SlideShare ist ein Scribd-Unternehmen logo

Linuxcon Barcelon 2012: LXC Best Practices

C
christophm

Lightweight Virtualization: LXC Best Practices Christoph Mitasch - Thomas-Krenn.AG

Technologie
1 von 28
Lightweight Virtualization: LXC Best Practices Christoph Mitasch LinuxCon Barcelona 2012 Slide 1/28
About ● Based in Bavaria, Germany ● Selling server systems in Europe ● ~100 employees ● >10.000 customers Slide 2/28
Agenda 1) Types of Virtualization 2) Control Groups (cgroups) 3) Resource Isolation (namespaces) 4) LXC 5) HA Containers with Pacemaker and DRBD 6) Alternatives to LXC 7) Q&A Slide 3/28
1) Types of Virtualization ● Hardware Virtualization ● Full: unmodified Guest OS ● VirtualBox, VMware, ... ● Para: modified Guest OS ● Xen, KVM, … ● Software Virtualization ● Application Virtualization – Operating system-level virtualization ● OpenVZ ● Linux VServer ● Linux Containers / LXC Source:: http://www.parallels.com/eu/products/pvc46/info/virtualization/ ● Solaris Containers/Zones ● FreeBSD Jails Slide 4/28
2) Control Groups ● Control groups → cgroups ● Implemented as VFS, since 2.6.24 ● Allows aggregation of tasks and all following children ● Subsystems (z.B.: blkio, cpuset, memory, …) ● Limitation, priorization, accounting ● Can also be used without virtualization ● Included in all major distributions ● No disk quota limitation (→ image file, LVM, XFS directory tree quota, ...) Slide 5/28
2) Control Groups ● Subsystems # cat /proc/version Linux version 3.2.0-32-generic # cat /proc/cgroups #subsys_name hierarchy num_cgroups enabled cpuset 1 9 1 → limit tasks to specific CPUs cpu 2 9 1 → CPU shares cpuacct 3 9 1 → CPU accounting memory 4 9 1 → memory/swap limits and accounting devices 5 9 1 → device allow and deny list freezer 6 9 1 → suspend/resume tasks blkio 7 9 1 → I/O priorization (weight, throttle, …) net_cls → network priorization net_prio ... Slide 6/28
2) Control Groups ● Memory/CPU limitation and accounting # cd /sys/fs/cgroup # cat cpu/cpu.shares 1024 # cat memory/memory.limit_in_bytes 9223372036854775807 # cat memory/memory.memsw.limit_in_bytes 9223372036854775807 # cat memory/memory.usage_in_bytes 1432952832 # cat memory/memory.memsw.usage_in_bytes 1432956928 ● memsw = memory + swap Slide 7/28
2) Control Groups ● Cgroups Demo Slide 8/28
3) Resource Isolation ● Kernel Namespaces Source: lxc.sf.net Image Source: http://hobo- geek.blogspot.com.es/2012/08/the-best-linux-distribution- Slide 9/28 2012.html
4) LXC - Intro ● LXC = userspace tools for Linux containers based on mainline kernel ● Linux containers are based on: ● Kernel namespaces for resource isolation ● Cgroups for limitation and accounting Can be used since 2.6.29 Image Source: http://www.linux- magazin.de/var/linux_magazin/storage/images/linux- ● magazin.de/heft-abo/ausgaben/2011/08/dualstack/po- 22148-fotolia-sculpies_123rf-container.png/617255-1-ger- DE/PO-22148-Fotolia-Sculpies_123RF- Latest LXC version: 0.7.5 / 0.8-rc2 Container.png_lightbox.png ● Slide 10/28
4) LXC – Distro ● Debian – since Squeeze ● apt-get install lxc ● No special kernel required ● Ubuntu – since Lucid ● RHEL – since RHEL 6 as Technology Preview ● Full support with RHEL 7 ● SUSE – since openSUSE 11.2 ● Since SLES 11 SP2 ● Every other Linux kernel starting with 2.6.29 + userspacetools Slide 11/28
4) LXC – Userspace ● lxc-start / lxc-stop ● lxc-start -n ct0 -f /lxc/ct0/config ● lxc-create / lxc-destroy ● creates/destroys instance of a CT in /var/lib/lxc ● for starting lxc-start required ● „lxc-create -t“ for deployment with template ● lxc-ls – shows running containers ● lxc-attach – execute command inside container ● lxc-console ● lxc-console -n ct0 --tty 1 ● lxc-clone – generates LVM/Btrfs snapshot ● In general: lxc-* Slide 12/28
4) LXC – Userspace ● Sample: # lxc-start -n ct0 -f /lxc/ct0/config -d # lxc-attach -n ct0 root@ct0 # hostname ct0 # exit # lxc-console -n ct0 -t 3 Type <Ctrl+a q> to exit the console Debian GNU/Linux 6.0 ct0 tty3 ct0 login: # lxc-ls ct0 # lxc-freeze -n ct0 # lxc-info -n ct0 'ct0' is FROZEN # lxc-stop -n ct0 Slide 13/28
4) LXC – Configuration ● Sample container configuration: /lxc/ct0.conf lxc.tty = 4 lxc.pts = 1024 lxc.rootfs = /lxc/vm0/ lxc.mount = /lxc/vm0.fstab lxc.cgroup.devices.deny = a # /dev/null and zero lxc.cgroup.devices.allow = c 1:3 rwm lxc.cgroup.devices.allow = c 1:5 rwm # consoles lxc.cgroup.devices.allow = c 5:1 rwm ... lxc.utsname = lxctest lxc.network.type = veth lxc.network.flags = up lxc.network.link = br0 lxc.cgroup.memory.limit_in_bytes = 512M ... Slide 14/28
