SlideShare ist ein Scribd-Unternehmen logo

LXC Best Practices: Resource Isolation, Networking, HA Containers

Werner Fischer
Werner Fischer
Technologie
1 von 28
Slide 1/28 Lightweight Virtualization: LXC Best Practices Christoph Mitasch LinuxTag Berlin 2013
Slide 2/28 About ● Based in Freyung, Bavaria ● Selling server systems in Europe ● ~100 employees ● >10.000 customers
Slide 3/28 Agenda 1) Types of Virtualization 2) Control Groups (cgroups) 3) Resource Isolation (namespaces) 4) LXC 5) HA Containers with Pacemaker and DRBD 6) Alternatives to LXC 7) Q&A
Slide 4/28 1) Types of Virtualization ● Hardware Virtualization ● Full: unmodified Guest OS ● VirtualBox, VMware, ... ● Para: modified Guest OS ● Xen, KVM, … ● Software Virtualization ● Application Virtualization – Operating system-level virtualization ● OpenVZ ● Linux VServer ● Linux Containers / LXC ● Solaris Containers/Zones ● FreeBSD Jails Source:: http://www.parallels.com/eu/products/pvc46/info/virtualization/
Slide 5/28 2) Control Groups ● Control groups → cgroups ● Implemented as VFS, since 2.6.24 ● Allows aggregation of tasks and all following children ● Subsystems (z.B.: blkio, cpuset, memory, …) ● Limitation, priorization, accounting ● Can also be used without virtualization ● Included in all major distributions ● No disk quota limitation (→ image file, LVM, XFS directory tree quota, ...)
Slide 6/28 2) Control Groups ● Subsystems # cat /proc/version Linux version 3.2.0-41-generic # cat /proc/cgroups #subsys_name hierarchy num_cgroups enabled cpuset 1 9 1 cpu 2 9 1 cpuacct 3 9 1 memory 4 9 1 devices 5 9 1 freezer 6 9 1 blkio 7 9 1 ... → limit tasks to specific CPUs → CPU shares → CPU accounting → memory/swap limits and accounting → device allow and deny list → suspend/resume tasks → I/O priorization (weight, throttle, …)
Slide 7/28 2) Control Groups ● Memory/CPU limitation and accounting ● memsw = memory + swap # cd /sys/fs/cgroup # cat cpu/cpu.shares 1024 # cat memory/memory.limit_in_bytes 9223372036854775807 # cat memory/memory.memsw.limit_in_bytes 9223372036854775807 # cat memory/memory.usage_in_bytes 1432952832 # cat memory/memory.memsw.usage_in_bytes 1432956928
Slide 8/28 2) Control Groups ● Cgroups Demo
Slide 9/28 3) Resource Isolation ● Kernel Namespaces Source: lxc.sf.net Image Source: http://hobo- geek.blogspot.com.es/2012/08/the-best-linux-distribution- 2012.html
Slide 10/28 4) LXC - Intro ● LXC = userspace tools for Linux containers based on mainline kernel ● Linux containers are based on: ● Kernel namespaces for resource isolation ● Cgroups for limitation and accounting ● Can be used since 2.6.29 ● Latest LXC version: 0.9 Image Source: http://www.linux- magazin.de/var/linux_magazin/storage/images/linux- magazin.de/heft-abo/ausgaben/2011/08/dualstack/po- 22148-fotolia-sculpies_123rf-container.png/617255-1-ger- DE/PO-22148-Fotolia-Sculpies_123RF- Container.png_lightbox.png
Slide 11/28 4) LXC – Distro ● Debian – since Squeeze ● apt-get install lxc ● No special kernel required ● Ubuntu – since Lucid (10.04) ● RHEL – since RHEL 6 as Technology Preview ● Full support with RHEL 7 ● SUSE – since openSUSE 11.2 ● Since SLES 11 SP2 ● Every other Linux kernel starting with 2.6.29 + userspacetools
Slide 12/28 4) LXC – Userspace ● lxc-checkconfig ● checks kernel namespace and cgroups support # lxc-checkconfig Found kernel config file /boot/config-3.2.0-41-generic --- Namespaces --- Namespaces: enabled Utsname namespace: enabled Ipc namespace: enabled Pid namespace: enabled User namespace: enabled Network namespace: enabled Multiple /dev/pts instances: enabled --- Control groups --- Cgroup: enabled Cgroup clone_children flag: enabled Cgroup device: enabled ...
Slide 13/28 4) LXC – Userspace ● lxc-start / lxc-stop ● lxc-start -n ct0 -f /lxc/ct0/config ● lxc-create / lxc-destroy ● creates/destroys instance of a CT in /var/lib/lxc ● for starting lxc-start required ● „lxc-create -t“ for deployment with template ● lxc-ls – shows running containers ● lxc-attach – execute command inside container ● lxc-console ● lxc-console -n ct0 --tty 1 ● lxc-clone – generates LVM/Btrfs snapshot ● In general: lxc-*
Slide 14/28 4) LXC – Userspace ● Sample: # lxc-start -n ct0 -f /lxc/ct0/config -d # lxc-attach -n ct0 root@ct0 # hostname ct0 # exit # lxc-console -n ct0 -t 3 Type <Ctrl+a q> to exit the console Debian GNU/Linux 6.0 ct0 tty3 ct0 login: # lxc-ls ct0 # lxc-freeze -n ct0 # lxc-info -n ct0 'ct0' is FROZEN # lxc-stop -n ct0
