How to create Linux containers


Linux containers isolate applications from the host system that they run on and from other containers. Containers behave much like virtual machines, but unlike virtual machines, containers include only the software components they need to operate rather than an entire operating system. This improves performance and reduces the size of the application.

I am going to show you how to create a privileged container. Privileged containers are containers created by root and running as root.

Prerequisites

A physical Linux machine with at least one Ethernet port, or a virtual machine with a bridged network connection. I’m using an Ubuntu VM.

Installing LXC

On an Ubuntu system, install LXC:

$ sudo apt-get install lxc lxc-templates

LXC Networking

There are five types of container networking. We will try two of them: veth and vlan. First, disable the default bridge “lxcbr0”, which is created as part of the LXC installation.

$ sudo nano /etc/default/lxc-net

Set “USE_LXC_BRIDGE” to “false”.

Creating a Container with veth Network Type

The veth network type connects the container to a Linux bridge, so you need to configure a bridge first. Start by editing the file “/etc/network/interfaces” to add a bridge with a name of your choice.

$ sudo nano /etc/network/interfaces
auto lo
iface lo inet loopback

auto br1
iface br1 inet dhcp
bridge_ports ens33
bridge_stp off
bridge_fd 9

Restart the networking service or reboot your system.

Note that in the above configuration, we attached interface ens33 to the bridge. Your system may have a different interface available, such as eth0. Edit the file “/etc/lxc/default.conf” to include the name of the bridge that you’ve defined.

lxc.network.type = veth
lxc.network.link = br1
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx

Now you can create a container from an Ubuntu template (there are also other templates to choose from):

$ sudo lxc-create -n cont_a -t ubuntu

Executing the command for the first time takes a few minutes. Once the container is created, take note of the username and password that are displayed. You will need these to access your container.

...
Current default time zone: 'Etc/UTC'
Local time is now: Sun Jan 14 20:22:42 UTC 2018.
Universal Time is now: Sun Jan 14 20:22:42 UTC 2018.

##
# The default user is 'ubuntu' with password 'ubuntu'!
# Use the 'sudo' command to run tasks as root in the container.
##

Run the following command to check that the system is ready to run containers.

$ sudo lxc-checkconfig

Start the container using the command:

$ sudo lxc-start -n cont_a -F

Once inside the container, you can exit using:

ubuntu@cont_a:~$ sudo poweroff

Following the above steps allows the container to obtain its address via DHCP. To change this behavior, edit the file “/var/lib/lxc/cont_a/config” to add static IP address configuration:

# Network configuration
lxc.network.type = veth
lxc.network.link = br1
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:8b:4d:92
lxc.network.ipv4 = 192.168.4.201/24
lxc.network.ipv4.gateway = 192.168.4.1

Creating a Container with VLAN Network Type

Using the vlan network type allows the network traffic from the container to be tagged with a VLAN ID. If you create multiple containers, each of them can have a different VLAN ID. You will need to connect your physical interface to a managed switch to keep the traffic of the VLANs separate.

Edit the file “/etc/lxc/default.conf” to change the network type:

lxc.network.type = vlan
lxc.network.link = ens33
lxc.network.vlan.id = 10
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx

After you create the container, you may want to edit the file “/var/lib/lxc/cont_a/config” to add a static IP address configuration or change the VLAN ID before starting the container.

# Network configuration
lxc.network.type = vlan
lxc.network.link = ens33
lxc.network.vlan.id = 10
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:f4:4b:0a
lxc.network.ipv4 = 10.10.10.10/24
lxc.network.ipv4.gateway = 10.10.10.1
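
A mistyped key, VLAN ID, prefix or gateway in these fragments only shows up once the container is on the network, possibly on the wrong segment. The lint below is an added example, not part of the original post or of LXC: the name `lint_lxc_network`, the constructed sample and the "shorter than /8" prefix rule are assumptions for illustration, and it checks only the `lxc.network.*` keys used on this page.

```python
import ipaddress

PREFIX = "lxc.network."
KNOWN = {"type", "link", "flags", "hwaddr", "ipv4", "ipv4.gateway", "vlan.id"}

def lint_lxc_network(text):
    """Return a list of problems found in an LXC network config fragment."""
    problems, cfg = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep or not key.startswith(PREFIX) or key[len(PREFIX):] not in KNOWN:
            problems.append(f"line {n}: unrecognised entry '{line}'")
            continue
        cfg[key[len(PREFIX):]] = value
    if cfg.get("type") not in ("veth", "vlan"):  # the two types used on this page
        problems.append("type: expected veth or vlan")
    if "link" not in cfg:
        problems.append("link: missing bridge or parent interface")
    vid = cfg.get("vlan.id", "")
    if cfg.get("type") == "vlan" and not (vid.isdecimal() and 1 <= int(vid) <= 4094):
        problems.append(f"vlan.id: '{vid}' is not in 1..4094")
    try:
        iface = ipaddress.ip_interface(cfg["ipv4"]) if "ipv4" in cfg else None
        gw = cfg.get("ipv4.gateway", "auto")  # a missing gateway is treated as "auto"
        gw = None if gw == "auto" else ipaddress.ip_address(gw)
    except ValueError as exc:
        return problems + [f"ipv4: {exc}"]
    if iface and iface.network.prefixlen < 8:  # assumed heuristic, not an LXC rule
        problems.append(f"ipv4: /{iface.network.prefixlen} is implausibly wide")
    if iface and gw is not None and gw not in iface.network:
        problems.append(f"ipv4.gateway: {gw} is outside {iface.network}")
    return problems

# Constructed sample: the first key lost its leading "l", the gateway is off-subnet.
BAD = """\
# Network configuration
xc.network.type = vlan
lxc.network.link = ens33
lxc.network.vlan.id = 10
lxc.network.ipv4 = 10.10.10.10/24
lxc.network.ipv4.gateway = 10.10.20.1
"""

if __name__ == "__main__":
    for problem in lint_lxc_network(BAD):
        print(problem)
```

Run it against a fragment copied from “/var/lib/lxc/cont_a/config” before starting the container; an empty list means none of these checks fired.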

You can find more information about containers, including useful LXC commands in the Ubuntu documentation.