rev­o­lu­tion, and container tech­nol­o­gy is now booming with countless providers competing on the market. The largest container-as-a-service providers include Amazon, Microsoft, and Google. The most popular platform is Docker, a further de­vel­op­ment of the Linux Con­tain­ers (LXC) project, which is supported by all CaaS providers.

The idea for Linux Con­tain­ers tech­nol­o­gy came about in 2001. Initially, an isolated en­vi­ron­ment was im­ple­ment­ed within the framework of the VServer project. That was the basis for the es­tab­lish­ment of several con­trolled name­spaces in Linux and for what is now called Linux Con­tain­ers. Other tech­nolo­gies such as cgroups (control groups), which could control and limit the usage of resources for a process or an entire group of processes, then followed. After that came systemd, an ini­tial­iza­tion system for the man­age­ment of name­spaces and their processes.

In practice, LXC allows for ap­pli­ca­tions to be developed more quickly. Container tech­nol­o­gy is useful for porting, con­fig­u­ra­tion, and isolation. Con­tain­ers also show their strengths when it comes to data streaming in real-time in that they provide the required scal­a­bil­i­ty for ap­pli­ca­tions. Linux con­tain­ers adapt to an in­fra­struc­ture, and do so in­de­pen­dent­ly to a large extent, so that they can be used either locally, in the cloud or in a hybrid en­vi­ron­ment.

Note

The reason for container tech­nol­o­gy’s pop­u­lar­i­ty is explained as follows: Every ap­pli­ca­tion in an operating system has its tasks, and they execute them in that very en­vi­ron­ment. They rely on the existing con­fig­u­ra­tions set up by a pro­gram­mer and are thus dependent on certain libraries, contexts, and files. Con­tain­ers can be used to test ap­pli­ca­tions more easily, more rapidly, and more securely. As such, newly developed ap­pli­ca­tions can be used in a virtual en­vi­ron­ment without any problems and without the need to be debugged or re-written. The content of a container is based on the in­stal­la­tion of a Linux dis­tri­b­u­tion and contains all con­fig­u­ra­tion files, but it is much easier to set up than the actual operating system.

What are the goals and features of LXC?

The basic idea of LXC does not appear to be very different from the idea of classic vir­tu­al­iza­tion at first glance. Only when looking at the broader context do the dif­fer­ences become more obvious. The most basic principle is the following: Con­tain­ers work at the level of the operating system, whereas virtual machines work at the hardware level. This means that con­tain­ers split an operating system and isolate ap­pli­ca­tion processes from the rest of the system, whereas classic vir­tu­al­iza­tion allows several operating systems to run si­mul­ta­ne­ous­ly on one system.

Note

For several operating systems to be able to run si­mul­ta­ne­ous­ly in a virtual en­vi­ron­ment, a hy­per­vi­sor is used to emulate the hardware system. However, this implies a high usage of resources. A more compact solution is the use of ap­pli­ca­tion con­tain­ers which can be run natively on an operating system, meaning without emulation.

Linux con­tain­ers use fewer resources than a virtual machine and also have a default interface from which several con­tain­ers can be managed si­mul­ta­ne­ous­ly. A platform with LXC can also be organized across several clouds. This provides porta­bil­i­ty and guar­an­tees that ap­pli­ca­tions running correctly on the developer’s system will also function correctly on every other system. Larger ap­pli­ca­tions can be started or stopped, and their en­vi­ron­ment variables can also be changed from the Linux Con­tain­ers interface.

To summarize, the goal of LXC is to create an en­vi­ron­ment that comes as close as possible to a standard Linux in­stal­la­tion without the need for a separate kernel.

The current Linux Con­tain­ers platform uses the following kernel features to “enclose” ap­pli­ca­tions and processes in con­tain­ers:

  • Kernel name­spaces (ipc, uts, mount, pid, network and user)
  • AppArmor and SELinux-Profile
  • Seccomp policies
  • Chroots (using pivot_root)
  • Kernel ca­pa­bil­i­ties
  • cgroups (control groups)

Linux con­tain­ers are meant to be compact. As such, they are composed of only a few separate com­po­nents:

  • the liblxc library
  • several API language bindings:
  • an array of standard tools to manage the con­tain­ers
  • dis­tri­b­u­tion templates

How does LXC work?

Isolation and vir­tu­al­iza­tion are important because they aid in managing resources and security aspects as ef­fi­cient­ly as possible. For example, they make mon­i­tor­ing for errors in the system easier, which often have nothing to do with newly developed ap­pli­ca­tions. But how does LXC work? Or, to put it another way: how does Linux Con­tain­ers work?

The easiest and most sensible way to use Linux Con­tain­ers is by linking each container to a process, allowing for complete control. For each process, the name­spaces that make resources available for one or more processes using the same name­spaces are es­pe­cial­ly important. The processes also act as access controls in securing the con­tain­ers.

