Getting started with LXC


March 5, 2015 | DevOps | Mikalai Sevastsyanau


LXC is a unified management toolkit that allows you to run multiple isolated instances of Linux (containers) on a single computer.

LXC is related to, but different than, virtualization engines like Xen and KVM. Unlike full-fledged virtual machines, LXC containers share one OS kernel. However, the processes that are running in one of the containers are completely isolated from processes running in another container. This isolation is achieved through the use of Linux kernel features such as:

  • cgroups limit, account for and isolate the resource usage (CPU, memory, disk I/O, network) of groups of processes. LXC creates a cgroup for each container, so you can control every container independently.

  • namespaces isolate the core kernel namespaces (ipc, uts, mount, pid, network, user), making sure that each container cannot “see” or affect other containers. From the user’s viewpoint, the init process in each container has PID 1, the ifconfig command shows only the container’s network interfaces, and so on.

  • capabilities provide fine-grained control over superuser permissions, so that launching applications as the root user can be avoided.

  • AppArmor and SELinux extend the traditional Unix discretionary access control (DAC) model with a mandatory access control (MAC) model, used mainly to protect your host system against the software running in containers. For example, they control which devices and which kernel features are accessible from a container.

  • seccomp provides a very low-level sandbox mechanism for applications: it allows a process to make a one-way transition into a “secure” state where it cannot make any system calls except a few for reading and writing already opened files. In the latest kernels it also allows you to select which syscalls will be allowed.

It’s alright if you don’t know much about these kernel features. LXC provides a user-friendly way to take advantage of all of them, with sensible defaults, without sacrificing low-level control if you actually need it.
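As an added example (not from the original post), the script below audits a container config file for the features listed above. It assumes the LXC 1.x key names lxc.cap.drop, lxc.aa_profile, lxc.seccomp, lxc.cgroup.memory.limit_in_bytes and lxc.id_map; the function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an LXC 1.x container config for the isolation features above.
# The two sample configs are constructed; key names are LXC 1.x config keys.

# Print the last value assigned to key $2 in config file $1 (empty if unset).
lxc_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print space-separated findings; empty output means all five controls are set.
audit_lxc_config() {
    findings=""
    [ -n "$(lxc_value "$1" lxc.cap.drop)" ] || findings="$findings no-cap-drop"
    # Assumption: an unset profile falls back to the LXC default, so only flag "unconfined".
    [ "$(lxc_value "$1" lxc.aa_profile)" != unconfined ] || findings="$findings apparmor-unconfined"
    [ -n "$(lxc_value "$1" lxc.seccomp)" ] || findings="$findings no-seccomp"
    [ -n "$(lxc_value "$1" lxc.cgroup.memory.limit_in_bytes)" ] || findings="$findings no-memory-limit"
    [ -n "$(lxc_value "$1" lxc.id_map)" ] || findings="$findings no-id-map"
    echo "${findings# }"
}

SAMPLES=$(mktemp -d) && trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/weak.conf" <<'EOF'
lxc.utsname = web01
lxc.network.link = lxcbr0
lxc.aa_profile = unconfined
EOF
cat > "$SAMPLES/hardened.conf" <<'EOF'
lxc.utsname = web02
lxc.network.link = lxcbr0
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.cap.drop = sys_module sys_time mac_admin mac_override
lxc.aa_profile = lxc-container-default
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.cgroup.memory.limit_in_bytes = 512M
EOF
for f in weak hardened; do
    echo "$f: $(audit_lxc_config "$SAMPLES/$f.conf")"
done
```

The weak sample reports every finding, while the hardened one prints nothing after its name.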

Another cousin of LXC is Docker. While Docker started as a layer on top of LXC, it’s now built on its own container engine called libcontainer. A good way to understand how Docker differs from LXC is to understand the concept of a 12 factor application. 12 factor applications are composed of disposable, stateless processes, and this is exactly what Docker provides. A Docker container is designed to run a single process only, rather than a fully fledged machine like full virtualization or LXC. A Docker container must have fully externalized configuration (especially for secrets), and it’s also designed to share data with the host environment through linked volumes.

So, think of it this way. LXC containers are lightweight VMs: you can install your OS, log in, install applications and services, and it will work as expected. It will have a proper init process, running services, daemons and so on.

Intrigued? Let’s show how to get started.


Modern distributions such as Ubuntu Trusty (14.04), Utopic (14.10) or later, and Debian Jessie ship packages of the stable LXC 1.x version. In these distros, you can install LXC directly from the repository and start using it. For OS X users: LXC, like Docker, will not run natively, since it uses technologies implemented only in the Linux kernel. So you have to use a full-weight virtual machine like VirtualBox to run LXC inside a modern Linux distribution. Of course, this is also an option for users of other platforms.

We use Ubuntu Trusty as our workstation and server operating system. It’s working great for us, so we recommend that you use it too!


Trusty or Utopic users can just install packages from the repository:

$ sudo apt-get install lxc

If you are using an older distribution, or you want to use a newer version of LXC on a fresh distro, then you have the choice of two PPAs:

Adding a PPA and installing packages from it is always simple:

$ sudo apt-get install -y python-software-properties
$ sudo add-apt-repository -y ppa:ubuntu-lxc/stable # or ppa:ubuntu-lxc/daily for those who have strong spirit
$ sudo apt-get update
$ sudo apt-get install -y lxc

The brctl program is in the bridge-utils package. debootstrap, rpm, yum and pacman are contained in the corresponding packages.


You can use VirtualBox to run Ubuntu Utopic (it’s free!). Just download the installation image and install it inside a VirtualBox virtual machine.

If you are a Vagrant user then just copy this listing to a new Vagrantfile and run in a terminal:

$ vagrant up

Listing: Vagrantfile

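VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "utopic64"
  config.vm.box_url = ""  # URL of the box image
  # Install LXC and the bridge utilities on first boot
  config.vm.provision :shell, :inline => "apt-get update -qq && apt-get install -yqq lxc bridge-utils"
  config.vm.network :private_network, ip: ""  # host-only address for the VM
  config.vm.network :public_network
end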

A few minutes later, you can execute this command to get inside a fully configured system with installed LXC:

$ vagrant ssh

After installation

By running the program lxc-checkconfig, you can be sure that everything works as it should. In each case, the word “enabled” should be green:

$ sudo lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.19.0-031900rc6-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
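When the check runs unattended there is nobody to look at the colours, so the added example below (not from the original post) turns the same output into a pass/fail gate. The function names and the sample output, which marks two features as "missing", are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail a provisioning step when lxc-checkconfig reports a feature
# that is not "enabled". The sample output below is constructed.

# Read lxc-checkconfig output on stdin; print "feature=status" for each non-enabled one.
checkconfig_failures() {
    esc=$(printf '\033')
    # Strip the ANSI colour codes first, then compare the status word.
    sed "s/${esc}\[[0-9;]*m//g" |
    awk -F': *' '
        /^---/ || /^Note/ || /^usage/ { next }
        { sub(/[ \t]+$/, "") }
        NF == 2 && $2 != "enabled" { print $1 "=" $2 }'
}

# Return 0 only when every reported feature is enabled; list the others on stderr.
checkconfig_gate() {
    failures=$(checkconfig_failures)
    if [ -z "$failures" ]; then
        return 0
    fi
    echo "$failures" >&2
    return 1
}

# Constructed sample: coloured output from a kernel lacking two features.
sample_output() {
    printf '%s\n' 'Kernel configuration found at /boot/config-3.19.0-031900rc6-generic'
    printf '%s\n' '--- Namespaces ---'
    printf 'Namespaces: \033[1;32menabled\033[0;39m\n'
    printf 'Pid namespace: \033[1;32menabled\033[0;39m\n'
    printf 'User namespace: \033[1;33mmissing\033[0;39m\n'
    printf '%s\n' '--- Control groups ---'
    printf 'Cgroup: \033[1;32menabled\033[0;39m\n'
    printf 'Cgroup memory controller: \033[1;33mmissing\033[0;39m\n'
    printf '%s\n' '--- Misc ---'
    printf 'Veth pair device: \033[1;32menabled\033[0;39m\n'
}

sample_output | checkconfig_gate || echo "host is not ready for LXC containers"
```

On a real host, pipe the output of sudo lxc-checkconfig into checkconfig_gate instead of the sample.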

The system will also have a new network interface, lxcbr0, a bridge that connects all containers like a hardware switch and gives them access to the Internet:

$ sudo ifconfig | grep lxc
lxcbr0    Link encap:Ethernet  HWaddr e2:0a:c8:95:d0:b3

Have questions about this?  Feel free to leave a comment below and I will respond in the thread.  Stay tuned for my next blog post that will further examine LXC and provide an example.



