How LXC Works


March 31, 2015 | DevOps | Mikalai Sevastsyanau


LXC containers are built from templates, which are basically shell scripts. If the shell script uses some additional software, you have to have that software installed or the template won’t work. Here are some typical dependencies of common templates:

  • Bridge utils (namely utility brctl) for managing Linux bridges;

  • Debootstrap to install the system based on Debian from an already running an OS. You will need it if you decide to use a template to create a container with Ubuntu or Debian (or any other Debian-based distro);

  • RPM package management needed to create a container running ALT Linux, OpenSuse or OpenMandriva distribution. For Fedora, Oracle Linux and CentOS additionally you need to install Yum package manager;

  • Pacman package management needed to create a container with Arch Linux.

Keep these in mind when you create a new container.

The files in an LXC container are simply the files in /var/lib/lxc/<container-name>, a directory which contains:

  • rootfs – contains files of the guest OS

  • config – configuration file for a container

  • fstab – contains mount information in fstab format

The workflow with LXC proceeds according to the following basic pattern:

  • Start a new LXC container, using a base template.

  • Install software and otherwise configure the container.

  • At checkpoints, clone the container to create “frozen” copies (not be confused with lxc-freeze). This operation does nothing more than create copies of the container filesystem in /var/lib/lxc/<new-container>/rootfs.

  • Once you have a working container, all you have to do is create a tarball of the files. The container can then be launched on a different server by transferring the tarball, unpacking it, and running it using LXC tools.

A Simple Example

Finally, create a first container:

$ sudo lxc-create -t ubuntu -n ubuntu-01

The first time it will be delayed for five minutes, as lxc-create will start ubuntu’s template, which build a new rootfs and copies it to the folder /var/lib/lxc/ubuntu-01. LXC usually uses /var/lib/lxc/ storage containers, /var/cache/lxc/ use as a place to cache (mainly used by lxc-create and templates).

Let’s start it soon (login and password are ubuntu):

$ sudo lxc-start -F -n ubuntu-01

Please note that the guest OS has its own init process, as well there is a running sshd, and in general it is not very different from if it running somewhere on EC2. Running ifconfig you will see that the container has a network interface configured for DHCP Address – This is the default, so you do not need to worry about it. Go back out of the container to your host shell, only shutting down the container, and to achieve this in two ways:

  • Shutdown command in the container: $ sudo shutdown -h now

  • Close the console window.

It happened because you run the container without using a key -d (this’s default behaviour for old versions of LXC) and with option -F (foreground). LXC does not allow detach from the container when it was launched not in the background.


Templates are just an executable file written in bash (but not necessarily), creating the container rootfs. lxc-create invokes a template and performs the rest of the work to create the container. Keep in mind that many template scripts have dependencies  on additional programs, which are mentioned in the beginning of this article. Templates can be found in /usr/share/lxc/templates templates.

 At the moment, there are templates for Alpine Linux, ALT Linux, Arch Linux, CentOS, CirrOS, Debian, Fedora, Gentoo, OpenMandriva, OpenSUSE, Oracle Linux, Plamo Linux, and Ubuntu.

Among the templates are also some unusual finds:

  • busybox Creates minimalist lightweight container, which has installed only busybox

  • sshd normally used to allow untrusted users to be in your private network

  • ubuntu-cloud downloads the OS from image builded by Cannonical, and decompresses and modifies it to work in LXC

  • download LXC team build images primarily adapted for use in unprivileged containers (containers runned by non-root users)

Almost all of the templates have additional options that can be found on with –help option after calling lxc-create. Use — (two dashes) to separate the lxc-create options and the template options:

$ sudo lxc-create -t ubuntu -n ubuntu-02 -- --help

/usr/share/lxc/templates/lxc-ubuntu -h|--help [-a|--arch] [-b|--bindhome <user>] [-d|--debug]

  [-F | –flush-cache] [-r|–release <release>] [ -S | –auth-key <keyfile>]

  [–rootfs <rootfs>] [–packages <packages>] [-u|–user <user>] [–password <password>]

  [–mirror <url>] [–security-mirror <url>]





Keep up-to-date on security best practices, events and webinars.

Share This