Dobrica Pavlinušić, profile picture
Uploaded byDobrica Pavlinušić
PDF, PPTX2,628 views

Virtualization which isn't: LXC (Linux Containers)

LXC (Linux Containers) provides operating-system-level virtualization without the overhead of full virtualization. It isolates processes into containers using kernel namespaces and control groups. Containers can be limited in their CPU, memory, storage, and network usage. Common commands like lxc-start are used to deploy whole operating systems within containers. LXC provides many of the benefits of virtualization with less overhead since it leverages existing Linux kernel features rather than requiring a separate kernel like traditional virtualization.

Embed presentation

Download as PDF, PPTX
Virtualization which isn't LXC (Linux Containers) Dobrica Pavlinušić http://blog.rot13.org DORS/CLUC, Zagreb, 2011-05-16
Content ● Virtualizations ● Vserver, Xen, OpenVZ, sVirt, LXC ● KVM, VirtualBox, VMWare ● cgroup ● Linux Containers
Virtualization overview ● Xen ● Separate host i guest kernel (dom0, domU) ● Not upstream, massive duplication of kernel code ● Linux Vserver, OpenVZ (Virtuozzo), sVirt (SELinux based) ● Single kernel, out-of-tree patches ● Linux Containers - LXC ● chroot on steroids, based on cgroup Linux support ● Part of standard kernel, based on things you already know! ● Full-system virtualization: KVM, VirtualBox, VMWare ● But you can run LXC inside them! (e.g. EC2)
cgroup ● Process namespace in kernel ● Devices (even X11 in LXC!) ● CPU (sched, cpu account, cpuset) - NUMA ● Memory (not in Debian's kernel) ● Block I/O scheduling, limits ● Linus' 2.6.38 magic patch ● Setsid create new scheduler entry ● Used by Google Chrome, systemd...
Linux containers - LXC dpavlin@klin:~$ lxc-checkconfig dpavlin@klin:/usr/bin$ ls lxc-* Kernel config /proc/config.gz not found, looking in other lxc-checkconfig places... lxc-execute Found kernel config file /boot/config-2.6.38-2-686 lxc-start --- Namespaces --- lxc-stop Namespaces: enabled lxc-info Utsname namespace: enabled Ipc namespace: enabled lxc-console Pid namespace: enabled lxc-create User namespace: enabled lxc-destroy Network namespace: enabled lxc-ls Multiple /dev/pts instances: enabled lxc-ps lxc-netstat --- Control groups --- lxc-restart Cgroup: enabled lxc-cgroup Cgroup namespace: enabled lxc-freeze Cgroup device: enabled lxc-kill Cgroup sched: enabled lxc-monitor Cgroup cpu account: enabled lxc-setcap Cgroup memory controller: missing lxc-setuid Cgroup cpuset: enabled lxc-unfreeze lxc-unshare --- Misc --- Veth pair device: enabled lxc-version Macvlan: enabled Lxc-wait Vlan: enabled lxc-attach File capabilities: missing lxc-checkpoint
LXC: Network ● veth ● Bridge on host, (virtual) device inside container ● vlan ● Select packets by IP address ● macvlan ● Select packets by MAC address ● phys ● Move host interface inside container (routing fun!) ● Empty ● Only loopback
LXC: limit resources ● Cores ● lxc.cgroup.cpuset.cpus=1,2,3 ● CPU share ● lxc.cgroup.cpu.shares=1024 # default ● Memory usage (!Debian) ● lxc.cgroup.memory.limit_in_bytes = 256M ● lxc.cgroup.memory.memsw.limit_in_bytes = 1G ● Disk (blkio) ● Disk space – standard LVM, quota... ● echo 100 > /cgroup/disk1/blkio.weight # XXX < 1000 ! ● echo "3:0 1048576" > /cgroup/disk1/blkio.throttle.read_bps_device
Start LXC container ● Start single process in container ● lxc-execute -n container -- /bin/bash ● Whole operating system ● Mounting filesystems, etc from config file ● Application is /bin/init ● lxc-start -n container ● lxc-console -n container ● lxc-stop -n container
Templates: lxc-create # /usr/lib/lxc/templates/ export MIRROR=http://192.168.1.20:3142/ftp.debian.org export SUITE=lenny cat <<_EOF_ > /tmp/lenny.conf lxc.network.type=veth lxc.network.link=br0 lxc.network.flags=up EOF t61p:~# lxc-create -n lenny -t debian -f /tmp/lenny.conf
Container overview ● /var/lib/lxc/container/config ● Familiar commands ● lxc-ls ● lxc-info ● lxc-ps ● lxc-netstat ● htop --enable-group > r192 ● /proc inside contauner isn't fully isolated! ● Depends on namespace support in kernel
Under construction ● Still not in: Linux 2.6.38.2 ● lxc-attach ● Attach process (bash) inside running container ● Needed to set default route outside container ● lxc-checkpoint ● Similar to lxc-(un)freeze with checkpoint to disk ● https://ckpt.wiki.kernel.org/
LXC summary ● Isolate ● one application – lxc-execute ● whole OS – lxc-start ● use templates (lxc-create) ● Familiar Linux networking (bridges) ● Limiting features varies (kernel config/version) ● Ready to use today!