Slide 15/28 4) LXC – Configuration ● Sample container configuration: /lxc/ct0.conf lxc.tty = 4 lxc.pts = 1024 lxc.rootfs = /lxc/ct0/ lxc.mount = /lxc/ct0.fstab lxc.cgroup.devices.deny = a # /dev/null and zero lxc.cgroup.devices.allow = c 1:3 rwm lxc.cgroup.devices.allow = c 1:5 rwm # consoles lxc.cgroup.devices.allow = c 5:1 rwm ... lxc.utsname = lxctest lxc.network.type = veth lxc.network.flags = up lxc.network.link = br0 lxc.cgroup.memory.limit_in_bytes = 512M ...
Slide 16/28 4) LXC – Templates ● No precreated templates ● Template-Scripts ● lxc-debian, lxc-fedora, lxc-ubuntu ● Generates configuration file ● Downloads and caches packages in /var/cache/lxc/ ● Supports LVM and filesystem generation # lxc-create -t ubuntu -n test -B lvm --lvname test --vgname vg_lxc --fstype ext4 --fssize 1GB ... No config file specified, using the default config Logical volume "test" created mke2fs 1.42 (29-Nov-2011) ... Checking cache download in /var/cache/lxc/precise/rootfs-amd64 'ubuntu' template installed Unmounting LVM 'test' created
Slide 17/28 4) LXC – Networking ● no entry → interface settings from host ● empty → only loopback ● veth → Virtual Ethernet (bridge) ● vlan → vlan interface ● macvlan → 3 modes: private, vepa, bridge ● phys → dedicated NIC from host passed through
Slide 18/28 4) LXC – Freeze / CPT ● At the moment only freeze/unfreeze per default ● No complete freeze, networking is still working ● lxc-freeze / lxc-unfreeze ● Checkpointing for live migration is planned ● Checkpoint/Restore In Userspace ● http://criu.org/LXC
Slide 19/28 4) LXC – Recommendations ● Libvirt supports Linux Containers ● → LXC tools support more features ● LXC is still in development – see man lxc: ● man lxc „The lxc is still in development, so the command syntax and the API can change. The version 1.0.0 will be the frozen version.“ ● Don't give container root to someone you don't trust ● Future: run containers as unpriviliged user
Slide 20/28 4) LXC – Pittfalls ● echo b > /proc/sysrq-trigger inside container ● Mount /proc and /sys readonly inside container ● Drop sys_admin capability ● Use Ubuntu Apparmor profile „lxc-default“ since 12.04 ● If distribution does not care about Linux Containers → Modify/disable Apparmor/ SELinux ● Deactivate kernel logging in container ● Check Hwclock setting problems Image Source: http://www.grossglockner.at/static/cms/grossglockner/bilder/grossglockner01.jpg
Slide 21/28 5) HA Containers ● Two node High Availability cluster using: ● Pacemaker with „lxc“ resource agent ● DRBD for replicated storage ● LVM for container storage ● LCMC – Linux Cluster Management Console
Slide 22/28 5) HA Containers ● HOWTO (short version) ● Install two servers identically (I used Ubuntu 12.04) ● apt-get install lxc lvm2 screen ● Modify LVM filter http://www.drbd.org/users-guide/s-lvm-drbd-as-pv.html ● Install and configure Pacemaker, Heartbeat and DRBD with LCMC ● Activate dopd – DRBD outdate-peer-daemon http://www.drbd.org/users-guide/s-pacemaker-fencing.html ● Create one LVM VG per server on top of DRBD ● Install latest lxc Resource Agent https://github.com/ClusterLabs/resource-agents/blob/master/heartbeat/lxc ● Set „lxc“, „resource-agents“ and „lvm“ package on „hold“ in package management
Slide 23/28 5) HA Containers ● Storage Overview:
Slide 24/28 5) HA Containers ● HOWTO (short version) ● Create replicated configuration space – /lxc1 and /lxc2 – Configure Filesystem resource for that ● Create containers lxc-create -n test -t debian -B lvm --lvname test --vgname vg_wc1 --fstype ext4 --fssize 1GB ● Move create container configuration from /var/lib/lxc to /lxc1 or /lxc2 – e.g. mv /var/lib/lxc/test /lxc1/ ● Create Pacemaker resource for each container ● Long Version of this HOWTO is available in our Wiki: tkurl.de/lxcHA
Slide 25/28 5) HA Containers ● Pacemaker Overview:
Slide 26/28 5) HA Containers ● Recommendations ● Set Resource Limits for Containers ● Ensure that „kill -PWR 1“ initiates a proper shutdown of containers ● Use LVM snapshots for backup ● Use „screen“ command to connect to container ● Increase Pacemaker timeouts to avoid unintended switchovers ● Familiarize yourself with the cluster CLI „crm“ ● Test as much as possible before getting into production
Slide 27/28 6) Alternatives ● OpenVZ ● commercial product „Virtuozzo“ since 2001 ● GPLed in 2005 ● OpenVirtuozzo → OpenVZ ● Kernel patch: – RHEL5: ~4MB uncompressed – RHEL6: ~5,4MB uncompressed ● Parts are continuously merged into mainline ● currently 2.6.32 stable (RHEL6) ● planned to be rebased to 3.6 kernel (RHEL7) ● Linux Vserver
Slide 28/28 7) Q+A ● Questions ● Now ● And later at our booth: hall 7.1c, booth 152