4) LXC – Userspace ● lxc-checkconfig ● checks kernel namespace and cgroups support # lxc-checkconfig Found kernel config file /boot/config-3.2.0-32-generic --- Namespaces --- Namespaces: enabled Utsname namespace: enabled Ipc namespace: enabled Pid namespace: enabled User namespace: enabled Network namespace: enabled Multiple /dev/pts instances: enabled --- Control groups --- Cgroup: enabled Cgroup clone_children flag: enabled Cgroup device: enabled ... Slide 15/28
4) LXC – Templates ● No precreated templates ● Template-Scripts ● lxc-debian, lxc-fedora, lxc-ubuntu ● Generates configuration file ● Downloads and caches packages in /var/cache/lxc/ ● Supports LVM and filesystem generation # lxc-create -t ubuntu -n test -B lvm --lvname test --vgname vg_lxc --fstype ext4 --fssize 1GB ... No config file specified, using the default config Logical volume "test" created mke2fs 1.42 (29-Nov-2011) ... Checking cache download in /var/cache/lxc/precise/rootfs-amd64 'ubuntu' template installed Unmounting LVM Slide 16/28 'test' created
4) LXC – Networking ● no entry → interface settings from host ● empty → only loopback ● veth → Virtual Ethernet (bridge) ● vlan → vlan interface ● macvlan → 3 modes: private, vepa, bridge ● phys → dedicated NIC from host passed through Slide 17/28
4) LXC – Freeze / CPT ● At the moment only freeze/unfreeze per default ● No complete freeze, networking is still working ● lxc-freeze / lxc-unfreeze ● Checkpointing for live migration is planned ● Checkpoint/Restore In Userspace ● http://criu.org/LXC Slide 18/28
4) LXC – Recommendations ● Libvirt supports Linux Containers ● → LXC tools support more features ● LXC is still in development – see man lxc: ● man lxc „The lxc is still in development, so the command syntax and the API can change. The version 1.0.0 will be the frozen version.“ ● Don't give container root to someone you don't trust Slide 19/28
4) LXC – Pittfalls ● echo b > /proc/sysrq-trigger inside container ● Mount /proc and /sys readonly inside container ● Drop sys_admin capability ● Use Ubuntu Apparmor profile „lxc-default“ since 12.04 ● If distribution does not care about Linux Containers → Modify/disable Apparmor/ SELinux Image Source: http://www.grossglockner.at/static/cms/grossglockner/bilder/grossglockner01.jpg ● Deactivate kernel logging in container ● Check Hwclock setting problems Slide 20/28
5) HA Containers ● Two node High Availability cluster using: ● Pacemaker with „lxc“ resource agent ● DRBD for replicated storage ● LVM for container storage ● LCMC – Linux Cluster Management Console Slide 21/28
5) HA Containers ● HOWTO (short version) ● Install two servers identically (I used Ubuntu 12.04) ● apt-get install lxc lvm2 screen ● Modify LVM filter http://www.drbd.org/users-guide/s-lvm-drbd-as-pv.html ● Install and configure Pacemaker, Heartbeat and DRBD with LCMC ● Activate dopd – DRBD outdate-peer-daemon http://www.drbd.org/users-guide/s-pacemaker-fencing.html ● Create one LVM VG per server on top of DRBD ● Install latest lxc Resource Agent https://github.com/ClusterLabs/resource-agents/blob/master/heartbeat/lxc ● Set „lxc“ and „resource-agents“ package on „hold“ Slide 22/28
5) HA Containers ● Storage Overview: Slide 23/28
5) HA Containers ● HOWTO (short version) ● Create replicated configuration space – /lxc1 and /lxc2 – Configure Filesystem resource for that ● Create containers lxc-create -n test -t debian -B lvm --lvname test --vgname vg_wc1 --fstype ext4 --fssize 1GB ● Move create container configuration from /var/lib/lxc to /lxc1 or /lxc2 – e.g. mv /var/lib/lxc/test /lxc1/ ● Create Pacemaker resource for each container ● Long Version of this HOWTO is coming to our Wiki: tkurl.de/wikiEN Slide 24/28
5) HA Containers ● Pacemaker Overview: Slide 25/28
5) HA Containers ● Recommendations ● Set Resource Limits for Containers ● Ensure that „kill -PWR 1“ initiates a proper shutdown of containers ● Use LVM snapshots for backup ● Use „screen“ command to connect to container ● Increase Pacemaker timeouts to avoid unintended switchovers ● Familiarize yourself with the cluster CLI „crm“ ● Test as much as possible before getting into production Slide 26/28
6) Alternatives ● OpenVZ ● commercial product „Virtuozzo“ since 2001 ● GPLed in 2005 ● OpenVirtuozzo → OpenVZ ● Kernel patch: – RHEL5: ~4MB uncompressed – RHEL6: ~5,4MB uncompressed ● Parts are continuously merged into mainline ● currently 2.6.32 stable (RHEL6) ● will be rebased to 3.6 kernel (RHEL7) ● Linux Vserver Slide 27/28
7) Q+A ● Questions ● Now ● And later at our booth ... Slide 28/28