More Related Content

PPTX
Realizing Linux Containers (LXC)
byBoden Russell
 
PPTX
Containers are the future of the Cloud
byPavel Odintsov
 
PPTX
LXC
byWu Fan-Cheng
 
PDF
Linux cgroups and namespaces
byLocaweb
 
PDF
Lxc- Linux Containers
bysamof76
 
PDF
Linuxcon Barcelon 2012: LXC Best Practices
bychristophm
 
PDF
Linux Containers From Scratch
byjoshuasoundcloud
 
PDF
Lxc- Introduction
byLuís Eduardo
 
Realizing Linux Containers (LXC)
byBoden Russell
 
Containers are the future of the Cloud
byPavel Odintsov
 
LXC
byWu Fan-Cheng
 
Linux cgroups and namespaces
byLocaweb
 
Lxc- Linux Containers
bysamof76
 
Linuxcon Barcelon 2012: LXC Best Practices
bychristophm
 
Linux Containers From Scratch
byjoshuasoundcloud
 
Lxc- Introduction
byLuís Eduardo
 

What's hot

PDF
Containers and Namespaces in the Linux Kernel
byOpenVZ
 
PDF
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
byJérôme Petazzoni
 
PDF
Linux containers-namespaces(Dec 2014)
byRalf Dannert
 
PPTX
Introduction to linux containers
byGoogle
 
PDF
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
byJérôme Petazzoni
 
PPTX
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
byBoden Russell
 
PDF
Linux Containers From Scratch: Makfile MicroVPS
byjoshuasoundcloud
 
PPTX
Linux container, namespaces & CGroup.
byNeeraj Shrimali
 
PDF
Docker storage drivers by Jérôme Petazzoni
byDocker, Inc.
 
PPTX
Lxc – next gen virtualization for cloud intro (cloudexpo)
byBoden Russell
 
PDF
Namespaces and cgroups - the basis of Linux containers
byKernel TLV
 
PDF
Namespaces in Linux
byLubomir Rintel
 
PDF
Inside Docker for Fedora20/RHEL7
byEtsuji Nakai
 
PDF
Let's Containerize New York with Docker!
byJérôme Petazzoni
 
PDF
Containers with systemd-nspawn
byGábor Nyers
 
PDF
CoreOS, or How I Learned to Stop Worrying and Love Systemd
byRichard Lister
 
PDF
Docker - container and lightweight virtualization
bySim Janghoon
 
PDF
LXC, Docker, security: is it safe to run applications in Linux Containers?
byJérôme Petazzoni
 
PDF
Introduction to Docker and deployment and Azure
byJérôme Petazzoni
 
PDF
Docker internals
byRohit Jnagal
 
Containers and Namespaces in the Linux Kernel
byOpenVZ
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
byJérôme Petazzoni
 
Linux containers-namespaces(Dec 2014)
byRalf Dannert
 
Introduction to linux containers
byGoogle
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
byJérôme Petazzoni
 
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
byBoden Russell
 
Linux Containers From Scratch: Makfile MicroVPS
byjoshuasoundcloud
 
Linux container, namespaces & CGroup.
byNeeraj Shrimali
 
Docker storage drivers by Jérôme Petazzoni
byDocker, Inc.
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
byBoden Russell
 
Namespaces and cgroups - the basis of Linux containers
byKernel TLV
 
Namespaces in Linux
byLubomir Rintel
 
Inside Docker for Fedora20/RHEL7
byEtsuji Nakai
 
Let's Containerize New York with Docker!
byJérôme Petazzoni
 
Containers with systemd-nspawn
byGábor Nyers
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
byRichard Lister
 
Docker - container and lightweight virtualization
bySim Janghoon
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
byJérôme Petazzoni
 
Introduction to Docker and deployment and Azure
byJérôme Petazzoni
 
Docker internals
byRohit Jnagal
 

Viewers also liked

PDF
Virtual Server Virtual Server
bywebhostingguy
 
PDF
Towards an Instructional Design Motivational Framework to Address the Retenti...
byDr Stylianos Mystakidis
 
PDF
Morocco
byguestcf4af9
 
PDF
Playful Blended Digital Storytelling in 3D Immersive eLearning Environments f...
byDr Stylianos Mystakidis
 
PDF
Social Media & Web 2.0 Services for Choirs
byDr Stylianos Mystakidis
 
PPTX
Operation Payback (...is a bitch): Hacktivism at the Dawn of Copyright Contro...
byPaleFire
 
PDF
The Constellation Query Language
byClifford Heath
 
PDF
Web scale monitoring
byDobrica Pavlinušić
 
PPTX
Hacktivism in Virtual Worlds
byPaleFire
 
PPT
Ppt Demo Slideshare
by1LifelongLearner
 
PDF
The Attack of the Learning Clones
byDr Stylianos Mystakidis
 
PPTX
Re-Negotiating Narrative: Emergent Storytelling
byPaleFire
 
PDF
Information Literacy and Smart Life-Long Learning: Knowledge Antidotes in the...
byDr Stylianos Mystakidis
 
PPTX
Εκπαίδευση Web 2.0 στο Δημόσιο
byDr Stylianos Mystakidis
 
PDF
Oslobodimo Hardware
byDobrica Pavlinušić
 
PPT
Χριστούγεννα χωρίς Χριστό
byDr Stylianos Mystakidis
 
PPTX
Spectacular Subcultures: From luz to hacktivism
byPaleFire
 
PPTX
Poaching LG15: ARG-style
byPaleFire
 
PPTX
Test
byPaleFire
 
PDF
Open Education in Virtual Worlds
byDr Stylianos Mystakidis
 
Virtual Server Virtual Server
bywebhostingguy
 
Towards an Instructional Design Motivational Framework to Address the Retenti...
byDr Stylianos Mystakidis
 
Morocco
byguestcf4af9
 
Playful Blended Digital Storytelling in 3D Immersive eLearning Environments f...
byDr Stylianos Mystakidis
 
Social Media & Web 2.0 Services for Choirs
byDr Stylianos Mystakidis
 
Operation Payback (...is a bitch): Hacktivism at the Dawn of Copyright Contro...
byPaleFire
 
The Constellation Query Language
byClifford Heath
 
Web scale monitoring
byDobrica Pavlinušić
 
Hacktivism in Virtual Worlds
byPaleFire
 
Ppt Demo Slideshare
by1LifelongLearner
 
The Attack of the Learning Clones
byDr Stylianos Mystakidis
 
Re-Negotiating Narrative: Emergent Storytelling
byPaleFire
 
Information Literacy and Smart Life-Long Learning: Knowledge Antidotes in the...
byDr Stylianos Mystakidis
 
Εκπαίδευση Web 2.0 στο Δημόσιο
byDr Stylianos Mystakidis
 
Oslobodimo Hardware
byDobrica Pavlinušić
 
Χριστούγεννα χωρίς Χριστό
byDr Stylianos Mystakidis
 
Spectacular Subcultures: From luz to hacktivism
byPaleFire
 
Poaching LG15: ARG-style
byPaleFire
 
Test
byPaleFire
 
Open Education in Virtual Worlds
byDr Stylianos Mystakidis
 

Similar to Virtualization which isn't: LXC (Linux Containers)

PDF
LXC on Ganeti
bykawamuray
 
PDF
Lightweight Virtualization: LXC Best Practices
byWerner Fischer
 
PPTX
Linux Container Brief for IEEE WG P2302
byBoden Russell
 
PDF
Lightweight Virtualization in Linux
bySadegh Dorri N.
 
PDF
LXC Containers and AUFs
byDocker, Inc.
 
PDF
Evolution of Linux Containerization
byWSO2
 
PDF
Evoluation of Linux Container Virtualization
byImesh Gunaratne
 
PDF
Docker and friends at Linux Days 2014 in Prague
bytomasbart
 
PDF
Docker 原理與實作
bykao kuo-tung
 
PDF
Security of Linux containers in the cloud
byDobrica Pavlinušić
 
PDF
Linux Containers (LXC)
byVladimir Melnic
 
PDF
Revolutionizing the cloud with container virtualization
byWSO2
 
PDF
Scale11x lxc talk
bydotCloud
 
PDF
LXC
byJiang Yan-Ting
 
DOCX
Isolating an applications using LXC – Linux Containers
byVenkat Raman
 
PPTX
Cgroups, namespaces and beyond: what are containers made from?
byDocker, Inc.
 
PDF
SiteGround Tech TeamBuilding
byMarian Marinov
 
PPTX
First steps on CentOs7
byMarc Cortinas Val
 
PDF
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
bydotCloud
 
PDF
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
byDocker, Inc.
 
LXC on Ganeti
bykawamuray
 
Lightweight Virtualization: LXC Best Practices
byWerner Fischer
 
Linux Container Brief for IEEE WG P2302
byBoden Russell
 
Lightweight Virtualization in Linux
bySadegh Dorri N.
 
LXC Containers and AUFs
byDocker, Inc.
 
Evolution of Linux Containerization
byWSO2
 
Evoluation of Linux Container Virtualization
byImesh Gunaratne
 
Docker and friends at Linux Days 2014 in Prague
bytomasbart
 
Docker 原理與實作
bykao kuo-tung
 
Security of Linux containers in the cloud
byDobrica Pavlinušić
 
Linux Containers (LXC)
byVladimir Melnic
 
Revolutionizing the cloud with container virtualization
byWSO2
 
Scale11x lxc talk
bydotCloud
 
LXC
byJiang Yan-Ting
 
Isolating an applications using LXC – Linux Containers
byVenkat Raman
 
Cgroups, namespaces and beyond: what are containers made from?
byDocker, Inc.
 
SiteGround Tech TeamBuilding
byMarian Marinov
 
First steps on CentOs7
byMarc Cortinas Val
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
bydotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
byDocker, Inc.
 

More from Dobrica Pavlinušić

PDF
Mainline kernel on ARM Tegra20 devices that are left behind on 2.6 kernels
byDobrica Pavlinušić
 
PDF
Linux+sensor+device-tree+shell=IoT !
byDobrica Pavlinušić
 
PDF
bro - what is in my network?
byDobrica Pavlinušić
 
PDF
Let's hack cheap hardware 2016 edition
byDobrica Pavlinušić
 
PDF
Raspberry Pi - best friend for all your GPIO needs
byDobrica Pavlinušić
 
PDF
Cheap, good, hackable tools from China: AVR component tester
byDobrica Pavlinušić
 
PDF
Ganeti - build your own cloud
byDobrica Pavlinušić
 
PDF
FSEC 2014 - I can haz your board with JTAG
byDobrica Pavlinušić
 
PDF
Hardware hacking for software people
byDobrica Pavlinušić
 
PDF
Gnu linux on arm for $50 - $100
byDobrica Pavlinušić
 
PDF
This is an interesting metadata source. Can I import it into Koha?
byDobrica Pavlinušić
 
PDF
SysAdmin cookbook
byDobrica Pavlinušić
 
PDF
Printing on Linux, simple right?
byDobrica Pavlinušić
 
PPT
KohaCon11: Integrating Koha with RFID system
byDobrica Pavlinušić
 
PDF
Deploy your own P2P network
byDobrica Pavlinušić
 
PDF
Free Libre Open Source Software at FFZG library
byDobrica Pavlinušić
 
PDF
Post-relational databases: What's wrong with web development? v3
byDobrica Pavlinušić
 
PDF
Slobodni softver za digitalne arhive: EPrints u Knjižnici Filozofskog fakulte...
byDobrica Pavlinušić
 
PDF
Post-relational databases: What's wrong with web development?
byDobrica Pavlinušić
 
PDF
Mojo Facets – so, you have data and browser?
byDobrica Pavlinušić
 
Mainline kernel on ARM Tegra20 devices that are left behind on 2.6 kernels
byDobrica Pavlinušić
 
Linux+sensor+device-tree+shell=IoT !
byDobrica Pavlinušić
 
bro - what is in my network?
byDobrica Pavlinušić
 
Let's hack cheap hardware 2016 edition
byDobrica Pavlinušić
 
Raspberry Pi - best friend for all your GPIO needs
byDobrica Pavlinušić
 
Cheap, good, hackable tools from China: AVR component tester
byDobrica Pavlinušić
 
Ganeti - build your own cloud
byDobrica Pavlinušić
 
FSEC 2014 - I can haz your board with JTAG
byDobrica Pavlinušić
 
Hardware hacking for software people
byDobrica Pavlinušić
 
Gnu linux on arm for $50 - $100
byDobrica Pavlinušić
 
This is an interesting metadata source. Can I import it into Koha?
byDobrica Pavlinušić
 
SysAdmin cookbook
byDobrica Pavlinušić
 
Printing on Linux, simple right?
byDobrica Pavlinušić
 
KohaCon11: Integrating Koha with RFID system
byDobrica Pavlinušić
 
Deploy your own P2P network
byDobrica Pavlinušić
 
Free Libre Open Source Software at FFZG library
byDobrica Pavlinušić
 
Post-relational databases: What's wrong with web development? v3
byDobrica Pavlinušić
 
Slobodni softver za digitalne arhive: EPrints u Knjižnici Filozofskog fakulte...
byDobrica Pavlinušić
 
Post-relational databases: What's wrong with web development?
byDobrica Pavlinušić
 
Mojo Facets – so, you have data and browser?
byDobrica Pavlinušić
 

Recently uploaded

PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
December Patch Tuesday
byIvanti
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
December Patch Tuesday
byIvanti
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 

Virtualization which isn't: LXC (Linux Containers)

