Proxmox LXC Deep Dive and Administration Guide
Author's Note:
This guide explores Proxmox LXC containers in depth: their creation, management, and advantages.
It is written in a practical, KB-style format, with all commands verified on a real Proxmox setup.
1. Introduction: What Are LXC Containers
LXC (Linux Containers) are a lightweight virtualization technology that runs multiple isolated Linux systems (containers) on a single host using the same kernel.
They offer OS-level virtualization, meaning containers share the host's kernel while maintaining their own filesystem, network stack, and process space.
LXC vs. KVM Comparison
| Feature | LXC | KVM |
|---|---|---|
| Resource Overhead | Very low | High |
| Boot Time | Seconds | Minutes |
| Kernel | Shared with host | Dedicated per VM |
| Isolation | Process-level | Full OS-level |
| Use Case | Lightweight workloads, automation | Full OS isolation, heavy workloads |
Advantages of LXC in Proxmox
- Fast startup (boot in seconds)
- Low resource usage (minimal RAM and disk)
- Easy cloning, snapshotting, and migration
- Perfect for automation (Terraform + Ansible ready)
- Unprivileged containers provide strong isolation
Tip: LXC is ideal for internal services, lab setups, and automation pipelines where speed and efficiency matter.
2. LXC Templates and Image Management
Templates are base OS images used to create containers.
Commands
pveam update # Refresh template list
pveam available # Show available templates
pveam download local ubuntu-22.04-standard_22.04-2_amd64.tar.zst
Templates are stored under:
/var/lib/vz/template/cache/
Tip: Use local:vztmpl or shared NFS storage for template access across nodes.
3. Creating Containers (CLI + Web UI)
Using Web UI
- Go to Node → Create CT
- Choose template, storage, hostname, password
- Set network, CPU, memory, and privileges
- Finish and start the container
Using CLI
pct create 201 local:vztmpl/ubuntu-22.04-standard_22.04-2_amd64.tar.zst -hostname web01 -storage local-lvm -cores 2 -memory 1024 -rootfs local-lvm:8 -net0 name=eth0,bridge=vmbr0,ip=10.0.10.50/24,gw=10.0.10.1 -unprivileged 1
| Option | Description |
|---|---|
| pct | Proxmox container command |
| create | Create new LXC |
| -unprivileged 1 | Runs as remapped user (safer) |
| -net0 | Sets up network interface |
| -storage | Defines root filesystem backend |
Pro Note: Automate this with Terraform for consistent container provisioning.
4. Managing LXC Containers
| Command | Description |
|---|---|
| pct list | List containers |
| pct start 201 | Start container |
| pct stop 201 | Stop container |
| pct exec 201 bash | Run shell inside container |
| pct config 201 | Display configuration |
| pct destroy 201 | Delete container |
| pct clone 201 202 --hostname=clone01 | Clone container |
| pct mount 201 / pct umount 201 | Mount or unmount container filesystem |
Example Workflow
pct list
pct start 201
pct exec 201 bash
apt update && apt install nginx -y
Tip: pct enter 201 gives direct access without SSH.
5. Networking for Containers
Example /etc/network/interfaces
auto vmbr0
iface vmbr0 inet static
    address 10.0.0.3/24
    gateway 10.0.0.1
    bridge_ports eno1
    bridge_stp off
    bridge_fd 0
VLAN Tagging Example
-net0 name=eth0,bridge=vmbr0,tag=20,ip=10.0.20.10/24,gw=10.0.20.1
Useful Commands
pct exec 201 ip a
pct exec 201 -- ping -c 3 8.8.8.8   # "--" keeps pct from parsing -c as its own option
pct exec 201 systemctl restart networking
Tip: Use VLAN tags (tag=) for multi-tenant network isolation.
6. Storage and Snapshots
Check Storage and Disk
pvesm status
pct config 201 | grep rootfs
Resize Root Disk
pct resize 201 rootfs +4G
Snapshots
pct snapshot 201 pre-update
pct listsnapshot 201
pct rollback 201 pre-update
Snapshots are instantaneous on LVM-Thin or ZFS storage.
7. Privileged vs Unprivileged Containers
| Type | Description | Use Case |
|---|---|---|
| Privileged | Root inside container = root on host | Required for legacy apps or hardware passthrough |
| Unprivileged | Uses UID/GID mapping | Recommended for most workloads |
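Switch mode (the unprivileged flag is read-only on an existing container and cannot be changed with pct set; convert by backing up and restoring with the flag):
vzdump 201 --storage local --compress zstd
pct restore 202 /var/lib/vz/dump/vzdump-lxc-201.tar.zst -unprivileged 1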
Tip: Use unprivileged containers for secure, automation-friendly environments.
8. Backup and Restore
Manual Backup
vzdump 201 --storage local --compress zstd
Scheduled Backup (CLI)
vzdump --all 1 --compress zstd --storage backups
Restore
pct restore 202 /var/lib/vz/dump/vzdump-lxc-201.tar.zst
Backups are stored in:
/var/lib/vz/dump/
Tip: Backups can be done while containers are running with --mode snapshot.
9. Performance Tuning
Adjust Resources
pct set 201 -cores 4 -memory 2048
pct set 201 -cpulimit 2 -cpuunits 1024
Monitor Inside LXC
pct exec 201 top
pct exec 201 -- free -h   # "--" passes -h to free instead of pct
pct exec 201 -- df -h
Pro Tip: Avoid overallocation, since containers share the host's kernel and resources.
10. Security and Isolation
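- Use unprivileged containers where possible
- Limit resources: memory, swap, cpuunits
- Enable Proxmox firewall (set enable: 1 under [OPTIONS] in /etc/pve/firewall/cluster.fw; pve-firewall has no enable or reload subcommand), then apply and verify:
  pve-firewall restart
  pve-firewall status
- Disable nesting for higher isolation:
  pct set 201 -features nesting=0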
Warning: Privileged LXCs can access host devices. Use them only in controlled environments.
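The checklist in this section can be checked mechanically. The following is an added example, not part of the original guide: a shell function that reads container configuration in the key: value form printed by pct config and reports deviations from the checklist. The finding labels and both sample configs are constructed; the per-NIC firewall=1 option, raw lxc.* keys and [snapshot] sections are standard Proxmox config elements that this guide does not otherwise show.

```bash
# Added example: audit "key: value" container config text read from stdin.
audit_ct_config() {
  awk '
    /^\[/          { exit }   # snapshot sections follow; audit the live config only
    /^[ \t]*(#|$)/ { next }   # skip description comments and blank lines
    {
      sep = index($0, ": ")
      if (sep == 0) next
      key = substr($0, 1, sep - 1); val = substr($0, sep + 2)
    }
    key == "unprivileged" && val == "1"                  { unpriv = 1 }
    key == "features" && val ~ /(^|,)nesting=1(,|$)/     { print "nesting-enabled" }
    key ~ /^net[0-9]+$/ && val !~ /(^|,)firewall=1(,|$)/ { print key "-firewall-off" }
    key == "cores" || (key == "cpulimit" && val + 0 > 0) { capped = 1 }
    key ~ /^lxc\./                                       { print "raw-lxc-key:" key }
    END {
      if (!unpriv) print "privileged"   # root in container maps to host root
      if (!capped) print "no-cpu-cap"   # neither cores nor cpulimit is set
    }
  '
}

# Constructed sample: hardened container; its older snapshot must not be reported.
sample_hardened() {
  cat <<'EOF'
cores: 2
features: nesting=0
memory: 1024
net0: name=eth0,bridge=vmbr0,firewall=1,gw=10.0.10.1,ip=10.0.10.50/24,tag=20,type=veth
unprivileged: 1

[pre-hardening]
features: nesting=1
net0: name=eth0,bridge=vmbr0,ip=10.0.10.50/24,type=veth
EOF
}

# Constructed sample: privileged container with nesting and a raw device rule.
sample_weak() {
  cat <<'EOF'
features: nesting=1
memory: 1024
net0: name=eth0,bridge=vmbr0,ip=10.0.10.60/24,type=veth
lxc.cgroup2.devices.allow: c 10:200 rwm
EOF
}

echo "hardened: $(sample_hardened | audit_ct_config | tr '\n' ' ')"
echo "weak:     $(sample_weak | audit_ct_config | tr '\n' ' ')"
```

On a Proxmox node, the same function can be fed a live container with pct config 201 | audit_ct_config.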
11. Automating LXC Creation
Bash Example
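ctid=201  # first container ID; incremented for each container
for name in web01 app01 db01; do
  pct create "$ctid" local:vztmpl/ubuntu-22.04-standard_22.04-2_amd64.tar.zst \
    --hostname "$name" --cores 2 --memory 1024 --rootfs local-lvm:8 --unprivileged 1
  ctid=$((ctid + 1))
done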
Terraform Example
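resource "proxmox_lxc" "web" {
  # Telmate/proxmox provider schema assumed; target_node, ostemplate and a rootfs block are also required
  hostname = "web01"
  cores    = 2
  memory   = 1024
  network {
    name   = "eth0"
    bridge = "vmbr0"
    tag    = 10               # VLAN tag
    ip     = "10.0.10.50/24"
  }
}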
Tip: Combine LXC provisioning with Ansible for post-configuration.
12. Troubleshooting LXC
| Issue | Command / Solution |
|---|---|
| Container won't start | pct start <CTID>, then check journalctl -xe |
| No network | Verify bridge, VLAN, gateway config |
| Permission denied | Unprivileged mapping missing |
| Disk full | Resize via pct resize or clean /var/lib/vz |
| Failed config | Inspect with pct config <CTID> |
Logs:
cat /var/log/pve/tasks/index
journalctl -u pvedaemon
13. LXC Command Reference
| Command | Description |
|---|---|
| pct list | List containers |
| pct start <id> | Start container |
| pct stop <id> | Stop container |
| pct exec <id> bash | Run command inside container |
| pct config <id> | Show configuration |
| pct snapshot <id> <name> | Create snapshot |
| pct rollback <id> <name> | Roll back snapshot |
| pct clone <src> <dest> | Clone container |
| pct destroy <id> | Delete container |
14. Advantages of LXC in Proxmox
| Benefit | Description |
|---|---|
| Lightweight | Shares host kernel, minimal overhead |
| Fast Boot | Starts within seconds |
| Low Disk & Memory Usage | Optimized for smaller workloads |
| Easy Cloning | Quick to duplicate with minimal storage impact |
| Snapshot Support | Instant backups and restores |
| Automation-Ready | Integrates perfectly with Terraform & Ansible |
| Security (Unprivileged) | Process-level isolation |
Pro Tip: LXCs are excellent for services like Nginx, MySQL, Redis, and internal utilities.
15. Conclusion
"LXC containers combine the agility of virtualization with the performance of native Linux."
They are fast, secure, and resource-efficient, making them ideal for modern DevOps and homelab environments.
When paired with Terraform and Ansible, LXCs become the core building blocks of a fully automated, reproducible infrastructure.
End of Guide: Proxmox LXC Deep Dive and Administration