| Linux Containers | |
|---|---|
 | |
| Developers | |
| Initial release | August 6, 2008; 17 years ago (2008-08-06)[1] |
| Stable release | |
| Repository | |
| Written in | C,Shell |
| Operating system | Linux |
| Platform | x86,IA-64,PowerPC,SPARC,Itanium,ARM |
| Type | OS-level virtualization |
| License | GNU LGPL v.2.1 (some components underGNU GPL v2 andBSD) |
| Website | linuxcontainers |
Linux Containers (LXC) is anoperating system-level virtualization method for running multiple isolatedLinux systems (containers) on a control host using a single Linux kernel.
TheLinux kernel provides thecgroups functionality that allows limitation and prioritization of resources (CPU, memory, block I/O, network, etc.) without the need for starting anyvirtual machines, and also thenamespace isolation functionality that allows complete isolation of an application's view of the operating environment, includingprocess trees,networking,user IDs andmountedfile systems.[3]
LXC combines the kernel's cgroups and support for isolatednamespaces to provide an isolated environment for applications.[4] Early versions ofDocker used LXC as the container execution driver,[4] though LXC was made optional in v0.9 and support was dropped in Docker v1.10.[5][6]
LXC was initially developed byIBM, as part of a collaboration between several parties looking to add namespaces to the kernel.[7] It provides operating system-level virtualization through a virtual environment that has its own process and network space, instead of creating a full-fledgedvirtual machine. LXC relies on theLinux kernelcgroups functionality[8] that was released in version 2.6.24. It also relies on other kinds of namespace isolation functionality, which were developed and integrated into the mainline Linux kernel.
Originally, LXC containers were not as secure as other OS-level virtualization methods such asOpenVZ: in Linux kernels before 3.8, theroot user of the guest system could run arbitrary code on the host system with root privileges, just as they can inchroot jails.[9] Starting with the LXC 1.0 release, it is possible to run containers as regular users on the host using "unprivileged containers".[10] Unprivileged containers are more limited in that they cannot access hardware directly. However, even privileged containers should provide adequate isolation in the LXC 1.0 security model, if properly configured.[10]
LXC is similar to other OS-level virtualization technologies on Linux such asOpenVZ andLinux-VServer, as well as those on other operating systems such asFreeBSD jails,AIXWorkload Partitions andSolaris Containers. In contrast to OpenVZ, LXC works in thevanilla Linux kernel requiring no additional patches to be applied to the kernel sources. Version 1 of LXC, which was released on 20 February 2014 as a long-term supported version, was supported for five years.[11] Version 4.0 of LXC 4.0 was supported until June 1, 2025 and LXC 5.0 will be until June 1, 2027.[12]
LXD is an alternative Linux container manager, written inGo. It is built on top of LXC and aims to provide a better user experience.[13] It is a containerhypervisor providing anAPI to manage LXC containers.[14] The LXD project was started in 2015 and was sponsored from the start byCanonical Ltd., the company behindUbuntu. On 4 July 2023, the LinuxContainers project announced that Canonical had decided to take over the LXD project but a fork called Incus had been created.[15][16] On August 25, 2023, LXD version 5.17 was officially released under the control of Canonical, providing support for OpenZFS 2.2 delegation capabilities.[17]
However, at least in Ubuntu, our default containers ship with what we think is a pretty good configuration of both the cgroup access and an extensive apparmor profile which prevents all attacks that we are aware of. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he'd find himself having the privileges of a regular user on the host
