Difference between revisions of "Linux Container"

From Proxmox VE
Jump to navigation Jump to search
(remove duplicate content)
Line 1: Line 1:
 
{{#pvedocs:chapter-pct-plain.html}}
 
{{#pvedocs:chapter-pct-plain.html}}
 
== Introduction ==
 
 
Linux Containers (LXC) is an operating-system-level virtualization environment for running multiple isolated Linux systems on a single Linux control host ([https://en.wikipedia.org/wiki/LXC Wikipedia LXC]).  It can be also defined as a lightweight VM but extremely fast and easy to deploy.
 
 
There is not much overhead and therefore it's the perfect solution for effective use of resources.
 
 
No extra kernel boot is necessary on startup resulting in a super fast boot.
 
 
Linux Containers (LXC) are introduced in Proxmox VE 4.0 and support the [[Storage_Model |Proxmox Storage Model]].
 
 
===LXC vs LXD vs Docker ===
 
 
A nice comparison is available as an [https://insights.ubuntu.com/2015/09/23/infographic-lxd-machine-containers-from-ubuntu/ Infographic].
 
 
[https://linuxcontainers.org/lxc/ LXC] is a userspace interface for the Linux kernel containment features. Through a powerful API and simple tools, it lets Linux users easily create and manage system or application containers. LXD specializes in deploying (Linux) Virtual Machines.
 
 
[http://www.docker.com Docker] is a container system making use of LXC containers to <tt>Build, Ship, and Run Any App, Anywhere</tt> and is supported by Docker, Inc. Docker specializes in deploying apps.
 
 
[https://linuxcontainers.org/lxd/ LXD] isn't a rewrite of LXC, in fact it's building on top of LXC to provide a new, better user experience. Under the hood, LXD uses LXC through liblxc and its Go binding to create and manage the containers. It's basically an alternative to LXC's tools and distribution template system with the added features that come from being controllable over the network. Incidentally, [http://blog.scottlowe.org/2015/05/06/quick-intro-lxd/ LXD is installed] using the command <tt>lxc</tt>.
 
 
LXD and Docker are not needed for ProxMox VE as the latter manages all it's LXC instances from within itself. Information from Docker scripts can be used to build LXC.
 
 
== System requirements ==
 
*Proxmox VE 4.0 or higher
 
 
== Features ==
 
*Support of local directories('''NOTE:not on ZFS use instead ZFSPoolPlugin'''), NFS, ZFS, LVM, Ceph and DRBD9 (other will/can follow)
 
*manipulate disk size
 
*snapshot, rollback, clone, linked clone (all these features need storage support) 
 
*Kernel namespaces (ipc, uts, mount, pid, network and user)
 
*Apparmor profiles
 
*Seccomp policies
 
*Chroots (using pivot_root)
 
*Kernel capabilities
 
*CGroups (control groups)
 
*Migration
 
*Backup and restore
 
*Integrated firewall
 
*Network support for VLAN, IPv4, IPv6
 
 
== Supported OS ==
 
*Debian 4, 5, 6, 7, 8
 
*CentOS 6, 7
 
*Ubuntu 12.04, 14.04, 15.04, 15.10, 16.04
 
*Archlinux
 
*Alpine Linux (tested >=3.1)
 
*Fedora 22
 
*OpenSUSE 13.1 13.2
 
Other OS are following step by step.
 
 
== Manage containers ==
 
Management can be done either via the web gui, or via command line tools
 
=== Get a container template ===
 
All templates can be downloaded at the GUI.[[File:DownloadContainer.png|200px|thumb|rigth|DownloadContainer]]
 
<b>NOTE: Only the supported OS work</b>
 
 
If the containers are not yet visible use the following pve command to update the list.
 
<pre>
 
pveam update
 
</pre>
 
 
=== Create container ===
 
After you have downloaded a template, you can create a container based on it.
 
[[File:Create CT.png|200px|thumb|rigth|Create CT]]
 
A GUI wizard will guide you through the creation process.
 
 
It is also possible to create a container with the pct command line tool.
 
More details see manpages
 
<pre>
 
pct create 104 /var/lib/vz/template/cache/debian-8.0-standard_8.0-1_amd64.tar.gz \
 
-description LXC -rootfs 4 -hostname pvecontainer01 -memory 1024 -nameserver 8.8.8.8 \
 
-net0 name=eth0,hwaddr=52:4A:5E:26:58:D8,ip=192.168.15.147/24,gw=192.168.15.1,bridge=vmbr0 \
 
-storage local -password
 
</pre>
 
 
=== Start container ===
 
There are two possibilities to start a container:
 
either on the GUI or on the command line [[File:Start_CT.png|200px|thumb|rigth|Start Container]]
 
<pre>
 
pct start 100
 
</pre>
 
 
=== Stop container ===
 
Stopping a container can be done in a similar way like starting a container.
 
[[File:Stop_CT.png|200px|thumb|rigth|Stop Container]]
 
<pre>
 
pct stop 100
 
</pre>
 
 
=== Backup container ===
 
The backup can be done in three different modes: snapshot, suspend and stopped. This mode options have only an effect if the container is running.
 
[[File:Backup_CT.png|200px|thumb|rigth|Backup Container]]
 
Snapshot mode: this feature depends on the filesystem and so it must support snapshots. If snapshot mode is chosen but it's not supported by the filesystem the backup will be done in suspend mode.
 
 
Suspend mode: the container will be frozen during the time the backup is running. <b>NOTE: Container is not running untill backup is done!</b>
 
 
Stopped mode: the container will be turned off and restarted after backup.
 
 
The command line tool backing up Linux container is vzdump.
 
For more information read vzdump manpage.
 
 
vzdump 100 -compress lzo -dumpdir /var/lib/vz/dump/ -mode snapshot -remove 0
 
 
=== Restore container ===
 
[[File:Restore CT.png|200px|thumb|rigth|Restore Container]]
 
It is easy and fast to restore a container.
 
 
On the GUI it was only possible to restore a container with the same VMID and if there is no VM with this VMID. In Proxmox VE 3+ it can be restored to any available VMID.
 
 
If you need to change the VMID or override a VM you can use the command line tool pct.
 
 
For more information read the man page of pct.
 
pct restore 101 /var/lib/vz/dump/vzdump-lxc-100-2015_06_22-11_12_40.tar.lzo
 
  
 
=== Security ===
 
=== Security ===

Revision as of 15:04, 23 September 2016

Security

LXC Containers use an AppArmor profile to provide ressource isolation in the container. This works by blocking system calls like 'mount' who are denied being executed in the container. You can trace the AppArmor activity with: 

dmesg | grep apparmor

If you want to disable AppArmor for a container, you can add the stanza 

lxc.aa_profile = unconfined

at the end of the configuration file ( located in /etc/pve/lxc/CTID.conf ) Note that this is not a recommended setup for production.


Migrate container from OpenVZ to Linux container

Follow this howto:

References

Retrieved from "https://pve.proxmox.com/mediawiki/index.php?title=Linux_Container&oldid=9026"