Empfohlen

Linux Containers & Docker
Linux Containers & DockerLinux Containers & Docker
Linux Containers & DockerJumping Bean
 
Linuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best PracticesLinuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best Practiceschristophm
 
OpenVZ Linux Containers
OpenVZ Linux ContainersOpenVZ Linux Containers
OpenVZ Linux ContainersKirill Kolyshkin
 
Containers are the future of the Cloud
Containers are the future of the CloudContainers are the future of the Cloud
Containers are the future of the CloudPavel Odintsov
 
Openvz - a quick introduction
Openvz - a quick introductionOpenvz - a quick introduction
Openvz - a quick introductionOlle E Johansson
 
LAS16-211: Using LAVA V2 for advanced KVM testing
LAS16-211: Using LAVA V2 for advanced KVM testingLAS16-211: Using LAVA V2 for advanced KVM testing
LAS16-211: Using LAVA V2 for advanced KVM testingLinaro
 
OpenNebula Conf 2014 | Using Ceph to provide scalable storage for OpenNebula ...
OpenNebula Conf 2014 | Using Ceph to provide scalable storage for OpenNebula ...OpenNebula Conf 2014 | Using Ceph to provide scalable storage for OpenNebula ...
OpenNebula Conf 2014 | Using Ceph to provide scalable storage for OpenNebula ...NETWAYS
 
Kernel Recipes 2016 - Upstream Kernel Graphics is (Finally) Winning
Kernel Recipes 2016 - Upstream Kernel Graphics is (Finally) WinningKernel Recipes 2016 - Upstream Kernel Graphics is (Finally) Winning
Kernel Recipes 2016 - Upstream Kernel Graphics is (Finally) WinningAnne Nicolas
 

Empfohlen

Linux Containers & Docker
Linux Containers & DockerLinux Containers & Docker
Linux Containers & DockerJumping Bean
 
Linuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best PracticesLinuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best Practiceschristophm
 
OpenVZ Linux Containers
OpenVZ Linux ContainersOpenVZ Linux Containers
OpenVZ Linux ContainersKirill Kolyshkin
 
Containers are the future of the Cloud
Containers are the future of the CloudContainers are the future of the Cloud
Containers are the future of the CloudPavel Odintsov
 
Openvz - a quick introduction
Openvz - a quick introductionOpenvz - a quick introduction
Openvz - a quick introductionOlle E Johansson
 
