Userspace tools for the Linux kernel containers
LXC is a userspace interface for the Linux kernel containment features.
Through a powerful API and simple tools, it lets Linux users easily create and manage system or application containers.
Current LXC uses the following kernel features to contain processes:
- Kernel namespaces (ipc, uts, mount, pid, network and user)
- Apparmor and SELinux profiles
- Seccomp policies
- Chroots (using pivot_root)
- Kernel capabilities
- Control groups (cgroups)
As such, LXC is often considered as something in the middle between a chroot on steroids and a full fledged virtual machine. The goal of LXC is to create an environment as close as possible as a standard Linux installation but without the need for a separate kernel.
While full hardware virtualization such as KVM, Xen or Hyper-V is great at running fully isolated instances of multiple operating systems on a physical host, it comes with various overheads in terms of performance, resource, and provisioning time. Depending on your use cases, full machine virtuailization may actually not be necessary.
An alternative lightweight virtualization approach is so-called Linux Containers (LXC), which provides operating system level virtualization. Without the overhead of running virtual machines, LXC allows you to run multiple instances of full Linux operating system within lightweight container sandbox. Containers can be very useful when you set up a reproducible development/test environment or deploy applications within secure sandboxes.