9.9 Running Application Containers

You can use the lxc-execute command to create a temporary application container in which you can run a single command. The command runs in its own set of namespaces, isolated from the processes and mount points of the rest of the system, and the container disappears when the command exits. For example, the following command creates an application container named guest that runs sleep for 100 seconds.

[root@host ~]# lxc-execute -n guest -- sleep 100

While the container is active, you can monitor it by running commands such as lxc-ls --active and lxc-info -n guest from another window.

[root@host ~]# lxc-ls --active
guest
[root@host ~]# lxc-info -n guest
state:   RUNNING
pid:      7021

If you need to customize an application container, you can use a configuration file. For example, you might want to change the container's network configuration or the system directories that it mounts.

The following example shows settings from a sample configuration file in which the container has its own, mostly empty, root file system under /tmp/guest/rootfs. Nothing from the host is shared except for the read-only bind mounts that the mount entries define, which make lxc-init and the host's library and binary directories available inside the container.

lxc.utsname = guest
lxc.tty = 1
lxc.pts = 1
lxc.rootfs = /tmp/guest/rootfs
lxc.mount.entry=/lib /tmp/guest/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/usr/libexec /tmp/guest/rootfs/usr/lib none ro,bind 0 0
lxc.mount.entry=/lib64 /tmp/guest/rootfs/lib64 none ro,bind 0 0
lxc.mount.entry=/usr/lib64 /tmp/guest/rootfs/usr/lib64 none ro,bind 0 0
lxc.mount.entry=/bin /tmp/guest/rootfs/bin none ro,bind 0 0
lxc.mount.entry=/usr/bin /tmp/guest/rootfs/usr/bin none ro,bind 0 0
lxc.cgroup.cpuset.cpus=1

The mount entry for /usr/libexec bind-mounts the host's /usr/libexec onto /usr/lib inside the container. It is required so that the host's /usr/libexec/lxc/lxc-init is reachable inside the container as /usr/lib/lxc/lxc-init, which is the path that lxc-execute uses, as the ps output later in this section shows.

The example configuration file mounts both /bin and /usr/bin. Although the bind mounts are read-only, every binary in those directories is visible and executable inside the container. In practice, you should limit the host system directories that an application container mounts to only those directories that the container needs to run the application. Also note that /tmp is writable by every user on the host; the rootfs location in this example is for illustration, and a production container should use a directory that unprivileged users cannot create or modify.

Note

To avoid potential conflict with system containers, do not use the /container directory for application containers.

You must also create the mount-point directories under the rootfs directory before you start the container:

[root@host ~]# ROOTFS=/tmp/guest/rootfs
[root@host ~]# mkdir -p $ROOTFS/lib $ROOTFS/usr/lib $ROOTFS/lib64 $ROOTFS/usr/lib64 \
$ROOTFS/bin $ROOTFS/usr/bin $ROOTFS/dev/pts $ROOTFS/dev/shm $ROOTFS/proc

In this example, the directories include /dev/pts, /dev/shm, and /proc, which the container needs for its pseudo file systems, in addition to the mount-point directories that correspond to the mount entries in the configuration file. (The variable is named ROOTFS rather than TMPDIR because TMPDIR is an environment variable that many commands use to locate their temporary files; if it is already exported in your shell, reassigning it would redirect those files into the container's rootfs.)

You can then use the -f option to specify the configuration file (here named config) to lxc-execute:

[root@host ~]# lxc-execute -n guest -f config -- ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
0            1     0  0 08:56 ?        00:00:00 /usr/lib/lxc/lxc-init -- ps -ef
0            2     1  0 08:56 ?        00:00:00 ps -ef

This example shows that the ps command runs as a child of lxc-init, which is PID 1 inside the container. These are the only two processes that ps can see, because the container has its own PID namespace and the host's processes are not visible from inside it.
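The three steps above (write the configuration, create the mount-point directories, run lxc-execute) are easy to get out of step with each other: a mount entry whose target directory was never created, a bind that is not read-only, or a target outside the rootfs. The following shell script is an added example and is not part of the Oracle Linux documentation or of the lxc project; it derives the directory list from the configuration file itself and checks each mount entry before anything is started. The guest name, the rootfs path /tmp/guest/rootfs, and the config file location /tmp/guest/config are assumptions carried over from the text; run_in_guest only calls lxc-execute when the command is installed and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the LXC documentation or the lxc project: build the
# rootfs skeleton for an lxc-execute application container from its config
# file and sanity-check the mount entries before running anything. The guest
# name, rootfs path and config path are assumptions taken from the text.
set -eu

# Write the example configuration for a rootfs at $1 to the file $2.
write_config() {
    cat > "$2" <<EOF
lxc.utsname = guest
lxc.tty = 1
lxc.pts = 1
lxc.rootfs = $1
lxc.mount.entry=/lib $1/lib none ro,bind 0 0
lxc.mount.entry=/usr/libexec $1/usr/lib none ro,bind 0 0
lxc.mount.entry=/lib64 $1/lib64 none ro,bind 0 0
lxc.mount.entry=/usr/lib64 $1/usr/lib64 none ro,bind 0 0
lxc.mount.entry=/bin $1/bin none ro,bind 0 0
lxc.mount.entry=/usr/bin $1/usr/bin none ro,bind 0 0
lxc.cgroup.cpuset.cpus=1
EOF
}

# Print the lxc.rootfs value of config file $1.
config_rootfs() {
    sed -n 's/^lxc\.rootfs[[:space:]]*=[[:space:]]*//p' "$1"
}

# Print "source target options" for every lxc.mount.entry line of config $1.
mount_entries() {
    sed -n 's/^lxc\.mount\.entry[[:space:]]*=[[:space:]]*//p' "$1" |
        awk '{ print $1, $2, $4 }'
}

# Create every mount target named in config $1, plus the /dev/pts, /dev/shm
# and /proc directories, so the mkdir list cannot drift from the config.
make_rootfs_dirs() {
    root=$(config_rootfs "$1")
    mkdir -p "$root/dev/pts" "$root/dev/shm" "$root/proc"
    mount_entries "$1" | while read -r _src dst _opts; do
        mkdir -p "$dst"
    done
}

# Check each bind mount of config $1: the target lies under the rootfs, the
# source exists on the host, and the bind is read-only. Prints one line per
# problem and returns 1 if there are any.
check_config() {
    root=$(config_rootfs "$1")
    problems=$(mount_entries "$1" | while read -r src dst opts; do
        case $dst in
            "$root"/*) ;;
            *) echo "target outside rootfs: $dst" ;;
        esac
        [ -d "$src" ] || echo "source missing on host: $src"
        case ",$opts," in
            *,ro,*) ;;
            *) echo "not read-only: $src -> $dst ($opts)" ;;
        esac
    done)
    [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
}

# Run a command in the guest container if lxc-execute is installed and we
# are root; otherwise only report the command that would be run.
run_in_guest() {
    cfg=$1; shift
    if command -v lxc-execute >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        lxc-execute -n guest -f "$cfg" -- "$@"
    else
        echo "would run: lxc-execute -n guest -f $cfg -- $*"
    fi
}

# Stand-alone use: the same paths as the text, config kept next to the rootfs.
main() {
    rootfs=/tmp/guest/rootfs      # rootfs path used in the text
    cfg=/tmp/guest/config         # assumed location of the config file
    mkdir -p "$(dirname "$cfg")"
    write_config "$rootfs" "$cfg"
    make_rootfs_dirs "$cfg"
    if check_config "$cfg"; then
        run_in_guest "$cfg" ps -ef
    else
        echo "not running lxc-execute: fix the configuration first" >&2
    fi
}
main
```

check_config treats a bind without the ro option and a target that resolves outside the rootfs as errors, because either one gives the contained command write access to, or a view of, host paths that the configuration did not intend to expose. If a host directory named in the configuration does not exist, the check reports that too rather than letting lxc-execute fail at mount time.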

As with system containers, you can set cgroup entries in the configuration file (for example, lxc.cgroup.cpuset.cpus=1 above pins the container to CPU 1) and use the lxc-cgroup command to control the system resources to which an application container has access.

Note

lxc-execute is intended to run application containers that share the host's root file system, and not to run system containers that you create using lxc-create. Use lxc-start to run system containers.

For more information, see the lxc-execute(1) and lxc.conf(5) manual pages.