LAS16-211: Using LAVA V2 for advanced KVM testing
LAS16-211: Using LAVA V2 for advanced KVM testingLAS16-211: Using LAVA V2 for advanced KVM testing
LAS16-211: Using LAVA V2 for advanced KVM testingLinaro
 
OpenNebula Conf 2014 | Using Ceph to provide scalable storage for OpenNebula ...
OpenNebula Conf 2014 | Using Ceph to provide scalable storage for OpenNebula ...OpenNebula Conf 2014 | Using Ceph to provide scalable storage for OpenNebula ...
OpenNebula Conf 2014 | Using Ceph to provide scalable storage for OpenNebula ...NETWAYS
 
Kernel Recipes 2016 - Upstream Kernel Graphics is (Finally) Winning
Kernel Recipes 2016 - Upstream Kernel Graphics is (Finally) WinningKernel Recipes 2016 - Upstream Kernel Graphics is (Finally) Winning
Kernel Recipes 2016 - Upstream Kernel Graphics is (Finally) WinningAnne Nicolas
 
Lxc- Linux Containers
Lxc- Linux ContainersLxc- Linux Containers
Lxc- Linux Containerssamof76
 
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois TigeotPorting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeoteurobsdcon
 
Postgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPostgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPivotalOpenSourceHub
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
Docker_AGH_v0.1.3
Docker_AGH_v0.1.3Docker_AGH_v0.1.3
Docker_AGH_v0.1.3Witold 'Ficio' Kopel
 
2. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 20132. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 2013ru-fedora-moscow-2013
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Boden Russell
 
Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Dobrica Pavlinušić
 
LXD Container Hypervisor
LXD Container HypervisorLXD Container Hypervisor
LXD Container HypervisorDanial Behzadi
 
Seven problems of Linux Containers
Seven problems of Linux ContainersSeven problems of Linux Containers
Seven problems of Linux ContainersKirill Kolyshkin
 
libreCMC : The Libre Embedded GNU/Linux Distro
libreCMC : The Libre Embedded GNU/Linux DistrolibreCMC : The Libre Embedded GNU/Linux Distro
libreCMC : The Libre Embedded GNU/Linux DistroAll Things Open
 
Introduction to RCU
Introduction to RCUIntroduction to RCU
Introduction to RCUKernel TLV
 
FreeBSD and Drivers
FreeBSD and DriversFreeBSD and Drivers
FreeBSD and DriversKernel TLV
 
Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Kynetics
 
Lxc- Introduction
Lxc- IntroductionLxc- Introduction
Lxc- IntroductionLuís Eduardo
 
OpenVZ, Virtuozzo and Docker
OpenVZ, Virtuozzo and DockerOpenVZ, Virtuozzo and Docker
OpenVZ, Virtuozzo and DockerKirill Kolyshkin
 
Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Boden Russell
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Kernel TLV
 
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandAsymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandNicola La Gloria
 
Prerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyPrerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyViller Hsiao
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Linux Containers (LXC)
Linux Containers (LXC)Linux Containers (LXC)
Linux Containers (LXC)Vladimir Melnic
 

Weitere ähnliche Inhalte

Was ist angesagt?

Lxc- Linux Containers
Lxc- Linux ContainersLxc- Linux Containers
Lxc- Linux Containerssamof76
 
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois TigeotPorting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeoteurobsdcon
 
Postgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPostgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPivotalOpenSourceHub
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
2. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 20132. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 2013ru-fedora-moscow-2013
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Boden Russell
 
Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Dobrica Pavlinušić
 
LXD Container Hypervisor
LXD Container HypervisorLXD Container Hypervisor
LXD Container HypervisorDanial Behzadi
 
Seven problems of Linux Containers
Seven problems of Linux ContainersSeven problems of Linux Containers
Seven problems of Linux ContainersKirill Kolyshkin
 
libreCMC : The Libre Embedded GNU/Linux Distro
libreCMC : The Libre Embedded GNU/Linux DistrolibreCMC : The Libre Embedded GNU/Linux Distro
libreCMC : The Libre Embedded GNU/Linux DistroAll Things Open
 
Introduction to RCU
Introduction to RCUIntroduction to RCU
Introduction to RCUKernel TLV
 
FreeBSD and Drivers
FreeBSD and DriversFreeBSD and Drivers
FreeBSD and DriversKernel TLV
 
Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Kynetics
 
OpenVZ, Virtuozzo and Docker
OpenVZ, Virtuozzo and DockerOpenVZ, Virtuozzo and Docker
OpenVZ, Virtuozzo and DockerKirill Kolyshkin
 
Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Boden Russell
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Kernel TLV
 
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandAsymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandNicola La Gloria
 
Prerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyPrerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyViller Hsiao
 

Was ist angesagt? (20)

Lxc- Linux Containers
Lxc- Linux ContainersLxc- Linux Containers
Lxc- Linux Containers
 
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois TigeotPorting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
Porting the drm/kms graphic drivers to DragonFlyBSD by Francois Tigeot
 
Postgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPostgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh Shah
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!
 
Docker_AGH_v0.1.3
Docker_AGH_v0.1.3Docker_AGH_v0.1.3
Docker_AGH_v0.1.3
 
2. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 20132. Vagin. Linux containers. June 01, 2013
2. Vagin. Linux containers. June 01, 2013
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)
 
Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)
 
LXD Container Hypervisor
LXD Container HypervisorLXD Container Hypervisor
LXD Container Hypervisor
 
Seven problems of Linux Containers
Seven problems of Linux ContainersSeven problems of Linux Containers
Seven problems of Linux Containers
 
libreCMC : The Libre Embedded GNU/Linux Distro
libreCMC : The Libre Embedded GNU/Linux DistrolibreCMC : The Libre Embedded GNU/Linux Distro
libreCMC : The Libre Embedded GNU/Linux Distro
 
Introduction to RCU
Introduction to RCUIntroduction to RCU
Introduction to RCU
 
FreeBSD and Drivers
FreeBSD and DriversFreeBSD and Drivers
FreeBSD and Drivers
 
Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7
 
Lxc- Introduction
Lxc- IntroductionLxc- Introduction
Lxc- Introduction
 
OpenVZ, Virtuozzo and Docker
OpenVZ, Virtuozzo and DockerOpenVZ, Virtuozzo and Docker
OpenVZ, Virtuozzo and Docker
 
Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
 
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandAsymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
 
Prerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyPrerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrency
 

Ähnlich wie LXC Best Practices: Resource Isolation, Networking, HA Containers

Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Docker 原理與實作
Docker 原理與實作Docker 原理與實作
Docker 原理與實作kao kuo-tung
 
Proxmox Talk - Linux Fest Northwest 2018
Proxmox Talk - Linux Fest Northwest 2018Proxmox Talk - Linux Fest Northwest 2018
Proxmox Talk - Linux Fest Northwest 2018Richard Clark
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & dockerejlp12
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization WSO2
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationImesh Gunaratne
 
OpenNebulaConf2018 - OpenNebula and LXD Containers - Rubén S. Montero - OpenN...
OpenNebulaConf2018 - OpenNebula and LXD Containers - Rubén S. Montero - OpenN...OpenNebulaConf2018 - OpenNebula and LXD Containers - Rubén S. Montero - OpenN...
OpenNebulaConf2018 - OpenNebula and LXD Containers - Rubén S. Montero - OpenN...OpenNebula Project
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containersNitish Jadia
 
Develop QNAP NAS App by Docker
Develop QNAP NAS App by DockerDevelop QNAP NAS App by Docker
Develop QNAP NAS App by DockerTerry Chen
 
Isolating an applications using LXC – Linux Containers
Isolating an applications using LXC – Linux ContainersIsolating an applications using LXC – Linux Containers
Isolating an applications using LXC – Linux ContainersVenkat Raman
 
LibCT: one lib to rule them all -- Andrey Vagin
LibCT: one lib to rule them all -- Andrey VaginLibCT: one lib to rule them all -- Andrey Vagin
LibCT: one lib to rule them all -- Andrey VaginOpenVZ
 
Openstack overview thomas-goirand
Openstack overview thomas-goirandOpenstack overview thomas-goirand
Openstack overview thomas-goirandOpenCity Community
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetesKrishna-Kumar
 
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniWorkshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniTheFamily
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionJérôme Petazzoni
 
lxc-namespace.pdf
lxc-namespace.pdflxc-namespace.pdf
lxc-namespace.pdf-
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganetikawamuray
 

Ähnlich wie LXC Best Practices: Resource Isolation, Networking, HA Containers (20)

Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Linux Containers (LXC)
Linux Containers (LXC)Linux Containers (LXC)
Linux Containers (LXC)
 
