Provided by: lxc_0.6.3-1_i386
lxc - linux containers
You are in a hurry, and you don’t want to read this man page. Ok,
without warranty, here are the commands to launch a shell inside a
container with a predefined configuration template, it may work.
/usr/bin/lxc-execute -n foo -f /etc/lxc/lxc-macvlan.conf /bin/bash
The container technology is actively being pushed into the mainstream
linux kernel. It provides the resource management through the control
groups aka process containers and resource isolation through the
The linux containers, lxc, aims to use these new functionalities to
provide an userspace container object which provides full resource
isolation and resource control for an applications or a system.
The first objective of this project is to make the life easier for the
kernel developers involved in the containers project and especially to
continue working on the Checkpoint/Restart new features. The lxc is
small enough to easily manage a container with simple command lines and
complete enough to be used for other purposes.
The lxc relies on a set of functionalies provided by the kernel which
needs to be active. Depending of the missing functionalities the lxc
will work with a restricted number of functionalities or will simply
The following list gives the kernel features to be enabled in the
kernel to have the full features container:
* General setup
* Control Group support
-> Namespace cgroup subsystem
-> Freezer cgroup subsystem
-> Cpuset support
-> Simple CPU accounting cgroup subsystem
-> Resource counters
-> Memory resource controllers for Control Groups
* Group CPU scheduler
-> Basis for grouping tasks (Control Groups)
* Namespaces support
-> UTS namespace
-> IPC namespace
-> User namespace
-> Pid namespace
-> Network namespace
* Security options
-> File POSIX Capabilities
The kernel version >= 2.6.27 shipped with the distros, will work with
lxc, this one will have less functionalities but enough to be
interesting. With the kernel 2.6.29, lxc is fully functional.
Before using the lxc, your system should be configured with the file
capabilities, otherwise you will need to run the lxc commands as root.
The control group can be mounted anywhere, eg: mount -t cgroup cgroup
/cgroup. If you want to dedicate a specific cgroup mount point for
lxc, that is to have different cgroups mounted at different places with
different options but let lxc to use one location, you can bind the
mount point with the lxc name, eg: mount -t cgroup lxc /cgroup4lxc or
mount -t cgroup -ons,cpuset,freezer,devices lxc /cgroup4lxc
A container is an object where the configuration is persistent. The
application will be launched inside this container and it will use the
configuration which was previously created.
How to run an application in a container ?
Before running an application, you should know what are the resources
you want to isolate. The default configuration is to isolate the pids,
the sysv ipc and the mount points. If you want to run a simple shell
inside a container, a basic configuration is needed, especially if you
want to share the rootfs. If you want to run an application like sshd,
you should provide a new network stack and a new hostname. If you want
to avoid conflicts with some files eg. /var/run/httpd.pid, you should
remount /var/run with an empty directory. If you want to avoid the
conflicts in all the cases, you can specify a rootfs for the container.
The rootfs can be a directory tree, previously bind mounted with the
initial rootfs, so you can still use your distro but with your own /etc
Here is an example of directory tree for sshd:
[root@lxc sshd]$ tree -d rootfs
| |-- pts
| ‘-- shm
| ‘-- network
| ‘-- ssh
| ‘-- sshd
| ‘-- empty
| ‘-- sshd
and the mount points file associated with it:
[root@lxc sshd]$ cat fstab
/lib /home/root/sshd/rootfs/lib none ro,bind 0 0
/bin /home/root/sshd/rootfs/bin none ro,bind 0 0
/usr /home/root/sshd/rootfs/usr none ro,bind 0 0
/sbin /home/root/sshd/rootfs/sbin none ro,bind 0 0
How to run a system in a container ?
Running a system inside a container is paradoxically easier than
running an application. Why ? Because you don’t have to care about the
resources to be isolated, everything need to be isolated, the other
resources are specified as being isolated but without configuration
because the container will set them up. eg. the ipv4 address will be
setup by the system container init scripts. Here is an example of the
mount points file:
[root@lxc debian]$ cat fstab
/dev /home/root/debian/rootfs/dev none bind 0 0
/dev/pts /home/root/debian/rootfs/dev/pts none bind 0 0
More information can be added to the container to facilitate the
configuration. For example, make accessible from the container the
resolv.conf file belonging to the host.
/etc/resolv.conf /home/root/debian/rootfs/etc/resolv.conf none bind 0 0
CONTAINER LIFE CYCLE
When the container is created, it contains the configuration
information. When a process is launched, the container will be starting
and running. When the last process running inside the container exits,
the container is stopped.
In case of failure when the container is initialized, it will pass
through the aborting state.
| STOPPED |<---------------
| STARTING |--error- |
---------- | |
| | |
V V |
--------- ---------- |
| RUNNING | | ABORTING | |
--------- ---------- |
| | |
no process | |
| | |
V | |
---------- | |
| STOPPING |<------- |
The container is configured through a configuration file, the format of
the configuration file is described in lxc.conf(5)
CREATING / DESTROYING THE CONTAINERS
The container is created via the lxc-create command. It takes a
container name as parameter and an optional configuration file. The
name is used by the different commands to refer to this container. The
lxc-destroy command will destroy the container object.
lxc-create -n foo
lxc-destroy -n foo
STARTING / STOPPING A CONTAINER
When the container has been created, it is ready to run an application
/ system. When the application has to be destroyed the container can be
stopped, that will kill all the processes of the container.
