What LXC can do:
You can bind specific CPUs and memory to a container, assign a specific percentage of CPU time, IO time, limit the amount of memory that can be used (including memory and swap space), provide device access control, and provide an independent namespace (network, PID, IPC, MNT, UTS).
The default LXC configuration is to isolate PIDs (process) SysV IPC (interprocess communication), and mount points. If you want to run sshd, you must provide a new network stack and hostname, and if you want to avoid file collisions, you need to reload the conflicting files to different places. If you want to avoid all conflicts, you will need to mount a file system again.
Implementation of LXC:
SourceForge has lxc this open source project, but the LXC project itself is a set of tools that provide users with a user space to use and manage LXC containers. The real implementation of LXC is dependent on the characteristics of the Linux kernel, and the LXC project just consolidates it. Container based virtualization technology originates from so-called resource containers and security containers.
LXC relies on the cgroups subsystem of the Linux kernel in resource management, the Cgroups subsystem is a framework for resource management based on process groups provided by the Linux kernel that can qualify resources for specific process groups. LXC relies on the namespace features of the Linux kernel in isolation control, specifically by adding the corresponding flag (newns newpid, etc.) to the clone.
LXC Common commands use:
Lxc-version is used to display the version number of the system LXC (you can use this command to determine if the system has LXC installed)
Usage: lxc-version
For example:
The code is as follows:
Lxc-version
Lxc-checkconfig is used to determine if the Linux kernel supports LXC
Usage: lxc-checkconfig
For example:
The code is as follows:
Lxc-checkconfig
Lxc-create is used to create a container
Usage: lxc-create-n name [f Config_file]
-N followed by the name of the container to be created for example:-n foo
The path to the container configuration file followed by-F
Note: 1. Containers created using lxc-create will not be destroyed after the operation is stopped, and the Lxc-destroy command will be used to destroy
2. Container command space is global, containers with duplicate names are not allowed in the system, and if-n is followed by an already existing container name, the creation fails
For example:
The code is as follows:
Lxc-create--n foo--f foo.conf
Lxc-execute is used to execute an application in a container
Usage: lxc-execute-n name [f Config_file] [-S Key=val]command
-N followed by the container name (the container name is used to administer the container) for example:-n foo
The path to the container configuration file followed by-F (if no configuration file is available, you can specify the configuration option directly with-s, if nothing, the system takes the default policy) for example:-F foo.conf
-S followed by the configuration key value pair
For example: Lxc.cgroup.cpu.shares=512command for the command to be executed
For example:/bin/bash This command will Mount/proc and will automatically create/destroy the container.
Note: 1. If the container does not exist, Lxc-execute will automatically create one, and the container will be automatically destroyed after it stops running
2. Start the application with Lxc-execute, configure priority as follows:
If the-f option is specified, the configuration file that previously created the container (if the container is already present) will not be used
If the-s option is specified, the configuration key-value pairs on the command line overwrite the same configuration as the configuration file, whether previously or-f-specified
For example:
The code is as follows:
Lxc-execute--n foo--s lxc.cgroup.cpu.shares=512/bin/bash
Use the actual example:
The code is as follows:
Lxc-execute-n Test/bin/bash
This will start a lxc and give a similar CMD window, the network is shared with the operating system, where it seems just to create a namespace
If-f is not specified, the default quarantine is used, and this command is required to run the program quickly in an isolated environment. In the physical machine and container will run Lxc-init, on the host, the program used to forward the Lxc-kill signal to the program has been started, in container, the program's PID 1, it will fork to execute the command (PID 2) and execute.
Lxc-start used to execute a given command in a container
Usage: lxc-start-n name [f config_file] [-C Console_file] [-d] [-s Key=val][command]
-D executes the container as a daemon
-F followed by configuration file
-c Specifies a file as the output of the container console and, if not specified, outputs to the terminal
-s Specifies the configuration
If you do not specify a command, Lxc-start will run the/sbin/init
For example:
The code is as follows:
Lxc-start-n foo-f foo.conf-d/bin/bash
Note: 1. If the container does not exist, Lxc-start will automatically create one, and the container will be automatically destroyed after it stops running
2.lxc-start configuration priority is the same as Lxc-execute
Similarities and differences of 3.lxc-start and Lxc.execute:
Both Lxc-start and Lxc-execute can start a process in a container, the difference being that the lxc-start creates the process directly, Lxc-execute creates the lxc-init process, and then lxc-init a process in fork to execute it. (On the 4th, what is the status of Lxc-init?) )
The orphan process group and Daemon are not supported by this command,
Use the Lxc-execute command instead
If No command is specified, Lxc-start'll use the default "/sbin/init"
command to run a system container.
4.lxc-start used in container startup System,lxc-execute for executing applications in containers
Lxc-kill sends a signal to the first user process in the container (process with process number 2 inside the container)
Usage: lxc-kil-n name SIGNUM
-N followed by the container name
SIGNUM signal (optional for this parameter, default Sigkill)
For example:
The code is as follows:
Lxc-kill-n Foo
Lxc-stop is used to stop all processes in the container
Usage: lxc-stop-n Name
-N followed by the name of the container to be stopped
For example:
The code is as follows:
Lxc-stop--n foo
Lxc-destroy used to destroy containers
Usage: lxc-destroy-n Name
-N followed by the name of the container to be stopped
For example:
The code is as follows:
Lxc-destroy--n foo
Lxc-cgroup used to get or adjust Cgroup-related parameters
Usage: Lxc-cgroup-n Name subsystem value
-N followed by the name of the container to be adjusted
For example:
The code is as follows:
Lxc-cgroup-n Foo devices.list
lxc-cgroup-n foo cpuset.cpus "0,3"
Lxc-info user gets the state of a container
Usage: lxc-info-n Name
-N followed by the operation's container name
For example:
The code is as follows:
Lxc-info--n foo
Note: The state of the container is: starting RUNNING stopping STOPPED aborting
Lxc-monitor monitors a change in the state of a container, and when the state of a container changes, this command prints out the state of the container on the screen.
Usage: lxc-monitor-n Name
For example:
The code is as follows:
Lxc-monitor-n Foo
LXC-LS Lists all containers for the current system
Usage: Lxc-ls
For example:
The code is as follows:
Lxc-ls
LXC-PS lists the processes running in a specific container
Usage: lxc-ps
For example:
The code is as follows:
Lxc-ps-n Foo
To view and adjust the priority of a container
The code is as follows:
Lxc-priority-n Name
Lxc-priority-n Name-p Priority
Continuously observe the state and priority changes of the container:
The code is as follows:
Lxc-monitor-n Name
LXC uses the Cgroup file System Management container. Some parts of the Cgroup file system can be read and manipulated by LXC. To manage the use of the CPU for each container, you can do so by reading and adjusting the cpu.shares of the container:
The code is as follows:
Lxc-cgroup-n name Cpu.shares
Lxc-cgroup-n name Cpu.shares Howmany
pausing and resuming
[/code]lxc-freeze-n Name
Lxc-unfreeze-n Name[/code]
Stop it
Stopping a container causes all processes that are started in the container to die and clean the container:
The code is as follows:
Lxc-stop-n Name
Destroyed
Destroying a container means deleting the configuration file and metadata associated with the name through the Lxc-create step:
The code is as follows:
Lxc-destroy-n Name