LXC (Linux Containers) Introduction

Source: Internet
Author: User

Linux Containers (LXC): a container can be imagined as a large jar with a wide mouth, into which many smaller jars of the same shape but different sizes can be placed. In technical terms, it is a container-based operating-system-level virtualization technology.

Inside this large container there can be many small containers. Each container has a complete operating environment: specific CPUs and memory nodes, allocated CPU time and I/O time, a limited memory size (including memory and swap), access to the underlying devices, and independent namespaces (network, PID, IPC, MNT, and UTS).

LXC Project Address: https://linuxcontainers.org/

LXC on GitHub: https://github.com/lxc/lxc

An instance of LXC, which we call a container, is analogous to what VirtualBox and VMware provide on a PC.

LXC Concrete Composition

The LXC project on SourceForge consists of a Linux kernel patch and some user-space tools. The kernel patch provides the new low-level features; the user-space tools build on those features and offer a simplified set of tools for maintaining containers.

LXC relies on the cgroups subsystem of the Linux kernel, a process-group-based resource management framework that restricts the resources a particular process group may use. With the help of cgroups, LXC implements a lightweight virtual machine in the existing Linux environment.

For isolation, LXC relies on the namespace feature of the Linux kernel, specifically by passing the corresponding flags to clone().
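An added example, not part of the original article or of LXC itself: a Python check that compares the namespace links under /proc for a host process and a container process and reports, for each of the five namespaces listed earlier, the clone() flag that creates it and whether the container is actually isolated. The function names and the proc_root parameter are assumptions of this example.

```python
import os

# The five namespaces the article lists, mapped to the clone(2) flag that creates each.
NS_FLAGS = {
    "net": "CLONE_NEWNET",
    "pid": "CLONE_NEWPID",
    "ipc": "CLONE_NEWIPC",
    "mnt": "CLONE_NEWNS",
    "uts": "CLONE_NEWUTS",
}


def read_namespaces(pid, proc_root="/proc"):
    """Return {name: 'name:[inode]'} for one process; None marks an unreadable entry."""
    result = {}
    for name in NS_FLAGS:
        link = os.path.join(proc_root, str(pid), "ns", name)
        try:
            result[name] = os.readlink(link)
        except OSError:  # no kernel support for this namespace, or insufficient privilege
            result[name] = None
    return result


def isolation_report(host_pid, container_pid, proc_root="/proc"):
    """Classify each namespace as 'isolated', 'shared' or 'unknown'."""
    host = read_namespaces(host_pid, proc_root)
    cont = read_namespaces(container_pid, proc_root)
    report = {}
    for name, flag in NS_FLAGS.items():
        if host[name] is None or cont[name] is None:
            state = "unknown"
        elif host[name] == cont[name]:
            state = "shared"      # same inode: the flag was not applied
        else:
            state = "isolated"    # different inode: a new namespace was created
        report[name] = (flag, state)
    return report


def shared_with_host(report):
    """Namespaces the container still shares with the host: the ones to review."""
    return sorted(n for n, (_, state) in report.items() if state == "shared")


if __name__ == "__main__":
    # Demo: compare this process with its parent. As root, pass PID 1 and a
    # container's init PID instead.
    for name, (flag, state) in isolation_report(os.getppid(), os.getpid()).items():
        print(f"{name:4} {flag:14} {state}")
```

Reading another user's /proc/PID/ns entries needs root; without it the affected namespaces are reported as unknown rather than guessed.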

Advantages of LXC

LXC is an operating system-level virtualization technology that has the following advantages over traditional HAL-level virtualization technologies:

1. Smaller virtualization overhead. Many of LXC's features are provided directly by the kernel.

2. Rapid deployment. Once LXC is installed, you can create and launch containers with LXC's commands to provide a virtual execution environment for your application. Traditional virtualization requires creating a virtual machine, then installing the system, and then deploying the application.

3. The rootfs of the virtual machine is /var/lib/lxc/container_name, so the container file system can easily be modified from the host.

4. LXC uses AppArmor, an application access control system, to ensure that the host is not affected by malicious behavior of instances inside the container.

Disadvantages of LXC

1. Lack of support for disk quotas; LVM is currently used to impose the limit.

2. Lack of copy-on-write support. Each container is a separate user-space instance of the operating system, with its own copy of the system library files and other necessary files. On a system with many containers this wastes disk space. The copy-on-write idea could be applied here: for files shared between containers, only one copy is kept until a write occurs, and the other containers share it through hard links; when a container writes to a shared file, a separate copy is created for it.

3. The dynamic association between processes and containers is incomplete.

Ideally, processes and containers are dynamically associated, and processes can migrate between containers. In LXC, resource management is implemented through cgroups, and processes can migrate between cgroups under certain conditions. Isolation is implemented through namespaces, and the kernel currently allows a process to change only a limited number of its namespaces.

4. Checkpoints are not supported.

Checkpoint technology temporarily freezes all the processes in a container and stores the container's full state at that moment on disk, similar to a VMware snapshot. LXC currently does not support checkpointing; it can only freeze and resume processes temporarily with the cgroups freezer subsystem, without saving the complete state of the container.

5. Dynamic migration of containers is not supported.

Dynamic migration means migrating a running container from one machine to another without stopping the processes in the container. This technology can be used to optimize resource allocation across a server cluster. LXC currently does not support dynamic migration.

LXC Installation and Use

On Ubuntu, LXC can be installed with apt or from source. Installing with apt is recommended, because the other software that LXC depends on is installed automatically along with it.

Before using LXC, a brief introduction to its configuration files helps in understanding how it works.

A. /etc/lxc/lxc.conf: the default configuration file used when creating an LXC container. The default content is as follows.

B. /usr/lib/lxc/templates/: this directory holds the template files for the Linux distributions supported by the installed LXC.

C. /var/lib/lxc/: this directory holds each container instance that is created; only the root user has access to its contents.

D. /var/cache/lxc: this directory holds the cache for container instances, which speeds up container creation.

LXC containers come in two types: system containers and application containers. A system container is similar to a virtual machine and is started with a command such as

lxc-start -n name init

which runs the init program.

An application container simply creates separate namespaces for isolating one application, and is started with a command such as

lxc-execute -n name cmd

LXC Common Commands

1. lxc-checkconfig: determines whether the Linux kernel supports LXC.

2. lxc-create: creates a container.

lxc-create -n name [-f config_file]

name: name of the container to create

config_file: path to the container configuration file

Note: Container names are global; the system does not allow two containers with the same name. A container created by lxc-create is not automatically destroyed after it stops running.

3. lxc-destroy: destroys a container.

4. lxc-execute: executes an application in a container.

lxc-execute -n name [-f config_file] [-s key=val] command

name: container name

config_file: path to the container configuration file

-s: followed by a key-value pair to set, such as lxc.cgroup.cpu.shares=512

command: the command to execute

Note: If the container named name does not exist, lxc-execute automatically creates one, and that container is automatically destroyed when it stops running.

During execution, the configuration parameters are taken from the file specified by -f. The -s option can change the value of an individual parameter from the configuration file.

lxc-execute first creates the lxc-init process, and lxc-init then forks a child to execute the command. It is typically used to run an application in a container.

5. lxc-start: executes a given command in a container.

lxc-start -n name [-f config_file] [-c console_file] [-d] [-s key=val] [command]

-d: run the container as a daemon

-c: specifies a file to use as the container's console output; the default is the terminal

Note: If the container does not already exist, lxc-start automatically creates one, and that container is automatically destroyed when it stops. lxc-start directly creates the process that runs the command.

lxc-start is used to start the system in a container.

6. lxc-kill: sends a signal to the first user process in the container (inside the container, process number 1 is init and process number 2 is the first user process). The default signal is SIGKILL.

lxc-kill -n name [SIGNUM]

7. lxc-stop: stops all processes in the container.

lxc-stop -n name

8. lxc-destroy: destroys a container.

lxc-destroy -n name

9. Other commands will be added here as they are needed.

Using the above commands requires root permission.

In each created container there is a config configuration file, where you can add various resource limits for that container.

Experience Summary

1. Creating a virtual machine requires root permission, as does executing the related commands above.

2. When attempting to execute a command in a container, the following error occurs.

Because LXC uses cgroups to manage containers, you must run mount none -t cgroup /cgroup to mount the cgroup filesystem before actually using LXC, or add the mount to /etc/fstab so that the cgroup filesystem is mounted automatically every time the system starts.

Workaround: https://groups.google.com/forum/#!topic/ns-3-users/brjBDmGU4PE

The cgroup section is configured in the form lxc.cgroup.[subsystem name].key=value. For example:

lxc.cgroup.cpu.shares=512

lxc.cgroup.cpuset.cpus=1,2

The settings available cover the cgroup CPU subsystem, cpuset subsystem, memory subsystem and blkio subsystem, as well as the network part and the rootfs part.
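An added example, not part of the original article or of the LXC tools: a Python audit of a container config file that extracts the lxc.cgroup.[subsystem name].key=value entries described above, validates the cpuset CPU list, and reports resource limits that are not set. The sample config is constructed, and the EXPECTED_LIMITS baseline and function names are assumptions of this example.

```python
import re

# lxc.cgroup.<subsystem>.<key> = value, the form the article describes
CGROUP_LINE = re.compile(r"^lxc\.cgroup\.([a-z_]+)\.([A-Za-z0-9_.]+)\s*=\s*(.*)$")
# Kernel cpuset list format: comma-separated CPU numbers and ranges, e.g. 0-3,6
CPU_LIST = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")
# Assumed baseline: limits this example expects every container to define
EXPECTED_LIMITS = [("cpu", "shares"), ("memory", "limit_in_bytes")]

# Constructed sample config (not from the article); note '.' typed for ',' in cpuset.cpus
SAMPLE_CONFIG = """\
# web01 container
lxc.utsname = web01
lxc.cgroup.cpu.shares = 512
lxc.cgroup.cpuset.cpus = 1.2
"""


def parse_cgroup_settings(text):
    """Return {(subsystem, key): value} for every lxc.cgroup.* line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = CGROUP_LINE.match(line)
        if match:
            subsystem, key, value = match.groups()
            settings[(subsystem, key)] = value.strip()
    return settings


def audit(text):
    """Return a list of findings: malformed values and missing limits."""
    settings = parse_cgroup_settings(text)
    findings = []
    cpus = settings.get(("cpuset", "cpus"))
    if cpus is not None and not CPU_LIST.match(cpus):
        findings.append(f"cpuset.cpus: invalid CPU list {cpus!r}")
    for subsystem, key in EXPECTED_LIMITS:
        if (subsystem, key) not in settings:
            findings.append(f"{subsystem}.{key}: no limit set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A container with no memory limit can exhaust host memory, so a missing limit is reported the same way as a malformed one.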
