Linux Containers and the Future Cloud
LXC Container Management
First, you should verify that your host supports LXC by running
lxc-checkconfig. If everything is okay, you can create a container by using
one of several ready-made templates for creating containers. In lxc-0.9,
there are 11 such templates, mostly for popular Linux distributions. You
easily can tailor these templates according to your requirements, if
needed. So, for example, you can create a Fedora container called fedoraCT with:
lxc-create -t fedora -n fedoraCT
The container will be created by default under
/var/lib/lxc/fedoraCT. You can set a different path for
the generated container by adding the
--lxcpath PATH option.
The -t option specifies the name of the template to be used
(fedora in this case), and the -n option
specifies the name of the container (fedoraCT in this
case). Note that you also can create containers of other distributions
on Fedora, for example of Ubuntu (you need the appropriate
package for it). Not all combinations are guaranteed to work.
You can pass parameters to
lxc-create after adding
--. For example, you can create an older release of
several distributions with the -R
option, depending on the distribution template. To create an older Fedora
container on a host running Fedora 20, you can run:
lxc-create -t fedora -n fedora19 -- -R 19
You can remove the installation of an LXC container from the filesystem with:
lxc-destroy -n fedoraCT
For most templates, when a template is used for the first time, several required package files are downloaded and cached on disk under /var/cache/lxc. These files are used when creating a new container with that same template, and as a result, creating a container that uses the same template will be faster next time.
You can start the container you created with:
lxc-start -n fedoraCT
And stop it with:
lxc-stop -n fedoraCT
The signal used by
lxc-stop is SIGPWR by default. In order to use SIGKILL
in the earlier example, you should add -k:
lxc-stop -n fedoraCT -k
You also can start a container as a dæmon by adding
-d, and then log
on into it with
lxc-console, like this:
lxc-start -d -n fedoraCT
lxc-console -n fedoraCT
The first lxc-console that you run for a given container
will connect you to tty1. If tty1 already is in use (because that's
the second lxc-console that you run for that container), you will be
connected to tty2 and so on. Keep in mind that the maximum number of
ttys is configured by the
lxc.tty entry in the container config file.
You can make a snapshot of a non-running container with:
lxc-snapshot -n fedoraCT
This will create a snapshot under /var/lib/lxcsnaps/fedoraCT.
The first snapshot you create will be called snap0, the
second one will be called
snap1 and so on. You can
restore the snapshot at a later time with the -r option:
lxc-snapshot -n fedoraCT -r snap0 restoredFdoraCT
You can list the snapshots with:
lxc-snapshot -L -n fedoraCT
You can display the running containers by running:
Managing containers also can be done via scripts, using scripting languages. For example, this short Python script starts the fedoraCT container:
#!/usr/bin/python3
import lxc
container = lxc.Container("fedoraCT")
container.start()
A default config file is generated for every newly created
container. This config file is created, by default, in
/var/lib/lxc/<containerName>/config, but you can alter that with the
--lxcpath PATH option. You can configure various
container parameters, such as network parameters, cgroups parameters,
device parameters and more.
Here are some examples of popular configuration items for the container config file:
You can set various cgroups parameters by setting values to the
lxc.cgroup.[subsystem name] entries in the config file. The subsystem name is the name of the cgroup controller. For example, configuring the maximum memory a container can use to be 256MB is done by setting
lxc.cgroup.memory.limit_in_bytes to be 256MB.
You can configure the container hostname by setting
There are five types of network interfaces that you can set in the container config file.
veth is very common in order to be able to connect a container to the outside world. By using
phys, you can move network interfaces from the host network namespace to the container network namespace.
There are features that can be used for hardening the security of LXC containers. You can prevent specified system calls from being called from within a container by setting a secure computing mode, or
seccomp, policy with the
lxc.seccomp entry in the configuration file. You also can remove capabilities from a container with the
lxc.cap.drop entry. For example, setting
lxc.cap.drop = sys_module will create a container without the CAP_SYS_MODULE capability. Trying to run
insmod from inside this container will fail. You also can define AppArmor and SELinux profiles for your container. You can find examples in the LXC README and in
man 5 lxc.conf.
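As an added illustration (not code from the article or the LXC project), the following POSIX shell script audits a container config file for the memory limit, the sys_module capability drop and the seccomp policy discussed above. It assumes the "key = value" line format of lxc.conf; the two sample configs it writes are constructed here, and the seccomp path in them is a placeholder.

```shell
#!/bin/sh
# Audit an LXC container config for the hardening entries discussed in the text.

lxc_conf_get() {
    # Print the value(s) of key $2 found in config file $1 (comments stripped).
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -e 's/#.*$//' "$1" \
        | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//'
}

lxc_hardening_audit() {
    # Returns 0 when all three hardening items are present, 1 otherwise.
    conf=$1; rc=0
    caps=$(lxc_conf_get "$conf" lxc.cap.drop | tr '\n' ' ')
    case " $caps " in
        *" sys_module "*) ;;
        *) echo "missing: lxc.cap.drop does not include sys_module"; rc=1 ;;
    esac
    if [ -z "$(lxc_conf_get "$conf" lxc.cgroup.memory.limit_in_bytes)" ]; then
        echo "missing: lxc.cgroup.memory.limit_in_bytes"; rc=1
    fi
    if [ -z "$(lxc_conf_get "$conf" lxc.seccomp)" ]; then
        echo "missing: lxc.seccomp"; rc=1
    fi
    return $rc
}

make_sample_config() {
    # Write a constructed sample config to $1; $2 is "hardened" or "default".
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
lxc.network.type = veth
lxc.cgroup.memory.limit_in_bytes = 256M   # 256MB ceiling
lxc.cap.drop = sys_module mac_admin
lxc.seccomp = /etc/lxc/fedoraCT.seccomp   # placeholder path
EOF
    else
        cat > "$1" <<'EOF'
lxc.network.type = veth
EOF
    fi
}

main() {
    tmp=$(mktemp)
    make_sample_config "$tmp" default
    lxc_hardening_audit "$tmp" || echo "default config: not hardened"
    make_sample_config "$tmp" hardened
    lxc_hardening_audit "$tmp" && echo "hardened config: OK"
    rm -f "$tmp"
}
main "$@"
```

Run it against /var/lib/lxc/<containerName>/config instead of the sample files to check a real container before starting it.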