Empfohlen

Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Boden Russell
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespacesLocaweb
 
Containers are the future of the Cloud
Containers are the future of the CloudContainers are the future of the Cloud
Containers are the future of the CloudPavel Odintsov
 
Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Dobrica Pavlinušić
 
Introduction to linux containers
Introduction to linux containersIntroduction to linux containers
Introduction to linux containersGoogle
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Ralf Dannert
 
Containers and Namespaces in the Linux Kernel
Containers and Namespaces in the Linux KernelContainers and Namespaces in the Linux Kernel
Containers and Namespaces in the Linux KernelOpenVZ
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Neeraj Shrimali
 

Empfohlen

Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Boden Russell
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespacesLocaweb
 
Containers are the future of the Cloud
Containers are the future of the CloudContainers are the future of the Cloud
Containers are the future of the CloudPavel Odintsov
 
Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Dobrica Pavlinušić
 
Introduction to linux containers
Introduction to linux containersIntroduction to linux containers
Introduction to linux containersGoogle
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Ralf Dannert
 
Containers and Namespaces in the Linux Kernel
Containers and Namespaces in the Linux KernelContainers and Namespaces in the Linux Kernel
Containers and Namespaces in the Linux KernelOpenVZ
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Neeraj Shrimali
 
Lxc- Linux Containers
Lxc- Linux ContainersLxc- Linux Containers
Lxc- Linux Containerssamof76
 
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copyLinux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copyBoden Russell
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratchjoshuasoundcloud
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Boden Russell
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroupsKernel TLV
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersKernel TLV
 
Docker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker, Inc.
 
