{"id":13401382,"url":"https://github.com/lxc/lxc","last_synced_at":"2025-05-12T20:49:30.910Z","repository":{"id":4579231,"uuid":"5720995","full_name":"lxc/lxc","owner":"lxc","description":"LXC - Linux Containers","archived":false,"fork":false,"pushed_at":"2025-05-10T16:42:28.000Z","size":35842,"stargazers_count":4860,"open_issues_count":160,"forks_count":1133,"subscribers_count":211,"default_branch":"main","last_synced_at":"2025-05-10T17:37:46.818Z","etag":null,"topics":["c","containers","hacktoberfest","lxc"],"latest_commit_sha":null,"homepage":"https://linuxcontainers.org/lxc","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lxc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING","funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2012-09-07T18:50:27.000Z","updated_at":"2025-05-10T17:05:42.000Z","dependencies_parsed_at":"2023-09-26T22:56:00.765Z","dependency_job_id":"e935da6c-0b4a-40a2-b9bc-2d966b1d28c3","html_url":"https://github.com/lxc/lxc","commit_stats":{"total_commits":9444,"total_committers":547,"mean_commits":"17.265082266910422","dds":0.6135112240576027,"last_synced_commit":"9c1d70ef8b393d42fc089e89b16a3ec7d8769ff1"},"previous_names":[],"tags_count":131,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lxc%2Flxc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lxc%2Flxc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lxc%2Flxc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/lxc%2Flxc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lxc","download_url":"https://codeload.github.com/lxc/lxc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253820332,"owners_count":21969503,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","containers","hacktoberfest","lxc"],"created_at":"2024-07-30T19:01:02.124Z","updated_at":"2025-05-12T20:49:30.888Z","avatar_url":"https://github.com/lxc.png","language":"C","readme":"![Linux Containers logo](https://linuxcontainers.org/static/img/containers.png)\n# LXC\n\nLXC is the well-known and heavily tested low-level Linux container runtime. It\nhas been in active development since 2008 and has proven itself in critical\nproduction environments world-wide. 
Some of its core contributors are the same\npeople that helped to implement various well-known containerization features\ninside the Linux kernel.\n\n## Status\nType            | Service               | Status\n---             | ---                   | ---\nCI (Linux)      | GitHub                | [![Build Status](https://github.com/lxc/lxc/actions/workflows/build.yml/badge.svg)](https://github.com/lxc/lxc/actions)\nCI (Linux)      | Jenkins               | [![Build Status](https://jenkins.linuxcontainers.org/job/lxc-github-commit/badge/icon)](https://jenkins.linuxcontainers.org/job/lxc-github-commit/)\nProject status  | CII Best Practices    | [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1087/badge)](https://bestpractices.coreinfrastructure.org/projects/1087)\nFuzzing         | OSS-Fuzz              | [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/lxc.svg)](https://oss-fuzz-build-logs.storage.googleapis.com/index.html#lxc)\nFuzzing         | CIFuzz                | [![CIFuzz](https://github.com/lxc/lxc/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/lxc/lxc/actions/workflows/cifuzz.yml)\n\n## System Containers\n\nLXC's main focus is system containers. That is, containers which offer an\nenvironment as close as possible to the one you'd get from a VM but without the\noverhead that comes with running a separate kernel and simulating all the\nhardware.\n\nThis is achieved through a combination of kernel security features such as\nnamespaces, mandatory access control and control groups.\n\n## Unprivileged Containers\n\nUnprivileged containers are containers that are run without any privilege. This\nrequires support for user namespaces in the kernel that the container is run\non. LXC was the first runtime to support unprivileged containers after user\nnamespaces were merged into the mainline kernel.\n\nIn essence, user namespaces isolate given sets of UIDs and GIDs. 
This is\nachieved by establishing a mapping between a range of UIDs and GIDs on the host\nto a different (unprivileged) range of UIDs and GIDs in the container. The\nkernel will translate this mapping in such a way that inside the container all\nUIDs and GIDs appear as you would expect from the host whereas on the host\nthese UIDs and GIDs are in fact unprivileged. For example, a process running as\nUID and GID 0 inside the container might appear as UID and GID 100000 on the\nhost. The implementation and working details can be gathered from the\ncorresponding user namespace man page.\n\nSince unprivileged containers are a security enhancement they naturally come\nwith a few restrictions enforced by the kernel. In order to provide a fully\nfunctional unprivileged container LXC interacts with 3 pieces of setuid code:\n\n- lxc-user-nic (setuid helper to create a veth pair and bridge it on the host)\n- newuidmap (from the shadow package, sets up a uid map)\n- newgidmap (from the shadow package, sets up a gid map)\n\nEverything else is run as your own user or as a uid which your user owns.\n\nIn general, LXC's goal is to make use of every security feature available in\nthe kernel. This means LXC's configuration management will allow experienced\nusers to intricately tune LXC to their needs.\n\nA more detailed introduction to LXC security can be found at the following link\n\n- https://linuxcontainers.org/lxc/security/\n\n### Removing all Privilege\n\nIn principle LXC can be run without any of these tools provided the correct\nconfiguration is applied. However, the usefulness of such containers is usually\nquite restricted. Just to highlight the two most common problems:\n\n1. Network: Without relying on a setuid helper to set up appropriate network\n   devices for an unprivileged user (see LXC's `lxc-user-nic` binary) the only\n   option is to share the network namespace with the host. 
