Saturday, 9 January 2021

Linux Virtualization : Linux Containers (lxc)

Introduction to virtualization

Operating-system-level virtualization is a server virtualization method in which the kernel of an operating system allows the existence of multiple isolated user-space instances, instead of just one. Such instances, which are sometimes called containers, software containers,virtualization engines (VEs) or jails (FreeBSD jail or chroot jail), may look and feel like a real server from the point of view of its owners and users.

Read More: LPIC-OT 701: DevOps Tools Engineer

The above definition sums up the broad idea about containers, but to be more accurate, the traditional Virtual Machines used something called hypervisor that runs on top of kernel. This hypervisor provides virtualization to the applications that run on it by monitoring their resource usage and access patterns. This causes a lot of overhead resulting in unnecessary loss of performance. On the other hand, Operating-system-level virtualization works differently. It uses namespaces and cgroups to restrict application’s capabilities including the use of resources. This is a feature provided by the linux kernel. This has almost no overhead.

Linux Virtualization, Linux Tutorial and Material, Linux Guides, Linux Learning, Linux Exam Prep

This method is so effective that Docker is using these containers internally to provide that isolated environment which is very useful for deploying multiple integrated systems. They are even bound towards creating their own containers library. Google have their own services running on containers on shared hardware.

Installation:


To install lxc in Ubuntu,

$ sudo apt-get install lxc lxctl lxc-templates

This package installs of LXC’s requirements, some templates and also sets up the network structure for the containers.

Run lxc-checkconfig to check if the kernel configuration is ready.

$ sudo lxc-checkconfig
    Kernel configuration not found at /proc/config.gz; searching...
    Kernel configuration found at /boot/config-4.4.0-24-generic
    --- Namespaces ---
    Namespaces: enabled
    Utsname namespace: enabled
    Ipc namespace: enabled
    Pid namespace: enabled
    User namespace: enabled
    Network namespace: enabled
    Multiple /dev/pts instances: enabled

    --- Control groups ---
    Cgroup: enabled
    Cgroup clone_children flag: enabled
    Cgroup device: enabled
    Cgroup sched: enabled
    Cgroup cpu account: enabled
    Cgroup memory controller: enabled
    Cgroup cpuset: enabled

    --- Misc ---
    Veth pair device: enabled
    Macvlan: enabled
    Vlan: enabled
    Bridges: enabled
    Advanced netfilter: enabled
    CONFIG_NF_NAT_IPV4: enabled
    CONFIG_NF_NAT_IPV6: enabled
    CONFIG_IP_NF_TARGET_MASQUERADE: enabled
    CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
    CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
    FUSE (for use with lxcfs): enabled

    --- Checkpoint/Restore ---
    checkpoint restore: enabled
    CONFIG_FHANDLE: enabled
    CONFIG_EVENTFD: enabled
    CONFIG_EPOLL: enabled
    CONFIG_UNIX_DIAG: enabled
    CONFIG_INET_DIAG: enabled
    CONFIG_PACKET_DIAG: enabled
    CONFIG_NETLINK_DIAG: enabled
    File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

You should also see the output something similar to the above.
lxc provides a lot of ready templates, which are really helpful for fast deployment.

$ ls -l /usr/share/lxc/templates/
    total 404
    -rwxr-xr-x 1 root root 12973 May 18 14:48 lxc-alpine
    -rwxr-xr-x 1 root root 13713 May 18 14:48 lxc-altlinux
    -rwxr-xr-x 1 root root 11090 May 18 14:48 lxc-archlinux
    -rwxr-xr-x 1 root root 12159 May 18 14:48 lxc-busybox
    -rwxr-xr-x 1 root root 29503 May 18 14:48 lxc-centos
    -rwxr-xr-x 1 root root 10374 May 18 14:48 lxc-cirros
    -rwxr-xr-x 1 root root 19732 May 18 14:48 lxc-debian
    -rwxr-xr-x 1 root root 17890 May 18 14:48 lxc-download
    -rwxr-xr-x 1 root root 49600 May 18 14:48 lxc-fedora
    -rwxr-xr-x 1 root root 28384 May 18 14:48 lxc-gentoo
    -rwxr-xr-x 1 root root 13868 May 18 14:48 lxc-openmandriva
    -rwxr-xr-x 1 root root 15932 May 18 14:48 lxc-opensuse
    -rwxr-xr-x 1 root root 41720 May 18 14:48 lxc-oracle
    -rwxr-xr-x 1 root root 11205 May 18 14:48 lxc-plamo
    -rwxr-xr-x 1 root root 19250 May 18 14:48 lxc-slackware
    -rwxr-xr-x 1 root root 26862 May 18 14:48 lxc-sparclinux
    -rwxr-xr-x 1 root root  6862 May 18 14:48 lxc-sshd
    -rwxr-xr-x 1 root root 25602 May 18 14:48 lxc-ubuntu
    -rwxr-xr-x 1 root root 11439 May 18 14:48 lxc-ubuntu-cloud

We’ll start by creating a new container with name “my_container” with “ubuntu” template.
This will take some time and finish creating a container for you. Yes! its that simple.
Once its completed, the last few lines shows the password for the root user of the container. It would look something similar to this,

$ sudo lxc-create -n my_container -t ubuntu
    .....
    .....
    ##
    # The default user is 'ubuntu' with password 'ubuntu'!
    # Use the 'sudo' command to run tasks as root in the container.
    ##
We can check the status of container using lxc-ls. This will show the container to be in stopped state.

$ sudo lxc-ls --fancy
    NAME            STATE    IPV4  IPV6  AUTOSTART
    ----------------------------------------------
    my_container    STOPPED  -     -     NO

Now to start the container run lxc-start. The -d argument creates it a daemon.

$ sudo lxc-start -n my_container -d

Check the status of container using lxc-ls to verify its running. We can access the console using lxc-console. Use the credentials we received above to get the console access.

 $ sudo lxc-console -n my_container

After logging in, run the following command on the container,

$ top

And on the host-pc run the following command to see the list of running processes.

$ ps auxf

and somewhere you’ll find a process tree that looks similar to this,

Linux Virtualization, Linux Tutorial and Material, Linux Guides, Linux Learning, Linux Exam Prep

It would be surprising, but, all the process on the container are just simple process on the host pc. The important part is that all are isolated and monitored by kernel. Hence you can think of these as simple processes on the host PC and you can even kill them(only if you have sufficient privileges)

You can exit the console and return to the host by typing Ctrl-A followed by Q.

To get more info about the running container use,

 $ sudo lxc-info -n my_container

You can access the root file-system of this container directly from the host machine by accessing. You will need root permission to do so.

    $ sudo su
    $ cd /var/lib/lxc/my_container/rootfs

That’s it. Now this is like a brand new operating system. You can run any service on this container.

Think of containers as separate operating systems, where you can run anything you want. The only thing that makes is special is that all container runs on the same hardware. So, practically, companies/institutions buy a heavy shared machine then deploy containers with resource limits according to the multiple services they want. This makes is scalable and easier to manage.

To stop the container run,

    $ sudo lxc-stop -n my_container

To delete the container use,

    $ sudo lxc-destroy -n my_container

NOTE: lxc provides a wrapper and easy to use API to use the kernel features. It is not equivalent to containers in any sense.

Related Posts

0 comments:

Post a Comment