Lxc- Introduction
Lxc- IntroductionLxc- Introduction
Lxc- IntroductionLuís Eduardo
 
Windows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersWindows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersKernel TLV
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
Namespaces in Linux
Namespaces in LinuxNamespaces in Linux
Namespaces in LinuxLubomir Rintel
 
2. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 20132. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 2013ru-fedora-moscow-2013
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in LinuxSadegh Dorri N.
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Jérôme Petazzoni
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 
First steps on CentOs7
First steps on CentOs7First steps on CentOs7
First steps on CentOs7Marc Cortinas Val
 
Union FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerUnion FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerKnoldus Inc.
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-timeNational Cheng Kung University
 
Cgroup resource mgmt_v1
Cgroup resource mgmt_v1Cgroup resource mgmt_v1
Cgroup resource mgmt_v1sprdd
 
Lightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesLightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesWerner Fischer
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 

Weitere ähnliche Inhalte

Was ist angesagt?

Lxc- Linux Containers
Lxc- Linux ContainersLxc- Linux Containers
Lxc- Linux Containerssamof76
 
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copyLinux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copyBoden Russell
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratchjoshuasoundcloud
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Boden Russell
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroupsKernel TLV
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersKernel TLV
 
Docker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker, Inc.
 
Windows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersWindows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersKernel TLV
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
2. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 20132. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 2013ru-fedora-moscow-2013
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in LinuxSadegh Dorri N.
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Jérôme Petazzoni
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 
Union FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerUnion FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerKnoldus Inc.
 
Cgroup resource mgmt_v1
Cgroup resource mgmt_v1Cgroup resource mgmt_v1
Cgroup resource mgmt_v1sprdd
 

Was ist angesagt? (20)

Lxc- Linux Containers
Lxc- Linux ContainersLxc- Linux Containers
Lxc- Linux Containers
 
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copyLinux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratch
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroups
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containers
 
Docker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme Petazzoni
 
Lxc- Introduction
Lxc- IntroductionLxc- Introduction
Lxc- Introduction
 
Windows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersWindows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel Developers
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!
 
Namespaces in Linux
Namespaces in LinuxNamespaces in Linux
Namespaces in Linux
 
2. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 20132. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 2013
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
First steps on CentOs7
First steps on CentOs7First steps on CentOs7
First steps on CentOs7
 
Union FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerUnion FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a Container
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
 
Cgroup resource mgmt_v1
Cgroup resource mgmt_v1Cgroup resource mgmt_v1
Cgroup resource mgmt_v1
 

Ähnlich wie Linuxcon Barcelon 2012: LXC Best Practices

Lightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesLightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesWerner Fischer
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Linux Containers & Docker
Linux Containers & DockerLinux Containers & Docker
Linux Containers & DockerJumping Bean
 
Docker 原理與實作
Docker 原理與實作Docker 原理與實作
Docker 原理與實作kao kuo-tung
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganetikawamuray
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization WSO2
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationImesh Gunaratne
 
Isolating an applications using LXC – Linux Containers
Isolating an applications using LXC – Linux ContainersIsolating an applications using LXC – Linux Containers
Isolating an applications using LXC – Linux ContainersVenkat Raman
 
Develop QNAP NAS App by Docker
Develop QNAP NAS App by DockerDevelop QNAP NAS App by Docker
Develop QNAP NAS App by DockerTerry Chen
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containersNitish Jadia
 
Ippevent : openshift Introduction
Ippevent : openshift IntroductionIppevent : openshift Introduction
Ippevent : openshift Introductionkanedafromparis
 
Intro to Kernel Debugging - Just make the crashing stop!
Intro to Kernel Debugging - Just make the crashing stop!Intro to Kernel Debugging - Just make the crashing stop!
Intro to Kernel Debugging - Just make the crashing stop!All Things Open
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetesKrishna-Kumar
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Ricardo Amaro
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xrkr10
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...Yandex
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & dockerejlp12
 
Revolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationRevolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationWSO2
 