Running an application inside a container is not exactly the same thing
as running a system. For this reason, there is two commands to run an
application into a container:
lxc-execute -n foo [-f config] /bin/bash
lxc-start -n foo [/bin/bash]
lxc-execute command will run the specified command into a container but
it will mount /proc and autocreate/autodestroy the container if it does
not exist. It will furthermore create an intermediate process, lxc-
init, which is in charge to launch the specified command, that allows
to support daemons in the container. In other words, in the container
lxc-init has the pid 1 and the first process of the application has the
lxc-start command will run the specified command into the container
doing nothing else than using the configuration specified by lxc-
create. The pid of the first process is 1. If no command is specified
lxc-start will run /sbin/init.
To summarize, lxc-execute is for running an application and lxc-start
is for running a system.
If the application is no longer responding, inaccessible or is not able
to finish by itself, a wild lxc-stop command will kill all the
processes in the container without pity.
lxc-stop -n foo
CONNECT TO AN AVAILABLE TTY
If the container is configured with the ttys, it is possible to access
it through them. It is up to the container to provide a set of
available tty to be used by the following command. When the tty is
lost, it is possible to reconnect it without login again.
lxc-console -n foo -t 3
FREEZE / UNFREEZE A CONTAINER
Sometime, it is useful to stop all the processes belonging to a
container, eg. for job scheduling. The commands:
lxc-freeze -n foo
will put all the processes in an uninteruptible state and
lxc-unfreeze -n foo
will resume all the tasks.
This feature is enabled if the cgroup freezer is enabled in the kernel.
GETTING INFORMATION ABOUT THE CONTAINER
When there are a lot of containers, it is hard to follow what has been
created or destroyed, what is running or what are the pids running into
a specific container. For this reason, the following commands give this
lxc-ps --name foo
lxc-info -n foo
lxc-ls lists the containers of the system. The command is a script
built on top of ls, so it accepts the options of the ls commands, eg:
will display the containers list in one column or:
will display the containers list and their permissions.
lxc-ps will display the pids for a specific container. Like lxc-ls,
lxc-ps is built on top of ps and accepts the same options, eg:
lxc-ps --name foo --forest
will display the processes hierarchy for the processes belonging the
will display all the containers and their processes.
lxc-info gives informations for a specific container, at present time,
only the state of the container is displayed.
Here is an example on how the combination of these commands allow to
list all the containers and retrieve their state.
for i in $(lxc-ls -1); do
lxc-info -n $i
And displaying all the pids of all the containers:
for i in $(lxc-ls -1); do
lxc-ps -n $i --forest
lxc-netstat display network information for a specific container. This
command is built on top of the netstat command and will accept its
The following command will display the socket informations for the
lxc-netstat -n foo -tano
MONITORING THE CONTAINERS
It is sometime useful to track the states of a container, for example
to monitor it or just to wait for a specific state in a script.
lxc-monitor command will monitor one or several containers. The
parameter of this command accept a regular expression for example:
lxc-monitor -n "foo|bar"
will monitor the states of containers named ’foo’ and ’bar’, and:
lxc-monitor -n ".*"
will monitor all the containers.
For a container ’foo’ starting, doing some work and exiting, the output
will be in the form:
’foo’ changed state to [STARTING]
’foo’ changed state to [RUNNING]
’foo’ changed state to [STOPPING]
’foo’ changed state to [STOPPED]
lxc-wait command will wait for a specific state change and exit. This
is useful for scripting to synchronize the launch of a container or the
end. The parameter is an ORed combination of different states. The
following example shows how to wait for a container if he went to the
# launch lxc-wait in background
lxc-wait -n foo -s STOPPED &
# this command goes in background
lxc-execute -n foo mydaemon &
# block until the lxc-wait exits
# and lxc-wait exits when the container
# is STOPPED
echo "’foo’ is finished"
SETTING THE CONTROL GROUP FOR A CONTAINER
The container is tied with the control groups, when a container is
started a control group is created and associated with it. The control
group properties can be read and modified when the container is running
by using the lxc-cgroup command.
lxc-cgroup command is used to set or get a control group subsystem
which is associated with a container. The subsystem name is handled by
the user, the command won’t do any syntax checking on the subsystem
name, if the subsystem name does not exists, the command will fail.
lxc-cgroup -n foo cpuset.cpus
will display the content of this subsystem.
lxc-cgroup -n foo cpu.shares 512
will set the subsystem to the specified value.
The lxc is still in development, so the command syntax and the API can
change. The version 1.0.0 will be the frozen version.
lxc(1), lxc-create(1), lxc-destroy(1), lxc-start(1), lxc-stop(1), lxc-
execute(1), lxc-console(1), lxc-monitor(1), lxc-wait(1), lxc-cgroup(1),
lxc-ls(1), lxc-ps(1), lxc-info(1), lxc-freeze(1), lxc-unfreeze(1),
Daniel Lezcano <firstname.lastname@example.org>