From Edge Threat Management Wiki - Arista

LXC Container Overview

LXC (or "Linux containers") is a virtualization method that allows Linux to launch virtual machines with very minimal overhead. In Untangle, this can be very useful in some scenarios: it allows you to easily instantiate a new virtual host on the network to use for testing. Untangle will process the LXC container's traffic just like that of any regular host on the Internal network.


Let's say you are offsite and someone calls you and claims that they cannot reach a website. Often one of the tests I will do is to check whether the website is reachable at all from that location. I can SSH to Untangle and do a simple wget http://example.com to verify that Untangle itself can reach the website. However, if Untangle can reach the website but the user still can't, then you still have to determine where the issue is occurring.

However, there is no easy way to test "from behind" Untangle like the user is doing. So often you end up walking them through how to give you remote access so you can see it for yourself. This will allow you to run tests "from behind" Untangle and see if the sessions are going to the correct policy, being filtered appropriately, etc.

With LXC, you can instantiate a new virtual machine on the Untangle server itself that is effectively an internal host on the network. This allows you to easily test the processing of network traffic *through* the Untangle server without having to set up remote access to a real internal host.


To start the LXC container simply run:


The first time you run this command it will initialize the LXC disk image from scratch and it will need to download some utilities from the web so Untangle must be online. This will start the VM and start some very basic services (like SSH).

You can SSH to the VM at this point, but you likely haven't set a password. So the easier way to access it is via "attaching" to the terminal. To do this run:


This will give you a shell in the LXC container. Any commands run from here would be just like running from a physical machine on the internal network. As such you can test your Untangle configuration with normal commands:

ping
host example.com
wget 'http://example.com'
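The checks above can be chained so that the first failing stage is reported, which helps separate a name-resolution problem from a blocked or failed HTTP session. This is an added example, not part of the original wiki page or of Untangle's tooling; the function names (probe_dns, probe_icmp, probe_http, diagnose) and the exit codes are assumptions made for illustration, and it is meant to be run from the shell inside the LXC container.

```sh
#!/bin/sh
# Added example: staged reachability check, run from inside the LXC container.
# Each probe is its own function so a single stage can be replaced or stubbed.

probe_dns()  { host "$1" >/dev/null 2>&1; }
probe_icmp() { ping -c 2 -W 3 "$1" >/dev/null 2>&1; }

# Print the status code of the last HTTP response wget saw (empty if none).
# wget follows redirects, so the last status line is the final answer.
probe_http() {
    wget -S -O /dev/null --timeout=10 --tries=1 "$1" 2>&1 |
        awk '/^ *HTTP\//{code=$2} END{print code}'
}

# diagnose HOST [URL]
# Exit codes (assumed for this example):
#   0 = HTTP answered with 2xx/3xx   2 = DNS lookup failed
#   3 = no HTTP response at all      4 = HTTP answered with an error status
diagnose() {
    host_name=$1
    url=${2:-http://$1/}

    if ! probe_dns "$host_name"; then
        echo "dns:  FAIL (lookup of $host_name failed)"
        return 2
    fi
    echo "dns:  ok"

    # ICMP is informational only: many sites drop echo requests.
    if probe_icmp "$host_name"; then
        echo "icmp: ok"
    else
        echo "icmp: no reply (not fatal)"
    fi

    code=$(probe_http "$url")
    case $code in
        2??|3??) echo "http: ok (status $code)";   return 0 ;;
        "")      echo "http: FAIL (no response)";  return 3 ;;
        *)       echo "http: FAIL (status $code)"; return 4 ;;
    esac
}

# Run only when a host is given on the command line.
if [ "$#" -gt 0 ]; then
    diagnose "$@"
fi
```

Comparing the stage reported here with the result of the same wget run on Untangle itself shows whether the failure is introduced while the session passes through the server.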

Once your testing is complete the LXC container can be stopped with:


Make sure you stop the LXC container because it is technically a host on the internal network and by default will be reachable by other internal hosts.


The LXC container/VM actually has an address of The Untangle is its default gateway and Untangle has an address of

All sessions from the LXC will appear to be from

The LXC container isn't actually on the "Internal" network - it's on its own virtual network internal to the Untangle server. However, for testing of policy and configuration we make the LXC container appear as if it's coming from the "Internal" network. There is a setting "lxcInterfaceId" in the network settings that determines which interface the LXC container "lives" on. The default is 0, which is the first non-WAN interface. You can set it to a specific interface if desired.


The ATS suite can leverage the LXC container just like a normal host. The LXC container is configured by default with all the tools necessary to run the test suite.

After starting the LXC container, you can specify the LXC container using the -h argument:

/usr/share/untangle/bin/ut-runtest -h is now the default if no host is specified so you can also just run all the tests with: