Linux Virtualization : Linux Containers (lxc)

2

Pre-requisites:

  • Earlier i talked about chroot jails and resource throttling using cgroups.
    If you haven’t read them yet, then i strongly suggest to go through them before proceeding ahead.
  • https://www.youtube.com/watch?v=sK5i-N34im8
    A vety good presentation by docker team.
    This will refresh some of the concepts learned above. This video acts as the bridge between this article and the topic discussed in earlier articles mentioned above. This explains how containers are useful and how chroots and cgroups being used internally.
  • Introduction to virtualization:

    Operating-system-level virtualization is a server virtualization method in which the kernel of an operating system allows the existence of multiple isolated user-space instances, instead of just one. Such instances, which are sometimes called containers, software containers,virtualization engines (VEs) or jails (FreeBSD jail or chroot jail), may look and feel like a real server from the point of view of its owners and users.

    The above definition sums up the broad idea about containers, but to be more accurate, the traditional Virtual Machines used something called hypervisor that runs on top of kernel. This hypervisor provides virtualization to the applications that run on it by monitoring their resource usage and access patterns. This causes a lot of overhead resulting in unnecessary loss of performance. On the other hand, Operating-system-level virtualization works differently. It uses namespaces and cgroups to restrict application’s capabilities including the use of resources. This is a feature provided by the linux kernel. This has almost no overhead.

    Traditional Virtualization vs Containers

    This method is so effective that Docker is using these containers internally to provide that isolated environment which is very useful for deploying multiple integrated systems. They are even bound towards creating their own containers library. Google have their own services running on containers on shared hardware.

    Installation:

    To install lxc in Ubuntu,

    $ sudo apt-get install lxc lxctl lxc-templates
    

    This package installs of of LXC’s requirements, some templates and also sets up the network structure for the containers.
    Run lxc-checkconfig to check if the kernel configuration is ready.

    $ sudo lxc-checkconfig
        Kernel configuration not found at /proc/config.gz; searching...
        Kernel configuration found at /boot/config-4.4.0-24-generic
        --- Namespaces ---
        Namespaces: enabled
        Utsname namespace: enabled
        Ipc namespace: enabled
        Pid namespace: enabled
        User namespace: enabled
        Network namespace: enabled
        Multiple /dev/pts instances: enabled
    
        --- Control groups ---
        Cgroup: enabled
        Cgroup clone_children flag: enabled
        Cgroup device: enabled
        Cgroup sched: enabled
        Cgroup cpu account: enabled
        Cgroup memory controller: enabled
        Cgroup cpuset: enabled
    
        --- Misc ---
        Veth pair device: enabled
        Macvlan: enabled
        Vlan: enabled
        Bridges: enabled
        Advanced netfilter: enabled
        CONFIG_NF_NAT_IPV4: enabled
        CONFIG_NF_NAT_IPV6: enabled
        CONFIG_IP_NF_TARGET_MASQUERADE: enabled
        CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
        CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
        FUSE (for use with lxcfs): enabled
    
        --- Checkpoint/Restore ---
        checkpoint restore: enabled
        CONFIG_FHANDLE: enabled
        CONFIG_EVENTFD: enabled
        CONFIG_EPOLL: enabled
        CONFIG_UNIX_DIAG: enabled
        CONFIG_INET_DIAG: enabled
        CONFIG_PACKET_DIAG: enabled
        CONFIG_NETLINK_DIAG: enabled
        File capabilities: enabled
    

    Note : Before booting a new kernel, you can check its configuration usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

    You should also see the output something similar to the above.
    lxc provides a lot of ready templates, which are really helpful for fast deployment.

