Launching LXC Virtualization on Ubuntu
Explore how to launch LXC virtualization on Ubuntu, allowing isolated environments for various Linux distributions.
LXC (Linux Containers) is an operating system-level virtualization system that allows you to run multiple isolated user environments on a single hypervisor. Earlier, we wrote about the differences in virtualization technologies in the note "What are the differences between hosting, VPS, VDS and dedicated server?". LXC is a relatively young representative of “partial” virtualization systems, allowing multiple guest containers to run on a single dedicated server or even SSD VDS. Since this is partial virtualization, only different Linux distributions can be used as guest systems — similar to the popular OpenVZ product.
What can LXC be used for?
Compared to the aging “traditional” OpenVZ, LXC is considered simpler — it works “out of the box”, does not require a special kernel installation, and is very easy to manage. However, LXC’s resource limitation capabilities are somewhat weaker, so this technology should primarily be considered not as a product for providing VPS services, but as an internal solution for isolating various services and facilitating further scaling. Of course, a significant advantage is the ability to use several Linux dialects within a single server — undoubtedly, many system administrators have faced products tailored for specific distributions, which complicates installation on another version of the operating system.
Let’s try out the basic capabilities of LXC — say, on a server running Ubuntu 16. First, we’ll switch the existing physical interface to “bridge” mode — this is the simplest way to provide network access to guest systems.
In /etc/network/interfaces, create the interface br0, moving the IP address settings to its properties and connecting this interface to the network adapter (enp2s0):
```
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

## Bridge Name ###
auto br0
### Bridge Information
iface br0 inet static
    address www.yyy.xxx.zzz
    netmask www.yyy.xxx.zzz
    network www.yyy.xxx.0
    broadcast www.yyy.xxx.255
    gateway www.yyy.xxx.1
    dns-nameservers 8.8.8.8
    bridge_ports enp2s0
    bridge_stp off
    bridge_fd 9

iface enp2s0 inet manual
```
After the changes, either restart the server or reconfigure the network using /etc/init.d/networking restart.
Now, install the LXC subsystem and necessary utilities:
```bash
apt-get install lxc lxc-templates wget bridge-utils cgroup-lite
```
Let’s run lxc-checkconfig to check if LXC support has been successfully installed:
```
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.4.0-34-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
Note: Before booting a new kernel, you can check its configuration
usage: CONFIG=/path/to/config /usr/bin/lxc-checkconfig
```
Now let’s configure the network for LXC containers — we need to disable the default bridge interface lxcbr0 that was created during LXC installation. For this, in the file /etc/default/lxc-net, set the value of the variable USE_LXC_BRIDGE to “false”.
When USE_LXC_BRIDGE is set to true, a bridge named lxcbr0 is created during startup and can be used to create a private network, but in this example, we will use the standard bridge — this will allow containers to be more universal.
Then, in the file /etc/lxc/default.conf, specify to use the previously created interface br0:
```
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
```
The basic configuration is now complete and we can start creating LXC containers. By default, the most popular templates are installed, and you can get the list using the command ls /usr/share/lxc/templates/:
```
lxc-alpine lxc-archlinux lxc-centos lxc-debian lxc-fedora lxc-openmandriva lxc-oracle lxc-slackware lxc-sshd lxc-ubuntu-cloud
lxc-altlinux lxc-busybox lxc-cirros lxc-download lxc-gentoo lxc-opensuse lxc-plamo lxc-sparclinux lxc-ubuntu
```
Let’s start with the simplest — a virtual machine running Ubuntu. Execute the command lxc-create -n ubuntu_lxc -t ubuntu:
```
root@lxc:~# lxc-create -n ubuntu_lxc -t ubuntu
Checking cache download in /var/cache/lxc/xenial/rootfs-amd64 ...
Copy /var/cache/lxc/xenial/rootfs-amd64 to /var/lib/lxc/ubuntu_lxc/rootfs ...
Copying rootfs to /var/lib/lxc/ubuntu_lxc/rootfs ...
Generating locales (this might take a while)...
en_US.ISO-8859-1... done
Generation complete.
Creating SSH2 RSA key; this may take some time ...
2048 SHA256:I6kcUu1e8gm4LFyitJ1b/vrxF1tF1izhNLNWUpIZ7yQ root@lxc (RSA)
Creating SSH2 DSA key; this may take some time ...
1024 SHA256:v85zUbwYi1zB6/Sn6RHAXvFOlra9o9v09L+2bpB6L1o root@lxc (DSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:ozhZhiRfRludJo1pLAvea1FzocBX5s2ObpO/8cuI1AY root@lxc (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:qeIRecmihv18OaC4iwsje/b90EXf9S9z4cedqtpSDmE root@lxc (ED25519)
vinvoke-rc.d: could not determine current runlevel
invoke-rc.d: policy-rc.d denied execution of start.
Current default time zone: 'Etc/UTC'
Local time is now: Tue Aug 16 15:40:57 UTC 2016.
Universal Time is now: Tue Aug 16 15:40:57 UTC 2016.
##
# The default user is 'ubuntu' with password 'ubuntu'!
# Use the 'sudo' command to run tasks as root in the container.
##
```
With additional parameters, you can choose another release of Ubuntu or another architecture. For example, the command lxc-create -t ubuntu -n lxc_trusty -- -r trusty -a amd64 can be used to prepare a container for Ubuntu 14 (Trusty) of architecture amd64. Everything after the double dash is passed to the template rather than to lxc-create itself.
So, our virtual machine is created. Now let’s start it using lxc-start -n ubuntu_lxc -d, and then connect to the created container:
```
root@lxc:~# lxc-console -n ubuntu_lxc
Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
Ubuntu 16.04.1 LTS ubuntu_lxc pts/0
ubuntu1_lxc login: ubuntu
Password:
Last login: Tue Aug 16 15:57:15 UTC 2016 on pts/0
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-34-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ubuntu@ubuntu_lxc:~$ uname -a
Linux ubuntu_lxc 4.4.0-34-generic #53-Ubuntu SMP Wed Jul 27 16:06:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ubuntu_lxc:~$
```
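If necessary, you can now configure networking inside the guest operating system, activate the necessary services, and install the required packages. The template's default account is ubuntu with the password ubuntu, so change that password right away: through br0 the container sits on the same network as the host.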
If a virtual machine with CentOS 7 is needed, the traditional package manager for RedHat systems must first be installed on the host, which can be done with just one command: apt-get install yum. After that, start lxc-create:
```
root@lxc:~# lxc-create -n centos7_lxc -t centos -- -R 7 -a x86_64
Host CPE ID from /etc/os-release:
Checking cache download in /var/cache/lxc/centos/x86_64/7/rootfs ...
Cache found. Updating...
Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/4): base/7/x86_64/group_gz | 155 kB 00:00:00
(2/4): extras/7/x86_64/primary_db | 160 kB 00:00:00
(3/4): base/7/x86_64/primary_db | 5.3 MB 00:00:01
(4/4): updates/7/x86_64/primary_db | 6.5 MB 00:00:06
...
Copy /var/cache/lxc/centos/x86_64/7/rootfs to /var/lib/lxc/centos7_lxc/rootfs ...
Copying rootfs to /var/lib/lxc/centos7_lxc/rootfs ...
Storing root password in '/var/lib/lxc/centos7_lxc/tmp_root_pass'
Expiring password for user root.
passwd: Success
Container rootfs and config have been created.
Edit the config file to check/enable networking setup.
The temporary root password is stored in:
'/var/lib/lxc/centos7_lxc/tmp_root_pass'
The root password is set up as expired and will require it to be changed at first login, which you should do as soon as possible. If you lose the root password or wish to change it without starting the container, you can change it from the host by running the following command (which will also reset the expired flag):
chroot /var/lib/lxc/centos7_lxc/rootfs passwd
```
The temporary password is located in the file /var/lib/lxc/centos7_lxc/tmp_root_pass, copy it to the clipboard, then start the container and connect to it. Note — you will immediately have to specify a new root password:
```
root@lxc:~# lxc-start -n centos7_lxc -d
root@lxc:~# lxc-console -n centos7_lxc
Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
CentOS Linux 7 (Core)
Kernel 4.4.0-34-generic on an x86_64
centos7_lxc login: root
Password:
You are required to change your password immediately (root enforced)
Changing password for root.
(current) UNIX password:
New password:
Retype new password:
[root@centos7_lxc ~]# uname -a
Linux centos7_lxc.layer6.net 4.4.0-34-generic #53-Ubuntu SMP Wed Jul 27 16:06:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@centos7_lxc ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
```
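The steps above leave a few things worth verifying on the host: lxcbr0 disabled, every container attached to br0, and the template credentials dealt with. The script below is an added example, not part of the original article; the function names and the constructed demo tree are assumptions, and lxc.net.0.link is the key name used by newer LXC releases.

```shell
# Added example: conf_value, audit_lxc and demo are names made up for this example.
# conf_value FILE KEY: print the last value assigned to KEY in a "key = value" file.
conf_value() {
    [ -r "$1" ] || return 0
    awk -F= -v k="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/^[ \t"]+|[ \t"]+$/, "", val) }
        END { print val }' "$1"
}

# audit_lxc LXC_PATH BRIDGE [NET_DEFAULTS]: one finding per line, returns 1 if any.
audit_lxc() {
    lxc_path=$1; bridge=$2; net_defaults=${3:-/etc/default/lxc-net}; bad=0
    use=$(conf_value "$net_defaults" USE_LXC_BRIDGE)
    if [ "$use" != "false" ]; then
        echo "host: USE_LXC_BRIDGE='$use', lxcbr0 is still created at startup"; bad=1
    fi
    for cfg in "$lxc_path"/*/config; do
        [ -f "$cfg" ] || continue
        dir=${cfg%/config}; name=${dir##*/}
        link=$(conf_value "$cfg" lxc.network.link)
        [ -n "$link" ] || link=$(conf_value "$cfg" lxc.net.0.link)  # newer LXC key name
        if [ "$link" != "$bridge" ]; then
            echo "$name: attached to '$link', expected '$bridge'"; bad=1
        fi
        # The CentOS template stores the temporary root password on the host.
        if [ -e "$dir/tmp_root_pass" ]; then
            echo "$name: tmp_root_pass still present on the host"; bad=1
        fi
        # The Ubuntu template creates user 'ubuntu' with password 'ubuntu'.
        if grep -q '^ubuntu:\$' "$dir/rootfs/etc/shadow" 2>/dev/null; then
            echo "$name: account 'ubuntu' has a password set, confirm it was changed"; bad=1
        fi
    done
    return "$bad"
}
# Demo on a constructed tree (not real host data), one container per template used above.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/ubuntu_lxc/rootfs/etc" "$t/centos7_lxc"
    printf 'USE_LXC_BRIDGE="true"\n' > "$t/lxc-net"
    printf 'lxc.network.type = veth\nlxc.network.link = br0\n' > "$t/ubuntu_lxc/config"
    printf 'ubuntu:$6$constructed$hash:17029:0:99999:7:::\n' > "$t/ubuntu_lxc/rootfs/etc/shadow"
    printf 'lxc.network.link = lxcbr0\n' > "$t/centos7_lxc/config"
    echo constructed > "$t/centos7_lxc/tmp_root_pass"
    audit_lxc "$t" br0 "$t/lxc-net" && rc=0 || rc=$?
    rm -rf "$t"; return "$rc"
}
demo || echo "findings above need attention"
```

On a real host, run audit_lxc /var/lib/lxc br0 as root so the containers' shadow files are readable.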
LXC containers are a great, simple solution for creating your own private virtual Linux machines that do not require special conditions to operate. Of course, in the case of LXC, there is not as much flexibility and capabilities as offered by KVM/QEMU technologies — however, for many tasks, using LXC is justified.
More about LXC, utilities, and recommendations:
- Linuxcontainers.org
- Ubuntu Documentation — Virtualization — LXC
- Official Debian Wiki — LXC
- XGU.ru Wiki — LXC
- LXC Web Panel — LXC container management panel
- Proxmox VE Wiki — Linux Container
- Linux Containers with LXC: some best practices