1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
|
Linux Container - LXC:
----------------------
This document provides a quick help to use the linux container.
Contents:
---------
0) Quick start
1) Overview
2) Requirements
3) Functional Specification
4) Future work
0) Quick start
--------------
You are in a hurry, and you don't want to read this README. Ok,
without warranty, here are the commands to launch a shell inside a
container with a predefined configuration template, it may work.
lxc-create -n foo -f /etc/lxc/lxc-macvlan.conf
lxc-execute -n foo /bin/bash
When your bash exits, you don't have to create 'foo' again, just call
lxc-execute again.
1) Overview
-----------
The container technology is actively being pushed into the mainstream
linux kernel. It provides the resource management through the control
groups aka process containers and resource isolation through the
namespaces.
The LXC aims to use these new functionnalities to provide an userspace
container object which provides full resource isolation and resource
control for an applications or a system.
The first objective of this project is to make the life easier for the
kernel developers involved in the containers project and especially
to continue working on the Checkpoint/Restart new features. The LXC is
small enough to easily manage a container with simple command lines
and complete enough to be used for other purposes.
2) Requirements
---------------
The LXC relies on a set of functionnalies provided by the kernel which
needs to be active. Depending of the missing functionnalities the LXC
will work with a restricted number of functionnalities or will simply
fails.
This is the list of the kernel features which needs to be compiled in:
* General
* Control Group support
-> namespace cgroup subsystem
-> cpuset support
-> Group CPU scheduler
-> control group freeze subsystem
-> Basis for grouping tasks (Control Groups)
-> Simple CPU accounting
-> Resource counters
-> Memory resource controllers for Control Groups
-> Namespace support
-> UTS namespace
-> IPC namespace
-> User namespace
-> Pid namespace
* Network support
-> Networking options
-> Network namespace support
For the moment the easiest way to have all the features in the kernel
is to use the git tree at:
git://git.kernel.org/pub/scm/linux/kernel/git/daveh/linux-2.6-lxc.git
Otherwise the latest version of 2.6.26 kernel is usable with LXC but
without sysfs if the network namespace is activated and without the
freezer subsystem.
Before using LXC, the system should be configured as followed:
* Control group file system must be mounted
mount -t cgroup cgroup /cgroup
* You must have root privileges
3) Functional Specification
---------------------------
A container is an object where the configuration is persistent. The
application will be launched inside this container and it will
use the configuration which was previously created.
3.1 Container life cycle
------------------------
When the container is created, it contains the configuration
information. When a process is launched, the container will be
starting and running. When the last process running inside the
container exits, the container is stopped.
In case of failure when the container is initialized, it will pass
through the aborting state.
---------
| STOPPED |<---------------
--------- |
| |
start |
| |
V |
---------- |
| STARTING |--error- |
---------- | |
| | |
V V |
--------- ---------- |
| RUNNING | | ABORTING | |
--------- ---------- |
| | |
no process | |
| | |
V | |
---------- | |
| STOPPING |<------- |
---------- |
| |
---------------------
3.2 Configuration file
----------------------
The configuration file has the following format:
--------------------------------------------------------------------------------
# the fstab mount file.
lxc.mount = ./fstab
# the hostname to be set into the container
lxc.utsname = virtnode
# the rootfs if needed for the running application
lxc.rootfs = /mnt/root
# The network has several of kind of configuration:
#
# * veth : the network will use the veth virtual device, the
# specified link must be a bridge
# * macvlan : the network will use the macvlan device, the specified
# link should be an existing interface, usually it is
# eth0
# * phys : the network will use a physical network device, the
# specified link should be an existing interface
# * empty : the network namespace will be empty, only the default network
# devices will be created (loopback, gre, ...)
lxc.network.type = macvlan
# specify the flags to be used for the network, actually only <up> is
# allowed which mean the network should be set up when created. If the
# network is set up, the loopback is automatically set up too.
lxc.network.flags = up
# specify the physical network device which will communicate with the
# outside world
lxc.network.link = eth0
# NIC ethernet mac address
lxc.network.hwaddr = 4a:49:43:49:79:bd
# specify the ipv4 address of the container. Several lines are allowed
# and will mean several addresses will be assigned to the interface
lxc.network.ipv4 = 1.2.3.5/24
# specify the ipv6 address of the container. Several lines are allowed
# and will mean several addresses will be assigned to the interface
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
# specify the a cgroup value
lxc.cgroup.cpu.shares = 512
lxc.cgroup.cpuset.cpu = 0,1
--------------------------------------------------------------------------------
All fields are optional.
3.3 Container creation
----------------------
The container is created via the 'lxc-create' command. The command
specifies the container name and the container configuration file.
lxc-create -n foo -f <config>
3.4 Starting a container
------------------------
As the container has been created with the lxc-create command, it is
possible now to start an application inside.
lxc-execute -n foo /bin/bash
When the application has exited, it is possible to continue using the
container configuration to launch another application.
3.5 Stopping a container
------------------------
Usually, a container stops when the last process exits but in some
cases, it is usefully to wipe out such application. The following
command will kill the processes.
lxc-stop -n foo
3.6 Freezing/Unfreezing a container
-----------------------------------
All the processes belonging to a container can be stopped and resumed.
lxc-freeze -n foo
lxc-unfreeze -n foo
3.7 Sending a signal to a container
-----------------------------------
A signal can be sent to all processes running inside the container.
lxc-kill -n foo -s <signal>
3.8 Monitoring container states
-------------------------------
A container has a life cycle and passes though different states as
defined in section 3.1. The following command allows to watch such
states for a specific container.
lxc-monitor -n foo
3.9 Getting container information
----------------------------------
At any time, the following command will retrieve informations of the
container.
lxc-info -n foo
3.10 Showing processes list for a container
-------------------------------------------
The following command will show all the processes for all the running
container.
lxc-ps
3.11 Using the control group for a container
--------------------------------------------
Each time a container is created, a cgroup is associated to it.
If the command is specified without value, the specified key is
retrieved otherwise it is set.
lxc-cgroup -n foo cpuset.cpu 1
lxc-cgroup -n foo cpu.shares
4) Future work
--------------
* change the lxc-execute to have the first process to exec
* man pages
* improve monitoring support
* and more :)
|
GitWeb