Nested lxc

One of the core features of cgmanager is to easily, safely, and transparently support the cgroup requirements of container nesting. Processes can administer cgroups exactly the same way whether inside a container or not. This also makes nested lxc very easy.

To create a container in which you can use cgroups, first create a container as usual (note, do this on an Ubuntu 14.04 system, unless you have enabled all the pieces you need – which I am not covering here):

sudo lxc-create -t download -n t1 -- -d ubuntu -r trusty -a amd64

Now to bind the cgmanager socket inside the container,

echo " = cgroup" | sudo tee -a /var/lib/lxc/t1/config

If you also want to be able to start nested containers, then you need to use an apparmor profile which allows lxc mounting:

echo "lxc.aa_profile = lxc-container-default-with-nesting" | \
	sudo tee -a /var/lib/lxc/t1/config

Now, simply start the container

sudo lxc-start -n t1

You can run the cgmanager testsuite,

sudo apt-get -y install cgmanager-tests
cd /usr/share/cgmanager/tests
sudo ./

and use the cgm program to interact with cgmanager

cgm ping
sudo cgm create all compile
sudo cgm chown all compile 1000 1000
cgm movepid all compile $$

If you changed the aa_profile to permit nesting, then you can simply create and use containers inside the t1 container.

What I showed here is using privileged (root-owned) containers. In this case, the lxc-container-default-with-nesting profile is actually far less safe than the default profile. However, when using unprivileged containers ( for at least the first layer, nesting works the exact same way, and the profile safety difference becomes moot.

This entry was posted in Uncategorized. Bookmark the permalink.

6 Responses to Nested lxc

  1. Kevin Wilson says:

    Just a little query:
    Can be a state when there will be difference between:
    echo “ = cgroup” | sudo tee -a /var/lib/lxc/t1/config
    echo “ = cgroup” >> /var/lib/lxc/t1/config

  2. Kevin Wilson says:

    I didn’t think about it….
    Now seriously:
    How about sudo echo “ = cgroup” >> /var/lib/lxc/t1/config
    Is there any difference between this command and the command you are using ?

    • s3hh says:

      Yes. When you type ”’sudo echo whatever >> somefile”’, the ‘>>’ is interpreted by your unprivileged shell, not by sudo. Your unprivileged shell doesn’t have the rights to append to /var/lib/lxc/t1/config.

  3. nh says:

    Is it possible, to use this manual in combination with Stéphane Graber’s manual for using gui-apps in unpriviliged containers? And if yes, is this still safer than using Gui-Applications in normal containers? Would you have to make those configurations for pulseaudio, X, and to add sub-uids,sub-gids in both containers (the parent-container and the child-container, in which the Gui-Application would run)?

    • s3hh says:


      without having tried, I suspect the most challenging part will be poking the whole in the uid mapping for your user, but it should all work.

      The container will still run unprivileged, so will be as safe as in the original post. Only the container bring-up will be done with enhanced privileged (running as root).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s