What happens behind "lxc exec [container] bash"

I’m new to LXD and I don’t know what happens behind “lxc exec [container] bash”, because I don’t see any SSH connection to the container, and if I wanted to make an SSH connection I would first have to change the sshd config and set a password (or insert a public key into authorized_keys).

I would like to know what really happens behind this command and how the system gets a root shell inside the container.


The root filesystem of a container is mounted on the LXD host, so I see it as doing a chroot into that container filesystem, and so no SSH is needed.

“lxc exec NAME -- bash” will send a request to the LXD daemon, either locally or remotely, using LXD’s REST API. The LXD daemon will then spawn the command directly inside the container by attaching to the container’s namespaces and spawning the requested binary. stdin, stdout and stderr for the process are then bridged to websockets that are returned to the client over the REST API.

So the client tool only does HTTP requests to get the command executed, the server talks to the kernel, spawns the process in the container, makes sure all resource limits and security restrictions are applied and then connects the console devices.

Since that all happens directly through kernel APIs, there’s no need for any daemon to run inside the container (like sshd) and you can use “lxc exec” even against containers which aren’t reachable over the network (so long as you can talk to the LXD daemon on the host).

This is interesting, because (I don’t know how) the session doesn’t have the same properties as an SSH session. For example, if I run netstat in a shell started with “lxc exec container bash”, it does not recognize me as root.

root@container:~# netstat -antlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0*               LISTEN      -               
tcp        0      0*               LISTEN      -               
tcp        0      0    *               LISTEN      5696/nginx -g daemo
tcp        0      0    *               LISTEN      348/sshd        
tcp        0      0*               LISTEN      13413/postgres  
tcp6       0      0 :::22                   :::*                    LISTEN      348/sshd        
root@container:~# id
uid=0(root) gid=0(root) groups=0(root)

Do you have any idea why this happens?

The fact that netstat doesn’t recognize you as root doesn’t have anything to do with “lxc exec” but with the fact that you’re using an unprivileged container. Root in an unprivileged container isn’t real (kernel) root, so netstat is absolutely right here.
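As an added example (not from this thread), a small POSIX shell helper that reads a /proc/<pid>/uid_map and reports whether uid 0 inside the container maps to kernel root or to an unprivileged host uid, which is exactly the difference the netstat output above reflects. The sample maps are constructed; the 1000000 base is only a typical LXD value.

```shell
#!/bin/sh
# Each /proc/<pid>/uid_map line is "<inside start> <outside start> <count>".
# In an unprivileged LXD container, uid 0 inside maps to a high host uid,
# so the shell from "lxc exec" is root for the container but not for the kernel.

# host_uid_of MAP_TEXT INSIDE_UID -> prints the host uid, or "none" if unmapped
host_uid_of() {
    printf '%s\n' "$1" | awk -v u="$2" '
        NF == 3 && $1 <= u && u < $1 + $3 { print $2 + (u - $1); found = 1; exit }
        END { if (!found) print "none" }'
}

# classify_uid_map MAP_TEXT -> privileged | unprivileged | unmapped
classify_uid_map() {
    case $(host_uid_of "$1" 0) in
        0)    echo privileged ;;    # inside root is kernel root
        none) echo unmapped ;;      # uid 0 does not exist from the host's view
        *)    echo unprivileged ;;  # inside root is an ordinary host uid
    esac
}

# Constructed sample maps (not taken from the thread)
MAP_HOST='         0          0 4294967295'   # identity map: no user namespace
MAP_UNPRIV='         0    1000000      65536'  # typical unprivileged LXD container

# Inspect the shell this script runs in, e.g. inside "lxc exec NAME -- sh"
self_map=$(cat /proc/self/uid_map 2>/dev/null || true)
echo "this shell: root is $(classify_uid_map "$self_map")"
echo "sample unprivileged map: inside uid 0 is host uid $(host_uid_of "$MAP_UNPRIV" 0)"
```

Run it on the host with `/proc/<container init pid>/uid_map` instead of `/proc/self/uid_map` to see the same mapping from the outside.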

Sorry for the (short, off-topic) question.

I want to do: lxc exec apt upgrade -y, but I can’t do it.
I receive --> Error: unknown shorthand flag: ‘y’ in -y

Is that possible, or am I trying something that can’t be done?

lxc exec <instance name> -- apt upgrade -y


Thanks a lot once again :slight_smile:

Does the lxc console command also use the HTTP REST API?

Yes, everything that lxc does is over the REST API.
