Linux Container

From Proxmox VE
Jump to: navigation, search

Introduction

Linux Containers (LXC) is an operating-system-level virtualization environment for running multiple isolated Linux systems on a single Linux control host (Wikipedia LXC). It can be also defined as a lightweight VM but extremely fast and easy to deploy.

There is not much overhead and therefore it's the perfect solution for effective use of resources.

No extra kernel boot is necessary on startup resulting in a super fast boot.

Linux Containers (LXC) are introduced in Proxmox VE 4.0 and support the Proxmox Storage Model.

LXC vs LXD vs Docker

A nice comparison is available as an Infographic.

LXC is a userspace interface for the Linux kernel containment features. Through a powerful API and simple tools, it lets Linux users easily create and manage system or application containers. LXD specializes in deploying (Linux) Virtual Machines.

Docker is a container system making use of LXC containers to Build, Ship, and Run Any App, Anywhere and is supported by Docker, Inc. Docker specializes in deploying apps.

LXD isn't a rewrite of LXC, in fact it's building on top of LXC to provide a new, better user experience. Under the hood, LXD uses LXC through liblxc and its Go binding to create and manage the containers. It's basically an alternative to LXC's tools and distribution template system with the added features that come from being controllable over the network. Incidentally, LXD is installed using the command lxc.

LXD and Docker are not needed for ProxMox VE as the latter manages all it's LXC instances from within itself. Information from Docker scripts can be used to build LXC.

System requirements

  • Proxmox VE 4.0 or higher

Features

  • Support of local directories(NOTE:not on ZFS use instead ZFSPoolPlugin), NFS, ZFS, LVM, Ceph and DRBD9 (other will/can follow)
  • manipulate disk size
  • snapshot, rollback, clone, linked clone (all these features need storage support)
  • Kernel namespaces (ipc, uts, mount, pid, network and user)
  • Apparmor profiles
  • Seccomp policies
  • Chroots (using pivot_root)
  • Kernel capabilities
  • CGroups (control groups)
  • Migration
  • Backup and restore
  • Integrated firewall
  • Network support for VLAN, IPv4, IPv6

Supported OS

  • Debian 4, 5, 6, 7, 8
  • CentOS 6, 7
  • Ubuntu 12.04, 14.04, 15.04, 15.10, 16.04
  • Archlinux
  • Alpine Linux (tested >=3.1)
  • Fedora 22
  • OpenSUSE 13.1 13.2

Other OS are following step by step.

Manage containers

Management can be done either via the web gui, or via command line tools

Get a container template

All templates can be downloaded at the GUI.
DownloadContainer

NOTE: Only the supported OS work

If the containers are not yet visible use the following pve command to update the list.

pveam update

Create container

After you have downloaded a template, you can create a container based on it.

Create CT

A GUI wizard will guide you through the creation process.

It is also possible to create a container with the pct command line tool. More details see manpages

pct create 104 /var/lib/vz/template/cache/debian-8.0-standard_8.0-1_amd64.tar.gz \
 -description LXC -rootfs 4 -hostname pvecontainer01 -memory 1024 -nameserver 8.8.8.8 \
 -net0 name=eth0,hwaddr=52:4A:5E:26:58:D8,ip=192.168.15.147/24,gw=192.168.15.1,bridge=vmbr0 \
 -storage local -password

Start container

There are two possibilities to start a container:

either on the GUI or on the command line
Start Container
pct start 100

Stop container

Stopping a container can be done in a similar way like starting a container.

Stop Container
pct stop 100

Backup container

The backup can be done in three different modes: snapshot, suspend and stopped. This mode options have only an effect if the container is running.

Backup Container

Snapshot mode: this feature depends on the filesystem and so it must support snapshots. If snapshot mode is chosen but it's not supported by the filesystem the backup will be done in suspend mode.

Suspend mode: the container will be frozen during the time the backup is running. NOTE: Container is not running untill backup is done!

Stopped mode: the container will be turned off and restarted after backup.

The command line tool backing up Linux container is vzdump. For more information read vzdump manpage.

vzdump 100 -compress lzo -dumpdir /var/lib/vz/dump/ -mode snapshot -remove 0

Restore container

Restore Container

It is easy and fast to restore a container.

On the GUI it was only possible to restore a container with the same VMID and if there is no VM with this VMID. In Proxmox VE 3+ it can be restored to any available VMID.

If you need to change the VMID or override a VM you can use the command line tool pct.

For more information read the man page of pct.

pct restore 101 /var/lib/vz/dump/vzdump-lxc-100-2015_06_22-11_12_40.tar.lzo

Security

LXC Containers use an AppArmor profile to provide ressource isolation in the container. This works by blocking system calls like 'mount' who are denied being executed in the container. You can trace the AppArmor activity with:

dmesg | grep apparmor 

If you want to disable AppArmor for a container, you can add the stanza

lxc.aa_profile = unconfined 

at the end of the configuration file ( located in /etc/pve/lxc/CTID.conf ) Note that this is not a recommended setup for production.


Migrate container from OpenVZ to Linux container

Follow this howto:

References