I've been reading a lot of documentation on Linux containers. I also tried it out the CentOS way and the Ubuntu way.

Wikipedia says

it is an operating system–level virtualization.

Linuxcontainers.org says

LXC is a userspace interface for the Linux kernel containment features.

I can't get it clear.

  1. Is LXC just a user interface, with some other kernel module providing the container features?
  2. Or is LXC something that gets patched into the kernel when the package is installed, and does it also provide the user-space utilities?
  3. While trying it out on CentOS, installing the lxc package was not required, although it is available in the repositories.
  4. On CentOS, without installing lxc, the libvirt daemon is able to connect to lxc:/// using the libvirt command-line utilities. So is there an lxc module already in the kernel? But I didn't find any with lsmod.
  5. BUT, which is the module in the kernel that provides containerization?

asked by beginer, edited by Cristian Ciupitu

2 Answers


This is a confusing topic because there isn't one thing that "provides containerization". Containers are a general concept implemented in the Linux kernel by using namespaces for process isolation, cgroups for resource management, and possibly more — like SELinux for security.

The lxc tools are one possible interface to this — you can think of it as a front-end, although it might be better to think of it as "front-end plus glue". libvirt-lxc is a similarly-named but totally different such tool, and systemd-nspawn yet another.

And the Linux-containers hot topic, Docker, is also a layer of user interface and glue, but it can actually sit above several other backends, including any of the above — see this slightly-dated blog post about Docker 0.9, and in particular the graphic explaining libcontainer.

Dan Walsh gave a talk on this at Usenix '13 which might be helpful: https://www.usenix.org/conference/lisa13/secure-linux-containers (Disclaimer: Dan is a co-worker of mine at Red Hat.)

answered by mattdm, edited by Cristian Ciupitu

  • That was perfect. All doubts cleared. Above all, Dan's talk was just wow for a *beginer* like me ;) – beginer Jul 23 '14 at 14:30
  • @beginer You might also be interested in a newer article from Dan, [Docker security with SELinux](http://opensource.com/business/14/7/docker-security-selinux) – mattdm Jul 23 '14 at 14:33

  1. Yes and no. LXC is just a user interface, not for a module but for some kernel features: mainly the process (PID), user, network, mount, UTS and IPC namespaces, as well as cgroups and other stuff.

  2. No.

  3. Correct, you can use the same kernel features or principles using other administration tools.

  4. As I said in my first message, it uses specific features of the Linux kernel that are built-in, it does not require any module.

  5. None. Well, there are certain features that you need to enable when building the kernel, but they are not exactly modules. CentOS (which is built from RHEL) has them in its kernel config.

answered by Florin Asăvoaie
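Both answers make the same point: the isolation primitives (namespaces, cgroups) are compiled into the kernel, so `lsmod` shows nothing and the lxc package is only a front-end. The script below is an added example, not code from either answerer or from the LXC project; it verifies that claim on a running system. It assumes a Linux kernel with a readable `/proc` and, for the last function only, the util-linux `unshare` command; where unprivileged user namespaces are disabled (a common hardening setting, and the default on older RHEL/CentOS kernels), that function reports "unavailable" instead of failing.

```shell
#!/bin/sh
# Added example: confirm that container isolation lives in the kernel
# itself, not in an "lxc" module or in the lxc user-space package.

# 1. Namespace support. Every file under /proc/self/ns is a namespace
#    type the running kernel implements (pid, mnt, net, uts, ipc, user,
#    cgroup, ...). Prints "yes" or "no" for the type given as $1.
ns_present() {
    if [ -e "/proc/self/ns/$1" ]; then echo yes; else echo no; fi
}

# 2. Loaded modules. /proc/modules is what lsmod reads. Prints how many
#    loaded modules start with the prefix $1; for "lxc" this is 0 because
#    no such module exists. Prints 0 when module support is absent.
module_count() {
    if [ -r /proc/modules ]; then
        grep -c "^$1" /proc/modules || true   # grep -c prints 0 on no match
    else
        echo 0
    fi
}

# 3. Kernel build options. Namespaces and cgroups are compile-time
#    features (CONFIG_...=y), never CONFIG_...=m. Looks in /proc/config.gz
#    first, then /boot/config-<release>; prints the matching line or
#    "<option>=unknown" when neither source is readable.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep "^$1=" || echo "$1=unknown"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        grep "^$1=" "/boot/config-$(uname -r)" || echo "$1=unknown"
    else
        echo "$1=unknown"
    fi
}

# 4. Containment without any lxc tooling: run a shell in a fresh PID and
#    mount namespace (via an unprivileged user namespace so no root is
#    needed). Inside, the shell sees itself as PID 1. Prints that inner PID,
#    or "unavailable" if the kernel or sandbox forbids user namespaces.
inner_pid() {
    unshare --user --map-root-user --pid --fork --mount-proc \
        sh -c 'echo $$' 2>/dev/null || echo unavailable
}

# Report (only when run directly; the functions above are the reusable part).
for ns in pid mnt net uts ipc user cgroup; do
    echo "namespace $ns: $(ns_present "$ns")"
done
echo "loaded modules named lxc*: $(module_count lxc)"
for opt in CONFIG_NAMESPACES CONFIG_PID_NS CONFIG_USER_NS CONFIG_CGROUPS; do
    kernel_config "$opt"
done
echo "PID of shell inside a new PID namespace: $(inner_pid)"
```

Reading the output: every namespace type reports "yes" and the lxc module count is 0, which is exactly the situation the question describes on CentOS. The `inner_pid` line printing `1` shows the kernel isolating a process with nothing but `unshare(2)`/`clone(2)` flags, which is all the lxc, libvirt-lxc, systemd-nspawn and Docker front-ends ultimately ask the kernel to do.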