Ähnlich wie Linuxcon Barcelon 2012: LXC Best Practices (20)

Lightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesLightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best Practices
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Linux Containers & Docker
Linux Containers & DockerLinux Containers & Docker
Linux Containers & Docker
 
Docker 原理與實作
Docker 原理與實作Docker 原理與實作
Docker 原理與實作
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganeti
 
Linux Containers (LXC)
Linux Containers (LXC)Linux Containers (LXC)
Linux Containers (LXC)
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
 
Isolating an applications using LXC – Linux Containers
Isolating an applications using LXC – Linux ContainersIsolating an applications using LXC – Linux Containers
Isolating an applications using LXC – Linux Containers
 
Develop QNAP NAS App by Docker
Develop QNAP NAS App by DockerDevelop QNAP NAS App by Docker
Develop QNAP NAS App by Docker
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containers
 
Ippevent : openshift Introduction
Ippevent : openshift IntroductionIppevent : openshift Introduction
Ippevent : openshift Introduction
 
Intro to Kernel Debugging - Just make the crashing stop!
Intro to Kernel Debugging - Just make the crashing stop!Intro to Kernel Debugging - Just make the crashing stop!
Intro to Kernel Debugging - Just make the crashing stop!
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & docker
 
Revolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationRevolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualization
 

Kürzlich hochgeladen

(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Linuxcon Barcelon 2012: LXC Best Practices

