container userspace tools

From: Daniel Lezcano
Date: Fri Oct 10 2008 - 07:01:38 EST


Hi all,

I saw different emails from people asking for user space tools for the containers, so I made a library and a set of command line tools.
This component is called "lxc" which stands for "LinuX Container".

The package can be found in the download area of:
http://sourceforge.net/projects/lxc

There is a cvs repository at:
http://lxc.cvs.sourceforge.net/lxc

The API is exported in the "lxc.h" header file.

It is not perfect, but it is very light and I hope that will make the life easier for the kernel hackers.
It can be used to create virtual private server and to "boot" a minimal distro like "debian minimal".

It takes into account the control groups and the checkpoint/restart API ... in a very optimistic way :)
It should be used with the kernel coming from the git tree, git://git.kernel.org/pub/scm/linux/kernel/git/daveh/linux-2.6-lxc.git
But the latest -mm should be ok, some commands will just fail (eg. checkpoint/restart).

How to use it ?
--------------------

(for checkpointr/restart see the end of the explanation for this very specific, experimental use case).

A container should be created before with (or without) a configuration file.

The configuration file has the following format (all fields are optional):

# set the hostname for the container
lxc.utsname = myhostname
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.hwaddr = 4a:49:43:49:79:bf
lxc.network.ipv4 = 1.2.3.5/24
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
lxc.mount = fstab
lxc.rootfs = rootfs
lxc.cgroup.cpuset.cpus = 1
lxc.cgroup.cpu.shares = 512

This is an example, but the configuration file can be much more simple or complex. In this example the configuration assume the host is configured with a bridge, the liblxc does not configure anything not related to the container, so it is up to the user/administrator to setup a bridge in this case. If the bridge is a problem, different network configurations exist to have a container to communicate with the outside world.
The network can be specified with several ip addresses, or either if there is only one physical network device, it is possible to specify multiple network devices for the container. To do that just replicate the network sections as follow:

lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.ipv4 = 192.168.9.100/24
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.name = eth1
lxc.network.ipv4 = 192.168.10.100/24

The more there are informations in the configuration file, the more the container is isolated. eg. if the network section is removed from the configuration file, the network won't be virtualized, the same for the ustname.

Step 1 : create the container named 'foo' with the configuration file 'lxc.conf'

lxc-create -n foo -f lxc.conf

If no configuration file is specified, the container will be created with default configuration, that is to say, pid namespace, mount namespace and ipc namespace. The other resources, network, file system, utsname, won't be virtualized.

Step 2 : launch a command inside

lxc-execute -n foo /bin/bash
or
lxc-start -n foo /bin/bash

The differences between lxc-execute and lxc-start are, lxc-execute creates an intermediate process for the pid namespace in order to support daemons and it mounts /proc and /sys.

Step 3 : Stop the container (from outside of the container)

lxc-stop -n foo

Step 4 : Destroy the container

lxc-destroy -n foo

ps: it is not mandatory to destroy the container, you can keep the configuration and execute/start the command again. That means after a reboot, the container configuration is still available.

These are the minimal steps to use a container, but there are some other useful commands:
lxc-freeze / lxc-unfreeze => stop / resume all processes running inside the container
lxc-monitor => follow the different states of the container
lxc-wait => wait for a specific state before exiting (useful for scripting)
lxc-ps => show all non-virtualized pids of a container
lxc-info => show the state of the container
lxc-cgroup => get/set cgroup info for this container

Checkpoint/Restart:
--------------------------

The checkpoint / restart is currently *very* experimental, and takes into account only one task. For this reason the **lxc-start** command *must* be used.

The easiest way is specifying a container with the minimal isolation for the minimal CR :)

lxc-create -n ckpt

lxc-start -n ckpt ./myverysimpleprogram

lxc-checkpoint -n ckpt -s > myckptfile

lxc-restart -n ckpt < myckptfile

ps: you have just to create one time the container.

The lxc-checkpoint command will do freeze - checkpoint - unfreeze, if the '-s' option is set, the container is stopped after the checkpoint.

I hope that will make people to have fun with the containers and the new kernel features.

Thanks.
-- Daniel
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/