Although this should\n   be secure in principle, sharing the host's network namespace is still one\n   step less of isolation and increases the attack surface.\n   Furthermore, when host and container share the same network namespace the\n   kernel will refuse any sysfs mounts. This usually means that the init binary\n   inside of the container will not be able to boot up correctly.\n\n2. User Namespaces: As outlined above, user namespaces are a big security\n   enhancement. However, without relying on privileged helpers users who are\n   unprivileged on the host are only permitted to map their own UID into\n   a container. A standard POSIX system, however, requires 65536 UIDs and GIDs\n   to be available to guarantee full functionality.\n\n## Configuration\n\nLXC is configured via a simple set of keys. For example,\n\n- `lxc.rootfs.path`\n- `lxc.mount.entry`\n\nLXC namespaces configuration keys by using single dots. This means complex\nconfiguration keys such as `lxc.net.0` expose various subkeys such as\n`lxc.net.0.type`, `lxc.net.0.link`, `lxc.net.0.ipv6.address`, and others for\neven more fine-grained configuration.\n\nLXC is used as the default runtime for [Incus](https://github.com/lxc/incus),\na container hypervisor exposing a well-designed and stable REST API on top of\nit.\n\n## Kernel Requirements\n\nLXC runs on any kernel from 2.6.32 onwards. All it requires is a functional\nC compiler. LXC works on all architectures that provide the necessary kernel\nfeatures. This includes (but isn't limited to):\n\n- i686\n- x86_64\n- ppc, ppc64, ppc64le\n- riscv64\n- s390x\n- armv7l, arm64\n- loongarch64\n\nLXC also supports at least the following C standard libraries:\n\n- glibc\n- musl\n\n## Backwards Compatibility\n\nLXC has always focused on strong backwards compatibility. In fact, the API\nhasn't been broken from release `1.0.0` onwards.\n\n## Reporting Security Issues\n\nThe LXC project has a good reputation for handling security issues quickly and\nefficiently. 
If you think you've found a potential security issue, please\nreport it by e-mail to security (at) linuxcontainers (dot) org.\n\nFor further details please have a look at\n\n- https://linuxcontainers.org/lxc/security/\n\n## Becoming Active in LXC development\n\nWe always welcome new contributors and are happy to provide guidance when\nnecessary. LXC follows the kernel coding conventions. This means we only\nrequire that each commit includes a `Signed-off-by` line. The coding style we\nuse is identical to the one used by the Linux kernel. You can find a detailed\nintroduction at:\n\n- https://www.kernel.org/doc/html/v4.10/process/coding-style.html\n\nand should also take a look at the [CONTRIBUTING](CONTRIBUTING) file in this\nrepo.\n\nIf you want to become more active it is usually also a good idea to show up in\nthe LXC IRC channel [#lxc-dev](https://kiwiirc.com/client/irc.libera.chat/#lxc-dev) on irc.libera.chat. We try to do all development out\nin the open and discussion of new features or bugs is done either in\nappropriate GitHub issues or on IRC.\n\nWhen thinking about making security-critical contributions or substantial\nchanges it is usually a good idea to ping the developers first and ask whether\na PR would be accepted.\n\n## Semantic Versioning\n\nLXC and its related projects strictly adhere to a [semantic\nversioning](http://semver.org/) scheme.\n\n## Downloading the current source code\n\nSource for the latest released version can always be downloaded from\n\n- https://linuxcontainers.org/lxc/downloads/\n\nYou can browse the up-to-the-minute source code and change history online\n\n- https://github.com/lxc/lxc\n\n## Building LXC\n\nWithout considering distribution specific details a simple\n\n    meson setup -Dprefix=/usr build\n    meson compile -C build\n\nis usually sufficient.\n\n## Getting help\n\nWhen you find you need help, the LXC project provides you with several options.\n\n### Discuss Forum\n\nWe maintain a discuss forum at\n\n- 
https://discuss.linuxcontainers.org/\n\nwhere you can get support.\n\n### IRC\nYou can find us in [#lxc](https://kiwiirc.com/client/irc.libera.chat/#lxc) on irc.libera.chat.\n\n### Mailing Lists\n\nYou can check out one of the two LXC mailing list archives and register if\ninterested:\n\n- http://lists.linuxcontainers.org/listinfo/lxc-devel\n- http://lists.linuxcontainers.org/listinfo/lxc-users\n","funding_links":[],"categories":["Official projects","C","Container Operations","c","Containers","\u003ca id=\"1d9dec1320a5d774dc8e0e7604edfcd3\"\u003e\u003c/a\u003e工具-新添加的"],"sub_categories":["Runtime","\u003ca id=\"8f1b9c5c2737493524809684b934d49a\"\u003e\u003c/a\u003e文章\u0026\u0026视频"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flxc%2Flxc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flxc%2Flxc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flxc%2Flxc/lists"}