  • 1. Lightweight Virtualization: LXC Best Practices Christoph Mitasch LinuxCon Barcelona 2012 Slide 1/28
  • 2. About ● Based in Bavaria, Germany ● Selling server systems in Europe ● ~100 employees ● >10.000 customers Slide 2/28
  • 3. Agenda 1) Types of Virtualization 2) Control Groups (cgroups) 3) Resource Isolation (namespaces) 4) LXC 5) HA Containers with Pacemaker and DRBD 6) Alternatives to LXC 7) Q&A Slide 3/28
  • 4. 1) Types of Virtualization ● Hardware Virtualization ● Full: unmodified Guest OS ● VirtualBox, VMware, ... ● Para: modified Guest OS ● Xen, KVM, … ● Software Virtualization ● Application Virtualization – Operating system-level virtualization ● OpenVZ ● Linux VServer ● Linux Containers / LXC Source:: http://www.parallels.com/eu/products/pvc46/info/virtualization/ ● Solaris Containers/Zones ● FreeBSD Jails Slide 4/28
  • 5. 2) Control Groups ● Control groups → cgroups ● Implemented as VFS, since 2.6.24 ● Allows aggregation of tasks and all following children ● Subsystems (z.B.: blkio, cpuset, memory, …) ● Limitation, priorization, accounting ● Can also be used without virtualization ● Included in all major distributions ● No disk quota limitation (→ image file, LVM, XFS directory tree quota, ...) Slide 5/28
  • 6. 2) Control Groups ● Subsystems # cat /proc/version Linux version 3.2.0-32-generic # cat /proc/cgroups #subsys_name hierarchy num_cgroups enabled cpuset 1 9 1 → limit tasks to specific CPUs cpu 2 9 1 → CPU shares cpuacct 3 9 1 → CPU accounting memory 4 9 1 → memory/swap limits and accounting devices 5 9 1 → device allow and deny list freezer 6 9 1 → suspend/resume tasks blkio 7 9 1 → I/O priorization (weight, throttle, …) net_cls → network priorization net_prio ... Slide 6/28
  • 7. 2) Control Groups ● Memory/CPU limitation and accounting # cd /sys/fs/cgroup # cat cpu/cpu.shares 1024 # cat memory/memory.limit_in_bytes 9223372036854775807 # cat memory/memory.memsw.limit_in_bytes 9223372036854775807 # cat memory/memory.usage_in_bytes 1432952832 # cat memory/memory.memsw.usage_in_bytes 1432956928 ● memsw = memory + swap Slide 7/28
  • 8. 2) Control Groups ● Cgroups Demo Slide 8/28
  • 9. 3) Resource Isolation ● Kernel Namespaces Source: lxc.sf.net Image Source: http://hobo- geek.blogspot.com.es/2012/08/the-best-linux-distribution- Slide 9/28 2012.html
  • 10. 4) LXC - Intro ● LXC = userspace tools for Linux containers based on mainline kernel ● Linux containers are based on: ● Kernel namespaces for resource isolation ● Cgroups for limitation and accounting Can be used since 2.6.29 Image Source: http://www.linux- magazin.de/var/linux_magazin/storage/images/linux- ● magazin.de/heft-abo/ausgaben/2011/08/dualstack/po- 22148-fotolia-sculpies_123rf-container.png/617255-1-ger- DE/PO-22148-Fotolia-Sculpies_123RF- Latest LXC version: 0.7.5 / 0.8-rc2 Container.png_lightbox.png ● Slide 10/28
  • 11. 4) LXC – Distro ● Debian – since Squeeze ● apt-get install lxc ● No special kernel required ● Ubuntu – since Lucid ● RHEL – since RHEL 6 as Technology Preview ● Full support with RHEL 7 ● SUSE – since openSUSE 11.2 ● Since SLES 11 SP2 ● Every other Linux kernel starting with 2.6.29 + userspacetools Slide 11/28
  • 12. 4) LXC – Userspace ● lxc-start / lxc-stop ● lxc-start -n ct0 -f /lxc/ct0/config ● lxc-create / lxc-destroy ● creates/destroys instance of a CT in /var/lib/lxc ● for starting lxc-start required ● „lxc-create -t“ for deployment with template ● lxc-ls – shows running containers ● lxc-attach – execute command inside container ● lxc-console ● lxc-console -n ct0 --tty 1 ● lxc-clone – generates LVM/Btrfs snapshot ● In general: lxc-* Slide 12/28
  • 13. 4) LXC – Userspace ● Sample: # lxc-start -n ct0 -f /lxc/ct0/config -d # lxc-attach -n ct0 root@ct0 # hostname ct0 # exit # lxc-console -n ct0 -t 3 Type <Ctrl+a q> to exit the console Debian GNU/Linux 6.0 ct0 tty3 ct0 login: # lxc-ls ct0 # lxc-freeze -n ct0 # lxc-info -n ct0 'ct0' is FROZEN # lxc-stop -n ct0 Slide 13/28
  • 14. 4) LXC – Configuration ● Sample container configuration: /lxc/ct0.conf lxc.tty = 4 lxc.pts = 1024 lxc.rootfs = /lxc/vm0/ lxc.mount = /lxc/vm0.fstab lxc.cgroup.devices.deny = a # /dev/null and zero lxc.cgroup.devices.allow = c 1:3 rwm lxc.cgroup.devices.allow = c 1:5 rwm # consoles lxc.cgroup.devices.allow = c 5:1 rwm ... lxc.utsname = lxctest lxc.network.type = veth lxc.network.flags = up lxc.network.link = br0 lxc.cgroup.memory.limit_in_bytes = 512M ... Slide 14/28
