The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
You can use the lxc-execute command to create a temporary application container in which you can run a command that is effectively isolated from the rest of the system. For example, the following command creates an application container named guest that runs sleep for 100 seconds.
[root@host ~]# lxc-execute -n guest -- sleep 100
While the container is active, you can monitor it by running commands such as lxc-ls --active and lxc-info -n guest from another window.
[root@host ~]# lxc-ls --active
guest
[root@host ~]# lxc-info -n guest
state: RUNNING
pid: 7021
If you need to customize an application container, you can use a configuration file. For example, you might want to change the container's network configuration or the system directories that it mounts.
The following example shows settings from a sample configuration file where the rootfs is mostly not shared except for mount entries to ensure that lxc-init and certain library and binary directory paths are available.
lxc.utsname = guest
lxc.tty = 1
lxc.pts = 1
lxc.rootfs = /tmp/guest/rootfs
lxc.mount.entry=/lib /tmp/guest/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/usr/libexec /tmp/guest/rootfs/usr/lib none ro,bind 0 0
lxc.mount.entry=/lib64 /tmp/guest/rootfs/lib64 none ro,bind 0 0
lxc.mount.entry=/usr/lib64 /tmp/guest/rootfs/usr/lib64 none ro,bind 0 0
lxc.mount.entry=/bin /tmp/guest/rootfs/bin none ro,bind 0 0
lxc.mount.entry=/usr/bin /tmp/guest/rootfs/usr/bin none ro,bind 0 0
lxc.cgroup.cpuset.cpus=1
The mount entry for /usr/libexec is required so that the container can access /usr/libexec/lxc/lxc-init on the host system.
The example configuration file mounts both /bin and /usr/bin. In practice, you should limit the host system directories that an application container mounts to only those directories that the container needs to run the application.
To avoid potential conflict with system containers, do not use the /container directory for application containers.
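The two notes above can be checked mechanically before a configuration file is passed to lxc-execute. The following shell function is an added example, not part of the original documentation: audit_lxc_mounts is a hypothetical name, and the sample file and the list of needed directories are constructed. It reports a rootfs under /container, bind mounts that lack the ro option used throughout the sample configuration, and bind-mounted host directories that are not in the list of directories the application needs.

```shell
#!/bin/sh
# Added example: audit the bind mounts in an lxc-execute configuration file.
# Usage: audit_lxc_mounts CONFIG DIR...   (DIR... = host directories the application needs)
# Prints one finding per line and returns 1 if there is any finding, otherwise 0.
audit_lxc_mounts() {
    conf=$1; shift
    awk -v allowed=" $* " '
    {
        eq = index($0, "="); if (!eq) next        # only key=value lines matter
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "lxc.rootfs") rootfs = val
        if (key == "lxc.mount.entry") entry[++n] = val
    }
    END {
        if (rootfs == "/container" || index(rootfs, "/container/") == 1) {
            print "ROOTFS-IN-/container " rootfs; bad = 1
        }
        for (i = 1; i <= n; i++) {
            split(entry[i], f, /[ \t]+/)          # f[1]=host source, f[4]=mount options
            opts = "," f[4] ","
            if (opts !~ /,bind,/) continue        # only bind mounts expose host directories
            if (opts !~ /,ro,/) { print "WRITABLE " f[1]; bad = 1 }
            if (index(allowed, " " f[1] " ") == 0) { print "NOT-NEEDED " f[1]; bad = 1 }
        }
        exit bad + 0
    }' "$conf"
}

# Constructed sample: mount entries from this page plus one writable bind mount of /etc.
sample=$(mktemp)
cat > "$sample" <<'EOF'
lxc.utsname = guest
lxc.rootfs = /tmp/guest/rootfs
lxc.mount.entry=/lib /tmp/guest/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/usr/libexec /tmp/guest/rootfs/usr/lib none ro,bind 0 0
lxc.mount.entry=/lib64 /tmp/guest/rootfs/lib64 none ro,bind 0 0
lxc.mount.entry=/usr/lib64 /tmp/guest/rootfs/usr/lib64 none ro,bind 0 0
lxc.mount.entry=/bin /tmp/guest/rootfs/bin none ro,bind 0 0
lxc.mount.entry=/usr/bin /tmp/guest/rootfs/usr/bin none ro,bind 0 0
lxc.mount.entry=/etc /tmp/guest/rootfs/etc none bind 0 0
EOF
# Assumption for this run: the application needs the libraries, lxc-init and /bin only.
audit_lxc_mounts "$sample" /lib /lib64 /usr/lib64 /usr/libexec /bin || echo "findings above"
rm -f "$sample"
```

A non-zero return status makes the function usable as a gate in a wrapper script that only calls lxc-execute -f when the audit is clean.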
You must also configure the required directories under the rootfs directory:
[root@host ~]# TMPDIR=/tmp/guest/rootfs
[root@host ~]# mkdir -p $TMPDIR/lib $TMPDIR/usr/lib $TMPDIR/lib64 $TMPDIR/usr/lib64 \
  $TMPDIR/bin $TMPDIR/usr/bin $TMPDIR/dev/pts $TMPDIR/dev/shm $TMPDIR/proc
In this example, the directories include /dev/pts, /dev/shm, and /proc in addition to the mount point entries defined in the configuration file.
You can then use the -f option to specify the configuration file (config) to lxc-execute:
[root@host ~]# lxc-execute -n guest -f config -- ps -ef
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 08:56 ? 00:00:00 /usr/lib/lxc/lxc-init -- ps -ef
0 2 1 0 08:56 ? 00:00:00 ps -ef
This example shows that the ps command runs as a child of lxc-init.
As for system containers, you can set cgroup entries in the configuration file and use the lxc-cgroup command to control the system resources to which an application container has access.
lxc-execute is intended to run application containers that share the host's root file system, and not to run system containers that you create using lxc-create. Use lxc-start to run system containers.
For more information, see the lxc-execute(1) and lxc.conf(5) manual pages.