    $ ls -l /usr/share/lxc/templates/
        total 404
        -rwxr-xr-x 1 root root 12973 May 18 14:48 lxc-alpine
        -rwxr-xr-x 1 root root 13713 May 18 14:48 lxc-altlinux
        -rwxr-xr-x 1 root root 11090 May 18 14:48 lxc-archlinux
        -rwxr-xr-x 1 root root 12159 May 18 14:48 lxc-busybox
        -rwxr-xr-x 1 root root 29503 May 18 14:48 lxc-centos
        -rwxr-xr-x 1 root root 10374 May 18 14:48 lxc-cirros
        -rwxr-xr-x 1 root root 19732 May 18 14:48 lxc-debian
        -rwxr-xr-x 1 root root 17890 May 18 14:48 lxc-download
        -rwxr-xr-x 1 root root 49600 May 18 14:48 lxc-fedora
        -rwxr-xr-x 1 root root 28384 May 18 14:48 lxc-gentoo
        -rwxr-xr-x 1 root root 13868 May 18 14:48 lxc-openmandriva
        -rwxr-xr-x 1 root root 15932 May 18 14:48 lxc-opensuse
        -rwxr-xr-x 1 root root 41720 May 18 14:48 lxc-oracle
        -rwxr-xr-x 1 root root 11205 May 18 14:48 lxc-plamo
        -rwxr-xr-x 1 root root 19250 May 18 14:48 lxc-slackware
        -rwxr-xr-x 1 root root 26862 May 18 14:48 lxc-sparclinux
        -rwxr-xr-x 1 root root  6862 May 18 14:48 lxc-sshd
        -rwxr-xr-x 1 root root 25602 May 18 14:48 lxc-ubuntu
        -rwxr-xr-x 1 root root 11439 May 18 14:48 lxc-ubuntu-cloud

    We’ll start by creating a new container with name “my_container” with “ubuntu” template.
    This will take some time and finish creating a container for you. Yes! its that simple.
    Once its completed, the last few lines shows the password for the root user of the container. It would look something similar to this,

    $ sudo lxc-create -n my_container -t ubuntu
        .....
        .....
        ##
        # The default user is 'ubuntu' with password 'ubuntu'!
        # Use the 'sudo' command to run tasks as root in the container.
        ##

    We can check the status of container using lxc-ls. This will show the container to be in stopped state.

    $ sudo lxc-ls --fancy
        NAME            STATE    IPV4  IPV6  AUTOSTART
        ----------------------------------------------
        my_container    STOPPED  -     -     NO

    Now to start the container run lxc-start. The -d argument creates it a daemon.

    $ sudo lxc-start -n my_container -d

    Check the status of container using lxc-ls to verify its running. We can access the console using lxc-console. Use the credentials we received above to get the console access.

     $ sudo lxc-console -n my_container

    After logging in, run the following command on the container,

    $ top

    And on the host-pc run the following command to see the list of running processes.

    $ ps auxf

    and somewhere you’ll find a process tree that looks similar to this,
    Process tree for container

    It would be surprising, but, all the process on the container are just simple process on the host pc. The important part is that all are isolated and monitored by kernel. Hence you can think of these as simple processes on the host PC and you can even kill them(only if you have sufficient privileges)

    You can exit the console and return to the host by typing Ctrl-A followed by Q.

    To get more info about the running container use,

     $ sudo lxc-info -n my_container

    You can access the root file-system of this container directly from the host machine by accessing. You will need root permission to do so.

        $ sudo su
        $ cd /var/lib/lxc/my_container/rootfs

    That’s it. Now this is like a brand new operating system. You can run any service on this container.
    Think of containers as separate operating systems, where you can run anything you want. The only thing that makes is special is that all container runs on the same hardware. So, practically, companies/institutions buy a heavy shared machine then deploy containers with resource limits according to the multiple services they want. This makes is scalable and easier to manage.

    To stop the container run,

        $ sudo lxc-stop -n my_container

    To delete the container use,

        $ sudo lxc-destroy -n my_container

    NOTE: lxc provides a wrapper and easy to use API to use the kernel features. It is not equivalent to containers in any sense.
    Read the documentation to get more details on the working of containers. There are a lot of commands that are really helpful and make it easier to setup containers.

    References:

    https://www.youtube.com/watch?v=sK5i-N34im8
    https://wiki.archlinux.org/index.php/Linux_Containers
    https://linuxcontainers.org/lxc/introduction/
    http://www.ubuntu.com/cloud/lxd

    This article is contributed by Pinkesh Badjatiya .If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

    Please write comments if you find anything incorrect, or you want to share more information about the topic discussed above.

    GATE CS Corner    Company Wise Coding Practice

    Recommended Posts:



    2 Average Difficulty : 2/5.0
    Based on 1 vote(s)










    Writing code in comment? Please use ide.geeksforgeeks.org, generate link and share the link here.