  • 15. 4) LXC – Userspace ● lxc-checkconfig ● checks kernel namespace and cgroups support # lxc-checkconfig Found kernel config file /boot/config-3.2.0-32-generic --- Namespaces --- Namespaces: enabled Utsname namespace: enabled Ipc namespace: enabled Pid namespace: enabled User namespace: enabled Network namespace: enabled Multiple /dev/pts instances: enabled --- Control groups --- Cgroup: enabled Cgroup clone_children flag: enabled Cgroup device: enabled ... Slide 15/28
  • 16. 4) LXC – Templates ● No precreated templates ● Template-Scripts ● lxc-debian, lxc-fedora, lxc-ubuntu ● Generates configuration file ● Downloads and caches packages in /var/cache/lxc/ ● Supports LVM and filesystem generation # lxc-create -t ubuntu -n test -B lvm --lvname test --vgname vg_lxc --fstype ext4 --fssize 1GB ... No config file specified, using the default config Logical volume "test" created mke2fs 1.42 (29-Nov-2011) ... Checking cache download in /var/cache/lxc/precise/rootfs-amd64 'ubuntu' template installed Unmounting LVM Slide 16/28 'test' created
  • 17. 4) LXC – Networking ● no entry → interface settings from host ● empty → only loopback ● veth → Virtual Ethernet (bridge) ● vlan → vlan interface ● macvlan → 3 modes: private, vepa, bridge ● phys → dedicated NIC from host passed through Slide 17/28
  • 18. 4) LXC – Freeze / CPT ● At the moment only freeze/unfreeze per default ● No complete freeze, networking is still working ● lxc-freeze / lxc-unfreeze ● Checkpointing for live migration is planned ● Checkpoint/Restore In Userspace ● http://criu.org/LXC Slide 18/28
  • 19. 4) LXC – Recommendations ● Libvirt supports Linux Containers ● → LXC tools support more features ● LXC is still in development – see man lxc: ● man lxc „The lxc is still in development, so the command syntax and the API can change. The version 1.0.0 will be the frozen version.“ ● Don't give container root to someone you don't trust Slide 19/28
  • 20. 4) LXC – Pittfalls ● echo b > /proc/sysrq-trigger inside container ● Mount /proc and /sys readonly inside container ● Drop sys_admin capability ● Use Ubuntu Apparmor profile „lxc-default“ since 12.04 ● If distribution does not care about Linux Containers → Modify/disable Apparmor/ SELinux Image Source: http://www.grossglockner.at/static/cms/grossglockner/bilder/grossglockner01.jpg ● Deactivate kernel logging in container ● Check Hwclock setting problems Slide 20/28
  • 21. 5) HA Containers ● Two node High Availability cluster using: ● Pacemaker with „lxc“ resource agent ● DRBD for replicated storage ● LVM for container storage ● LCMC – Linux Cluster Management Console Slide 21/28
  • 22. 5) HA Containers ● HOWTO (short version) ● Install two servers identically (I used Ubuntu 12.04) ● apt-get install lxc lvm2 screen ● Modify LVM filter http://www.drbd.org/users-guide/s-lvm-drbd-as-pv.html ● Install and configure Pacemaker, Heartbeat and DRBD with LCMC ● Activate dopd – DRBD outdate-peer-daemon http://www.drbd.org/users-guide/s-pacemaker-fencing.html ● Create one LVM VG per server on top of DRBD ● Install latest lxc Resource Agent https://github.com/ClusterLabs/resource-agents/blob/master/heartbeat/lxc ● Set „lxc“ and „resource-agents“ package on „hold“ Slide 22/28
  • 23. 5) HA Containers ● Storage Overview: Slide 23/28
  • 24. 5) HA Containers ● HOWTO (short version) ● Create replicated configuration space – /lxc1 and /lxc2 – Configure Filesystem resource for that ● Create containers lxc-create -n test -t debian -B lvm --lvname test --vgname vg_wc1 --fstype ext4 --fssize 1GB ● Move create container configuration from /var/lib/lxc to /lxc1 or /lxc2 – e.g. mv /var/lib/lxc/test /lxc1/ ● Create Pacemaker resource for each container ● Long Version of this HOWTO is coming to our Wiki: tkurl.de/wikiEN Slide 24/28
  • 25. 5) HA Containers ● Pacemaker Overview: Slide 25/28
  • 26. 5) HA Containers ● Recommendations ● Set Resource Limits for Containers ● Ensure that „kill -PWR 1“ initiates a proper shutdown of containers ● Use LVM snapshots for backup ● Use „screen“ command to connect to container ● Increase Pacemaker timeouts to avoid unintended switchovers ● Familiarize yourself with the cluster CLI „crm“ ● Test as much as possible before getting into production Slide 26/28
  • 27. 6) Alternatives ● OpenVZ ● commercial product „Virtuozzo“ since 2001 ● GPLed in 2005 ● OpenVirtuozzo → OpenVZ ● Kernel patch: – RHEL5: ~4MB uncompressed – RHEL6: ~5,4MB uncompressed ● Parts are continuously merged into mainline ● currently 2.6.32 stable (RHEL6) ● will be rebased to 3.6 kernel (RHEL7) ● Linux Vserver Slide 27/28
  • 28. 7) Q+A ● Questions ● Now ● And later at our booth ... Slide 28/28