Progress Linux

wiki.progress-linux.org

LXC - Container Virtualization

1. Information

1.1 Version

  • Supported Progress Distributions: artax, artax-backports, baureo
  • Supported Upstream Versions: 0.7.2 (artax), 0.7.5 (artax-backports, baureo)

1.2 Patched Packages

1.2.1 Host
1.2.2 Container

2. Installation

  • Install LXC

    apt-get install lxc bridge-utils debootstrap

3. Configuration

3.1 Host

3.1.1 Enable IP Forward

    echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ip_forward.conf
    sysctl -p /etc/sysctl.d/ip_forward.conf

3.1.2 Bridge Interfaces (dhcp standalone)

cat > /etc/network/interfaces << EOF
# /etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual

auto br0
iface br0 inet dhcp
        bridge_ports    eth0

        bridge_fd       0
        bridge_hello    0
        bridge_maxwait  0
        bridge_stp      0
EOF

3.1.3 Bridge Interfaces (static standalone)

cat > /etc/network/interfaces << EOF
# /etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual

# standalone: 192.168.0.2
auto br0
iface br0 inet static
        address         192.168.0.2
        broadcast       192.168.0.255
        gateway         192.168.0.1
        netmask         255.255.255.0
        network         192.168.0.0

        pre-up          ifconfig eth0 down
        pre-up          ifconfig eth0 up
        bridge_ports    eth0

        bridge_fd       0
        bridge_hello    0
        bridge_maxwait  0
        bridge_stp      0
EOF

3.1.4 Bridge Interfaces (static subnet)

cat > /etc/network/interfaces << EOF
# /etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual

# subnet: 192.168.0.1/24
auto br0
iface br0 inet static
        address         192.168.0.1
        broadcast       192.168.0.255
        netmask         255.255.255.0
        network         192.168.0.0

        pre-up          brctl addbr br0
        post-down       brctl delbr br0

        bridge_fd       0
        bridge_hello    0
        bridge_maxwait  0
        bridge_stp      0
EOF

3.2 Container

cat > /var/lib/lxc/example.org/config << EOF
# /var/lib/lxc/example.org/config

## Container
lxc.utsname                             = example.org
lxc.rootfs                              = /var/lib/lxc/example.org/rootfs
lxc.tty                                 = 6
lxc.pts                                 = 1024
#lxc.console                            = /var/log/lxc/example.org.console

## Capabilities
lxc.cap.drop                            = sys_admin sys_module mac_admin mac_override

## Devices
# Allow all devices
#lxc.cgroup.devices.allow               = a
# Deny all devices
lxc.cgroup.devices.deny                 = a
# Allow to mknod all devices (but not using them)
lxc.cgroup.devices.allow                = c *:* m
lxc.cgroup.devices.allow                = b *:* m

# /dev/console
lxc.cgroup.devices.allow                = c 5:1 rwm
# /dev/fuse
lxc.cgroup.devices.allow                = c 10:229 rwm
# /dev/null
lxc.cgroup.devices.allow                = c 1:3 rwm
# /dev/ptmx
lxc.cgroup.devices.allow                = c 5:2 rwm
# /dev/pts/*
lxc.cgroup.devices.allow                = c 136:* rwm
# /dev/random
lxc.cgroup.devices.allow                = c 1:8 rwm
# /dev/rtc
lxc.cgroup.devices.allow                = c 254:0 rwm
# /dev/tty
lxc.cgroup.devices.allow                = c 5:0 rwm
# /dev/urandom
lxc.cgroup.devices.allow                = c 1:9 rwm
# /dev/zero
lxc.cgroup.devices.allow                = c 1:5 rwm

## Limits
#lxc.cgroup.cpu.shares                  = 1024
#lxc.cgroup.cpuset.cpus                 = 0
#lxc.cgroup.memory.limit_in_bytes       = 256M
#lxc.cgroup.memory.memsw.limit_in_bytes = 1G

## Filesystem
lxc.mount.entry                         = proc /var/lib/lxc/example.org/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry                         = sysfs /var/lib/lxc/example.org/rootfs/sys sysfs defaults,ro 0 0
#lxc.mount.entry                        = /srv/share/example.org /var/lib/lxc/example.org/rootfs/srv/example.org none defaults,bind 0 0

## Network
lxc.network.type                        = veth
lxc.network.flags                       = up
lxc.network.hwaddr                      = 00:FF:00:00:00:02
lxc.network.link                        = br0
lxc.network.name                        = eth0
lxc.network.veth.pair                   = veth-example
EOF
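
As an added check (written for this page, not part of the lxc packages), the script below audits a container config against the hardening used above: an active device allow-all, a missing default deny, any of the four dropped capabilities still kept, and proc/sysfs mount options weaker than nodev,noexec,nosuid and ro. The function name lxc_config_audit is hypothetical.

```shell
#!/bin/sh
# lxc_config_audit: flag weak settings in an LXC 0.7-style container config.
# Hypothetical helper written for this page, not part of the lxc packages.
# Prints one "WEAK: ..." line per finding and returns the number of findings.
lxc_config_audit() {
    cfg="$1"
    n=0
    # Drop comments and blank lines, normalise "key = value" to "key value".
    active=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
                 -e 's/[[:space:]]*=[[:space:]]*/ /' "$cfg")

    # Device cgroup: must start from deny-all; an active "allow = a" hands the
    # container every host device node.
    if echo "$active" | grep -q '^lxc\.cgroup\.devices\.allow a$'; then
        echo "WEAK: lxc.cgroup.devices.allow = a exposes all host devices"; n=$((n + 1))
    fi
    if ! echo "$active" | grep -q '^lxc\.cgroup\.devices\.deny a$'; then
        echo "WEAK: lxc.cgroup.devices.deny = a missing (no default deny)"; n=$((n + 1))
    fi

    # Capabilities: the config above drops these four; flag any that are kept.
    dropped=$(echo "$active" | awk '$1 == "lxc.cap.drop" { for (i = 2; i <= NF; i++) print $i }')
    for cap in sys_admin sys_module mac_admin mac_override; do
        echo "$dropped" | grep -qx "$cap" || { echo "WEAK: capability $cap not dropped"; n=$((n + 1)); }
    done

    # Mounts: proc should carry nodev,noexec,nosuid and sysfs should be read-only.
    for fs in proc:nodev proc:noexec proc:nosuid sysfs:ro; do
        fstype=${fs%%:*}; opt=${fs##*:}
        # Field 5 of a normalised lxc.mount.entry line is the mount option list.
        opts=$(echo "$active" | awk -v t="$fstype" '$1 == "lxc.mount.entry" && $2 == t { print $5 }')
        case ",$opts," in
            *",$opt,"*) ;;
            *) echo "WEAK: $fstype mount lacks $opt"; n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# Usage: lxc_config_audit /var/lib/lxc/example.org/config
```

The exit status equals the number of findings, so the function drops into a cron job or a pre-start hook without further parsing.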

4. Usage

  • Create Container

    lxc-create -n example.org -t debian -f /var/lib/lxc/example.org/config

  • Start Container

    lxc-start -n example.org

  • Stop Container

    lxc-stop -n example.org

  • Pause Container

    lxc-freeze -n example.org

  • Unpause Container

    lxc-unfreeze -n example.org

  • Remove Container

    lxc-destroy -n example.org

  • Autostart Container on boot

    ln -s /var/lib/lxc/example.org/config /etc/lxc/auto/example.org

5. Best Practices

5.1 LXC Directories

  • move /var/lib/lxc to /srv/local/lxc/containers and symlink /srv/local/lxc/containers to /var/lib/lxc (lxc does that through a debconf question already).

5.2 LXC Container Data

  • move all container data to /srv/share/example.org and mount /srv/share/example.org to /srv/example.org within the container.

5.3 LXC Stuff

Some additional scripts are included in the LXC packages:

  • lxc: a convenience wrapper for lxc which allows using commands in the more convenient form of 'lxc COMMAND CONTAINER' rather than 'lxc-COMMAND -n CONTAINER'.
  • lxc-list: lists all containers with status (running/stopped, with information about auto start).
  • lxc-halt: shut down a container with a proper halt command issued, rather than kill -15 (as lxc-stop does).
  • lxc-backup/lxc-restore: simple rootfs backup and restore scripts useful when prototyping.

6. Known Bugs

6.1 General

  • Rebooting a container from within does not work (container stops and does not start again) and needs either kernel patches or a userspace watchdog.

  • Using two bridges with lxc on a kernel version before 2.6.36 results in a kernel panic. With kernel versions prior to 2.6.36 (e.g. on artax), either use only one bridge or upgrade your kernel (e.g. with artax-backports).

6.2 Applications

  • Google Chrome and Chromium browsers require the suid bit for sandboxing (see Issue 31077 for more information). As a workaround the --no-sandbox parameter can be used.

7. Links

7.1 Upstream

7.2 Debian

7.3 Progress

7.4 Other