
Mastering Linux Containers: From cgroups & Namespaces to LXC Hands‑On

This guide explains Linux container isolation, compares virtualization with containers, introduces cgroups and namespaces, and provides step‑by‑step commands for installing LXC, creating, configuring, and starting containers, including password reset procedures.

MaGe Linux Operations

Isolation and Sharing

In a shared development environment, or on a server running multiple logically isolated processes, each environment should not affect the others, so a single physical machine has to be divided into multiple virtual environments, or containers. The OS provides a way to create and enter containers so that applications run as if on independent machines while still sharing many underlying resources.

Virtualization vs Containers

Traditional virtualization emulates hardware or uses OS software, whereas container technology is much more lightweight.

Containers provide isolation while sharing resources, reducing overhead compared to full virtualization. For example, they can share the page cache of common files like glibc because all containers use the same kernel and often the same libc library, extending to other read‑only files.

Compared with traditional virtualization, containers start quickly, allow thousands of instances on a single host, and use image distribution similar to Git, making creation, distribution, and updates easier.

History of Containers

The modern era is dominated by Docker, while its predecessors include the 1982 chroot tool and the later LXC technology, which Docker used before version 0.9.

Linux container functionality is built on cgroups and namespaces, so understanding Linux containers requires first learning about cgroups and namespaces.

cgroups (Control Groups)

cgroups are a kernel feature for grouping processes. They isolate process groups from one another and control their resource usage (CPU, memory, etc.) at the OS level, which is what makes a group of processes behave like a container. The CPU resources available to a process group are defined through cpuset.

Namespace

Namespaces give each process group its own PID, IPC, and network spaces. They are implemented via the clone system call, where the third argument (flags) sets the desired namespaces.

yum install epel-release -y

Then install the LXC tools and templates:

yum install lxc lxc-templates -y

After installation, use lxc-checkconfig to verify OS support for container technology.
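The namespaces described above can be observed per process through the symlinks under /proc/<pid>/ns. The following is an added example, not part of the original article: the function names (ns_diff, make_sample, ns_demo) are hypothetical and the inode numbers are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original article.
# /proc/<pid>/ns/<type> is a symlink whose target, e.g. "pid:[4026531836]",
# identifies one namespace instance. Two processes share a namespace exactly
# when the targets are equal.

# ns_diff DIR_A DIR_B: print each namespace type in which A and B differ.
# DIR_A and DIR_B are /proc/<pid> directories (or trees laid out like them).
ns_diff() {
    for link in "$1"/ns/*; do
        name=${link##*/}
        id_a=$(readlink "$link" 2>/dev/null) || continue
        id_b=$(readlink "$2/ns/$name" 2>/dev/null) || id_b=missing
        [ "$id_a" = "$id_b" ] || printf '%s\n' "$name"
    done
}

# make_sample DIR IPC NET PID USER: build a constructed /proc/<pid>-like tree.
make_sample() {
    mkdir -p "$1/ns"
    ln -s "ipc:[$2]"  "$1/ns/ipc"
    ln -s "net:[$3]"  "$1/ns/net"
    ln -s "pid:[$4]"  "$1/ns/pid"
    ln -s "user:[$5]" "$1/ns/user"
}

# ns_demo: host init versus a container init, using constructed inode numbers.
# The user namespace is shared in this sample, as it is for a container
# started without its own user namespace.
ns_demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/host"      4026531839 4026531992 4026531836 4026531837
    make_sample "$tmp/container" 4026532201 4026532204 4026532202 4026531837
    ns_diff "$tmp/host" "$tmp/container"
    rm -rf "$tmp"
}

ns_demo
```

On a live host, pass /proc/1 and the /proc directory of the container's init process; reading another process's ns links generally requires root.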

LXC Tool Overview

All LXC command‑line APIs are listed here, allowing you to manage LXC containers.

Creating a Container

Use a predefined template to create a container; the template automatically downloads and installs required packages.

lxc-create -n <container_name> -t <template>
lxc-create -n mariolu-console -t centos

Templates are provided by the lxc-templates package and reside in /usr/share/lxc/templates/.

As with chroot, once the container is installed its root directory is mapped to a directory on the host, under /var/lib/lxc/mariolu-console.

Starting a Container

After installation, start the container similarly to booting a server:

lxc-start -n mariolu-console

When starting, you may be prompted for a password, but containers created without a password appear to have none.

The root password is not visible; it may be replaced by ‘x’ characters or a hash.

cat /var/lib/lxc/mariolu-console/rootfs/etc/shadow
chroot /var/lib/lxc/mariolu-console/rootfs passwd

Online sources indicate the root password is set as expired and must be changed on first login. To reset it from the host without starting the container:

The root password is set up as expired and will require it to be changed at first login, which you should do as soon as possible. If you lose the root password or wish to change it without starting the container, you can change it from the host by running the following command (which will also reset the expired flag)
chroot /var/lib/lxc/sspl-test/rootfs passwd

Run the reset command, then you can log in with the new password.
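To check the state of the root entry before and after the reset, the container's shadow file can be read from the host without executing anything from the container's rootfs. This is an added example, not part of the original article: shadow_status and shadow_demo are hypothetical names, and the sample shadow file (including the hash) is constructed.

```shell
#!/bin/sh
# Added example, not from the original article.
# shadow(5) fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
#   password empty          -> no password is required to log in
#   password starts ! or *  -> password login is locked
#   lastchg equal to 0      -> password must be changed at next login

# shadow_status SHADOW_FILE USER: print "<password-state> <change-state>".
# Returns non-zero when USER has no entry.
shadow_status() {
    awk -F: -v user="$2" '
        $1 == user {
            if ($2 == "")          pw = "empty"
            else if ($2 ~ /^[!*]/) pw = "locked"
            else                   pw = "set"
            chg = ($3 == "0") ? "must-change" : "ok"
            print pw, chg
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# shadow_demo: run the check over a constructed shadow file (fake hash).
shadow_demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0:99999:7:::
bin:*:17000:0:99999:7:::
guest::17000:0:99999:7:::
EOF
    for u in root bin guest; do
        shadow_status "$sample" "$u"
    done
    rm -f "$sample"
}

shadow_demo
```

Against the container from this article, the call would be shadow_status /var/lib/lxc/mariolu-console/rootfs/etc/shadow root, run as root on the host.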

Source: https://cloud.tencent.com/developer/article/1539709