在线时间:8:00-16:00
迪恩网络APP
随时随地掌握行业动态
扫描二维码
关注迪恩网络微信公众号
开源软件名称(OpenSource Name):lxc/lxc开源软件地址(OpenSource Url):https://github.com/lxc/lxc开源编程语言(OpenSource Language):C 90.0%开源软件介绍(OpenSource Introduction):LXCLXC is the well-known and heavily tested low-level Linux container runtime. It is in active development since 2008 and has proven itself in critical production environments world-wide. Some of its core contributors are the same people that helped to implement various well-known containerization features inside the Linux kernel. Status
System ContainersLXC's main focus is system containers. That is, containers which offer an environment as close as possible as the one you'd get from a VM but without the overhead that comes with running a separate kernel and simulating all the hardware. This is achieved through a combination of kernel security features such as namespaces, mandatory access control and control groups. Unprivileged ContainersUnprivileged containers are containers that are run without any privilege. This requires support for user namespaces in the kernel that the container is run on. LXC was the first runtime to support unprivileged containers after user namespaces were merged into the mainline kernel. In essence, user namespaces isolate given sets of UIDs and GIDs. This is achieved by establishing a mapping between a range of UIDs and GIDs on the host to a different (unprivileged) range of UIDs and GIDs in the container. The kernel will translate this mapping in such a way that inside the container all UIDs and GIDs appear as you would expect from the host whereas on the host these UIDs and GIDs are in fact unprivileged. For example, a process running as UID and GID 0 inside the container might appear as UID and GID 100000 on the host. The implementation and working details can be gathered from the corresponding user namespace man page. Since unprivileged containers are a security enhancement they naturally come with a few restrictions enforced by the kernel. In order to provide a fully functional unprivileged container LXC interacts with 3 pieces of setuid code:
Everything else is run as your own user or as a uid which your user owns. In general, LXC's goal is to make use of every security feature available in the kernel. This means LXC's configuration management will allow experienced users to intricately tune LXC to their needs. A more detailed introduction into LXC security can be found under the following link Removing all PrivilegeIn principle LXC can be run without any of these tools provided the correct configuration is applied. However, the usefulness of such containers is usually quite restricted. Just to highlight the two most common problems:
ConfigurationLXC is configured via a simple set of keys. For example,
LXC namespaces configuration keys by using single dots. This means complex
configuration keys such as LXC is used as the default runtime for LXD, a container hypervisor exposing a well-designed and stable REST-api on top of it. Kernel RequirementsLXC runs on any kernel from 2.6.32 onwards. All it requires is a functional C compiler. LXC works on all architectures that provide the necessary kernel features. This includes (but isn't limited to):
LXC also supports at least the following C standard libraries:
Backwards CompatibilityLXC has always focused on strong backwards compatibility. In fact, the API
hasn't been broken from release Reporting Security IssuesThe LXC project has a good reputation in handling security issues quickly and efficiently. If you think you've found a potential security issue, please report it by e-mail to all of the following persons:
For further details please have a look at Becoming Active in LXC developmentWe always welcome new contributors and are happy to provide guidance when
necessary. LXC follows the kernel coding conventions. This means we only
require that each commit includes a and should also take a look at the CONTRIBUTING file in this repo. If you want to become more active it is usually also a good idea to show up in the LXC IRC channel #lxc-dev on irc.libera.chat. We try to do all development out in the open and discussion of new features or bugs is done either in appropriate GitHub issues or on IRC. When thinking about making security critical contributions or substantial changes it is usually a good idea to ping the developers first and ask whether a PR would be accepted. Semantic VersioningLXC and its related projects strictly adhere to a semantic versioning scheme. Downloading the current source codeSource for the latest released version can always be downloaded from You can browse the up to the minute source code and change history online Building LXCWithout considering distribution specific details a simple
is usually sufficient. Getting helpWhen you find you need help, the LXC projects provides you with several options. Discuss ForumWe maintain an discuss forum at where you can get support. IRCYou can find us in #lxc on irc.libera.chat. Mailing ListsYou can check out one of the two LXC mailing list archives and register if interested:
|
2023-10-27
2022-08-15
2022-08-17
2022-09-23
2022-08-13
请发表评论