To use an LXC en­vi­ron­ment, the features and their functions have to be clear. cgroups (kernel control groups) limit and isolate process resources, such as CPU, I/O, memory, and network resources. In addition, the content of a control group can be managed, monitored, pri­or­i­tized, and edited.

Note

Every­thing is a file in Linux. This is why every cgroup is ul­ti­mate­ly a col­lec­tion of files (/sys/fs/cgroup). There are various tools to manage these types of files, such as CGManager.

The functions are easily un­der­stand­able, which has the advantage of making an LXC platform very beginner friendly. However, it also has some dis­ad­van­tages which will be explained in the following section.

An overview of the pros and cons of Linux Con­tain­ers

The user-friend­li­ness of Linux Con­tain­ers is its greatest advantage in com­par­i­son to classic vir­tu­al­iza­tion tech­niques. However, the in­cred­i­ble spread of LXC, a virtually all-en­com­pass­ing ecosystem along with in­no­v­a­tive tools, can mostly be at­trib­uted to the platform Docker which brought about Linux Con­tain­ers. When compared to other container systems like rkt, OpenVZ, and Cloud Foundry Garden, which are sig­nif­i­cant­ly more limited in their usage, LXC benefits from its close ties to the fore­run­ner in container platforms.

A system ad­min­is­tra­tor who has already worked with a hy­per­vi­sor-based vir­tu­al­iza­tion method like Hyper-V will have no problems using LXC. The entire set-up, including the creation of container templates and their de­ploy­ment, the con­fig­u­ra­tion of the operating system and es­tab­lish­ing con­nec­tions, and the de­ploy­ment of ap­pli­ca­tions, remains the same. All scripts and workflows that have been written for virtual machines can also be used for Linux Con­tain­ers. As such, de­vel­op­ers are not given new, cus­tomized solutions or tools but can seam­less­ly continue to work in a familiar en­vi­ron­ment with their own scripts and au­toma­tion workflows.

One major dis­ad­van­tage of LXC becomes very obvious when it comes to memory man­age­ment: Even though various memory backends are supported (Ivm, overlayfs, zfs and btrfs), every­thing is saved to rootfs by default. There is no pos­si­bil­i­ty to register images. In this respect, other container platforms offer smarter and more flexible solutions, both for saving con­tain­ers and the man­age­ment of images.

When is LXC used?

LXC is an open-source project that is fi­nan­cial­ly supported by Canonical, the company behind the Linux dis­tri­b­u­tion Ubuntu. The greatest support, however, comes from the user community which col­lec­tive­ly develops stable versions and security updates and also pushes the project forward. Various editions of LXC now even come with ongoing support and regular security updates. Other versions are main­tained as best as possible, usually until a newer, more stable version appears.

In most cases, Linux Con­tain­ers is used as a sup­port­ing, sup­ple­men­tary container tech­nol­o­gy, which is not unusual in this field since, in contrast to virtual machines, con­tain­ers are still a very new tech­nol­o­gy. However, you should keep in mind that container tech­nol­o­gy providers are con­stant­ly growing, along with the ecosystem around the tech­nol­o­gy.

LXC is currently an entirely viable al­ter­na­tive to existing tra­di­tion­al ap­pli­ca­tions, which is specif­i­cal­ly geared towards VM ad­min­is­tra­tors. The tran­si­tion from a virtual machine to a container tech­nol­o­gy is easier with Linux Con­tain­ers than with other container tech­nolo­gies.

What are the al­ter­na­tives to Linux Con­tain­ers?

The most popular LXC al­ter­na­tive is Docker. This platform, based on Linux Con­tain­ers, has been con­tin­u­ous­ly developed over the past few years and can now also be run on Windows systems. As such, the largest cloud providers, such as Google, IBM, AWS and Azure, are now able to offer native Docker support.

A well-known container al­ter­na­tive (Linux) for the vir­tu­al­iza­tion of a complete server is OpenVZ. Like LXC, OpenVZ uses the kernel of the host operating system and makes the virtual server available to users in an isolated en­vi­ron­ment.

KVM is an open-source vir­tu­al­iza­tion tech­nol­o­gy that is already built into Linux. KVM stands for “Kernel-based Virtual Machine.” It can be used to convert Linux into a hy­per­vi­sor, allowing the host computer to run multiple isolated en­vi­ron­ments.

Ku­ber­netes orig­i­nal­ly came from Google which was one of the first sup­port­ers of the Linux Con­tain­ers tech­nol­o­gy. This open-source platform automates the ac­tiv­i­ties of Linux Con­tain­ers. Entire groups of hosts running the con­tain­ers are assembled into clusters, making it very easy to manage them all.

Note

When working with LXC, it will be im­pos­si­ble to avoid the closely related LXD. It is difficult to dif­fer­en­ti­ate these two terms and tech­nolo­gies from one another. LXD is a further de­vel­op­ment of LXC and also contains a system daemon.

Go to Main Menu