Just want some input on the way I’m using LXC and hopefully gain a little more knowledge on how best to use containers on *SUSE.
So I’ve installed the libvirt LXC daemon using YaST and installed LXC via zypper. I usually create containers using “-t download” and have several set up this way. I then use virt-manager to start/stop etc.
I’ve so far been unable to start containers using lxc-start. I’m not unhappy about this setup - using lxc-create to create the container because libvirt-lxc can only point to a directory tree. I prefer the gui to the equivalent lxc-* command…
…but is this a terrible way to use LXC on *SUSE? Am I creating holes in the security?
Can anyone shed some light on how they managed to get LXC to work in its entirety without using virt-manager to control the container? Is there anything in the pipeline to completely integrate LXC and libvirt?
Taking an opportunity to see what is new in LXC (I’ve off and on used LXC for many years, but when I found it impossible to create different OS containers in LXC, I shifted over to Docker).
As expected, LXC is now managed by Libvirt instead of its own manager, and this is installed (optionally) along with a bridge device (not critically necessary since you can easily create it with virt manager).
I’m not sure what you mean by pointing to your container by some other method than a directory tree. Historically, I’ve found that to be the most basic way to point to an LXC container; only within a manager can you map names. Or, if you mean something else, perhaps you can describe it in more detail. I’m also not sure what you mean by “I prefer the gui to the equivalent lxc-* command” – and maybe that’s related to your previous statement about being unable to start a container using lxc-start…
On general principles of using libvirt (virt-create and virt-manager):
Although the underlying technology that is being managed has its own language, those commands are there only for managing the technology without using libvirt (ie typically command line only). If you do anything that is intended to be seen in virt-manager, you generally need to use the virsh commands. So, don’t assume that any machine will be imported and manageable by virt-manager if you use only “lxc-” commands.
I haven’t looked more closely at LXC, but for all other technologies I know when managed by libvirt, the “machine” is defined in an xml description file somewhere. If you don’t create or import a container correctly, I don’t see how you’d be creating the description properly.
As far as security…
Because every LXC container is a directory tree, unless you chroot the container, it’s not really secure. In fact, in one of my Wiki pages long ago, I described how to inject what was needed for my solution into the running container. Docker avoids this by installing the container in a loopback backing file, similar to how most virtualization technologies work by default, and then the file system in the file is less accessible (needs to be mounted on a loop mount point).
And, it makes no sense to say you want to use libvirt without using virt-manager… Libvirt includes the supporting libraries, and its applications <are> virt-manager and virt-install.
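Both posts above come down to the same gap: lxc-create leaves a directory tree under /var/lib/lxc, but libvirt only manages what has an XML domain description. The following is an added example, not code from either poster, the openSUSE project or libvirt itself. It wraps such a directory tree in a libvirt LXC domain definition that virsh (and therefore virt-manager) can define and start, and it adds a uid/gid map so root inside the container is an unprivileged id on the host, which addresses the “directory tree is not really secure” point. The container name, rootfs path, bridge name and the 100000–165535 host id range are constructed placeholders; the libvirt domain elements used (domain type='lxc', os/type exe, filesystem type='mount', idmap) are the real libvirt schema.

```shell
#!/bin/sh
# Added example (not from the thread): wrap an lxc-create'd directory tree
# (e.g. /var/lib/lxc/NAME/rootfs) in a libvirt LXC domain definition so that
# virsh and virt-manager can manage it. Container name, rootfs path, bridge
# name and the 100000.. uid/gid range are constructed placeholders.

# Emit a libvirt <domain type='lxc'> description on stdout.
#   $1 container name
#   $2 host directory holding the container's root filesystem
#   $3 host bridge to attach the container's NIC to (e.g. virbr0)
# The <idmap> block maps container uid/gid 0-65535 onto an unprivileged host
# range, so "root" inside the container is not root on the host.
lxc_domain_xml() {
  name=$1; rootfs=$2; bridge=$3
  cat <<EOF
<domain type='lxc'>
  <name>$name</name>
  <memory unit='MiB'>512</memory>
  <vcpu>1</vcpu>
  <os>
    <type>exe</type>
    <init>/sbin/init</init>
  </os>
  <idmap>
    <uid start='0' target='100000' count='65536'/>
    <gid start='0' target='100000' count='65536'/>
  </idmap>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='$rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <source bridge='$bridge'/>
    </interface>
    <console type='pty'/>
  </devices>
</domain>
EOF
}

# Return 0 when the rootfs directory has no group/other permission bits,
# i.e. other host users cannot browse the container's files from outside.
# Returns 1 when it is group- or world-accessible, 2 when it does not exist.
rootfs_private() {
  mode=$(stat -c %a "$1" 2>/dev/null) || return 2
  case "$mode" in
    *00) return 0 ;;   # e.g. 700 or 1700: only the owner has any access
    *)   return 1 ;;
  esac
}

# Demonstration with constructed values (prints the XML, no side effects).
lxc_domain_xml demo /var/lib/lxc/demo/rootfs virbr0
```

Typical use, assuming the container was created with lxc-create as described in the first post: `lxc_domain_xml web /var/lib/lxc/web/rootfs virbr0 > web.xml`, then `virsh -c lxc:/// define web.xml` and `virsh -c lxc:/// start web`; the domain then shows up in virt-manager under the LXC connection. Because of the idmap, the files in the rootfs must be owned by the mapped host ids (for the range above, `chown -R 100000:100000` on the tree), and `rootfs_private /var/lib/lxc/web` is the quick check that the tree itself is not browsable by other local users.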