  • 1.
    Virtualization which isn't LXC (Linux Containers) Dobrica Pavlinušić http://blog.rot13.org DORS/CLUC, Zagreb, 2011-05-16
  • 2.
    Content ● Virtualizations ● Vserver, Xen, OpenVZ, sVirt, LXC ● KVM, VirtualBox, VMWare ● cgroup ● Linux Containers
  • 3.
    Virtualization overview ● Xen ● Separate host i guest kernel (dom0, domU) ● Not upstream, massive duplication of kernel code ● Linux Vserver, OpenVZ (Virtuozzo), sVirt (SELinux based) ● Single kernel, out-of-tree patches ● Linux Containers - LXC ● chroot on steroids, based on cgroup Linux support ● Part of standard kernel, based on things you already know! ● Full-system virtualization: KVM, VirtualBox, VMWare ● But you can run LXC inside them! (e.g. EC2)
  • 4.
    cgroup ● Process namespace in kernel ● Devices (even X11 in LXC!) ● CPU (sched, cpu account, cpuset) - NUMA ● Memory (not in Debian's kernel) ● Block I/O scheduling, limits ● Linus' 2.6.38 magic patch ● Setsid create new scheduler entry ● Used by Google Chrome, systemd...
  • 5.
    Linux containers -LXC dpavlin@klin:~$ lxc-checkconfig dpavlin@klin:/usr/bin$ ls lxc-* Kernel config /proc/config.gz not found, looking in other lxc-checkconfig places... lxc-execute Found kernel config file /boot/config-2.6.38-2-686 lxc-start --- Namespaces --- lxc-stop Namespaces: enabled lxc-info Utsname namespace: enabled Ipc namespace: enabled lxc-console Pid namespace: enabled lxc-create User namespace: enabled lxc-destroy Network namespace: enabled lxc-ls Multiple /dev/pts instances: enabled lxc-ps lxc-netstat --- Control groups --- lxc-restart Cgroup: enabled lxc-cgroup Cgroup namespace: enabled lxc-freeze Cgroup device: enabled lxc-kill Cgroup sched: enabled lxc-monitor Cgroup cpu account: enabled lxc-setcap Cgroup memory controller: missing lxc-setuid Cgroup cpuset: enabled lxc-unfreeze lxc-unshare --- Misc --- Veth pair device: enabled lxc-version Macvlan: enabled Lxc-wait Vlan: enabled lxc-attach File capabilities: missing lxc-checkpoint
  • 6.
    LXC: Network ● veth ● Bridge on host, (virtual) device inside container ● vlan ● Select packets by IP address ● macvlan ● Select packets by MAC address ● phys ● Move host interface inside container (routing fun!) ● Empty ● Only loopback
  • 7.
    LXC: limit resources ● Cores ● lxc.cgroup.cpuset.cpus=1,2,3 ● CPU share ● lxc.cgroup.cpu.shares=1024 # default ● Memory usage (!Debian) ● lxc.cgroup.memory.limit_in_bytes = 256M ● lxc.cgroup.memory.memsw.limit_in_bytes = 1G ● Disk (blkio) ● Disk space – standard LVM, quota... ● echo 100 > /cgroup/disk1/blkio.weight # XXX < 1000 ! ● echo "3:0 1048576" > /cgroup/disk1/blkio.throttle.read_bps_device
  • 8.
    Start LXC container ● Start single process in container ● lxc-execute -n container -- /bin/bash ● Whole operating system ● Mounting filesystems, etc from config file ● Application is /bin/init ● lxc-start -n container ● lxc-console -n container ● lxc-stop -n container
  • 9.
    Templates: lxc-create # /usr/lib/lxc/templates/ exportMIRROR=http://192.168.1.20:3142/ftp.debian.org export SUITE=lenny cat <<_EOF_ > /tmp/lenny.conf lxc.network.type=veth lxc.network.link=br0 lxc.network.flags=up EOF t61p:~# lxc-create -n lenny -t debian -f /tmp/lenny.conf
  • 10.
    Container overview ● /var/lib/lxc/container/config ● Familiar commands ● lxc-ls ● lxc-info ● lxc-ps ● lxc-netstat ● htop --enable-group > r192 ● /proc inside contauner isn't fully isolated! ● Depends on namespace support in kernel
  • 11.
    Under construction ● Still not in: Linux 2.6.38.2 ● lxc-attach ● Attach process (bash) inside running container ● Needed to set default route outside container ● lxc-checkpoint ● Similar to lxc-(un)freeze with checkpoint to disk ● https://ckpt.wiki.kernel.org/
  • 12.
    LXC summary ● Isolate ● one application – lxc-execute ● whole OS – lxc-start ● use templates (lxc-create) ● Familiar Linux networking (bridges) ● Limiting features varies (kernel config/version) ● Ready to use today!