HOL10019 Grimmer Oraclelinux Hands OnLab LinuxContainers 141013 0949 56

Post on 19-Nov-2015


  • Hands-on Lab - Linux Containers

    Getting Started with Linux Containers on Oracle Linux

    - Introduction
    - Requirements
    - Exercise: Installing and configuring additionally required software packages
    - Exercise: Creating and mounting a Btrfs volume for the container storage
    - Exercise: Creating a container
    - Exercise: Cloning an existing container
    - Exercise: Starting and stopping a container
    - Exercise: Logging into a container
    - Exercise: Updating and installing software inside a container
    - Installing and starting an Oracle Linux 5 container
    - Exercise: Monitoring containers
    - Exercise: Changing a container's network configuration
    - Destroying containers
    - Conclusion
    - References

    Introduction

    In this hands-on lab you will learn the basics of working with Linux Containers on Oracle Linux:

    - Installing and configuring the required software packages
    - Setting up a Btrfs volume for the container storage
    - Installing a container
    - Cloning an existing container
    - Starting and logging into a container
    - Updating and installing software inside a container
    - Monitoring and shutting down containers
    - Changing a container's network configuration
    - Destroying a container

    Linux Containers (LXC) provide a means to isolate individual services or applications, as well as a complete Linux operating system, from other services running on the same host. To accomplish this, each container gets its own directory structure, network devices, IP addresses and process table. The processes running in other containers or the host system are not visible from inside a container. Additionally, Linux Containers allow for fine-grained control of resources like RAM, CPU or disk I/O.

    Generally speaking, Linux Containers use a completely different approach than "classical" virtualization technologies like KVM or Xen (on which Oracle VM Server for x86 is based). An application running inside a container is executed directly on the operating system kernel of the host system, shielded from all other running processes in a sandbox-like environment. This allows a very direct and fair distribution of CPU and I/O resources. Linux Containers can offer the best possible performance and several possibilities for managing and sharing the available resources.

    Similar to Containers (or Zones) on Oracle Solaris or FreeBSD jails, the same kernel version runs on the host as well as in the containers; it is not possible to run different Linux kernel versions or other operating systems like Microsoft Windows or Oracle Solaris for x86 inside a container. However, it is possible to run different Linux distribution versions (e.g. Fedora Linux in a container on top of an Oracle Linux host), provided the distribution supports the version of the Linux kernel that runs on the host. This approach has one caveat, though - if any of the containers causes a kernel crash, it will bring down all other containers (and the host system) as well.

    Some use cases for Linux Containers include:

    - Consolidation of multiple separate Linux systems on one server: instances of Linux systems that are not performance-critical or only see sporadic use (e.g. a fax or print server or intranet services) do not necessarily need a dedicated server for their operations. These can easily be consolidated to run inside containers on a single server, to preserve energy and rack space.
    - Running multiple instances of an application in parallel, e.g. for different users or customers. Each user receives his "own" application instance, with a defined level of service/performance. This prevents one user's application from hogging the entire system and ensures that each user only has access to his own data set. It also helps to save main memory: if multiple instances of the same process are running, the Linux kernel can share memory pages that are identical and unchanged across all application instances. This also applies to shared libraries that applications may use; they are generally held in memory once and mapped to multiple processes.
    - Quickly creating sandbox environments for development and testing purposes: containers that have been created and configured once can be archived as templates and can be duplicated (cloned) instantly on demand. After finishing the activity, the clone can safely be discarded. This makes it possible to provide repeatable software builds and test environments, because the system will always be reset to its initial state for each run. Linux Containers also boot significantly faster than "classic" virtual machines, which can save a lot of time when running frequent build or test runs on applications.
    - Safe execution of an individual application: if an application running inside a container has been compromised because of a security vulnerability, the host system and other containers remain unaffected. The potential damage can be minimized, analyzed and resolved directly from the host system.

    http://lxc.sourceforge.net/

    Note: Linux Containers on Oracle Linux 6 with the Unbreakable Enterprise Kernel Release 2 (2.6.39) are still marked as Technology Preview - their use is only recommended for testing and evaluation purposes.

    The creation of Oracle Linux containers can be accomplished on the command line in a few steps, using the LXC utilities. So far, there is no integration or support for this technology in applications like Oracle VM Manager or Oracle Enterprise Manager. However, Oracle has developed several enhancements which are included in the lxc package that's part of Oracle Linux 6.4; these changes were also contributed to the upstream LXC project and are now part of the official LXC releases.

    Hint: If you want to learn more about Linux Containers, the Oracle Linux Administrator's Solutions Guide for Release 6 has a dedicated chapter about this technology.

    Requirements

    The Oracle Linux 6.4 virtual appliance should be up and running (from the initial snapshot) and you should be logged in as the Oracle Linux user with a terminal window opened to enter the following commands. You should have some basic experience with working on a Linux command line, e.g. opening and editing files, moving around the file system directory structure, running commands.

    Exercise: Installing and configuring additionally required software packages

    To properly support and work with Linux Containers, the following packages (and their dependencies) need to be installed with yum: btrfs-progs, lxc, libvirt and libcgroup. Note that btrfs-progs and libcgroup may already be installed on your lab system; you can use rpm -q btrfs-progs libcgroup to verify this.

    http://docs.oracle.com/cd/E37670_01/E37355/html/index.html
    http://docs.oracle.com/cd/E37670_01/E37355/html/ol_containers.html
    http://www.oracle.com/technetwork/server-storage/linux/downloads/vm-for-hol-1896500.html

    The following command installs the required lxc package including its dependencies, libvirt and lxc-libs:

  • [oracle@oraclelinux6 ~]$ sudo yum install lxc

    Loaded plugins: refresh-packagekit, security
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package lxc.x86_64 0:0.8.0-2.0.8.el6 will be installed
    --> Processing Dependency: libvirt for package: lxc-0.8.0-2.0.8.el6.x86_64
    --> Processing Dependency: liblxc.so.0()(64bit) for package: lxc-0.8.0-2.0.8.el6.x86_64
    --> Running transaction check
    ---> Package libvirt.x86_64 0:0.10.2-18.0.1.el6_4.9 will be installed
    ---> Package lxc-libs.x86_64 0:0.8.0-2.0.8.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package      Arch     Version                  Repository   Size
    ================================================================================
    Installing:
     lxc          x86_64   0.8.0-2.0.8.el6          ol6_latest   103 k
    Installing for dependencies:
     libvirt      x86_64   0.10.2-18.0.1.el6_4.9    ol6_latest   2.3 M
     lxc-libs     x86_64   0.8.0-2.0.8.el6          ol6_latest   68 k

    Transaction Summary
    ================================================================================
    Install 3 Package(s)

    Total download size: 2.5 M
    Installed size: 6.1 M

    Is this ok [y/N]: y

    Downloading Packages:
    (1/3): libvirt-0.10.2-18.0.1.el6_4.9.x86_64.rpm | 2.3 MB 00:06
    (2/3): lxc-0.8.0-2.0.8.el6.x86_64.rpm | 103 kB 00:00
    (3/3): lxc-libs-0.8.0-2.0.8.el6.x86_64.rpm | 68 kB 00:00
    --------------------------------------------------------------------------------
    Total 268 kB/s | 2.5 MB 00:09
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : lxc-libs-0.8.0-2.0.8.el6.x86_64 1/3
      Installing : libvirt-0.10.2-18.0.1.el6_4.9.x86_64 2/3
      Installing : lxc-0.8.0-2.0.8.el6.x86_64 3/3
      Verifying : lxc-0.8.0-2.0.8.el6.x86_64 1/3
      Verifying : libvirt-0.10.2-18.0.1.el6_4.9.x86_64 2/3
      Verifying : lxc-libs-0.8.0-2.0.8.el6.x86_64 3/3

    Installed:
      lxc.x86_64 0:0.8.0-2.0.8.el6

    Dependency Installed:
      libvirt.x86_64 0:0.10.2-18.0.1.el6_4.9
      lxc-libs.x86_64 0:0.8.0-2.0.8.el6

    Complete!

    The LXC template scripts are installed in /usr/share/lxc/templates:

    [oracle@oraclelinux6 ~]$ ls /usr/share/lxc/templates/
    lxc-altlinux   lxc-debian  lxc-opensuse  lxc-ubuntu
    lxc-archlinux  lxc-fedora  lxc-oracle    lxc-ubuntu-cloud
    lxc-busybox    lxc-lenny   lxc-sshd

    As you can see, the LXC distribution contains templates for other Linux distributions as well. However, the focus of this lab session will be on working with Oracle Linux containers.

    Linux Control Groups (cgroups) are an essential component of Linux Containers. Verify that the Control Groups service cgconfig is started and enabled at boot time:

    [oracle@oraclelinux6 ~]$ service cgconfig status
    Running
    [oracle@oraclelinux6 ~]$ ls /cgroup/
    blkio  cpu  cpuacct  cpuset  devices  freezer  memory  net_cls
    [oracle@oraclelinux6 ~]$ chkconfig --list cgconfig
    cgconfig  0:off  1:off  2:on  3:on  4:on  5:on  6:off

    Now start the virtualization management service, libvirtd, and enable it at boot time:

    [oracle@oraclelinux6 ~]$ sudo service libvirtd start
    Starting libvirtd daemon: [ OK ]
    [oracle@oraclelinux6 ~]$ sudo chkconfig libvirtd on

    Among other things, libvirt provides a host-internal virtual network bridge and DHCP/DNS service (using the dnsmasq application) that will be used to automatically configure the network settings of the containers we will create.

    Hint: For more information about libvirt's virtual networking functionality, please consult this Wiki page.

    Now that we've concluded all the necessary preparations, let's check the configuration using the lxc-checkconfig script:

    [oracle@oraclelinux6 ~]$ lxc-checkconfig

    Kernel configuration not found at /proc/config.gz; searching...
    Kernel configuration found at /boot/config-2.6.39-400.109.4.el6uek.x86_64
    --- Namespaces ---
    Namespaces: enabled
    Utsname namespace: enabled
    Ipc namespace: enabled
    Pid namespace: enabled
    User namespace: enabled
    Network namespace: enabled
    Multiple /dev/pts instances: enabled

    --- Control groups ---
    Cgroup: enabled
    Cgroup clone_children flag: enabled
    Cgroup device: enabled
    Cgroup sched: enabled
    Cgroup cpu account: enabled
    Cgroup memory controller: enabled
    Cgroup cpuset: enabled

    --- Misc ---
    Veth pair device: enabled
    Macvlan: enabled
    Vlan: enabled
    File capabilities: enabled

    Note : Before booting a new kernel, you can check its configuration
    usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

    Looks like we're good to go!

    Exercise: Creating and mounting a Btrfs volume for the container storage

    At first, a dedicated directory should be created to host the container file systems. The default location is /container. Creating this directory on top of a Btrfs file system provides a few additional interesting possibilities, e.g. the option to "freeze" a container file system at a certain point in time, or the fast creation (cloning) of additional containers based on a template. Cloning containers using Btrfs snapshots takes place in an instant, without requiring any additional disk space except for the differences to the original template.

    The creation and management of Btrfs file systems is explained in detail in the chapter "The Btrfs File System" of the "Oracle Linux Administrator's Solutions Guide for Release 6". For some practical examples, take a look at the Hands-on lab - Storage Management with Btrfs.

    http://wiki.libvirt.org/page/VirtualNetworking
    http://docs.oracle.com/cd/E37670_01/E37355/html/ol_btrfs.html
    http://docs.oracle.com/cd/E37670_01/E37355/html/index.html
    https://wikis.oracle.com/display/oraclelinux/Hands-on+lab+-+Storage+Management+with+Btrfs

    On our virtual lab environment, you can create a Btrfs file system on the second disk (/dev/sdb) and mount it at /container by entering the following commands:

    [oracle@oraclelinux6 ~]$ sudo mkfs.btrfs /dev/sdb

    WARNING! - Btrfs v0.20-rc1 IS EXPERIMENTAL
    WARNING! - see http://btrfs.wiki.kernel.org before using

    fs created label (null) on /dev/sdb
        nodesize 4096 leafsize 4096 sectorsize 4096 size 4.00GB
    Btrfs v0.20-rc1

    [oracle@oraclelinux6 ~]$ sudo mkdir -v /container
    mkdir: created directory `/container'
    [oracle@oraclelinux6 ~]$ sudo mount -v /dev/sdb /container
    mount: you didn't specify a filesystem type for /dev/sdb
           I will try type btrfs
    /dev/sdb on /container type btrfs (rw)

    To mount the file system at system startup time, you can add an entry for /container to the /etc/fstab file, either by adding it with your favorite text editor or by using the following command line:

    [oracle@oraclelinux6 ~]$ sudo su
    [root@oraclelinux6 ~]# echo "/dev/sdb /container btrfs defaults 0 0" >> /etc/fstab
    [root@oraclelinux6 ~]# exit
    exit

    Exercise: Creating a container

    Now you can create a container of the latest version of Oracle Linux 6 named "ol6cont1" and using the default options by entering the following command. The option "-t" determines the general type of the Linux distribution to be installed (the so-called "template"), e.g. "oracle", "ubuntu" or "fedora". Depending on the template, you can pass template-specific options after the double dashes ("--"). In the case of the Oracle Linux template, you can choose the distribution's release version by providing values like "5.8", "6.3" or "6.latest" to the --release option.

    Further information about the available configuration options can be found in chapter "About the lxc-oracle Template Script" of the Oracle Linux 6 Administrator's Solutions Guide.

    http://docs.oracle.com/cd/E37670_01/E37355/html/ol_config_os_containers.html#ol_otmpl_lxc

    Enter the following command to create an Oracle Linux 6 container, based on the latest available update release and using the default configuration options:

    [oracle@oraclelinux6 ~]$ sudo lxc-create -n ol6cont1 -t oracle -- --release=6.latest

    /usr/share/lxc/templates/lxc-oracle is /usr/share/lxc/templates/lxc-oracle
    Note: Usually the template option is called with a configuration
    file option too, mostly to configure the network.
    For more information look at lxc.conf (5)

    Host is OracleServer 6.4
    Create configuration file /container/ol6cont1/config
    Downloading release 6.latest for x86_64
    Loaded plugins: refresh-packagekit, security
    ol6_latest | 1.4 kB 00:00
    ol6_latest/primary | 31 MB 01:23
    ol6_latest 21879/21879
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package chkconfig.x86_64 0:1.3.49.3-2.el6 will be installed
    --> Processing Dependency: libc.so.6(GLIBC_2.4)(64bit) for package: chkconfig-1.3.49.3-2.el6.x86_64
    --> Processing Dependency: libc.so.6(GLIBC_2.3.4)(64bit) for package: chkconfig-1.3.49.3-2.el6.x86_64
    [...]
    --> Processing Dependency: pygpgme for package: yum-3.2.29-40.0.1.el6.noarch
    --> Processing Dependency: python-iniparse for package: yum-3.2.29-40.0.1.el6.noarch
    --> Processing Dependency: rpm-python for package: yum-3.2.29-40.0.1.el6.noarch
    --> Running transaction check
    ---> Package audit-libs.x86_64 0:2.2-2.el6 will be installed
    ---> Package bash.x86_64 0:4.1.2-15.el6_4 will be installed
    ---> Package checkpolicy.x86_64 0:2.0.22-1.el6 will be installed
    ---> Package coreutils.x86_64 0:8.4-19.0.1.el6_4.2 will be installed
    --> Processing Dependency: coreutils-libs = 8.4-19.0.1.el6_4.2 for package: coreutils-8.4-19.0.1.el6_4.2.x86_64
    [...]
    ---> Package pinentry.x86_64 0:0.7.6-6.el6 will be installed
    --> Running transaction check
    ---> Package groff.x86_64 0:1.18.1.4-21.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package               Arch     Version                  Repository   Size
    ================================================================================
    Installing:
     chkconfig             x86_64   1.3.49.3-2.el6           ol6_latest   158 k
     dhclient              x86_64   12:4.1.1-34.P1.0.1.el6   ol6_latest   316 k
     initscripts           x86_64   9.03.38-1.0.1.el6_4.1    ol6_latest   937 k
    [...]
     rootfiles             noarch   8.1-6.1.el6              ol6_latest   6.3 k
     rsyslog               x86_64   5.8.10-6.el6             ol6_latest   648 k
     vim-minimal           x86_64   2:7.2.411-1.8.el6        ol6_latest   363 k
     yum                   noarch   3.2.29-40.0.1.el6        ol6_latest   995 k
    Installing for dependencies:
     MAKEDEV               x86_64   3.24-6.el6               ol6_latest   88 k
     audit-libs            x86_64   2.2-2.el6                ol6_latest   60 k
     basesystem            noarch   10.0-4.0.1.el6           ol6_latest   4.3 k
    [...]
     yum-metadata-parser   x86_64   1.1.2-16.el6             ol6_latest   26 k
     zlib                  x86_64   1.2.3-29.el6             ol6_latest   72 k

    Transaction Summary
    ================================================================================
    Install 135 Package(s)

    Total download size: 79 M
    Installed size: 294 M
    Downloading Packages:
    (1/135): MAKEDEV-3.24-6.el6.x86_64.rpm | 88 kB 00:00
    (2/135): audit-libs-2.2-2.el6.x86_64.rpm | 60 kB 00:00
    (3/135): basesystem-10.0-4.0.1.el6.noarch.rpm | 4.3 kB 00:00
    (4/135): bash-4.1.2-15.el6_4.x86_64.rpm | 904 kB 00:02
    (5/135): binutils-2.20.51.0.2-5.36.el6.x86_64.rpm | 2.8 MB 00:07
    [...]
    (131/135): vim-minimal-7.2.411-1.8.el6.x86_64.rpm | 363 kB 00:01
    (132/135): xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_ | 89 kB 00:00
    (133/135): yum-3.2.29-40.0.1.el6.noarch.rpm | 995 kB 00:03
    (134/135): yum-metadata-parser-1.1.2-16.el6.x86_64.rpm | 26 kB 00:00
    (135/135): zlib-1.2.3-29.el6.x86_64.rpm | 72 kB 00:00
    --------------------------------------------------------------------------------
    Total 271 kB/s | 79 MB 04:59
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : libgcc-4.4.7-3.el6.x86_64 1/135
      Installing : setup-2.8.14-20.el6.noarch 2/135
      Installing : filesystem-2.4.30-3.el6.x86_64 3/135
      Installing : basesystem-10.0-4.0.1.el6.noarch 4/135
      Installing : ca-certificates-2010.63-3.el6_1.5.noarch 5/135
    [...]
      Installing : rsyslog-5.8.10-6.el6.x86_64 131/135
      Installing : yum-3.2.29-40.0.1.el6.noarch 132/135
      Installing : passwd-0.77-4.el6_2.2.x86_64 133/135
      Installing : 2:vim-minimal-7.2.411-1.8.el6.x86_64 134/135
      Installing : rootfiles-8.1-6.1.el6.noarch 135/135
      Verifying : gamin-0.1.10-9.el6.x86_64 1/135
      Verifying : procps-3.2.8-25.el6.x86_64 2/135
      Verifying : 12:dhclient-4.1.1-34.P1.0.1.el6.x86_64 3/135
      Verifying : 2:ethtool-3.5-1.el6.x86_64 4/135
      Verifying : ncurses-base-5.7-3.20090208.el6.x86_64 5/135
    [...]
      Verifying : ca-certificates-2010.63-3.el6_1.5.noarch 130/135
      Verifying : libssh2-1.4.2-1.el6.x86_64 131/135
      Verifying : cpio-2.10-11.el6_3.x86_64 132/135
      Verifying : mingetty-1.08-5.el6.x86_64 133/135
      Verifying : libcurl-7.19.7-37.el6_4.x86_64 134/135
      Verifying : 1:findutils-4.4.2-6.el6.x86_64 135/135

    Installed:
      chkconfig.x86_64 0:1.3.49.3-2.el6
      dhclient.x86_64 12:4.1.1-34.P1.0.1.el6
      initscripts.x86_64 0:9.03.38-1.0.1.el6_4.1
      openssh-server.x86_64 0:5.3p1-84.1.el6
    [...]
    Dependency Installed:
      MAKEDEV.x86_64 0:3.24-6.el6
      audit-libs.x86_64 0:2.2-2.el6
      basesystem.noarch 0:10.0-4.0.1.el6
      bash.x86_64 0:4.1.2-15.el6_4
      binutils.x86_64 0:2.20.51.0.2-5.36.el6
    [...]
      upstart.x86_64 0:0.6.5-12.el6_4.1
      ustr.x86_64 0:1.0.4-9.1.el6
      util-linux-ng.x86_64 0:2.17.2-12.9.el6_4.3
      xz-libs.x86_64 0:4.999.9-0.3.beta.20091007git.el6
      yum-metadata-parser.x86_64 0:1.1.2-16.el6
      zlib.x86_64 0:1.2.3-29.el6

    Complete!
    Rebuilding rpm database
    Configuring container for Oracle Linux 6.4
    Added container user:oracle password:oracle
    Added container user:root password:root
    Container : /container/ol6cont1/rootfs
    Config : /container/ol6cont1/config
    Network : eth0 () on virbr0
    'oracle' template installed
    'ol6cont1' created

    [oracle@oraclelinux6 ~]$ lxc-ls
    ol6cont1

    The installation script performed a download of the required RPM packages to prepare a minimal installation of the latest version of Oracle Linux 6 (about 400 MB), from Oracle's "public-yum" service.

    The directory structure of the installed container can be found at /container/ol6cont1/rootfs; it can be browsed and modified like any other regular directory structure.

    The script also created two user accounts "root" and "oracle" (with passwords equaling the user names) and configured a virtual network device, which obtains an IP address via DHCP from the DHCP server provided by the libvirt framework. The container's configuration file created by lxc-create is located at /container/ol6cont1/config and can be adapted and modified using a regular text editor.

    [oracle@oraclelinux6 ~]$ cat /container/ol6cont1/config

    # Container configuration for Oracle Linux 6.latest
    lxc.arch = x86_64
    lxc.utsname = ol6cont1
    lxc.devttydir = lxc
    lxc.tty = 4
    lxc.pts = 1024
    lxc.rootfs = /container/ol6cont1/rootfs
    lxc.mount = /container/ol6cont1/fstab
    # Uncomment these if you don't run anything that needs the capability, and
    # would like the container to run with less privilege.
    #
    # Dropping sys_admin disables container root from doing a lot of things
    # that could be bad like re-mounting lxc fstab entries rw for example,
    # but also disables some useful things like being able to nfs mount, and
    # things that are already namespaced with ns_capable() kernel checks, like
    # hostname(1).
    # lxc.cap.drop = sys_admin
    # lxc.cap.drop = net_raw # breaks dhcp/ping
    # lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
    # lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
    # lxc.cap.drop = setuid # breaks sshd,nfs statd
    # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
    # lxc.cap.drop = audit_write
    #
    lxc.cap.drop = mac_admin mac_override setfcap setpcap
    lxc.cap.drop = sys_module sys_nice sys_pacct
    lxc.cap.drop = sys_rawio sys_time
    lxc.cap.drop = sys_resource
    # Networking
    lxc.network.type = veth
    lxc.network.flags = up
    lxc.network.link = virbr0
    lxc.network.name = eth0
    lxc.network.mtu = 1500
    lxc.network.hwaddr = fe:7d:66:a0:3d:e9
    # Control Group devices: all denied except those whitelisted
    lxc.cgroup.devices.deny = a
    lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
    lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
    lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
    lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
    lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
    lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
    lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
    lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
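
    The lxc.cap.drop and lxc.cgroup.devices.* lines in this config decide how much privilege container root keeps, so they are worth checking on every container and clone. The script below is an added example, not part of the lab or of the lxc package: it reports listed capabilities that are not dropped and device rules that weaken the default-deny whitelist. The RISKY_CAPS list, the function names and the sample config are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab: audit the privilege-related keys of an
# LXC container config (lxc.cap.drop and lxc.cgroup.devices.*).

# Capabilities reported when container root keeps them. The list is an
# assumption of this example, built from the caps the template config names.
RISKY_CAPS="sys_admin sys_module sys_rawio sys_time sys_resource
mac_admin mac_override setfcap setpcap"

# active_values CONFIG KEY: value of every uncommented "KEY = value" line,
# with any trailing "# comment" and surrounding blanks removed.
active_values() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # commented-out setting
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            if (k != key) next
            sub(/#.*$/, "", v)               # trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", v)   # surrounding blanks
            if (v != "") print v
        }' "$1"
}

# dropped_caps CONFIG: dropped capabilities, one per line, sorted, unique.
dropped_caps() {
    active_values "$1" lxc.cap.drop | tr -s ' \t' '\n\n' | sort -u
}

# retained_risky_caps CONFIG: members of RISKY_CAPS that are not dropped.
retained_risky_caps() {
    _dropped=$(dropped_caps "$1")
    for _cap in $RISKY_CAPS; do
        printf '%s\n' "$_dropped" | grep -qxF "$_cap" || printf '%s\n' "$_cap"
    done
}

# device_findings CONFIG: one line per problem in the device cgroup rules.
device_findings() {
    active_values "$1" lxc.cgroup.devices.deny | grep -qxF 'a' ||
        echo "devices: no default deny (lxc.cgroup.devices.deny = a)"
    active_values "$1" lxc.cgroup.devices.allow |
    while read -r _type _nums _perms; do
        _rule="$_type${_nums:+ $_nums}${_perms:+ $_perms}"
        case "$_type $_nums" in
            a*|"b "*) echo "devices: broad or block device rule: $_rule" ;;
            *'*:'*)   echo "devices: wildcard major number: $_rule" ;;
        esac
    done
}

# audit_config CONFIG: print all findings; exit status 1 if there are any.
audit_config() {
    _findings=$(
        retained_risky_caps "$1" | sed 's/^/capability not dropped: /'
        device_findings "$1"
    )
    if [ -z "$_findings" ]; then return 0; fi
    printf '%s\n' "$_findings"
    return 1
}

# Constructed sample, modelled on the config the lab prints above.
sample_config() {
    cat <<'EOF'
# Container configuration (constructed sample)
lxc.utsname = ol6cont1
lxc.rootfs = /container/ol6cont1/rootfs
# lxc.cap.drop = sys_admin
# lxc.cap.drop = net_raw # breaks dhcp/ping
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
lxc.cap.drop = sys_resource
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 136:* rwm # ptys
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx
EOF
}

# With a path argument audit that file, otherwise audit the sample.
if [ $# -gt 0 ]; then
    audit_config "$1" || true
else
    _tmp=$(mktemp) && sample_config > "$_tmp"
    audit_config "$_tmp" || true    # prints: capability not dropped: sys_admin
    rm -f "$_tmp"
fi
```

    Run it against /container/ol6cont1/config and again against each clone's config, since lxc-clone copies these settings along with the root file system.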

    Exercise: Cloning an existing container

    http://public-yum.oracle.com/

    Before making any changes, it's recommended to create a snapshot of the container first, which can act as a backup copy and template from which we can quickly spawn additional containers based on this snapshot:

    [oracle@oraclelinux6 ~]$ sudo lxc-clone -o ol6cont1 -n ol6cont2

    Tweaking configuration
    Copying rootfs...
    Create a snapshot of '/container/ol6cont1/rootfs' in '/container/ol6cont2/rootfs'
    Updating rootfs...
    'ol6cont2' created

    [oracle@oraclelinux6 ~]$ lxc-ls -1
    ol6cont1
    ol6cont2

    Since we've created our container storage file system on top of a Btrfs file system, the lxc-clone script used Btrfs' snapshotting/cloning functionality to create a snapshot of the first container's root file system:

    [oracle@oraclelinux6 ~]$ sudo btrfs subvolume list /container/

    ID 256 gen 53 top level 5 path ol6cont1/rootfs
    ID 263 gen 54 top level 5 path ol6cont2/rootfs

    Exercise: Starting and stopping a container

    Now that the container's file system has been installed, you can start the container using the lxc-start command:

    [oracle@oraclelinux6 ~]$ sudo lxc-info -n ol6cont1
    state: STOPPED
    pid: -1
    [oracle@oraclelinux6 ~]$ sudo lxc-start -n ol6cont1 -d -o /container/ol6cont1/ol6cont1.log
    [oracle@oraclelinux6 ~]$ sudo lxc-info -n ol6cont1
    state: RUNNING
    pid: 3001

    The container has now been started by lxc-start in the background (courtesy of the -d option). By passing the -o option, any log messages will be redirected to the file /container/ol6cont1/ol6cont1.log. As you can tell from the output of lxc-info, the container ol6cont1 has been started and is now in state RUNNING.

    A container can be shut down in various ways: either by calling lxc-shutdown (for an orderly shutdown) or lxc-stop (for immediate termination) from the host, or from within the container using the usual commands like shutdown -h or poweroff.

    [oracle@oraclelinux6 ~]$ sudo lxc-shutdown -n ol6cont1
    [oracle@oraclelinux6 ~]$ sudo lxc-info -n ol6cont1
    state: STOPPED
    pid: -1

    Restart the container using lxc-start again, to continue with the exercises.

    Exercise: Logging into a container

    Now you can log into the container instance's console using the lxc-console command and take a look at its configuration.

    The container's root password defaults to root; it is strongly recommended to change this to a more secure password using the passwd command before deploying a container on an untrusted network!

    [oracle@oraclelinux6 ~]$ sudo lxc-console -n ol6cont1

    Oracle Linux Server release 6.4
    Kernel 2.6.39-400.109.4.el6uek.x86_64 on an x86_64

    ol6cont1 login: root
    Password: root
    [root@ol6cont1 ~]# cat /etc/oracle-release
    Oracle Linux Server release 6.4
    [root@ol6cont1 ~]# ps x
      PID TTY          STAT   TIME COMMAND
        1 ?            Ss     0:00 /sbin/init
      184 ?            Ss     0:00 /sbin/dhclient -H ol6cont1 -1 -q -lf /var/lib/dhclien
      207 ?            Sl     0:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
      249 ?            Ss     0:00 /usr/sbin/sshd
      256 lxc/console  Ss+    0:00 /sbin/mingetty /dev/console
      260 ?            Ss     0:00 login -- root
      262 lxc/tty2     Ss+    0:00 /sbin/mingetty /dev/tty2
      264 lxc/tty3     Ss+    0:00 /sbin/mingetty /dev/tty3
      266 lxc/tty4     Ss+    0:00 /sbin/mingetty /dev/tty4
      267 lxc/tty1     Ss     0:00 -bash
      278 lxc/tty1     R+     0:00 ps x
    [root@ol6cont1 ~]# ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr FE:1E:10:07:2C:C0
              inet addr:192.168.122.230  Bcast:192.168.122.255  Mask:255.255.255.0
              inet6 addr: fe80::fc1e:10ff:fe07:2cc0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:103 errors:0 dropped:0 overruns:0 frame:0
              TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:6046 (5.9 KiB)  TX bytes:1278 (1.2 KiB)

    [root@ol6cont1 ~]# ip route
    default via 192.168.122.1 dev eth0
    169.254.0.0/16 dev eth0 scope link metric 1006
    192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.62
    [root@ol6cont1 ~]# logout

    Oracle Linux Server release 6.4
    Kernel 2.6.39-400.109.4.el6uek.x86_64 on an x86_64

    ol6cont1 login: CTRL-a q

    The key combination CTRL-a, q terminates the LXC console session, leaving the container's console at the stage where you left it. So make sure to first log out of the container before you disconnect!

    Alternatively, you can also log in to the container using Secure Shell (SSH) from the host system. All containers have their own IP address and are connected to a virtual bridge device virbr0 by default, which is also reachable from the host system (but not from outside the host). This way, you can easily set up simple client/server architectures within a host system. To obtain the currently assigned IP addresses, take a look at the default.leases file from dnsmasq running on the host:

    [oracle@oraclelinux6 ~]$ grep ol6cont1 /var/lib/libvirt/dnsmasq/default.leases
    1379336654 fe:1e:10:07:2c:c0 192.168.122.230 ol6cont1 *
    [oracle@oraclelinux6 ~]$ ssh oracle@192.168.122.230
    The authenticity of host '192.168.122.230 (192.168.122.230)' can't be established.
    RSA key fingerprint is 29:5b:05:d4:0e:89:ef:a4:76:19:51:35:86:a1:89:b8.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.122.230' (RSA) to the list of known hosts.
    oracle@192.168.122.230's password: oracle
    [oracle@ol6cont1 ~]$ logout
    Connection to 192.168.122.230 closed.
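
    grep ol6cont1 matches every lease line that contains that string (a container named ol6cont10 as well), and the hostname column holds whatever name the DHCP client sent (dhclient -H ol6cont1 in the ps output above). The script below is an added example, not part of the lab: it looks the lease up by the lxc.network.hwaddr value from the container's config on the host. The function names, the second lease line and the sample config are constructed, and it assumes the MAC in the lease is the one set in that config.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab: look up a container's DHCP lease by the
# MAC address from its host-side config rather than by grepping its name.

# config_hwaddr CONFIG: print the active lxc.network.hwaddr value, lower case.
config_hwaddr() {
    awk -F= '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == "lxc.network.hwaddr" {
            v = $2; gsub(/[ \t]/, "", v); print tolower(v); exit
        }' "$1"
}

# lease_for_mac LEASES MAC: print "IP HOSTNAME EXPIRY" for the MAC's lease with
# the latest expiry; exit status 1 when the MAC has no lease.
# dnsmasq lease line: <expiry epoch> <MAC> <IP> <hostname> <client-id>
lease_for_mac() {
    awk -v mac="$2" '
        tolower($2) == tolower(mac) && $1 + 0 >= best {
            best = $1 + 0; out = $3 " " $4 " " $1
        }
        END { if (out == "") exit 1; print out }' "$1"
}

# container_ip CONFIG LEASES NAME: print the IP leased to the container's MAC.
# Warns on stderr when the lease's hostname is not NAME, because that column
# is supplied by the DHCP client and not by the host.
container_ip() {
    _mac=$(config_hwaddr "$1")
    [ -n "$_mac" ] || { echo "no lxc.network.hwaddr in $1" >&2; return 2; }
    _lease=$(lease_for_mac "$2" "$_mac") ||
        { echo "no lease for $_mac" >&2; return 1; }
    _ip=${_lease%% *}; _rest=${_lease#* }; _host=${_rest%% *}
    [ "$_host" = "$3" ] ||
        echo "warning: lease hostname is '$_host', expected '$3'" >&2
    printf '%s\n' "$_ip"
}

# sample_files DIR: write a constructed config and leases file into DIR. The
# first lease line is the one shown in the lab; the second is constructed.
sample_files() {
    printf '%s\n' 'lxc.utsname = ol6cont1' \
        'lxc.network.hwaddr = FE:1E:10:07:2C:C0' > "$1/config"
    printf '%s\n' \
        '1379336654 fe:1e:10:07:2c:c0 192.168.122.230 ol6cont1 *' \
        '1379336700 fe:aa:bb:cc:dd:10 192.168.122.77 ol6cont10 *' > "$1/leases"
}

_dir=$(mktemp -d) && sample_files "$_dir"
container_ip "$_dir/config" "$_dir/leases" ol6cont1 || true
rm -rf "$_dir"
```

    On the lab host the arguments would be /container/ol6cont1/config, /var/lib/libvirt/dnsmasq/default.leases and ol6cont1.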

    Exercise: Updating and installing software inside a container

    The container's system configuration can be modified using the usual operating system tools (e.g. yum or rpm to install additional software). Log into the container ol6cont1 (using lxc-console or ssh, see the previous exercise for details) and install and enable the Apache web server:

    [root@ol6cont1 ~]# yum install httpd

    ol6_latest | 3.4 kB 00:00 ol6_latest/primary_db | 4.9 MB 00:00 Setting up Install ProcessResolving Dependencies--> Running transaction check---> Package httpd.x86_64 0:2.2.15-29.0.1.el6_4 will be installed--> Processing Dependency: httpd-tools = 2.2.15-29.0.1.el6_4 for package:httpd-2.2.15-29.0.1.el6_4.x86_64--> Processing Dependency: apr-util-ldap for package: httpd-2.2.15-29.0.1.el6_4.x86_64--> Processing Dependency: /etc/mime.types for package: httpd-2.2.15-29.0.1.el6_4.x86_64--> Processing Dependency: libaprutil-1.so.0()(64bit) for package:httpd-2.2.15-29.0.1.el6_4.x86_64--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.2.15-29.0.1.el6_4.x86_64--> Running transaction check---> Package apr.x86_64 0:1.3.9-5.el6_2 will be installed---> Package apr-util.x86_64 0:1.3.9-3.el6_0.1 will be installed---> Package apr-util-ldap.x86_64 0:1.3.9-3.el6_0.1 will be installed---> Package httpd-tools.x86_64 0:2.2.15-29.0.1.el6_4 will be installed---> Package mailcap.noarch 0:2.1.31-2.el6 will be installed--> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================ Package Arch Version Repository Size================================================================================Installing: httpd x86_64 2.2.15-29.0.1.el6_4 ol6_latest 820 kInstalling for dependencies: apr x86_64 1.3.9-5.el6_2 ol6_latest 122 k apr-util x86_64 1.3.9-3.el6_0.1 ol6_latest 87 k apr-util-ldap x86_64 1.3.9-3.el6_0.1 ol6_latest 15 k httpd-tools x86_64 2.2.15-29.0.1.el6_4 ol6_latest 72 k mailcap noarch 2.1.31-2.el6 ol6_latest 26 k

    Transaction Summary================================================================================Install 6 Package(s)

    Total download size: 1.1 MInstalled size: 3.6 M

    Is this ok [y/N]: y

  • Downloading Packages:(1/6): apr-1.3.9-5.el6_2.x86_64.rpm | 122 kB 00:00 (2/6): apr-util-1.3.9-3.el6_0.1.x86_64.rpm | 87 kB 00:00 (3/6): apr-util-ldap-1.3.9-3.el6_0.1.x86_64.rpm | 15 kB 00:00 (4/6): httpd-2.2.15-29.0.1.el6_4.x86_64.rpm | 820 kB 00:00 (5/6): httpd-tools-2.2.15-29.0.1.el6_4.x86_64.rpm | 72 kB 00:00 (6/6): mailcap-2.1.31-2.el6.noarch.rpm | 26 kB 00:00 --------------------------------------------------------------------------------Total 6.3 MB/s | 1.1 MB 00:00 warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEYRetrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEYImporting GPG key 0xEC551F03: Userid : Oracle OSS group (Open Source Software group) Package: 6:oraclelinux-release-6Server-4.0.4.x86_64 (@ol6_latest/$releasever) From : /etc/pki/rpm-gpg/RPM-GPG-KEY

    Is this ok [y/N]: y

    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : apr-1.3.9-5.el6_2.x86_64                      1/6
      Installing : apr-util-1.3.9-3.el6_0.1.x86_64               2/6
      Installing : apr-util-ldap-1.3.9-3.el6_0.1.x86_64          3/6
      Installing : httpd-tools-2.2.15-29.0.1.el6_4.x86_64        4/6
      Installing : mailcap-2.1.31-2.el6.noarch                   5/6
      Installing : httpd-2.2.15-29.0.1.el6_4.x86_64              6/6
      Verifying  : httpd-2.2.15-29.0.1.el6_4.x86_64              1/6
      Verifying  : apr-util-ldap-1.3.9-3.el6_0.1.x86_64          2/6
      Verifying  : apr-1.3.9-5.el6_2.x86_64                      3/6
      Verifying  : httpd-tools-2.2.15-29.0.1.el6_4.x86_64        4/6
      Verifying  : mailcap-2.1.31-2.el6.noarch                   5/6
      Verifying  : apr-util-1.3.9-3.el6_0.1.x86_64               6/6

    Installed:
      httpd.x86_64 0:2.2.15-29.0.1.el6_4

    Dependency Installed:
      apr.x86_64 0:1.3.9-5.el6_2
      apr-util.x86_64 0:1.3.9-3.el6_0.1
      apr-util-ldap.x86_64 0:1.3.9-3.el6_0.1
      httpd-tools.x86_64 0:2.2.15-29.0.1.el6_4
      mailcap.noarch 0:2.1.31-2.el6

    Complete!

    [root@ol6cont1 ~]# service httpd start

    Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
                                                               [ OK ]

    [root@ol6cont1 ~]# chkconfig httpd on

    Now let's create some minimal custom content that will be served from this web server. Change to the directory /var/www/html in the container and create a file named index.html using a text editor like vi (or nano if you prefer - simply install it inside the container using yum install nano):

    ol6cont1 test page

    ol6cont1 web server is running
    Congratulations, the web server in container ol6cont1 is working properly!

    You should now be able to reach the web server running inside the container from the host system.

    Try to open the container's IP address (e.g. 192.168.122.230 in our example) in the host's Firefox browser:

    The Apache web server running within the ol6cont1 container has successfully delivered the web page you created!

    Installing and starting an Oracle Linux 5 container

    Now repeat the exercises above and create an Oracle Linux 5 (latest version) container named ol5cont1. Then create a clone named ol5cont2 and start it up afterwards, so both an Oracle Linux 5 and 6 container are running in parallel.

    Hint for the correct command sequence (the output has been omitted for brevity):

    [oracle@oraclelinux6 ~]$ sudo lxc-create -n ol5cont1 -t oracle -- --release=5.latest
    [oracle@oraclelinux6 ~]$ sudo lxc-clone -o ol5cont1 -n ol5cont2
    [oracle@oraclelinux6 ~]$ lxc-ls -1
    ol5cont1
    ol5cont2
    ol6cont1
    ol6cont2
    [oracle@oraclelinux6 ~]$ sudo lxc-start -n ol5cont1 -d -o /container/ol5cont1/ol5cont1.log

    The second container should now be up and running:

    [oracle@oraclelinux6 ~]$ lxc-ls --active -1
    ol5cont1
    ol6cont1

    Now log into the Oracle Linux 5 container and verify its version:

    [oracle@oraclelinux6 ~]$ sudo lxc-console -n ol5cont1

    Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

    Oracle Linux Server release 5.9
    Kernel 2.6.39-400.109.4.el6uek.x86_64 on an x86_64

    ol5cont1 login: oracle
    Password: oracle
    [oracle@ol5cont1 ~]$ cat /etc/oracle-release
    Oracle Linux Server release 5.9

    Also note that the host's dnsmasq DHCP server conveniently associates each running container's host name with its IP address:

    [oracle@ol5cont1 ~]$ ping -c 1 ol6cont1

    PING ol6cont1 (192.168.122.62) 56(84) bytes of data.
    64 bytes from ol6cont1 (192.168.122.62): icmp_seq=1 ttl=64 time=0.100 ms

    --- ol6cont1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.100/0.100/0.100/0.000 ms

    [oracle@ol5cont1 ~]$ logout
    [Ctrl+a, q]

    We now have two containers up and running, using two different major versions of Oracle Linux. They can reach each other via the host's virtual bridge by IP address and host name. To quickly double check this, let's try to reach the web server running on ol6cont1 from within ol5cont1, using the text-based web browser w3m.

    Log into ol5cont1 as the root user to install w3m:

    [root@ol5cont1 ~]# yum install w3m
    el5_latest                                               | 1.4 kB     00:00
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package w3m.x86_64 0:0.5.1-18.0.1.el5 set to be updated
    --> Processing Dependency: /usr/bin/perl for package: w3m
    --> Processing Dependency: perl for package: w3m
    --> Processing Dependency: libgpm.so.1()(64bit) for package: w3m
    --> Running transaction check
    ---> Package gpm.x86_64 0:1.20.1-74.1.0.1 set to be updated
    ---> Package perl.x86_64 4:5.8.8-40.el5_9 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package       Arch        Version                 Repository        Size
    ================================================================================
    Installing:
     w3m           x86_64      0.5.1-18.0.1.el5        el5_latest       1.1 M
    Installing for dependencies:
     gpm           x86_64      1.20.1-74.1.0.1         el5_latest       191 k
     perl          x86_64      4:5.8.8-40.el5_9        el5_latest        12 M

    Transaction Summary
    ================================================================================
    Install 3 Package(s)
    Upgrade 0 Package(s)

    Total download size: 14 M

    Is this ok [y/N]: y

    Downloading Packages:
    (1/3): gpm-1.20.1-74.1.0.1.x86_64.rpm                    | 191 kB     00:01
    (2/3): w3m-0.5.1-18.0.1.el5.x86_64.rpm                   | 1.1 MB     00:03
    (3/3): perl-5.8.8-40.el5_9.x86_64.rpm                    |  12 MB     00:33
    --------------------------------------------------------------------------------
    Total                                           350 kB/s |  14 MB     00:39
    warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 1e5e0159
    el5_latest/gpgkey                                        | 1.4 kB     00:00
    Importing GPG key 0x1E5E0159 "Oracle OSS group (Open Source Software group)" from /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

    Is this ok [y/N]: yes

    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : perl                                          1/3
      Installing : gpm                                           2/3
      Installing : w3m                                           3/3

    Installed:
      w3m.x86_64 0:0.5.1-18.0.1.el5

    Dependency Installed:
      gpm.x86_64 0:1.20.1-74.1.0.1
      perl.x86_64 4:5.8.8-40.el5_9

    Complete!

    Now you can access the web server running on ol6cont1 as follows:

    [root@ol5cont1 ~]# w3m -dump http://ol6cont1/
    ol6cont1 web server is running

    Congratulations, the web server in container ol6cont1 is working properly!

    Congratulations, you just exchanged HTTP traffic between two Oracle Linux containers!

    Exercise: Monitoring containers

    Use lxc-ps on the host to get a list of processes running in a given container:

    [oracle@oraclelinux6 ~]$ lxc-ps -n ol5cont1

    CONTAINER    PID TTY          TIME CMD
    ol5cont1    7179 ?        00:00:00 init
    ol5cont1    7470 ?        00:00:00 dhclient
    ol5cont1    7522 ?        00:00:00 rsyslogd
    ol5cont1    7551 ?        00:00:00 sshd
    ol5cont1    7560 pts/11   00:00:00 mingetty
    ol5cont1    7562 pts/8    00:00:00 mingetty
    ol5cont1    7563 pts/9    00:00:00 mingetty
    ol5cont1    7564 pts/10   00:00:00 mingetty
    ol5cont1    7609 pts/7    00:00:00 mingetty

    To check the status of a container's active network connections from the host system, use the lxc-netstat command:

    [oracle@oraclelinux6 ~]$ sudo lxc-netstat -n ol6cont1 -ntlup

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address    Foreign Address    State     PID/Program name
    tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN    -
    tcp        0      0 :::80            :::*               LISTEN    -
    tcp        0      0 :::22            :::*               LISTEN    -
    udp        0      0 0.0.0.0:68       0.0.0.0:*                    -

    As you can see in the example above, both the SSH daemon as well as the Apache web server are up and running, listening for incoming connections.
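    The lxc-netstat listing above can also be checked automatically against the services a container is supposed to expose. The following is an added example, not part of the original lab: the function name, the allowlist format and the extra tcp/3306 row in the sample are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: compare a container's listening sockets with an allowlist.
# Input is the text printed by "lxc-netstat -n <name> -ntlup" (netstat format).

# unexpected_listeners "<allowed>" < netstat_output
# <allowed> is a space-separated list such as "tcp/22 tcp/80 udp/68".
# Prints proto/port for every listening TCP or bound UDP socket not in the list.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Only socket rows start with tcp or udp; the two header lines are skipped.
        $1 ~ /^(tcp|udp)/ {
            # TCP rows count only in LISTEN state; UDP rows have no state column.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            proto = $1; sub(/6$/, "", proto)    # tcp6 -> tcp on newer netstat
            port = $4;  sub(/.*:/, "", port)    # 0.0.0.0:22 or :::80 -> port number
            key = proto "/" port
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Sample input: the lab's output for ol6cont1 plus one constructed row (tcp/3306)
# standing in for a service nobody meant to expose.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address    State     PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN    -
tcp        0      0 0.0.0.0:3306     0.0.0.0:*          LISTEN    -
tcp        0      0 :::80            :::*               LISTEN    -
tcp        0      0 :::22            :::*               LISTEN    -
udp        0      0 0.0.0.0:68       0.0.0.0:*                    -
EOF
}

# Expected in this lab: sshd (tcp/22), httpd (tcp/80), DHCP client (udp/68).
sample_netstat | unexpected_listeners "tcp/22 tcp/80 udp/68"

# Against a live container:
#   sudo lxc-netstat -n ol6cont1 -ntlup | unexpected_listeners "tcp/22 tcp/80 udp/68"
```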

    If you'd like to determine the amount of memory currently used by a given container, you can obtain this information from the control groups subsystem:

    [oracle@oraclelinux6 ~]$ lxc-cgroup -n ol6cont1 memory.usage_in_bytes
    169033728

    Please note that containers share memory with the host system when possible, which is why the footprint is pretty low. The Linux memory management subsystem uses a copy-on-write technique to share memory pages among processes, if they are identical.

    To monitor the state of a container, use the lxc-monitor command. Open a second command line terminal and start it with the following command. Now start and stop your containers using the lxc-start and lxc-shutdown commands from another shell and observe how lxc-monitor indicates the state changes:

    [oracle@oraclelinux6 ~]$ lxc-monitor -n ".*"

    'ol6cont2' changed state to [STARTING]
    'ol6cont2' changed state to [RUNNING]
    'ol6cont2' changed state to [STOPPING]
    'ol6cont2' changed state to [STOPPED]
    'ol5cont1' changed state to [STARTING]
    'ol5cont1' changed state to [RUNNING]

    lxc-monitor can either be given an actual container name or a regular expression to match multiple container names, as in the example above.

    Exercise: Changing a container's network configuration

    By default, the lxc-oracle template script sets up networking by setting up a virtual ethernet (veth) bridge. In this mode, a container obtains its IP address from the dnsmasq server that libvirtd runs on the private virtual bridge network (virbr0) between the container and the host. The host allows a container to connect to the rest of the network by using NAT rules in iptables, but these rules do not allow incoming connections to the container. Both the host and other containers on the veth bridge have network access to the container via the bridge.

    If you want to allow network connections from outside the host to be able to connect to the container, the container needs to have an IP address on the same network as the host. One way to achieve this configuration is to use a macvlan bridge to create an independent logical network for the container. This network is effectively an extension of the local network that is connected to the host's network interface. External systems can access the container as though it were an independent system on the network, and the container has network access to other containers that are configured on the bridge and to external systems. The container can also obtain its IP address from an external DHCP server on your local network. However, unlike a veth bridge, the host system does not have network access to the container.

    To modify a container so that it uses the macvlan bridge, shut down the ol6cont1 container, edit /container/ol6cont1/config and look for the following lines:

    lxc.network.type = veth
    lxc.network.flags = up
    lxc.network.link = virbr0

    Now replace these with the following lines to switch to macvlan bridge mode:

    lxc.network.type = macvlan
    lxc.network.macvlan.mode = bridge
    lxc.network.flags = up
    lxc.network.link = eth1

    Now restart the ol6cont1 container and verify its IP address using ifconfig - it should now have obtained a different one instead, if there is a DHCP server configured. This depends on the VirtualBox configuration: in "NAT" mode it will be obtained from the VirtualBox DHCP server, in "Bridged" network mode the DHCP server on your LAN will handle the container's DHCP request instead.
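    The same edit can be scripted so that it keeps a copy of the veth configuration and refuses to run twice. This is an added example, not part of the original lab: the function name to_macvlan, the .veth.bak suffix and the lxc.utsname line in the sample config are assumptions; the network keys and values are the ones shown above.

```bash
#!/bin/bash
# Added example: switch an LXC container config from veth to macvlan bridge mode.

# to_macvlan <config-file> <host-interface>
# Rewrites the lxc.network.* lines in place and keeps the original as
# <config-file>.veth.bak. A config that is not in veth mode is left untouched.
to_macvlan() {
    cfg=$1 link=$2
    grep -Eq '^lxc\.network\.type *= *veth *$' "$cfg" || {
        echo "$cfg: not a veth configuration, left unchanged" >&2
        return 1
    }
    cp -p "$cfg" "$cfg.veth.bak" || return 1
    awk -v link="$link" '
        /^lxc\.network\.type *=/ {
            print "lxc.network.type = macvlan"
            print "lxc.network.macvlan.mode = bridge"
            next
        }
        /^lxc\.network\.link *=/ { print "lxc.network.link = " link; next }
        /^lxc\.network\.macvlan\.mode *=/ { next }   # never emit the key twice
        { print }                                    # all other lines unchanged
    ' "$cfg.veth.bak" > "$cfg"
}

# Demo on a constructed config in a temporary directory. The three network
# lines are the lab's veth defaults; the utsname line is constructed.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/config" <<'EOF'
lxc.utsname = ol6cont1
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = virbr0
EOF
    to_macvlan "$dir/config" eth1 && cat "$dir/config"
    rm -rf "$dir"
}
demo

# On the lab host, with the container shut down:
#   sudo bash -c '. ./to_macvlan.sh; to_macvlan /container/ol6cont1/config eth1'
```

    Copying config.veth.bak back over config restores the NAT-only veth setup, in which the container is not reachable from outside the host.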

    Destroying containers

    Containers that are no longer needed can be discarded using the lxc-destroy command. Use the -f option to stop the container if it's still running (which would otherwise abort the container destruction):

    [oracle@oraclelinux6 ~]$ lxc-ls
    ol5cont1 ol5cont2 ol6cont1 ol6cont2
    [oracle@oraclelinux6 ~]$ lxc-ls --active
    ol5cont2 ol6cont1
    [oracle@oraclelinux6 ~]$ sudo lxc-destroy -n ol5cont2
    lxc-destroy: 'ol5cont2' is RUNNING; aborted
    [oracle@oraclelinux6 ~]$ sudo lxc-destroy -f -n ol5cont2
    Delete subvolume '/container/ol5cont2/rootfs'
    [oracle@oraclelinux6 ~]$ lxc-ls --active
    ol6cont1
    [oracle@oraclelinux6 ~]$ lxc-ls
    ol5cont1 ol6cont1 ol6cont2

    Conclusion

    In this hands-on lab, we covered the basics of working with Linux Containers (LXC). Hopefully this information was useful and made you curious to learn more about this technology, which is still evolving.

    If you'd like to learn more about this topic, there is a dedicated chapter about Linux containers in the Oracle Linux Administrator's Solutions Guide. It covers the creation, configuration and starting/stopping as well as monitoring of containers in more detail. Also take a look at the following resources for more details and practical hints.

    References

    Chapter: Linux Containers (http://docs.oracle.com/cd/E37670_01/E37355/html/ol_containers.html) in the Oracle Linux 6 Administrator's Solutions Guide (http://docs.oracle.com/cd/E37670_01/E37355/html/index.html)
    Oracle Linux Technology Spotlight: LXC Linux Containers (http://www.oracle.com/technetwork/server-storage/linux/technologies/oracle-linux-containers-1898044.html)
    Wikipedia: Linux Containers (http://en.wikipedia.org/wiki/LXC)
    OTN Garage blog: Linux-Containers Part 1: Overview (https://blogs.oracle.com/OTNGarage/entry/linux_containers_part_1_overview)
    OTN Garage blog: Linux Container (LXC) Part 2: Working With Containers (https://blogs.oracle.com/OTNGarage/entry/linux_container_lxc_part_2)
    OTN Article: The Role of Oracle Solaris Zones and Linux Containers in a Virtualization Strategy (http://www.oracle.com/technetwork/articles/servers-storage-admin/zones-containers-virtualization-1880908.html)
    Video on the Oracle Linux YouTube channel (https://www.youtube.com/user/OracleLinuxChannel): Linux Containers Explained (http://youtu.be/nm5hhPli7Ag)
    Linux Advocates: Linux Containers and Why They Matter (http://www.linuxadvocates.com/2013/04/linux-containers-and-why-they-matter.html)
    OTN Article: How I Used CGroups to Manage System Resources In Oracle Linux 6 (http://www.oracle.com/technetwork/articles/servers-storage-admin/resource-controllers-linux-1506602.html)
    libvirt - The virtualization API (http://libvirt.org/)