User Tools
docs:lxc
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
docs:lxc [2014-05-13 18:33] glen Links to thinfo changed to th |
docs:lxc [2016-08-21 00:36] (current) glen [LXC - Linux Container Tools] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== LXC - Linux Container Tools ====== | ====== LXC - Linux Container Tools ====== | ||
| - | LXC is a tool to create and manage containers. It contains a full featured container with the isolation / virtualization of the pids, the ipc, the utsname, the mount points, /proc, /sys, the network and it takes into account the control groups. It is very light, flexible, and provides a set of tools around the container like the monitoring with asynchronous events notification, or the freeze of the container. This package is useful to create Virtual Private Server, or to run isolated applications like bash or sshd. | + | [[https://linuxcontainers.org/lxc/|LXC]] is a tool to create and manage containers. It contains a full featured container with the isolation / virtualization of the pids, the ipc, the utsname, the mount points, /proc, /sys, the network and it takes into account the control groups. It is very light, flexible, and provides a set of tools around the container like the monitoring with asynchronous events notification, or the freeze of the container. This package is useful to create Virtual Private Server, or to run isolated applications like bash or sshd. |
| + | |||
| + | LXC is pretty low level, very flexible and covers just about every containment feature supported by the upstream kernel. For a completely fresh and intuitive user experience with a single command line tool to manage your containers see [[LXD]]. | ||
| **Resources** | **Resources** | ||
| - | * [[http://linuxcontainers.org/|LXC Project homepage]] | ||
| * [[https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/|LXC 1.0 blog post series]] - must read to get quick overview what's out there | * [[https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/|LXC 1.0 blog post series]] - must read to get quick overview what's out there | ||
| * [[http://lists.linuxfoundation.org/mailman/listinfo/containers|Linux Containers mailing list]] | * [[http://lists.linuxfoundation.org/mailman/listinfo/containers|Linux Containers mailing list]] | ||
| Line 20: | Line 21: | ||
| * 3.8+ kernel [[http://docs.docker.io/en/latest/installation/kernel/|according]] to docker devs | * 3.8+ kernel [[http://docs.docker.io/en/latest/installation/kernel/|according]] to docker devs | ||
| * [[package>lxc]] package | * [[package>lxc]] package | ||
| - | * cgroups mounted, use [[package>systemd]] or [[package>libcgroup]] for that. | + | * cgroups mounted, use [[package>systemd]] or [[package>libcgroup]] for that (edit and enable most groups in ///etc/cgconfig.conf// except debug) |
| + | |||
| + | <note warning>Kernels with vserver support compiled in, do not work correctly with LXC | ||
| + | |||
| + | * [[http://lists.pld-linux.org/mailman/pipermail/pld-devel-en/2014-January/thread.html#23786]] | ||
| + | * http://www.paul.sladen.org/vserver/archives/201402/0015.html | ||
| + | </note> | ||
| ===== Guest creation ===== | ===== Guest creation ===== | ||
| Line 33: | Line 40: | ||
| 'test' created | 'test' created | ||
| - | # lxc-ls --fancy | + | # lxc-ls --fancy (install python3-lxc for lxc-ls) |
| NAME STATE IPV4 IPV6 | NAME STATE IPV4 IPV6 | ||
| ----------------------------------- | ----------------------------------- | ||
| Line 53: | Line 60: | ||
| There are two versions of PLD available for guest systems: | There are two versions of PLD available for guest systems: | ||
| - | * ac - [[:AcInfo|PLD 2.0 (Ac)]] | + | * ac - [[:ac|PLD 2.0 (Ac)]] |
| * th - [[:th|PLD 3.0 (Th)]] | * th - [[:th|PLD 3.0 (Th)]] | ||
| Line 65: | Line 72: | ||
| ===== Common problems / Useful tricks ===== | ===== Common problems / Useful tricks ===== | ||
| + | |||
| + | ==== lxc-start has no output ==== | ||
| + | |||
| + | In case ''lxc-start -n test'' produces no output, ensure /dev/console is present in guest filesystem. | ||
| ==== lxc-stop is not graceful ==== | ==== lxc-stop is not graceful ==== | ||
| Line 121: | Line 132: | ||
| | vserver test stop | lxc-stop -n test | | | vserver test stop | lxc-stop -n test | | ||
| | vserver-stat | %%lxc-ls --fancy --running%% | you need ''python3-lxc'' installed for this tool | | | vserver-stat | %%lxc-ls --fancy --running%% | you need ''python3-lxc'' installed for this tool | | ||
| - | ===== Sample configs ===== | ||
| - | ==== config for network ==== | ||
| - | static networking, set ''VSERVER=yes'' and ''VSERVER_ISOLATION_NET=yes'' in guest ''/etc/sysconfig/system'' to disable all network configuration by guest. | + | ===== Network configs ===== |
| + | ==== general ==== | ||
| - | - uses ''macvlan'' | + | static networking, set ''VSERVER=yes'' and ''VSERVER_ISOLATION_NET=yes'' in guest ''/etc/sysconfig/system'' to disable all network configuration by guest, set RC_PROMPT=no to avoid hanging startup scripts, in general it's good idea to turn off there most of things |
| - | - that interface is NOT visible on host | + | |
| - | - you can't filter it from host's firewall | + | |
| - | - you HAVE to set mac. If not - on every container start you'll have different one (your router will not pass the traffic). | + | |
| - | - iptables is initialized from lxc.hook.pre-mount hook (ran in the container's namespace and having macvlan interface visible) | + | |
| + | ==== network using macvlan in bridge mode ==== | ||
| + | - traffic from host to guest (and vice-versa) is NOT passed. external trafic works | ||
| + | - guest interface is NOT visible on host | ||
| + | - you can't filter guest straffic from host's firewall | ||
| + | - host can use seme default interface with and without guests running. | ||
| + | - one have better to set static MAC address. If not - on every container start you'll have different MAC generated and your router may have problems with passing traffic. | ||
| + | - iptables is initialized from lxc.hook.pre-mount hook (ran in the container's namespace and having guest macvlan interface visible) | ||
| first boot with ''hwaddr'' line disabled, look what the random address was assigned, set it in config. | first boot with ''hwaddr'' line disabled, look what the random address was assigned, set it in config. | ||
| Line 157: | Line 170: | ||
| + | ==== network using bridged veth interfaces ==== | ||
| + | |||
| + | ==== More raeding about network ==== | ||
| + | |||
| + | [[http://containerops.org/2013/11/19/lxc-networking/|Elaborate article about configuring different types of network ]] | ||
| + | ===== Sample configs ===== | ||
| ==== full config ==== | ==== full config ==== | ||
docs/lxc.1399998818.txt.gz · Last modified: 2014-05-13 18:33 by glen
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain
