- Earlier i talked about chroot jails and resource throttling using cgroups.
If you haven’t read them yet, then i strongly suggest to go through them before proceeding ahead.
A vety good presentation by docker team.
This will refresh some of the concepts learned above. This video acts as the bridge between this article and the topic discussed in earlier articles mentioned above. This explains how containers are useful and how chroots and cgroups being used internally.
Introduction to virtualization
Operating-system-level virtualization is a server virtualization method in which the kernel of an operating system allows the existence of multiple isolated user-space instances, instead of just one. Such instances, which are sometimes called containers, software containers,virtualization engines (VEs) or jails (FreeBSD jail or chroot jail), may look and feel like a real server from the point of view of its owners and users.
The above definition sums up the broad idea about containers, but to be more accurate, the traditional Virtual Machines used something called hypervisor that runs on top of kernel. This hypervisor provides virtualization to the applications that run on it by monitoring their resource usage and access patterns. This causes a lot of overhead resulting in unnecessary loss of performance. On the other hand, Operating-system-level virtualization works differently. It uses namespaces and cgroups to restrict application’s capabilities including the use of resources. This is a feature provided by the linux kernel. This has almost no overhead.
This method is so effective that Docker is using these containers internally to provide that isolated environment which is very useful for deploying multiple integrated systems. They are even bound towards creating their own containers library. Google have their own services running on containers on shared hardware.
To install lxc in Ubuntu,
$ sudo apt-get install lxc lxctl lxc-templates
This package installs of LXC’s requirements, some templates and also sets up the network structure for the containers.
Run lxc-checkconfig to check if the kernel configuration is ready.
$ sudo lxc-checkconfig Kernel configuration not found at /proc/config.gz; searching... Kernel configuration found at /boot/config-4.4.0-24-generic --- Namespaces --- Namespaces: enabled Utsname namespace: enabled Ipc namespace: enabled Pid namespace: enabled User namespace: enabled Network namespace: enabled Multiple /dev/pts instances: enabled --- Control groups --- Cgroup: enabled Cgroup clone_children flag: enabled Cgroup device: enabled Cgroup sched: enabled Cgroup cpu account: enabled Cgroup memory controller: enabled Cgroup cpuset: enabled --- Misc --- Veth pair device: enabled Macvlan: enabled Vlan: enabled Bridges: enabled Advanced netfilter: enabled CONFIG_NF_NAT_IPV4: enabled CONFIG_NF_NAT_IPV6: enabled CONFIG_IP_NF_TARGET_MASQUERADE: enabled CONFIG_IP6_NF_TARGET_MASQUERADE: enabled CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled FUSE (for use with lxcfs): enabled --- Checkpoint/Restore --- checkpoint restore: enabled CONFIG_FHANDLE: enabled CONFIG_EVENTFD: enabled CONFIG_EPOLL: enabled CONFIG_UNIX_DIAG: enabled CONFIG_INET_DIAG: enabled CONFIG_PACKET_DIAG: enabled CONFIG_NETLINK_DIAG: enabled File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
You should also see the output something similar to the above.
lxc provides a lot of ready templates, which are really helpful for fast deployment.
$ ls -l /usr/share/lxc/templates/ total 404 -rwxr-xr-x 1 root root 12973 May 18 14:48 lxc-alpine -rwxr-xr-x 1 root root 13713 May 18 14:48 lxc-altlinux -rwxr-xr-x 1 root root 11090 May 18 14:48 lxc-archlinux -rwxr-xr-x 1 root root 12159 May 18 14:48 lxc-busybox -rwxr-xr-x 1 root root 29503 May 18 14:48 lxc-centos -rwxr-xr-x 1 root root 10374 May 18 14:48 lxc-cirros -rwxr-xr-x 1 root root 19732 May 18 14:48 lxc-debian -rwxr-xr-x 1 root root 17890 May 18 14:48 lxc-download -rwxr-xr-x 1 root root 49600 May 18 14:48 lxc-fedora -rwxr-xr-x 1 root root 28384 May 18 14:48 lxc-gentoo -rwxr-xr-x 1 root root 13868 May 18 14:48 lxc-openmandriva -rwxr-xr-x 1 root root 15932 May 18 14:48 lxc-opensuse -rwxr-xr-x 1 root root 41720 May 18 14:48 lxc-oracle -rwxr-xr-x 1 root root 11205 May 18 14:48 lxc-plamo -rwxr-xr-x 1 root root 19250 May 18 14:48 lxc-slackware -rwxr-xr-x 1 root root 26862 May 18 14:48 lxc-sparclinux -rwxr-xr-x 1 root root 6862 May 18 14:48 lxc-sshd -rwxr-xr-x 1 root root 25602 May 18 14:48 lxc-ubuntu -rwxr-xr-x 1 root root 11439 May 18 14:48 lxc-ubuntu-cloud
We’ll start by creating a new container with name “my_container” with “ubuntu” template.
This will take some time and finish creating a container for you. Yes! its that simple.
Once its completed, the last few lines shows the password for the root user of the container. It would look something similar to this,
$ sudo lxc-create -n my_container -t ubuntu ..... ..... ## # The default user is 'ubuntu' with password 'ubuntu'! # Use the 'sudo' command to run tasks as root in the container. ##
We can check the status of container using lxc-ls. This will show the container to be in stopped state.
$ sudo lxc-ls --fancy NAME STATE IPV4 IPV6 AUTOSTART ---------------------------------------------- my_container STOPPED - - NO
Now to start the container run lxc-start. The -d argument creates it a daemon.
$ sudo lxc-start -n my_container -d
Check the status of container using lxc-ls to verify its running. We can access the console using lxc-console. Use the credentials we received above to get the console access.
$ sudo lxc-console -n my_container
After logging in, run the following command on the container,
And on the host-pc run the following command to see the list of running processes.
$ ps auxf
and somewhere you’ll find a process tree that looks similar to this,
It would be surprising, but, all the process on the container are just simple process on the host pc. The important part is that all are isolated and monitored by kernel. Hence you can think of these as simple processes on the host PC and you can even kill them(only if you have sufficient privileges)
You can exit the console and return to the host by typing Ctrl-A followed by Q.
To get more info about the running container use,
$ sudo lxc-info -n my_container
You can access the root file-system of this container directly from the host machine by accessing. You will need root permission to do so.
$ sudo su $ cd /var/lib/lxc/my_container/rootfs
That’s it. Now this is like a brand new operating system. You can run any service on this container.
Think of containers as separate operating systems, where you can run anything you want. The only thing that makes is special is that all container runs on the same hardware. So, practically, companies/institutions buy a heavy shared machine then deploy containers with resource limits according to the multiple services they want. This makes is scalable and easier to manage.
To stop the container run,
$ sudo lxc-stop -n my_container
To delete the container use,
$ sudo lxc-destroy -n my_container
NOTE: lxc provides a wrapper and easy to use API to use the kernel features. It is not equivalent to containers in any sense.
Read the documentation to get more details on the working of containers. There are a lot of commands that are really helpful and make it easier to setup containers.
This article is contributed by Pinkesh Badjatiya .If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to firstname.lastname@example.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please write comments if you find anything incorrect, or you want to share more information about the topic discussed above.