Progress Linux

LXC - Container Virtualization

1. Information

1.1 Version

• Supported Progress Distributions: artax, artax-backports, baureo
• Supported Upstream Versions: 0.7.2 (artax), 0.7.5 (artax-backports, baureo)

1.2 Patched Packages

1.2.1 Host

• Fixed linux-2.6 packages (>= 2.6.32-26atax1, >= 2.6.37-1~artax1, >= 2.6.32-26baureo1):

  • Enabling memory resource controller for control groups (Closes: #534964).

• Fixed lxc packages (>= 0.7.2-1artax13, >= 0.7.2.4-4~artax1, >= 0.7.4.2-4):

  • Adding patch from upstream to support container architecture (Closes: #597875).
  • Adding patch from upstream to support suite in debian template (Closes: #600459).
  • Updating patch from upstream for suite support to default to squeeze (Closes: #600456).
  • Updating patch from upstream for suite support to default to cdn.debian.net (Closes: #600464).
  • Adding patch to create missing tty device nodes in debian template (Closes: #600466).
  • Disabling unneeded checkroot initscript (Closes: #601001).
  • Adding patch to correct include argument when calling debootstrap in debian template (Closes: #607275).
  • Adding patch to correct charset argument when calling locale-gen in debian template (Closes: #607273).
  • Adding patch to disable unneeded umountroot initscript (Closes: #611972).
  • Don't stop containers on upgrade (Closes: #626163).
  • Add an /etc/lxc/auto directory (Closes: #611920).
  • Adding patch for debian template to also disable module-init-tools initscript.
  • Adding patch to remove double check for configuration path in lxc-create (Closes: #633996).
  • Adding adapted patch from upstream to correct architecture setting in debian template (Closes: #622626).
  • Adding patch to extend architecture static fallback list for powerpc in debian template.
  • Replacing my own patch to fix locales generation in debian template with a correct patch from Sylvain Ferriol (Closes: #607273).
  • Adding patch to set default runlevel in debian template to 2 instead of 3.
  • Adding patch to disable services in debian template upgrade proof (Closes: #636851).

• Fixed sysvinit packages (>= 2.88dsf-12artax1, >= 2.88dsf-12baureo1):

  • Automatically mounting cgroup on /sys/fs/cgroup if it is supported (Closes: #601757).

1.2.2 Container

• Fixed ifupdown packages (>= 0.6.10artax1, >= 0.6.10baureo1):

  • Adding explicit depends in ifupdown-clean to avoid checkroot dependency (Closes: #607713).
  • Adding depends to initscripts to allow bootstrapping with ifupdown that has no explicit depends on checkroot script.

• Fixed udev packages (>= 164-3arax1):

  • Also check for cgroups in udev maintainer scripts to support LXC (Closes: #620921).

• Fixed util-linux packages (>= 2.17.2-5artax1, >= 2.17.2-5baureo1):

  • Don't reenable hwclock initscript if it was disabled (Closes: #473202).

2. Installation

• Install LXC

  apt-get install lxc bridge-utils debootstrap

3. Configuration

3.1 Host

3.1.1 Enable IP Forward

echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ip_foward.conf
sysctl -p

3.1.2 Bridge Interfaces (dhcp standalone)

cat > /etc/network/interfaces << EOF
# /etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual

auto br0
iface br0 inet dhcp
        bridge_ports    eth0

        bridge_fd       0
        bridge_hello    0
        bridge_maxwait  0
        bridge_stp      0
EOF

3.1.3 Bridge Interfaces (static standalone)

cat > /etc/network/interfaces << EOF
# /etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual

# standalone: 192.168.0.2
auto br0
iface br0 inet static
        address         192.168.0.2
        broadcast       192.168.0.255
        gateway         192.168.0.1
        netmask         255.255.255.0
        network         192.168.0.0

        pre-up          ifconfig eth0 down
        pre-up          ifconfig eth0 up
        bridge_ports    eth0

        bridge_fd       0
        bridge_hello    0
        bridge_maxwait  0
        bridge_stp      0
EOF

3.1.4 Bridge Interface (static subnet)

cat > /etc/network/interfaces << EOF
# /etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual

# subnet: 192.168.0.1/24
auto br0
iface br0 inet static
        address         192.168.0.1
        broadcast       192.168.0.255
        netmask         255.255.255.0
        network         192.168.0.0

        pre-up          brctl addbr br0
        post-down       brctl delbr br0

        bridge_fd       0
        bridge_hello    0
        bridge_maxwait  0
        bridge_stp      0
EOF

3.2 Container

cat > /var/lib/lxc/example.org/config << EOF
# /var/lib/lxc/example.org/config

## Container
lxc.utsname                             = example.org
lxc.rootfs                              = /var/lib/lxc/example.org/rootfs
lxc.tty                                 = 6
lxc.pts                                 = 1024
#lxc.console                            = /var/log/lxc/example.org.console

