Linux Containers
Status: Just notes so far
Last changed: Saturday 2015-01-10 18:32 UTC
Abstract:
LXC (Linux Containers) provides lightweight and fast virtualization that lets us isolate processes and system resources without the instruction interpretation mechanisms and other complexity needed for paravirtualization and/or emulation -- LXC is operating-system-level virtualization. The concept is nothing new and has been available for quite some time; Linux-VServer and OpenVZ are just two projects in this area. The notable difference between LXC on one side and Linux-VServer and OpenVZ on the other is that LXC has been entirely in mainline (i.e. part of the Linux kernel) since 2.6.29. In practice this makes a lot of difference, because everything maintained out-of-tree (not part of the Linux kernel) creates a lot more work downstream and is probably not as well tested as code residing in mainline. Investment security also plays a major role here -- it is pretty much guaranteed once code resides in mainline. Linux-VServer and OpenVZ have contributed a lot to LXC, so it is fair to think of LXC as a subset (in terms of functionality) of those two projects. LXC provides resource management through cgroups (control groups), originally known as process containers, and resource isolation through namespaces. LXC aims to use that functionality to provide userspace container objects with full resource isolation and resource control for an application and/or an entire operating system. Keep in mind that namespaces and cgroups are a containment mechanism rather than a hardened security boundary: with the LXC versions covered here, root inside a container is the same uid 0 as root on the host, so what actually constrains a container is the device cgroup whitelist and the capabilities it is allowed to keep (see the cgroup and configuration sections below).
- Note: This is a place I use to drop links, screendumps etc. Right now (June 2010) it is of course super-ugly but will improve a lot over the course of the next few weeks. There will be a lot of refactoring and whatnot going on, so do not scratch your head even if the current info looks like the work of a schmuck ;-]
- I will also monitor various discussions in IRC channels like for example #openvz, #kvm and #lxcontainers, plus mailing lists such as
  http://permalink.gmane.org/gmane.linux.openvz.user
  http://www.mail-archive.com/[email protected]/
  http://www.mail-archive.com/[email protected]/
- For now this page is mainly about setting up LXC (Linux Containers) with Debian (host and containers) and migrating OpenVZ containers to LXC. Linux-VServer as well as OpenVZ have both contributed a lot to the now common codebase that makes up LXC. I would like to thank anybody involved in this. In the long run I would love to see more code from each external project getting into LXC and thus mainline, so we all can benefit from it.
Miscellaneous
Info gathered while talking in #lxcontainers:
- The lxc-debian script has been changed and it's no longer called directly; it's a template called by lxc-create, like lxc-create -n foo -f lxc.conf -t debian. That will be in the >= 0.6.5 version of lxc.
- http://www.mail-archive.com/[email protected]/msg00008.html
- I suspect this combination is not supported yet; you may wait for the 2.6.33 kernel and use the "vepa" mode (lxc.network.macvlan.mode = vepa).
From /usr/share/doc/lxc/README.Debian:
- If you want to make containers usable by non-root users, run lxc-setcap as root, and some capabilities will be set so that normal users will be able to use the container utils. This is not done by default, though, and you have to explicitly allow it.
- lxc uses the control groups file system to control the various container features. In order for this to work the cgroup filesystem must be mounted somewhere. The exact location doesn't matter, as lxc will scan the mounted filesystems list to find it automatically. For example you can create the /var/local/cgroup directory and then add this entry to fstab to mount the control groups filesystem there:
  cgroup /var/local/cgroup cgroup defaults 0 0
- http://git.kernel.org/?p=linux/kernel/git/next/linux-next.git;a=tree;f=Documentation/cgroups;h=1a859c8f6163a921ec500a585e29538ce124925e;hb=HEAD
- To summarize, lxc-execute is for running an application and lxc-start is for running a system.
- It is up to the container to provide a set of available ttys.
- lxc-netstat displays network information for a specific container.
An example installation on Debian using lxc-debian:
wks:/var/lib/lxc# zcat /usr/share/doc/lxc/examples/lxc-debian.gz > /home/sa/0/bash/lxc-debian && chmod 700 /home/sa/0/bash/lxc-debian
wks:/var/lib/lxc# mkdir cgroups
wks:/var/lib/lxc# mount -t cgroup cgroup /var/lib/lxc/cgroups
wks:/var/lib/lxc# grep cgroup /etc/fstab
cgroup /var/lib/lxc/cgroups cgroup defaults 0 0
wks:/var/lib/lxc# lxc-debian create
What is the name for the container ? [debian]
What hostname do you wish for this container ? [debian]
What IP address do you wish for this container ? [172.20.0.21]
What is the gateway IP address ? [172.20.0.1]
What is the MTU size ? [1500]
Specify the location of the rootfs [./rootfs.debian]
Specify the location for an extra fstab file [(none)]
Choose your architecture
1) amd64
2) i386
#? 1
Architecture amd64 selected
Checking cache download...not cached
Downloading debian minimal...
I: Retrieving Release

[skipping a lot of lines... pick en_US.UTF-8 ]

Generating locales (this might take a while)...
en_US.UTF-8... done
Generation complete.
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
Done.

You can run your container with the 'lxc-start -n debian'

wks:/var/lib/lxc#
Utils
FAQs
This section has frequently asked questions about all kinds of things
related to linux containers.
Where can I get help?
We have two IRC channels on freenode, #lxcontainers and #lxc-devel .
There are also two mailing lists (lxc-users and lxc-devel) plus there
is the project support page at sourceforge. The mailing list archives
can be found here and here as well as on Gmane.
Where can I get more information about how to contribute?
Go to http://sourceforge.net/projects/lxc/develop
Configuration
cgroup
- The container is tied to control groups: when a container is started, a control group is created and associated with it. The control group properties can be read and modified while the container is running by using the lxc-cgroup command.
Helpers
sa@wks:/usr/share/doc/lxc$ type ll
ll is aliased to `ls -lh'
sa@wks:/usr/share/doc/lxc$ ll /usr/share/doc/lxc/examples/
total 52K
-rw-r--r-- 1 root root 696 Jan 16 18:08 lxc-complex-config
-rw-r--r-- 1 root root 3.2K Jan 16 18:08 lxc-debian.gz
-rw-r--r-- 1 root root 122 Jan 16 18:08 lxc-empty-netns.conf
-rw-r--r-- 1 root root 3.4K Jan 16 18:08 lxc-fedora.gz
-rw-r--r-- 1 root root 283 Jan 16 18:08 lxc-macvlan.conf
-rw-r--r-- 1 root root 61 Jan 16 18:08 lxc-no-netns.conf
-rw-r--r-- 1 root root 299 Jan 16 18:08 lxc-phys.conf
-rw-r--r-- 1 root root 20K Jan 16 18:08 lxc-sshd.gz
-rw-r--r-- 1 root root 326 Jan 16 18:08 lxc-veth.conf
sa@wks:/usr/share/doc/lxc$
Note that ll is just an alias in my ~/.bashrc .
Subsystems
sysctl
Do not forget the sysctl (system control) settings; the ones relevant for containers are basically the same as for OpenVZ.
Hostname
lxc.utsname = myhostname
Networking
Having a pipe-like connection from containers to the host system
(called venet in OpenVZ):
lxc.network.type = macvlan       (macvlan sub-interface on a host NIC)
lxc.network.flags = up
lxc.network.link = eth0          (interface on the host)
lxc.network.name = eth0          (interface inside the container; defaults to eth0)
Note that macvlan is not a true pipe to the host: a macvlan sub-interface cannot talk to the address its parent interface (eth0 here) carries on the host, and whether containers on the same parent can reach each other depends on lxc.network.macvlan.mode (bridge mode does it in software, vepa relies on the external switch reflecting the frames, which is what the #lxcontainers remark above is about). For a real container-to-host pipe use a veth pair (lxc.network.type = veth) with lxc.network.link pointing at a host bridge; see lxc-veth.conf in the examples directory listed above.
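Putting the configuration keys from the cgroup, Hostname and Networking sections together, as an added example that is not part of the original page or of the lxc project: a small shell audit that parses an lxc.conf and flags the settings that matter once container root is host uid 0: no device-cgroup whitelist (lxc.cgroup.devices.deny = a followed by explicit lxc.cgroup.devices.allow lines), an allow rule covering all devices or block devices, an lxc.cap.drop that does not drop sys_module, and macvlan without an explicit mode. The config keys are the real lxc.conf(5) ones of LXC 0.7; both sample configs, the hostname web01 and the rootfs path are constructed for the example.

```shell
#!/bin/sh
# Added example (not lxc's own tooling): audit an lxc.conf for the
# security-relevant settings discussed on this page.  Config keys are the
# real lxc.conf(5) ones; the sample configs below are constructed.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed config using only the keys shown on this page: it works, but
# container root can mknod/open any host device and keeps every capability.
cat > "$TMP/weak.conf" <<'EOF'
lxc.utsname = web01
lxc.rootfs = /var/lib/lxc/web01/rootfs
lxc.network.type = macvlan
lxc.network.flags = up
lxc.network.link = eth0
lxc.network.name = eth0
EOF

# Same container with a device whitelist and dropped capabilities.
# lxc.conf comments must be whole lines; a trailing "# ..." would become
# part of the value.
cat > "$TMP/hardened.conf" <<'EOF'
lxc.utsname = web01
lxc.rootfs = /var/lib/lxc/web01/rootfs
lxc.network.type = macvlan
lxc.network.macvlan.mode = vepa
lxc.network.flags = up
lxc.network.link = eth0
lxc.network.name = eth0
# deny everything, then allow only the character devices a system needs
lxc.cgroup.devices.deny = a
# /dev/null, /dev/zero, /dev/random, /dev/urandom
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/console, /dev/tty, /dev/pts/*
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 136:* rwm
# capabilities container root must not keep (lxc.conf(5) names, no CAP_ prefix)
lxc.cap.drop = sys_module mac_admin mac_override sys_time
EOF

# norm_conf FILE: strip indentation, comments and blank lines; collapse "k = v" to "k=v"
norm_conf() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# conf_get FILE KEY: print every value set for KEY, one per line
conf_get() {
    norm_conf "$1" | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print }'
}

# audit_lxc_conf FILE: print findings, return 0 only if there are none
audit_lxc_conf() {
    f=$1; n=0
    if ! conf_get "$f" lxc.cgroup.devices.deny | grep -qx a; then
        echo "WARN: no 'lxc.cgroup.devices.deny = a'; container root can mknod and open any host device"
        n=$((n + 1))
    fi
    if conf_get "$f" lxc.cgroup.devices.allow | grep -Eq '^(a|b)( |$)'; then
        echo "WARN: devices.allow grants all devices or block devices; host disks could be mounted from inside"
        n=$((n + 1))
    fi
    if ! conf_get "$f" lxc.cap.drop | tr ' ' '\n' | grep -qx sys_module; then
        echo "WARN: lxc.cap.drop lacks sys_module; container root could load kernel modules"
        n=$((n + 1))
    fi
    if conf_get "$f" lxc.network.type | grep -qx macvlan &&
       [ -z "$(conf_get "$f" lxc.network.macvlan.mode)" ]; then
        echo "INFO: macvlan without explicit lxc.network.macvlan.mode (see the vepa remark above)"
        n=$((n + 1))
    fi
    echo "$n finding(s)"
    [ "$n" -eq 0 ]
}

for c in weak hardened; do
    echo "== $c.conf"
    audit_lxc_conf "$TMP/$c.conf" || echo "(exit status 1: fix before lxc-start)"
done
```

Run it against /var/lib/lxc/<name>/config (or whatever you pass to lxc-create -f) before lxc-start; a non-zero exit means at least one finding. The device whitelist is enforced through the devices cgroup, so CONFIG_CGROUP_DEVICE must show up as enabled in lxc-checkconfig for it to mean anything.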
Debootstrap
using /usr/share/doc/lxc/examples/lxc-debian.gz
Install Packages
sa@wks:/usr/share/doc/lxc$ aptitude search ~pimportant | wc -l
56
sa@wks:/usr/share/doc/lxc$ aptitude search ~pstandard | wc -l
91
sa@wks:/usr/share/doc/lxc$
aptitude install $(aptitude search ~pstandard -F '%p')
Go here for more information.
Check if we can run LXC
sa@wks:/usr/share/doc/lxc$ lxc-checkconfig
Kernel config /proc/config.gz not found, looking in other places...
Found kernel config file /boot/config-2.6.32-trunk-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: disabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
File capabilities: enabled
sa@wks:/usr/share/doc/lxc$
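The kernel-config check above and the cgroup-mount requirement from README.Debian (lxc scans the mounted filesystems for a cgroup entry), re-implemented as an added shell example. This is not the lxc-checkconfig script shipped with the package; the sample .config files and mount tables are constructed, and the required/optional split is this example's judgement, since lxc-checkconfig itself only reports enabled/disabled. On a real host you would point check_kconfig at /boot/config-$(uname -r) (or at a zcat'ed copy of /proc/config.gz) and find_cgroup_mount at /proc/mounts. Two caveats worth keeping in mind when reading the output above: "User namespace: enabled" only means the kernel offers the namespace, the LXC releases this page covers do not map uids with it, so root inside the container is still uid 0 on the host; and a disabled memory controller does not stop containers from starting, it only means lxc.cgroup.memory.* limits cannot be set. The function also recognises the later names (CONFIG_MEMCG, the cgroup2 filesystem type) so it stays useful on newer kernels.

```shell
#!/bin/sh
# Added example (not the lxc-checkconfig script from the lxc package): the two
# preflight checks discussed on this page, run against constructed inputs.
#   check_kconfig FILE      grep a kernel .config the way lxc-checkconfig does
#   find_cgroup_mount FILE  find the cgroup mount point in /proc/mounts (or
#                           fstab), which is how lxc locates the hierarchy

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Kernel config symbols lxc-checkconfig reports.  The required/optional split
# is this example's own judgement.  The memory controller was renamed
# CONFIG_MEMCG in later kernels, so both spellings are accepted.
REQUIRED_OPTS="NAMESPACES UTS_NS IPC_NS PID_NS NET_NS DEVPTS_MULTIPLE_INSTANCES CGROUPS CGROUP_DEVICE"
OPTIONAL_OPTS="USER_NS CGROUP_NS CGROUP_SCHED CGROUP_CPUACCT CGROUP_MEM_RES_CTLR|MEMCG CPUSETS VETH MACVLAN SECURITY_FILE_CAPABILITIES"

# is_set OPT FILE: true if CONFIG_OPT is built in (=y) or a module (=m)
is_set() {
    grep -Eq "^CONFIG_($1)=[ym]" "$2"
}

# check_kconfig FILE: one line per option; return 1 if a required one is missing
check_kconfig() {
    cfg=$1; rc=0
    for o in $REQUIRED_OPTS; do
        if is_set "$o" "$cfg"; then echo "required CONFIG_$o: enabled"
        else echo "required CONFIG_$o: MISSING"; rc=1; fi
    done
    for o in $OPTIONAL_OPTS; do
        if is_set "$o" "$cfg"; then echo "optional CONFIG_$o: enabled"
        else echo "optional CONFIG_$o: disabled"; fi
    done
    return $rc
}

# find_cgroup_mount FILE: print the first mount point of type cgroup (v1) or
# cgroup2; return 1 when none is present.  Works on /proc/mounts and on
# /etc/fstab because both put device, mount point and fs type in fields 1-3.
find_cgroup_mount() {
    awk '$3 == "cgroup" || $3 == "cgroup2" { print $2; found = 1; exit }
         END { if (!found) exit 1 }' "$1"
}

# Constructed .config modelled on the 2.6.32 output above: everything on
# except the memory controller.
cat > "$TMP/config-ok" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_NS=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUP_CPUACCT=y
# CONFIG_CGROUP_MEM_RES_CTLR is not set
CONFIG_CPUSETS=y
CONFIG_VETH=m
CONFIG_MACVLAN=m
CONFIG_SECURITY_FILE_CAPABILITIES=y
EOF

# Constructed .config of a kernel that cannot run containers safely
cat > "$TMP/config-bad" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
# CONFIG_PID_NS is not set
# CONFIG_NET_NS is not set
CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEVICE is not set
EOF

# Constructed mount tables: one with the fstab entry from this page applied, one without
cat > "$TMP/mounts" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
cgroup /var/lib/lxc/cgroups cgroup rw,relatime 0 0
EOF
printf 'cgroup /var/lib/lxc/cgroups cgroup defaults 0 0\n' > "$TMP/fstab"
grep -v cgroup "$TMP/mounts" > "$TMP/mounts-nocgroup"

for c in config-ok config-bad; do
    echo "== $c"; check_kconfig "$TMP/$c" || echo "(missing required options)"
done
echo "cgroup mounted at: $(find_cgroup_mount "$TMP/mounts")"
find_cgroup_mount "$TMP/mounts-nocgroup" || echo "no cgroup filesystem mounted"
```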
Networking
- bridge-utils
- ifupdown-extra
- ifupdown-scripts-zg2
- iproute