]>
Commit | Line | Data |
---|---|---|
dc46727f CB |
1 | # LXC |
2 | ||
3 | * Jenkins: [![Build Status](https://jenkins.linuxcontainers.org/job/lxc-github-commit/badge/icon)](https://jenkins.linuxcontainers.org/job/lxc-github-commit/) | |
4 | * Travis: [![Build Status](https://travis-ci.org/lxc/lxc.svg?branch=master)](https://travis-ci.org/lxc/lxc/) | |
5 | ||
6 | LXC is the well-known and heavily tested low-level Linux container runtime. It | |
7 | is in active development since 2008 and has proven itself in critical | |
8 | production environments world-wide. Some of its core contributors are the same | |
9 | people that helped to implement various well-known containerization features | |
10 | inside the Linux kernel. | |
11 | ||
12 | ## System Containers | |
13 | ||
14 | LXC's main focus is system containers. That is, containers which offer an | |
15 | environment as close as possible as the one you'd get from a VM but without the | |
16 | overhead that comes with running a separate kernel and simulating all the | |
17 | hardware. | |
18 | ||
19 | This is achieved through a combination of kernel security features such as | |
20 | namespaces, mandatory access control and control groups. | |
21 | ||
22 | ## Unprivileged Containers | |
23 | ||
24 | Unprivileged containers are containers that are run without any privilege. This | |
25 | requires support for user namespaces in the kernel that the container is run | |
26 | on. LXC was the first runtime to support unprivileged containers after user | |
27 | namespaces were merged into the mainline kernel. | |
28 | ||
29 | In essence, user namespaces isolate given sets of UIDs and GIDs. This is | |
30 | achieved by establishing a mapping between a range of UIDs and GIDs on the host | |
31 | to a different (unprivileged) range of UIDs and GIDs in the container. The | |
32 | kernel will translate this mapping in such a way that inside the container all | |
33 | UIDs and GIDs appear as you would expect from the host whereas on the host | |
34 | these UIDs and GIDs are in fact unprivileged. For example, a process running as | |
35 | UID and GID 0 inside the container might appear as UID and GID 100000 on the | |
36 | host. The implementation and working details can be gathered from the | |
37 | corresponding user namespace man page. | |
38 | ||
39 | Since unprivileged containers are a security enhancement they naturally come | |
40 | with a few restrictions enforced by the kernel. In order to provide a fully | |
41 | functional unprivileged container LXC interacts with 3 pieces of setuid code: | |
42 | ||
43 | - lxc-user-nic (setuid helper to create a veth pair and bridge it on the host) | |
44 | - newuidmap (from the shadow package, sets up a uid map) | |
45 | - newgidmap (from the shadow package, sets up a gid map) | |
46 | ||
47 | Everything else is run as your own user or as a uid which your user owns. | |
48 | ||
49 | In general, LXC's goal is to make use of every security feature available in | |
50 | the kernel. This means LXC's configuration management will allow experienced | |
51 | users to intricately tune LXC to their needs. | |
52 | ||
53 | A more detailed introduction into LXC security can be found under the following link | |
54 | ||
55 | - https://linuxcontainers.org/lxc/security/ | |
56 | ||
57 | ### Removing all Privilege | |
58 | ||
59 | In principle LXC can be run without any of these tools provided the correct | |
60 | configuration is applied. However, the usefulness of such containers is usually | |
61 | quite restricted. Just to highlight the two most common problems: | |
62 | ||
63 | 1. Network: Without relying on a setuid helper to setup appropriate network | |
64 | devices for an unprivileged user (see LXC's `lxc-user-nic` binary) the only | |
65 | option is to share the network namespace with the host. Although this should | |
66 | be secure in principle, sharing the host's network namespace is still one | |
67 | step of isolation less and increases the attack vector. | |
68 | Furthermore, when host and container share the same network namespace the | |
69 | kernel will refuse any sysfs mounts. This usually means that the init binary | |
70 | inside of the container will not be able to boot up correctly. | |
71 | ||
72 | 2. User Namespaces: As outlined above, user namespaces are a big security | |
ac8f64dc CB |
73 | enhancement. However, without relying on privileged helpers users who are |
74 | unprivileged on the host are only permitted to map their own UID into | |
75 | a container. A standard POSIX system however, requires 65536 UIDs and GIDs | |
76 | to be available to guarantee full functionality. | |
dc46727f CB |
77 | |
78 | ## Configuration | |
79 | ||
80 | LXC is configured via a simple set of keys. For example, | |
81 | ||
7a96a068 | 82 | - `lxc.rootfs.path` |
dc46727f CB |
83 | - `lxc.mount.entry` |
84 | ||
85 | LXC namespaces configuration keys by using single dots. This means complex | |
7fa3f2e9 | 86 | configuration keys such as `lxc.net.0` expose various subkeys such as |
87 | `lxc.net.0.type`, `lxc.net.0.link`, `lxc.net.0.ipv6`, and others for even | |
dc46727f CB |
88 | more fine-grained configuration. |
89 | ||
90 | LXC is used as the default runtime for [LXD](https://github.com/lxc/lxd), | |
91 | a container hypervisor exposing a well-designed and stable REST-api on top of | |
92 | it. | |
93 | ||
94 | ## Kernel Requirements | |
95 | ||
96 | LXC runs on any kernel from 2.6.32 onwards. All it requires is a functional | |
97 | C compiler. LXC works on all architectures that provide the necessary kernel | |
98 | features. This includes (but isn't limited to): | |
99 | ||
100 | - i686 | |
101 | - x86_64 | |
102 | - ppc, ppc64, ppc64le | |
103 | - s390x | |
104 | - armvl7, arm64 | |
105 | ||
106 | LXC also supports at least the following C standard libraries: | |
107 | ||
108 | - glibc | |
109 | - musl | |
110 | - bionic (Android's libc) | |
111 | ||
112 | ## Backwards Compatibility | |
113 | ||
114 | LXC has always focused on strong backwards compatibility. In fact, the API | |
115 | hasn't been broken from release `1.0.0` onwards. Main LXC is currently at | |
116 | version `2.*.*`. | |
117 | ||
118 | ## Reporting Security Issues | |
119 | ||
120 | The LXC project has a good reputation in handling security issues quickly and | |
121 | efficiently. If you think you've found a potential security issue, please | |
122 | report it by e-mail to all of the following persons: | |
123 | ||
124 | - serge.hallyn (at) ubuntu (dot) com | |
125 | - stgraber (at) ubuntu (dot) com | |
126 | - christian.brauner (at) ubuntu (dot) com | |
127 | ||
128 | For further details please have a look at | |
129 | ||
130 | - https://linuxcontainers.org/lxc/security/ | |
131 | ||
132 | ## Becoming Active in LXC development | |
133 | ||
134 | We always welcome new contributors and are happy to provide guidance when | |
135 | necessary. LXC follows the kernel coding conventions. This means we only | |
136 | require that each commit includes a `Signed-off-by` line. The coding style we | |
137 | use is identical to the one used by the Linux kernel. You can find a detailed | |
138 | introduction at: | |
139 | ||
140 | - https://www.kernel.org/doc/html/v4.10/process/coding-style.html | |
141 | ||
142 | and should also take a look at the [CONTRIBUTING](CONTRIBUTING) file in this | |
143 | repo. | |
144 | ||
145 | If you want to become more active it is usually also a good idea to show up in | |
146 | the LXC IRC channel `#lxc-dev` on `Freenode`. We try to do all development out | |
147 | in the open and discussion of new features or bugs is done either in | |
148 | appropriate Github issues or on IRC. | |
149 | ||
150 | When thinking about making security critical contributions or substantial | |
151 | changes it is usually a good idea to ping the developers first and ask whether | |
152 | a PR would be accepted. | |
153 | ||
154 | ## Semantic Versioning | |
155 | ||
156 | LXC and its related projects strictly adhere to a [semantic | |
157 | versioning](http://semver.org/) scheme. | |
158 | ||
159 | ## Downloading the current source code | |
160 | ||
161 | Source for the latest released version can always be downloaded from | |
162 | ||
163 | - https://linuxcontainers.org/downloads/ | |
164 | ||
165 | You can browse the up to the minute source code and change history online | |
166 | ||
167 | - https://github.com/lxc/lxc | |
168 | ||
169 | ## Building LXC | |
170 | ||
171 | Without considering distribution specific details a simple | |
172 | ||
173 | ./autogen.sh && ./configure && make && sudo make install | |
174 | ||
175 | is usually sufficient. | |
176 | ||
177 | In order to test current git master of LXC it is usually a good idea to compile with | |
178 | ||
179 | ./autogen.sh && ./configure && make | |
180 | ||
181 | in a convenient directory and set `LD_LIBRARY_PATH="${BUILD_DIR}"/lxc/src/lxc/.libs`. | |
182 | ||
183 | ## Getting help | |
184 | ||
185 | When you find you need help, the LXC projects provides you with several options. | |
186 | ||
187 | ### Discuss Forum | |
188 | ||
189 | We maintain an discuss forum at | |
190 | ||
191 | - https://discuss.linuxcontainers.org/ | |
192 | ||
193 | where you can get support. | |
194 | ||
195 | ### IRC | |
196 | ||
197 | You can find support by joining `#lxcontainers` on `Freenode`. | |
198 | ||
199 | ### Mailing Lists | |
200 | ||
201 | You can check out one of the two LXC mailing list archives and register if | |
202 | interested: | |
203 | ||
204 | - http://lists.linuxcontainers.org/listinfo/lxc-devel | |
205 | - http://lists.linuxcontainers.org/listinfo/lxc-users |