LXC application container


(Sakis Hrist) #1

Hello,

Excuse the simple question, but could someone point me to the right direction as to what exactly application containers are?

I am asking because I decided to create a simple app container through virt-manager by just going with the defaults. I started the container and was greeted with the configured sh shell. I ran a few commands and saw that the FS was my laptop’s FS. So I made an experiment: I wrote a simple file and the write passed just fine. I checked my real FS and there the file was.

Shouldn’t this be a separate FS or an overlayFS at the least?

What am I missing here?

Thanks in advance! :slight_smile:

Sakis


#2

Hi!

You mainly use virt-manager to create virtual machines (VMs). You can also use it to create LXC containers, and when you use it in that way, you are asked in what directory to put the root filesystem of the container. If you select / as the directory, then the LXC container will have the same root filesystem as your Linux installation. It is not a typical thing to do, because with containers you want to separate their filesystems from your host’s filesystem. That is, just select a subdirectory instead.

The difference between virtual machines and containers is that with virtual machines you boot a separate new Linux kernel for each VM. With containers, you reuse the running Linux kernel of your Linux distro.

There are two main types of containers, the application containers and the system containers.
People use Docker to create application containers, and the idea is that in the container you run one application.

On the other hand, system containers look and feel like virtual machines, but in fact they are made of containers. The advantages are that they need far fewer resources than VMs, they are much faster to manage and they are more versatile.

In this discussion forum, we focus both on LXC (standard Linux Containers) and LXD (much easier to use and better packaged Linux containers).


#3

In the following example, we launch a system container called deleteme, based on Ubuntu 18.04.
Then, we get a shell in the system container to run commands.
Next, we try to rm -fr / and we succeed in doing it. Note, this is just a container and is confined from the host.
Subsequently, we exit and stop (with --force because the container is now in a bit of a mess).
Finally, we delete the container. That’s the full circle.

$ lxc launch ubuntu:18.04 deleteme
Creating deleteme
Starting deleteme

$ lxc exec deleteme -- bash
root@deleteme:~# rm -fr /
rm: it is dangerous to operate recursively on '/'
rm: use --no-preserve-root to override this failsafe
root@deleteme:~# rm -fr --no-preserve-root /
root@deleteme:~# exit
Exit 130

$ lxc stop --force deleteme
$ lxc delete deleteme

(Sakis Hrist) #4

Hey Simo,

Thanks for taking the time to explain in such detail.

Thing is though, that I don’t get such a prompt for the application container when creating from virt-manager. I only get a prompt for what command to start. And in fact, that command has access to my real FS. I think I have a bit of a grasp as to what containers are, but I don’t get what’s the purpose of them when created in such a manner by virt-manager.

Here’s a demonstration of what’s going on:

virt manager

Thanks again :grin:


#5

Thanks for showing what you get with libvirt-manager with the video. :slight_smile:

This is the relevant documentation on the libvirt LXC containers, https://libvirt.org/drvlxc.html
Specifically, the page says:

The libvirt LXC driver manages “Linux Containers”. At their simplest, containers can just be thought of as a collection of processes, separated from the main host processes via a set of resource namespaces and constrained via control groups resource tunables. The libvirt LXC driver has no dependency on the LXC userspace tools hosted on sourceforge.net. It directly utilizes the relevant kernel features to build the container environment.

The term Linux Containers/LXC is used for the set of security features in the Linux kernel that are used to start processes constrained/isolated from the host processes. Such a constrained/isolated process tree is a container. Wikipedia has a page on that as well.

However, LXC is also used for a set of user-space tools (like lxc-create, lxc-start) that was initially hosted on Sourceforge and has now migrated here to linuxcontainers.org. Most users equate Linux Containers with these user-space tools.

Therefore, these are two different/independent user-space implementations using Linux Containers, the LXC at virt-manager and the LXC at linuxcontainers.org.
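A way to check from the host side which of the two situations in this thread you actually have (a container whose root directory is the host's /, as in #1, versus one with its own root filesystem as in #3). This is an added example, not code from the thread, libvirt or LXC; it assumes a Linux host with /proc mounted and that you already know the PID of the container's init process from whatever tool started it.

```shell
#!/bin/sh
# Added example (not from the thread, libvirt or LXC). Given the PID of a
# container's init process, report whether its root filesystem is the host's
# own / and whether it has a mount namespace of its own at all.
# /proc/<pid>/root and /proc/<pid>/ns/* are only readable by the process
# owner or a privileged user, so run as root when inspecting foreign PIDs.

# Print "device:inode" of the directory a path resolves to. /proc/<pid>/root
# is a magic symlink into that process's root, so -L follows it; the host's
# own / is identified the same way for comparison.
root_id() {
    stat -L -c '%d:%i' "$1" 2>/dev/null
}

# Exit 0 when the process's root is the very same directory as the host's /
# (the virt-manager "root directory = /" case from #1), 1 when it differs,
# 2 when /proc/<pid>/root could not be inspected.
shares_host_root() {
    a=$(root_id "/proc/$1/root") || return 2
    [ -n "$a" ] || return 2
    [ "$a" = "$(root_id /)" ]
}

# Exit 0 when the process shares host PID 1's mount namespace (no mount
# isolation whatsoever), 1 when it has its own, 2 when unreadable.
shares_mount_ns() {
    a=$(readlink "/proc/$1/ns/mnt" 2>/dev/null) || return 2
    b=$(readlink /proc/1/ns/mnt 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

report() {
    pid=$1
    shares_host_root "$pid"; rc=$?
    case $rc in
        0) echo "PID $pid: root filesystem IS the host's / (no filesystem isolation)" ;;
        1) echo "PID $pid: root filesystem differs from the host's /" ;;
        *) echo "PID $pid: cannot inspect /proc/$pid/root (run as root?)" ;;
    esac
    shares_mount_ns "$pid"; rc=$?
    case $rc in
        0) echo "PID $pid: same mount namespace as host PID 1" ;;
        1) echo "PID $pid: separate mount namespace" ;;
        *) echo "PID $pid: cannot read /proc/$pid/ns/mnt (run as root?)" ;;
    esac
}

# Usage: sh check_root.sh <pid>. With no argument it inspects this shell
# itself, which of course reports the host's own root: a quick self-check.
report "${1:-$$}"
```

For a container rooted at / you will see the first line say the root filesystem IS the host's /, while a container like the one in #3 reports a differing root and its own mount namespace.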