## Capabilities
lxc.cap.drop                            = sys_admin sys_module mac_admin mac_override

## Devices
# Allow all devices
#lxc.cgroup.devices.allow               = a
# Deny all devices
lxc.cgroup.devices.deny                 = a
# Allow to mknod all devices (but not using them)
lxc.cgroup.devices.allow                = c *:* m
lxc.cgroup.devices.allow                = b *:* m

# /dev/console
lxc.cgroup.devices.allow                = c 5:1 rwm
# /dev/fuse
lxc.cgroup.devices.allow                = c 10:229 rwm
# /dev/null
lxc.cgroup.devices.allow                = c 1:3 rwm
# /dev/ptmx
lxc.cgroup.devices.allow                = c 5:2 rwm
# /dev/pts/*
lxc.cgroup.devices.allow                = c 136:* rwm
# /dev/random
lxc.cgroup.devices.allow                = c 1:8 rwm
# /dev/rtc
lxc.cgroup.devices.allow                = c 254:0 rwm
# /dev/tty
lxc.cgroup.devices.allow                = c 5:0 rwm
# /dev/urandom
lxc.cgroup.devices.allow                = c 1:9 rwm
# /dev/zero
lxc.cgroup.devices.allow                = c 1:5 rwm

## Limits
#lxc.cgroup.cpu.shares                  = 1024
#lxc.cgroup.cpuset.cpus                 = 0
#lxc.cgroup.memory.limit_in_bytes       = 256M
#lxc.cgroup.memory.memsw.limit_in_bytes = 1G

## Filesystem
lxc.mount.entry                         = proc /var/lib/lxc/example.org/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry                         = sysfs /var/lib/lxc/example.org/rootfs/sys sysfs defaults,ro 0 0
#lxc.mount.entry                        = /srv/share/example.org /var/lib/example.org/rootfs/srv/example.org none defaults,bind 0 0

## Network
lxc.network.type                        = veth
lxc.network.flags                       = up
lxc.network.hwaddr                      = 00:FF:00:00:00:02
lxc.network.link                        = br0
lxc.network.name                        = eth0
lxc.network.veth.pair                   = veth-example
EOF

4. Usage

• Create Container

  lxc-create -n example.org -t debian -f /var/lib/lxc/example.org/config

• Start Container

  lxc-start -n example.org

• Stop Container

  lxc-stop -n example.org

• Pause Container

  lxc-freeze -n example.org

• Unpause Container

  lxc-unfreeze -n example.org

• Remove Container

  lxc-destroy -n example.org

• Autostart Container on boot

  ln -s /var/lib/lxc/example.org/config /etc/lxc/auto/example.org

5. Best Practices

5.1 LXC Directories

• move /var/lib/lxc to /srv/local/lxc/containers and symlink /srv/local/lxc/containers to /var/lib/lxc (lxc does that through a debconf question already).

5.2 LXC Container Data

• move all container data to /srv/share/example.org and mount /srv/share/example.org to /srv/example.org within the container.

5.3 LXC Stuff

Some additional scripts are included in the LXC packages:

• lxc: a convenience wrapper for lxc which allows using commands in the more convenient form of 'lxc COMMAND CONTAINER' rather than 'lxc-COMMAND -n CONTAINER'.
• lxc-list: lists all containers with status (running/stopped, with information about auto start).
• lxc-halt: shut down a container with a proper halt command issued, rather than kill -15 (as lxc-stop does).
• lxc-backup/lxc-restore: simple rootfs backup and restore scripts usefull when prototyping.

6. Known Bugs

6.1 General

• Rebooting a container from within does not work (container stops and does not start again) and needs either kernel patches or a userspace watchdog.

• Using two bridges with lxc on a kernel version before 2.6.36 results in a kernel panic. With kernel versions prior 2.6.36 (e.g. on artax), either use only one bridge or upgrade your kernel (e.g. with artax-backports).

6.2 Applications

• Google Chroome and Chromium browsers require the suid bit for sandboxing (see Issues 31077 for more information). As a workaround the --no-sandbox parameter can be used.

7. Links

7.1 Upstream

• Upstream Homepage
• Upstream Version Control

7.2 Debian

• Debian Bug Tracking System
• Debian Package Tracking System
• Debian Snapshot
• Debian Wiki

7.3 Progress

• Progress Package Archive: artax artax-backports baureo
• Progress Issues Tracker
• Progress Version Control

7.4 Other

• Linux Kernel: Documentation/cgroups/cgroups.txt
• Linux Technical Review (German, subscriber-only content): Duell der Container
• Pro-Linux (German): Ressourcen-Verwaltung mit Control Groups (cgroups)