Docker 原理與實作
Docker 原理與實作Docker 原理與實作
Docker 原理與實作
 
Proxmox Talk - Linux Fest Northwest 2018
Proxmox Talk - Linux Fest Northwest 2018Proxmox Talk - Linux Fest Northwest 2018
Proxmox Talk - Linux Fest Northwest 2018
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & docker
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
 
OpenNebulaConf2018 - OpenNebula and LXD Containers - Rubén S. Montero - OpenN...
OpenNebulaConf2018 - OpenNebula and LXD Containers - Rubén S. Montero - OpenN...OpenNebulaConf2018 - OpenNebula and LXD Containers - Rubén S. Montero - OpenN...
OpenNebulaConf2018 - OpenNebula and LXD Containers - Rubén S. Montero - OpenN...
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containers
 
Develop QNAP NAS App by Docker
Develop QNAP NAS App by DockerDevelop QNAP NAS App by Docker
Develop QNAP NAS App by Docker
 
Isolating an applications using LXC – Linux Containers
Isolating an applications using LXC – Linux ContainersIsolating an applications using LXC – Linux Containers
Isolating an applications using LXC – Linux Containers
 
LibCT: one lib to rule them all -- Andrey Vagin
LibCT: one lib to rule them all -- Andrey VaginLibCT: one lib to rule them all -- Andrey Vagin
LibCT: one lib to rule them all -- Andrey Vagin
 
Openstack overview thomas-goirand
Openstack overview thomas-goirandOpenstack overview thomas-goirand
Openstack overview thomas-goirand
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
 
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniWorkshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
 
lxc-namespace.pdf
lxc-namespace.pdflxc-namespace.pdf
lxc-namespace.pdf
 
OpenNebula LXD Overview
OpenNebula LXD OverviewOpenNebula LXD Overview
OpenNebula LXD Overview
 
OpenNebula LXD Container Support overview
OpenNebula LXD Container Support overviewOpenNebula LXD Container Support overview
OpenNebula LXD Container Support overview
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganeti
 

Kürzlich hochgeladen

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Kürzlich hochgeladen (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

