lxc-checkconfig
Check LXC kernel configuration for requirements
TLDR
Check the current kernel for LXC support
Check any kernel for LXC support
SYNOPSIS
lxc-checkconfig
DESCRIPTION
lxc-checkconfig is a diagnostic utility in the Linux Containers (LXC) framework. It assesses the currently running Linux kernel's configuration for the features and capabilities that LXC containers need to function properly. It checks for the presence and enablement of kernel components including cgroup filesystems (such as cpu, memory, devices, freezer, pid, blkio), namespace types (pid, uts, ipc, net, user, cgroup), security module support such as AppArmor or SELinux, and swap accounting.
Running this command shows quickly whether the kernel is configured to support LXC's full feature set, which prevents common issues where containers fail to start or operate correctly due to missing kernel support. The output marks each feature as ENABLED (green), DISABLED (red), or UNKNOWN (yellow). It is a useful first step in troubleshooting containerization problems, indicating whether a custom kernel compilation or specific kernel module loading might be necessary.
CAVEATS
The output of lxc-checkconfig reflects the kernel build options, not necessarily the runtime activation or correct mounting of certain features (e.g., cgroup filesystems might be compiled in but not mounted).
Some critical features might be available as loadable kernel modules rather than being built directly into the kernel; this tool primarily verifies the kernel's ability to support them rather than confirming module load status.
A feature marked as DISABLED does not always render LXC unusable, but it often limits functionality (e.g., a disabled user_namespaces prevents unprivileged containers).
The tool relies on kernel configuration files, typically found in /proc/config.gz or /boot/config-<kernel_version>, which might not always be perfectly aligned with highly customized or older kernels.
INTERPRETING OUTPUT
Each line in the output corresponds to a specific kernel feature or configuration:
- ENABLED (often in green): The feature is compiled into your kernel or is readily available and active. This is the desired state.
- DISABLED (often in red): The feature is not present or enabled in your kernel. This might prevent certain LXC functionalities or types of containers (e.g., unprivileged containers if user_namespaces is disabled).
- UNKNOWN (often in yellow): The tool could not determine the status of the feature. This might occur if /proc/config.gz is missing or if the kernel's configuration is highly unconventional.
COMMON TROUBLESHOOTING STEPS
If lxc-checkconfig reports DISABLED for essential features:
- Recompile Kernel: For critical features like certain cgroups or namespaces, you might need to recompile your Linux kernel with the necessary options enabled (e.g., CONFIG_NAMESPACES, CONFIG_CGROUP_FREEZER).
- Load Modules: Ensure relevant kernel modules are loaded (e.g., modprobe overlay).
- Mount Cgroups: Verify that cgroup filesystems are correctly mounted (e.g., mount -t cgroup -o memory none /sys/fs/cgroup/memory). Most modern distributions handle this automatically via systemd.
- User Namespaces: If user_namespaces is DISABLED, you won't be able to run unprivileged containers, which are often preferred for security. Enabling this usually requires a kernel recompile.
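The distinction drawn in CAVEATS and in the steps above (built into the kernel, built as a loadable module, or not set) can be read directly from a kernel config file. The following is an added example, not part of lxc-checkconfig or the LXC project; the function names, the option list and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify kernel build options from a kernel config file.
# The option list and the sample config below are constructed for illustration.

# Print the config text, handling gzip-compressed files such as /proc/config.gz.
read_kconfig() {
    case "$1" in
        *.gz) gzip -dc -- "$1" 2>/dev/null ;;
        *)    cat -- "$1" 2>/dev/null ;;
    esac
}

# kconfig_state FILE OPTION -> builtin | module | disabled | unknown
kconfig_state() {
    local cfg line
    cfg=$(read_kconfig "$1") || { echo unknown; return; }   # unreadable config
    [ -n "$cfg" ] || { echo unknown; return; }              # empty config
    line=$(printf '%s\n' "$cfg" | grep -E "^(# )?$2(=| is not set)" | head -n 1)
    case "$line" in
        "$2=y") echo builtin ;;
        "$2=m") echo module ;;    # built as a module; it may still not be loaded
        *)      echo disabled ;;  # "is not set" or absent from the config
    esac
}

# audit_kconfig FILE: print one "OPTION state" line per option checked.
audit_kconfig() {
    local opt
    for opt in CONFIG_NAMESPACES CONFIG_USER_NS CONFIG_NET_NS \
               CONFIG_CGROUPS CONFIG_CGROUP_FREEZER CONFIG_OVERLAY_FS; do
        printf '%-24s %s\n' "$opt" "$(kconfig_state "$1" "$opt")"
    done
}

# Constructed sample config (not taken from a real system).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NAMESPACES=y
# CONFIG_USER_NS is not set
CONFIG_NET_NS=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_FREEZER=y
CONFIG_OVERLAY_FS=m
EOF

audit_kconfig "$SAMPLE_CFG"
```

To audit a real kernel, pass /proc/config.gz or /boot/config-<kernel_version> to audit_kconfig instead of the sample file.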
HISTORY
The Linux Containers (LXC) project was initiated around 2008, predating other prominent containerization technologies like Docker. lxc-checkconfig emerged as a core utility within the LXC toolset from its early stages. Its development was driven by the necessity to provide users with a simple, standardized way to verify kernel compatibility for container operations. In the nascent days of container technology, debugging kernel configuration was a significant hurdle, and this command played a crucial role in streamlining the diagnostic process, helping users ensure their system had the fundamental components for efficient and secure container deployment.
SEE ALSO
lxc(7), lxc-create(1), lxc-start(1), lxc-ls(1), grep(1)