LXC and Docker containers

Debian images

We have dropped the scripts for building Debian images directly as well as the associated documentation. Instead we have added support for running lxc and docker containers.

This has the advantage of running all the hardware related stuff (gpio, usb gadgets) in Poky (the Yocto reference distribution) that acts as the host. Inside the container you can install your favorite distribution (Ubuntu, Debian and what not) without the need to build it.

Currently we can build lxc and docker support for i686, but it is useless: you will not find i686 containers and would need to build them yourself. This means that if you want containers, you will only get something useful if you check out scarthgap and not master, unless you manually set the build to x86_64.

Containers

LXC

You will find lxc instructions at Linux Containers. And there is quite a selection of container images to choose from.

A quick summary to get you started follows below.

Create Unprivileged Containers as Root with Shared UID and GID Ranges

If you skip this step, the UIDs and GIDs in the container will be the same as on the host. This is not secure, because you do not need to be root on the host to create a container, and you do not need to be root to share Edison’s root file system with the container. So, an unprivileged user can share the root fs with the container, go into the container as root and then modify Edison’s passwd file to become root on Edison.

It is better to create, at minimum, system-wide unprivileged containers (that is, unprivileged containers created and started by root), where the container’s root is mapped to an ordinary user on Edison. This requires only a few extra steps to organize subordinate user IDs (uid) and subordinate group IDs (gid).

Specifically, you need to manually allocate the subordinate uid and gid ranges to root in /etc/subuid and /etc/subgid and then set those ranges in /etc/lxc/default.conf using lxc.idmap entries.

echo "root:100000:65536" >>/etc/subuid
echo "root:100000:65536" >>/etc/subgid
echo "lxc.idmap = u 0 100000 65536" >>/etc/lxc/default.conf
echo "lxc.idmap = g 0 100000 65536" >>/etc/lxc/default.conf
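
The following check is an added example, not part of the original instructions or of the project's scripts. It confirms that every lxc.idmap entry falls inside a range delegated to root and reports which host ID the container's root becomes. The function names idmap_ok and host_id are hypothetical, and the sample files are constructed to match the four commands above.

```shell
#!/bin/sh
# Added example: verify the ID mapping set up by the four echo lines above.

# idmap_ok KIND SUBID_FILE LXC_CONF   (KIND: u -> subuid file, g -> subgid file)
# Succeeds only if LXC_CONF has at least one lxc.idmap entry of that kind and
# every such entry lies inside a range delegated to root in SUBID_FILE.
idmap_ok() {
    awk -v kind="$1" '
        FILENAME == ARGV[1] {                  # name:start:count
            split($0, f, ":")
            if (f[1] == "root") { n++; lo[n] = f[2] + 0; hi[n] = f[2] + f[3] }
            next
        }
        /^[ \t]*lxc\.idmap[ \t]*=/ {           # lxc.idmap = u 0 100000 65536
            sub(/^[^=]*=[ \t]*/, "")           # leaves: kind ct_start host_start count
            if ($1 != kind) next
            seen = 1; fits = 0
            for (i = 1; i <= n; i++)
                if ($3 + 0 >= lo[i] && $3 + $4 <= hi[i]) fits = 1
            if (!fits) bad = 1
        }
        END { exit !(seen && !bad) }
    ' "$2" "$3"
}

# host_id KIND LXC_CONF ID: print the host ID that container ID maps to.
# Fails (prints nothing) when no lxc.idmap entry covers ID, i.e. no remapping.
host_id() {
    awk -v kind="$1" -v id="$3" '
        /^[ \t]*lxc\.idmap[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            if ($1 == kind && id + 0 >= $2 + 0 && id + 0 < $2 + $4) {
                print $3 + id - $2; found = 1; exit
            }
        }
        END { exit !found }
    ' "$2"
}

# Constructed sample files with the same content as the commands above.
demo=$(mktemp -d)
printf 'root:100000:65536\n' > "$demo/subuid"
printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n' > "$demo/default.conf"
if idmap_ok u "$demo/subuid" "$demo/default.conf"; then
    echo "uid map OK: container root runs as host uid $(host_id u "$demo/default.conf" 0)"
fi
rm -rf "$demo"
```

On Edison, run idmap_ok u /etc/subuid /etc/lxc/default.conf and idmap_ok g /etc/subgid /etc/lxc/default.conf before creating the container; a failure means the container would either keep host IDs or use a range root was never given.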

Installing Ubuntu container with LXC

root@edison:~# lxc-create --name mycontainer --template download -- --dist ubuntu --release noble --arch amd64

You can find your containers with

root@edison:~# lxc-ls
mycontainer 

and their state

root@edison:~# lxc-info mycontainer
Name:           mycontainer
State:          STOPPED

Start and enter the container

To start it

root@edison:~# lxc-start --name mycontainer
root@edison:~# lxc-info mycontainer
Name:           mycontainer
State:          RUNNING
PID:            2508
IP:             10.0.3.101
Link:           vethTo9zi9
 TX bytes:      1.67 KiB
 RX bytes:      8.35 KiB
 Total bytes:   10.02 KiB

and enter a shell in the container

root@edison:~# lxc-attach --name mycontainer

Havoc you can do inside the container

You can install nmap and scan the network:

root@mycontainer:~# apt-get install nmap

root@mycontainer:~# routel  
Dst             Gateway         Prefsrc         Protocol Scope   Dev              Table
default         10.0.3.1        10.0.3.101      dhcp             eth0             
10.0.3.0/24                     10.0.3.101      kernel   link    eth0             
10.0.3.1                        10.0.3.101      dhcp     link    eth0             
10.0.3.101                      10.0.3.101      kernel   host    eth0             local
10.0.3.255                      10.0.3.101      kernel   link    eth0             local
127.0.0.0/8                     127.0.0.1       kernel   host    lo               local
127.0.0.1                       127.0.0.1       kernel   host    lo               local
127.255.255.255                 127.0.0.1       kernel   link    lo               local

root@mycontainer:~# nmap 10.0.3.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-16 19:57 UTC
Nmap scan report for _gateway (10.0.3.1)
Host is up (0.00023s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
MAC Address: 00:16:3E:00:00:00 (Xensource)

Nmap scan report for mycontainer (10.0.3.101)
Host is up (0.00014s latency).
All 1000 scanned ports on mycontainer (10.0.3.101) are in ignored states.
Not shown: 1000 closed tcp ports (reset)

Nmap done: 256 IP addresses (2 hosts up) scanned in 3.61 seconds

And of course, since we haven’t secured Edison (known as _gateway inside the container) you can

root@mycontainer:~# ssh root@10.0.3.1
The authenticity of host '10.0.3.1 (10.0.3.1)' can't be established.
...
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.3.1' (ED25519) to the list of known hosts.
Last login: Wed Apr 16 21:56:04 2025 from 2a02:a466:68ed:1:5a91:3fda:4869:9678
root@edison:~# logout
Connection to 10.0.3.1 closed.

You can even have nmap scan the upstream network of Edison. So, beware.

Finally to shut it down:

root@edison:~# lxc-stop --name mycontainer

Installing Ubuntu container with Docker

First check whether docker is working correctly

root@yuna:~# docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

And to start an Ubuntu container

root@edison:~# docker run -it ubuntu bash