LXC Best Practices: Resource Isolation, Networking, HA Containers

  • 1. Slide 1/28 Lightweight Virtualization: LXC Best Practices Christoph Mitasch LinuxTag Berlin 2013
  • 2. Slide 2/28 About ● Based in Freyung, Bavaria ● Selling server systems in Europe ● ~100 employees ● >10.000 customers
  • 3. Slide 3/28 Agenda 1) Types of Virtualization 2) Control Groups (cgroups) 3) Resource Isolation (namespaces) 4) LXC 5) HA Containers with Pacemaker and DRBD 6) Alternatives to LXC 7) Q&A
  • 4. Slide 4/28 1) Types of Virtualization ● Hardware Virtualization ● Full: unmodified Guest OS ● VirtualBox, VMware, ... ● Para: modified Guest OS ● Xen, KVM, … ● Software Virtualization ● Application Virtualization – Operating system-level virtualization ● OpenVZ ● Linux VServer ● Linux Containers / LXC ● Solaris Containers/Zones ● FreeBSD Jails Source:: http://www.parallels.com/eu/products/pvc46/info/virtualization/
  • 5. Slide 5/28 2) Control Groups ● Control groups → cgroups ● Implemented as VFS, since 2.6.24 ● Allows aggregation of tasks and all following children ● Subsystems (z.B.: blkio, cpuset, memory, …) ● Limitation, priorization, accounting ● Can also be used without virtualization ● Included in all major distributions ● No disk quota limitation (→ image file, LVM, XFS directory tree quota, ...)
  • 6. Slide 6/28 2) Control Groups ● Subsystems # cat /proc/version Linux version 3.2.0-41-generic # cat /proc/cgroups #subsys_name hierarchy num_cgroups enabled cpuset 1 9 1 cpu 2 9 1 cpuacct 3 9 1 memory 4 9 1 devices 5 9 1 freezer 6 9 1 blkio 7 9 1 ... → limit tasks to specific CPUs → CPU shares → CPU accounting → memory/swap limits and accounting → device allow and deny list → suspend/resume tasks → I/O priorization (weight, throttle, …)
  • 7. Slide 7/28 2) Control Groups ● Memory/CPU limitation and accounting ● memsw = memory + swap # cd /sys/fs/cgroup # cat cpu/cpu.shares 1024 # cat memory/memory.limit_in_bytes 9223372036854775807 # cat memory/memory.memsw.limit_in_bytes 9223372036854775807 # cat memory/memory.usage_in_bytes 1432952832 # cat memory/memory.memsw.usage_in_bytes 1432956928
  • 8. Slide 8/28 2) Control Groups ● Cgroups Demo
  • 9. Slide 9/28 3) Resource Isolation ● Kernel Namespaces Source: lxc.sf.net Image Source: http://hobo- geek.blogspot.com.es/2012/08/the-best-linux-distribution- 2012.html
  • 10. Slide 10/28 4) LXC - Intro ● LXC = userspace tools for Linux containers based on mainline kernel ● Linux containers are based on: ● Kernel namespaces for resource isolation ● Cgroups for limitation and accounting ● Can be used since 2.6.29 ● Latest LXC version: 0.9 Image Source: http://www.linux- magazin.de/var/linux_magazin/storage/images/linux- magazin.de/heft-abo/ausgaben/2011/08/dualstack/po- 22148-fotolia-sculpies_123rf-container.png/617255-1-ger- DE/PO-22148-Fotolia-Sculpies_123RF- Container.png_lightbox.png
  • 11. Slide 11/28 4) LXC – Distro ● Debian – since Squeeze ● apt-get install lxc ● No special kernel required ● Ubuntu – since Lucid (10.04) ● RHEL – since RHEL 6 as Technology Preview ● Full support with RHEL 7 ● SUSE – since openSUSE 11.2 ● Since SLES 11 SP2 ● Every other Linux kernel starting with 2.6.29 + userspacetools
  • 12. Slide 12/28 4) LXC – Userspace ● lxc-checkconfig ● checks kernel namespace and cgroups support # lxc-checkconfig Found kernel config file /boot/config-3.2.0-41-generic --- Namespaces --- Namespaces: enabled Utsname namespace: enabled Ipc namespace: enabled Pid namespace: enabled User namespace: enabled Network namespace: enabled Multiple /dev/pts instances: enabled --- Control groups --- Cgroup: enabled Cgroup clone_children flag: enabled Cgroup device: enabled ...
  • 13. Slide 13/28 4) LXC – Userspace ● lxc-start / lxc-stop ● lxc-start -n ct0 -f /lxc/ct0/config ● lxc-create / lxc-destroy ● creates/destroys instance of a CT in /var/lib/lxc ● for starting lxc-start required ● „lxc-create -t“ for deployment with template ● lxc-ls – shows running containers ● lxc-attach – execute command inside container ● lxc-console ● lxc-console -n ct0 --tty 1 ● lxc-clone – generates LVM/Btrfs snapshot ● In general: lxc-*
  • 14. Slide 14/28 4) LXC – Userspace ● Sample: # lxc-start -n ct0 -f /lxc/ct0/config -d # lxc-attach -n ct0 root@ct0 # hostname ct0 # exit # lxc-console -n ct0 -t 3 Type <Ctrl+a q> to exit the console Debian GNU/Linux 6.0 ct0 tty3 ct0 login: # lxc-ls ct0 # lxc-freeze -n ct0 # lxc-info -n ct0 'ct0' is FROZEN # lxc-stop -n ct0
