LXC container

1. LXC Brief

A Linux container is a resource isolation mechanism rather than a virtualization technology. A VMM (Virtual Machine Monitor), also called a hypervisor, is the standard virtualization technology. It works through a virtualization layer (the hypervisor or VMM) whose main roles are, first, to allow multiple operating systems and applications to share hardware resources and, second, to convert virtual machine instructions into instructions the underlying host operating system understands, which means that Linux can run on a Windows system. Containers sit between chroot and VM techniques: their "virtual machine" is the same as, or very similar to, the host operating system, so under the Linux architecture a Windows virtual machine cannot be installed. cgroup is a resource limiter and does not provide isolation; the real isolation is implemented by kernel namespaces, which means that the effect of cgroup resource constraints between modules is much larger than the container.

The goal of LXC, as given officially, is:

The goal of LXC is to create an environment as close as possible to a standard Linux installation but without the need for a separate kernel.

1.1 Relationship between LXC and Docker

LXC sandboxes Linux processes, isolating them from one another, and can control how resources are allocated among processes. An lxc container gives an operating experience similar to a virtual machine while avoiding the extra load a virtual machine puts on the system. lxc uses cgroups and namespaces at the Linux application layer to create a "virtual machine" (an isolated bare file system). It cannot effectively support migrating containers across hosts, and management is complex (lxd solves these problems). Where lxc differs from docker is that an lxc container contains a complete operating system; it is a system container.

Docker's lower layer is implemented with LXC, but Docker wraps lxc and provides better portability and operability. Docker packages an application and the environment it depends on into a single object, so common applications can run without a complete operating system being included, which is more lightweight and more portable. This made it the cornerstone of PaaS platforms (such as Kubernetes).

Beyond the underlying lxc, Docker also provides higher-level tools with the following features:

Portable deployment across machines. Docker defines a format that bundles an application and all its dependencies into a single object. The object can be transferred to any docker-enabled machine and executed there, with the guarantee that the execution environment exposed to the application is the same. Lxc implements process sandboxing, which is an important prerequisite for portable deployment, but that alone is not enough. If you send me a copy of your application installed in a custom lxc configuration, it will almost certainly not run on my machine the way it does on yours, because it is tied to your machine's specific configuration: network, storage, logging, distribution, and so on. Docker defines an abstraction for those machine-specific settings, so that identical docker containers can run on many different machines, even if the hosts have many different configurations.

Application-centric. Docker is optimized for deploying applications, not machines. This is reflected in its API, user interface, design and documentation. In contrast, the lxc helper scripts treat containers as lightweight machines: basically servers that start faster and use less memory. We believe there is more to containers than that.

Automated build. Docker includes a tool that lets developers automatically assemble a container from source code, with full control over application dependencies, build tools, packaging and the like. They are free to use make, maven, chef, puppet, salt, debian packages, rpms, source tarballs, or any combination of the above, regardless of the configuration of the machine.

Version tracking. Docker includes git-like functions for tracking successive versions of a container, inspecting the difference between versions, committing new versions and rolling back. The history also includes how a container was assembled and by whom, so you can trace all the way back from the production server to the upstream developers. Docker also implements incremental uploads and downloads, similar to "git pull", so a new version of a container can be transferred by sending only the difference.

Component reuse. Any container can be used as a "base image" to create more specialized components. This can be done manually or as part of an automated build. For example, you can prepare the ideal python environment and use it as the base for 10 different applications. Your ideal Postgresql setup can be reused for all your future projects.

Sharing. Docker has access to a public registry (http://index.docker.io) to which thousands of users have uploaded useful containers: from redis, couchdb and postgres to IRC bouncers, rails application servers and base images for a variety of distributions. The registry also includes an official "standard library" of useful containers maintained by the Docker team. The registry itself is open source, so anyone can deploy their own private registry to store and transfer containers, for example for internal server deployment.

Tools ecosystem. Docker defines an API for automating and customizing the creation and deployment of containers. A large number of tools integrate with docker to extend its functionality: Dokku, Deis, Flynn; multi-node orchestration (maestro, salt, mesos, openstack nova); dashboards (docker-ui, OpenStack Horizon, shipyard); configuration management (Chef, Puppet); continuous integration (jenkins, strider, travis); and so on. Docker is quickly establishing itself as the standard for container-based tools.

2. Common Commands

2.1 Common operation commands

LXC can create two different kinds of containers:

  • Privileged mode - the lxc commands are run as root and create a privileged container;
  • Normal mode - the lxc commands are run as a normal user and create an unprivileged container.

An unprivileged container has many restrictions (such as not being able to create device nodes), but it is also more secure (it does not jeopardize the host), because the root user of such a container is in fact mapped to an ordinary user on the host.
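The mapping of container root to an ordinary host user can be verified from the container's uid map. The script below is an added example, not part of the original post; the function names, the sample maps and the 100000/65536 range are constructed for illustration, and the input format is the kernel's uid_map layout (container start, host start, count).

```sh
#!/bin/sh
# Added example: resolve which host uid a container uid maps to.
# Input is the uid_map format, one range per line:
#   <container-start> <host-start> <count>

# map_uid MAPFILE CONTAINER_UID -> prints the host uid; fails if unmapped
map_uid() {
    awk -v id="$2" '
        NF >= 3 && id >= $1 && id < $1 + $3 {
            printf "%d\n", $2 + (id - $1); found = 1; exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# classify MAPFILE -> "privileged", "unprivileged:<host uid>" or "unmapped"
classify() {
    host_uid=$(map_uid "$1" 0) || { echo unmapped; return 0; }
    if [ "$host_uid" -eq 0 ]; then
        echo privileged            # container root IS host root
    else
        echo "unprivileged:$host_uid"
    fi
}

# Constructed sample maps (not captured from a real host)
SAMPLES=$(mktemp -d)
printf '0 0 4294967295\n' > "$SAMPLES/privileged"
printf '0 100000 65536\n' > "$SAMPLES/unprivileged"

classify "$SAMPLES/privileged"
classify "$SAMPLES/unprivileged"
map_uid "$SAMPLES/unprivileged" 1000   # an ordinary in-container user

# On a live host (NAME is a placeholder for a running container):
#   classify "/proc/$(lxc-info -n NAME -p -H)/uid_map"
```

A result of "privileged" means a process that escapes the container holds uid 0 on the host; an "unprivileged" result means it holds only the listed ordinary uid.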

1. lxc-checkconfig: checks whether the system meets the environmental requirements for containers.

2. lxc-create: creates an lxc container;

lxc-create -n NAME -t TEMPLATE_NAME

3. lxc-start: starts a container;

lxc-start -n foo [-f config] /bin/bash

lxc-start -n NAME -d

-d starts the container as a daemon. If no command is specified, lxc-start runs /sbin/init.

A container created with lxc-create must, once it has stopped, be destroyed with lxc-destroy.

4. lxc-execute: runs a command in a container

lxc-execute -n foo [-f config] /bin/bash

lxc-execute runs the command in the container through an intermediate process, lxc-init.

If the container does not exist, lxc-execute automatically creates one, and it is automatically destroyed after it stops.

When lxc-execute launches the application, the configuration is applied with the following priority:

If the -f option is given, the configuration file from when the container was created is not used. If the -s option is given, the key-value pairs on the command line override the same keys in the configuration file (whether the earlier one or the one given with -f).

5. lxc-stop: stops the container (slow stop command);

lxc-stop -n NAME

6. lxc-destroy: removes a container that is in the stopped state;

lxc-destroy -n NAME

7. lxc-info: shows information about the container;

lxc-info -n NAME

8. lxc-ls: lists containers

lxc-ls --fancy    # list details

9. lxc-monitor: monitors containers

lxc-monitor -n "foo|bar"

lxc-monitor -n ".*"    # monitor all containers

When the state of a container changes, lxc-monitor prints the state of the container on the screen.

10. lxc-wait: waits for a container to reach a specific state, then exits

lxc-wait -n foo -s STOPPED &

11. lxc-cgroup: gets or sets the parameters associated with a cgroup (control group subsystem)

lxc-cgroup -n foo cpuset.cpus

lxc-cgroup -n foo cpu.shares 512

12. lxc-snapshot: creates and restores snapshots;

2.2 Entering the container

There are three ways to enter the container: lxc-attach, lxc-console, and SSH.

1. lxc-attach

lxc-attach -n Name

lxc-attach -n Name -- command

With elevated privileges and specified namespaces, which is useful when testing software on the host:

lxc-attach -n ubuntu1 -e -s 'NETWORK|UTSNAME'

2. lxc-console

lxc-console -n Name    # log in to the container; requires a user name and password

3. ssh

ssh username@IP

2.3 Cloning of the container

A "clone" is either a copy of another container or a snapshot of another container.

Copy: a complete copy of the original container, taking up as much space as the original container.

Snapshot: uses the snapshot feature of the backing file system to create a small new container; data is copied only when a write occurs.

To get this copy-on-write snapshot behaviour, a special storage system is required. Storage that supports snapshots includes aufs, btrfs, LVM, overlayfs, zfs, etc., each with its own characteristics.

lxc-clone is used to create copies and snapshots; the container needs to be stopped before creating them:

sudo lxc-stop -n Name

sudo lxc-copy -n Name -N clone_Name    # copy

sudo lxc-copy -s -n Name -N snapshot_Name    # snapshot

sudo lxc-snapshot -n Name [-r snapshot_Name -N newName]    # create a snapshot, or restore one

Snapshots are created under the /var/lib/lxc/<container name> directory; the snapshots are named snap0, snap1, ...

3. Install

1. Install lxc and the template package that comes with lxc

sudo add-apt-repository ppa:ubuntu-lxc/lxc-stable

sudo apt-get update

sudo apt install lxc lxc-templates

2. Adding a bridge

lxc does not handle container networking; the network needs to be configured (on Ubuntu, when lxc is installed via apt, the bridge is already configured).

sudo apt install bridge-utils -y

brctl addbr virbr0    # add the bridge

brctl addif virbr0 ens33    # attach the ens33 network card to the bridge

ip addr del dev ens33 192.168.253.128/24    # delete the ip from the card

ifconfig virbr0 192.168.253.128/24 up    # configure the ip on the bridge

route add default gw 192.168.253.2    # set the default gateway

4. LXC template

A template is a prototype from which a series of similar LXC virtual machines can be created. If you use lxc's own templates, the prototype provides only the most basic configuration; if you want vim, gcc or mysql, you need to build that yourself. The template concept here simply produces the most basic system, somewhat like a minimal system in embedded systems: it retains only the most basic applications, and you add the applications you need on top of it.

A template is the script that creates the container. It contains the addresses of the various sources (or components) and the step-by-step procedure for downloading them and building the container; it is essentially a shell script.

After creating an ubuntu container, the container's file system directory is as follows:

 

Log of creating the Ubuntu lxc container; creation took more than 30 min (mainly because downloading the sources takes a long time).

 


Origin www.cnblogs.com/embedded-linux/p/11785529.html