Linux containers (lxc)

λ.eranga
Apr 5, 2016 · 3 min read

About lxc

Linux containers (lxc) are an operating-system-level virtualization technique. You can find more details about virtualization here.

The building blocks of lxc are cgroups and namespaces, which are Linux kernel features for resource control/limiting and resource isolation of processes. Basically, lxc is a user-land tool that interfaces with the kernel's cgroups and namespaces to create and manage containers.

Anatomy of lxc

It's all about cgroups and namespaces.

Control groups (cgroups)

Cgroups (control groups) are a kernel mechanism for controlling/limiting the resources used by a process or group of processes. They are also capable of measuring/monitoring the total resources used by a process or group of processes.

Resources

The following are the main resources involved:

  1. CPU
  2. Memory
  3. Disk bandwidth
  4. Network bandwidth

How does it control?

For example, consider that I want to control the resources of an application in the following way:

  1. CPU 80% (maximum amount of CPU 80%)
  2. Memory 10 GB (maximum amount of memory 10 GB)
  3. Disk Read/Writes 70% (maximum 70% of disk read/writes)
  4. Network bandwidth 60% (maximum 60% of bandwidth)

Here I can create a group (via cgroups) and assign the above resource limits to that group.

Then I can add applications (for example mongodb, httpd etc.) to this group. Applications added to this group know nothing about these limits; they are enforced automatically outside the applications. Applications in this group cannot use more than 80% CPU, 10 GB of memory, 70% of disk R/W and 60% of network bandwidth.

How does it monitor?

We can monitor the resource consumption of any application assigned to a group.
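As an added example (not part of the original post), here is how the CPU and memory limits from the scenario above are expressed through the cgroup v2 interface files and how a process is moved into the group. The cgroup root is a parameter: on a real host it is /sys/fs/cgroup and writing there needs root, so the functions can be dry-run against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post. Translates "CPU 80%, memory
# 10 GB" into cgroup v2 files and attaches a PID to the group.
# $root is assumed to be /sys/fs/cgroup on a live host (root required);
# any scratch directory works for a dry run.

# cpu.max is "<quota> <period>" in microseconds. A quota of 80 ms per
# 100 ms period is 80% of ONE CPU; multiply the quota by the core count
# if "80%" is meant as 80% of the whole machine.
cpu_max_for_percent() {
    percent=$1
    period=100000
    echo "$(( percent * period / 100 )) $period"
}

# memory.max is a byte count (or the literal "max" for no limit).
memory_max_for_gb() {
    echo "$(( $1 * 1024 * 1024 * 1024 ))"
}

# Create the group, write the two limits, and move one PID into it.
# The post's disk and network percentages have no direct cgroup v2 knob:
# io.max takes absolute bytes/s or IOPS per device, and network shaping
# is done with tc on a net_cls/net_prio mark, so they are left out here.
apply_limits() {
    root=$1; name=$2; cpu_pct=$3; mem_gb=$4; pid=$5
    mkdir -p "$root/$name"
    cpu_max_for_percent "$cpu_pct" > "$root/$name/cpu.max"
    memory_max_for_gb "$mem_gb"    > "$root/$name/memory.max"
    # Writing a PID to cgroup.procs moves that process into the group;
    # the process itself is never told about the limits.
    echo "$pid" > "$root/$name/cgroup.procs"
}

# Read back what the group now holds (this is also where the kernel
# exposes usage counters such as cpu.stat and memory.current).
show_limits() {
    root=$1; name=$2
    printf 'cpu.max=%s memory.max=%s procs=%s\n' \
        "$(cat "$root/$name/cpu.max")" \
        "$(cat "$root/$name/memory.max")" \
        "$(tr '\n' ' ' < "$root/$name/cgroup.procs")"
}

# Live usage: apply_limits /sys/fs/cgroup app 80 10 "$(pidof mongod)"
```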

Namespaces

Namespaces are used for process isolation (keeping a process or group of processes in an isolated environment). They give a process or group of processes an isolated view of resources. The Linux kernel supports 6 types of namespaces.

1. pid namespaces

The Linux kernel maintains a single process tree. PID namespaces allow multiple nested process trees. Each process tree can have an entirely isolated set of processes; processes belonging to one process tree don't know about the existence of parent or sibling processes.

Processes in a child namespace cannot access details about the processes in the parent namespace, but processes in the parent namespace have a complete view of the processes in the child namespace.

2. mnt namespace

Allows a process or group of processes to have a separate root and mounts. It is similar to chroot but more advanced (chroot does not provide complete isolation, and its effect is restricted to the root mount point only).

3. net namespace

Allows a process or group of processes to see an entirely different set of network interfaces.

4. ipc namespace

The IPC namespace gives a process or group of processes its own inter-process communication resources (for example System V IPC and POSIX message queues).

5. uts namespace

The UTS namespace isolates two specific identifiers of the system: nodename and domainname.

6. user namespace

The user namespace allows a process to have root privileges within the namespace without giving it that access to processes outside the namespace.

It provides a mechanism to have separate user, group and capability lists for a process or group of processes.
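The six namespaces above are visible per process under /proc/<pid>/ns, which is the quickest way to check whether two processes share an isolated view. This added example (not from the original post) reads that membership, counts how many namespace types two PIDs share, and, where the kernel allows unprivileged user namespaces or you are root, starts a shell in fresh user/pid/mount/uts namespaces so the child's and the parent's views can be compared.

```shell
#!/bin/sh
# Added example, not from the original post. Inspects namespace membership
# via /proc and demonstrates the isolated view with util-linux unshare.

# The kernel exposes each namespace as a symlink target like pid:[4026531836];
# two PIDs whose targets match share that namespace.
ns_ids() {
    pid=$1
    for ns in pid mnt net ipc uts user; do
        printf '%s=%s\n' "$ns" \
            "$(readlink "/proc/$pid/ns/$ns" 2>/dev/null || echo unavailable)"
    done
}

# Number of namespace types (0..6) two PIDs have in common. A container
# process inspected from the host typically differs in pid, mnt, net, ipc
# and uts, and in user as well when user namespaces are in use.
shared_ns_count() {
    a=$(ns_ids "$1"); b=$(ns_ids "$2"); n=0
    for ns in pid mnt net ipc uts user; do
        [ "$(echo "$a" | grep "^$ns=")" = "$(echo "$b" | grep "^$ns=")" ] \
            && n=$((n + 1))
    done
    echo "$n"
}

# Start a shell in new user, pid, mount and uts namespaces (needs root or
# unprivileged user namespaces enabled). Inside it, ps shows only the new
# process tree with the shell as PID 1 and hostname can be changed without
# touching the host; from the host, ps still lists the child's processes.
isolated_shell() {
    unshare --user --map-root-user --pid --fork --mount-proc --uts sh -c '
        hostname sandbox
        echo "inside: hostname=$(hostname) pid=$$"
        ps -o pid,comm'
}
```

Compare `ns_ids $$` on the host with `ns_ids <pid>` of a process started by `isolated_shell` to see which of the six entries differ.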

lxc with cgroups and namespaces

Cgroups and namespaces can be applied to any process running on a Linux system (for example, you can limit the CPU usage of a process by using a cgroup).

When the full set of cgroups (cpu, memory, disk r/w, network bw) and namespaces (pid, mnt, net, ipc, uts, user) is applied, you end up with a group of processes running in a fully isolated environment within the Linux system. These isolated environments are Linux containers.