  • 15. Slide 15/28 4) LXC – Configuration ● Sample container configuration: /lxc/ct0.conf lxc.tty = 4 lxc.pts = 1024 lxc.rootfs = /lxc/ct0/ lxc.mount = /lxc/ct0.fstab lxc.cgroup.devices.deny = a # /dev/null and zero lxc.cgroup.devices.allow = c 1:3 rwm lxc.cgroup.devices.allow = c 1:5 rwm # consoles lxc.cgroup.devices.allow = c 5:1 rwm ... lxc.utsname = lxctest lxc.network.type = veth lxc.network.flags = up lxc.network.link = br0 lxc.cgroup.memory.limit_in_bytes = 512M ...
  • 16. Slide 16/28 4) LXC – Templates ● No precreated templates ● Template-Scripts ● lxc-debian, lxc-fedora, lxc-ubuntu ● Generates configuration file ● Downloads and caches packages in /var/cache/lxc/ ● Supports LVM and filesystem generation # lxc-create -t ubuntu -n test -B lvm --lvname test --vgname vg_lxc --fstype ext4 --fssize 1GB ... No config file specified, using the default config Logical volume "test" created mke2fs 1.42 (29-Nov-2011) ... Checking cache download in /var/cache/lxc/precise/rootfs-amd64 'ubuntu' template installed Unmounting LVM 'test' created
  • 17. Slide 17/28 4) LXC – Networking ● no entry → interface settings from host ● empty → only loopback ● veth → Virtual Ethernet (bridge) ● vlan → vlan interface ● macvlan → 3 modes: private, vepa, bridge ● phys → dedicated NIC from host passed through
  • 18. Slide 18/28 4) LXC – Freeze / CPT ● At the moment only freeze/unfreeze per default ● No complete freeze, networking is still working ● lxc-freeze / lxc-unfreeze ● Checkpointing for live migration is planned ● Checkpoint/Restore In Userspace ● http://criu.org/LXC
  • 19. Slide 19/28 4) LXC – Recommendations ● Libvirt supports Linux Containers ● → LXC tools support more features ● LXC is still in development – see man lxc: ● man lxc „The lxc is still in development, so the command syntax and the API can change. The version 1.0.0 will be the frozen version.“ ● Don't give container root to someone you don't trust ● Future: run containers as unpriviliged user
  • 20. Slide 20/28 4) LXC – Pittfalls ● echo b > /proc/sysrq-trigger inside container ● Mount /proc and /sys readonly inside container ● Drop sys_admin capability ● Use Ubuntu Apparmor profile „lxc-default“ since 12.04 ● If distribution does not care about Linux Containers → Modify/disable Apparmor/ SELinux ● Deactivate kernel logging in container ● Check Hwclock setting problems Image Source: http://www.grossglockner.at/static/cms/grossglockner/bilder/grossglockner01.jpg
  • 21. Slide 21/28 5) HA Containers ● Two node High Availability cluster using: ● Pacemaker with „lxc“ resource agent ● DRBD for replicated storage ● LVM for container storage ● LCMC – Linux Cluster Management Console
  • 22. Slide 22/28 5) HA Containers ● HOWTO (short version) ● Install two servers identically (I used Ubuntu 12.04) ● apt-get install lxc lvm2 screen ● Modify LVM filter http://www.drbd.org/users-guide/s-lvm-drbd-as-pv.html ● Install and configure Pacemaker, Heartbeat and DRBD with LCMC ● Activate dopd – DRBD outdate-peer-daemon http://www.drbd.org/users-guide/s-pacemaker-fencing.html ● Create one LVM VG per server on top of DRBD ● Install latest lxc Resource Agent https://github.com/ClusterLabs/resource-agents/blob/master/heartbeat/lxc ● Set „lxc“, „resource-agents“ and „lvm“ package on „hold“ in package management
  • 23. Slide 23/28 5) HA Containers ● Storage Overview:
  • 24. Slide 24/28 5) HA Containers ● HOWTO (short version) ● Create replicated configuration space – /lxc1 and /lxc2 – Configure Filesystem resource for that ● Create containers lxc-create -n test -t debian -B lvm --lvname test --vgname vg_wc1 --fstype ext4 --fssize 1GB ● Move create container configuration from /var/lib/lxc to /lxc1 or /lxc2 – e.g. mv /var/lib/lxc/test /lxc1/ ● Create Pacemaker resource for each container ● Long Version of this HOWTO is available in our Wiki: tkurl.de/lxcHA
  • 25. Slide 25/28 5) HA Containers ● Pacemaker Overview:
  • 26. Slide 26/28 5) HA Containers ● Recommendations ● Set Resource Limits for Containers ● Ensure that „kill -PWR 1“ initiates a proper shutdown of containers ● Use LVM snapshots for backup ● Use „screen“ command to connect to container ● Increase Pacemaker timeouts to avoid unintended switchovers ● Familiarize yourself with the cluster CLI „crm“ ● Test as much as possible before getting into production
  • 27. Slide 27/28 6) Alternatives ● OpenVZ ● commercial product „Virtuozzo“ since 2001 ● GPLed in 2005 ● OpenVirtuozzo → OpenVZ ● Kernel patch: – RHEL5: ~4MB uncompressed – RHEL6: ~5,4MB uncompressed ● Parts are continuously merged into mainline ● currently 2.6.32 stable (RHEL6) ● planned to be rebased to 3.6 kernel (RHEL7) ● Linux Vserver
  • 28. Slide 28/28 7) Q+A ● Questions ● Now ● And later at our booth: hall 7.1c, booth 152