Linux Containers
Linux Containers - Presentation Transcript

  • Linux Containers - LXC
    Marian HackMan Marinov, 17 Jun 2014
  • Why am I speaking about containers?
  • Difference between LXC and Docker
    - Docker is for applications
    - Linux Containers are for starting up whole new Linux distribution instances
  • Implementation limitations
    LXC is not a VM... but it should be :)
    Our patches for /proc:
      - CPU: cpuinfo, interrupts, schedstat, softirqs, stat, timer_list, zoneinfo, irq dir (exposes CPU limit information through smp_affinity)
      - Memory: meminfo
      - Others: modules, sysrq-trigger, fs dir (shows all attached block devices), scsi dir (leaks block device information), sys dir (writes are allowed only in the main cgroup), uptime
  • Security
    - Drop these capabilities: sys_module, sys_boot, sys_time, sys_rawio, sys_pacct, sys_tty_config, mac_admin, mac_override, audit_control, audit_write, mknod, setfcap, syslog, block_suspend, wake_alarm
    - Do not enable kcore/vmcore
    - Secure kallsyms
    - We implemented a new capability - CAP_LXC_ADMIN
    - Tasks limit per cgroup (RLIMIT_NPROC && SIGNALS)
    - Limit the namespaces to a single tier instead of a hierarchy
    - We made it so that every user that has CAP_LINUX_IMMUTABLE is able to actually chattr files and dirs
  • Security
    - Allow umount from within a namespace
    - Allow mounting devpts, but only with a new instance
    - Fix prctl_set_mm() permissions, so it will work from namespaces
    - Allow pivot_root() to everyone with CAP_LXC_ADMIN
    - setns() now requires CAP_LXC_ADMIN
    - Hardened proc permissions
    - grsecurity: http://sw.1h.com/grsecurity
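The two Security slides above, expressed as one LXC container configuration. This is an added example, not the speaker's configuration and not part of their patched kernel: it uses stock LXC 1.x config keys (lxc.cap.drop, lxc.cgroup.devices.*, lxc.pts, lxc.mount.auto) and an assumed container named web1. It cannot express the custom CAP_LXC_ADMIN, the kallsyms hardening or the kcore/vmcore build options, which live in the kernel, not in the container config.

```ini
# Added example (not the speaker's config): /var/lib/lxc/web1/config
# Assumes LXC 1.x key names and a container named "web1".

lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs

# Capabilities to drop, as listed on the slide. LXC omits the CAP_ prefix.
#   sys_module      loads modules into the kernel shared with the host
#   sys_boot        reboot()/kexec_load() act on the host
#   sys_time        the clock is host-global
#   sys_rawio       raw port and block device I/O; also required to open /proc/kcore
#   sys_pacct       process accounting
#   sys_tty_config  vhangup() and tty ioctls
#   mac_admin, mac_override      change or bypass SELinux/SMACK policy
#   audit_control, audit_write   kernel audit configuration and records
#   mknod           device nodes (the devices cgroup below is the second line of defence)
#   setfcap         file capabilities on binaries in the rootfs
#   syslog          dmesg/kmsg, which leaks host kernel addresses
#   block_suspend, wake_alarm    host power management
lxc.cap.drop = sys_module sys_boot sys_time sys_rawio sys_pacct sys_tty_config
lxc.cap.drop = mac_admin mac_override audit_control audit_write mknod setfcap
lxc.cap.drop = syslog block_suspend wake_alarm

# Devices cgroup: deny everything, then allow only the character devices a
# distribution needs. No block devices, no /dev/mem, /dev/kmem or /dev/kmsg.
lxc.cgroup.devices.deny = a
# /dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/tty, /dev/console, /dev/ptmx and the pty slaves
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm

# Pseudo-terminals: LXC mounts a private devpts instance (mount option
# "newinstance") rather than the host's, so the container cannot open
# other containers' ptys.
lxc.pts = 1024

# /proc mounted read-write but with /proc/sys and /proc/sysrq-trigger
# remounted read-only; /sys read-only. /proc/kcore and /proc/vmcore are
# kernel build options (CONFIG_PROC_KCORE, CONFIG_PROC_VMCORE) and are
# turned off in the host kernel config, not here.
lxc.mount.auto = proc:mixed sys:ro
```

Check the result from inside the running container rather than trusting the file: `grep CapBnd /proc/self/status` gives the bounding set (decode it with `capsh --decode=<hex>`), and `ls -l /proc/kcore` should fail or the file should be unreadable. Dropping sys_rawio is the belt to the kcore braces: even if a kernel is built with CONFIG_PROC_KCORE, the kernel refuses to open /proc/kcore without CAP_SYS_RAWIO.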
  • Functional changes
    - SHM, SEM, MSQ limits and inheritance
    - Kernel version within the containers
    - Licensing issues with other vendors
    - xt_owner match does not work
    - tc does not work in the
    - OOM patches from upstream (memcg-kill-alloc-task)
    - proc-loadavg fixes
  • Namespaces: UTS, User, IPC, Mount, PID, Network
  • Control Groups
    - Devices
    - CPU: cpusets, cpu quota, cpu shares
    - Memory: memory limits, memory+swap limits, kernel memory limits
    - BlkI/O: weighted I/O limiting, iops I/O limiting
    - Network: priority and classification (note: actually does not work with openvswitch :) )
    - Freezer
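The Control Groups slide as a concrete set of per-container limits. This is an added example, not from the talk: it assumes the cgroup v1 controller file names of a 2014-era kernel, LXC 1.x lxc.cgroup.* keys, the container web1 from the earlier fragment, a single NUMA node, and a root disk at major:minor 8:0.

```ini
# Added example (not the speaker's config): resource limits appended to
# /var/lib/lxc/web1/config. Assumes cgroup v1 and LXC 1.x. Each key is
# written to the file of the same name under the container's cgroup,
# e.g. /sys/fs/cgroup/cpu/lxc/web1/cpu.shares.

# CPU: pin to two cores, weight against sibling containers, and a hard
# quota. quota/period = 150000/100000, i.e. at most 1.5 CPUs worth of the
# two pinned cores. Shares only matter when the host is contended; the
# quota always applies. cpuset.mems must be set together with cpuset.cpus
# or the kernel refuses to attach tasks (assumes NUMA node 0).
lxc.cgroup.cpuset.cpus = 2-3
lxc.cgroup.cpuset.mems = 0
lxc.cgroup.cpu.shares = 512
lxc.cgroup.cpu.cfs_period_us = 100000
lxc.cgroup.cpu.cfs_quota_us = 150000

# Memory: the memsw (memory+swap) limit must be >= the memory limit or the
# kernel rejects it. Without memsw the container simply swaps past its limit.
lxc.cgroup.memory.limit_in_bytes = 1G
lxc.cgroup.memory.memsw.limit_in_bytes = 1536M
# Kernel memory (slab, page tables, socket buffers): a fork bomb or a flood
# of sockets otherwise consumes host kernel memory that memory.limit_in_bytes
# does not count. On 3.x kernels this file can only be set while the cgroup
# has no tasks, so confirm it took effect (see the note after the block).
lxc.cgroup.memory.kmem.limit_in_bytes = 256M

# Block I/O: proportional weight (100..1000, CFQ scheduler) plus an absolute
# iops throttle on the device carrying the rootfs ("major:minor iops").
lxc.cgroup.blkio.weight = 300
lxc.cgroup.blkio.throttle.read_iops_device = 8:0 500
lxc.cgroup.blkio.throttle.write_iops_device = 8:0 200

# Network: classid tags the container's packets for tc/iptables on the host
# (major 0x10, minor 1, i.e. tc class 10:1); priority is per interface name.
# The slide notes that this does not work with openvswitch.
lxc.cgroup.net_cls.classid = 0x00100001
lxc.cgroup.net_prio.ifpriomap = eth0 3
```

The freezer has no config key: `lxc-freeze -n web1` and `lxc-unfreeze -n web1` write FROZEN/THAWED to freezer.state at run time. Read any value back with `lxc-cgroup -n web1 memory.kmem.limit_in_bytes`; if it comes back as the unlimited default, the write was applied after the container's init had already entered the cgroup and did nothing, which is exactly the kind of silent failure that turns a memory limit into a fork-bomb vector.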
  • Snapshots
    - LVM snapshots work
    - QCOW2 snapshots work (with some small issues)
  • Near live migration
    CRIU - Checkpoint/Restore In Userspace
    - Dump a process (or processes) with its whole state
    - Copy the dump to a remote machine
    - Restore the whole dump and continue
  • Network options: macvlan, veth, bridge-utils, openvswitch
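The four network options from the slide, as three container interfaces in one LXC configuration (veth on a bridge-utils bridge, macvlan, and veth attached to Open vSwitch). This is an added example, not the speaker's setup: it assumes LXC 1.x lxc.network.* keys, a host bridge br0, a host NIC eth0, an Open vSwitch bridge ovsbr0, and a hypothetical up-script /usr/local/sbin/lxc-ovs-up whose contents are only sketched in a comment.

```ini
# Added example (not the speaker's config): three interfaces, one per
# network option from the slide, appended to /var/lib/lxc/web1/config.
# Each lxc.network.type line starts a new interface definition.

# eth0: veth pair whose host end is enslaved to a Linux bridge (bridge-utils).
# Frames pass through the host stack, so ebtables/iptables on the host see
# and can filter inter-container traffic.
lxc.network.type = veth
lxc.network.link = br0
lxc.network.veth.pair = vethweb1
lxc.network.name = eth0
lxc.network.flags = up
# Fixed MAC so bridge FDB entries and DHCP leases are predictable. Container
# root still has CAP_NET_ADMIN inside and can change it, so pin the MAC
# with an ebtables rule on br0 if neighbouring containers are untrusted.
lxc.network.hwaddr = 00:16:3e:5a:00:01
lxc.network.ipv4 = 10.0.3.10/24
lxc.network.ipv4.gateway = 10.0.3.1

# eth1: macvlan sub-interface on the physical NIC, no bridge on the host.
# mode = bridge lets macvlans on the same parent talk to each other inside
# the kernel, bypassing the host's netfilter entirely; vepa hairpins them
# through the external switch; private blocks them. Use private or vepa
# for mutually untrusted containers.
lxc.network.type = macvlan
lxc.network.macvlan.mode = private
lxc.network.link = eth0
lxc.network.name = eth1
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:5a:00:02

# eth2: veth with no lxc.network.link; the host end is attached to an
# Open vSwitch bridge by a script. LXC invokes it as
#   <script> web1 net up veth <host-side veth name>
# so a minimal script body is:  ovs-vsctl --may-exist add-port ovsbr0 "$5"
lxc.network.type = veth
lxc.network.veth.pair = vethweb1ovs
lxc.network.name = eth2
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:5a:00:03
lxc.network.script.up = /usr/local/sbin/lxc-ovs-up
```

Which option you pick is a trust decision, not just a plumbing one: the bridge and Open vSwitch paths keep the host in the data path where it can enforce policy, while macvlan trades that for lower overhead and, in bridge mode, direct container-to-container switching that host filtering never sees.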
  • Thank You