What are containers?
LXC (LinuX Containers) provide an isolated operating system environment with its own file system, network, process and block I/O space. A favorite way to describe containers is that they are like "chroot on steroids", since they provide the file system isolation that chroot jails provide but they go beyond that by also providing an IP address, a separate process domain, user ids and dedicated access to the host’s physical resources (i.e. memory, CPU) which chroot jails do not provide.
There are two Linux kernel features that make LXC containers possible:
- Namespaces: It isolates an application’s view of the operating system so that it thinks it has its own isolated instance of a global resource. There are several types of namespaces: process (pid), networking (net), inter-process communication (ipc), file system (mnt), hostname (uts) and user IDs (user).
- Control Groups: Also known as cgroups, it provides task grouping and controls and isolates container access to physical resources such as memory, CPU and disk I/O.
The kernel in Ubuntu Server 14.04 LTS has built-in support for namespaces and cgroups so you can readily deploy LXC containers on day one.
What can I do with containers?
One of the main advantages of containers is process and system isolation, which is ideal for developers who need to experiment by installing test libraries or binaries and for system administrators who want to run applications in an isolated environment for management or security purposes.
In Ubuntu Server 14.04 LTS, you can deploy containers that run other Linux distributions such as RHEL and CentOS, so containers can also be used if you need quick access to an alternate Linux distribution than what’s running on your host.
How do containers compare to virtual machines?
Another widely-used term to describe LXC containers is "lightweight virtualization". Containers are similar to virtual machines (VMs) because they provide isolated computing environments all running independently on the same host. However, containers have very low overhead because you are not installing a separate operating system for the container and you do not need a hypervisor running on the host along with its overhead.
Figure 1 shows how VMs compare to containers. As you can see, containers do not have the same overhead as VMs and are thus faster to deploy, take up less resources and can achieve performance levels near those of the host they run on.
Table 1 lists a comparison of some important metrics between VMs and containers.
Containers are not going to replace virtual machines any time soon (or ever) but there are many use cases where the speed and flexibility of containers are better suited than virtual machines.
Figure 1: Virtualization vs. Containers
|
Virtualization (i.e. kvm, xen) |
LXC Containers |
Footprint |
Requires a hypervisor and a full operating system image. |
Does not require a hypervisor or a separate operating system image. |
OS supported |
Any OS supported by the hypervisor |
Most Linux distros, uses same kernel as host |
Typical server deployment |
10 – 100 VMs |
100 - 1000 containers |
Boot time |
Less than a minute |
Seconds |
Physical resources use (i.e. memory, CPU) |
Each VM has resource reserved for its own use |
Shared by all containers |
Table 1: Comparison between virtual machines and containers
Show me how to deploy a container, access it and remove it
In this example we used a PowerEdge R620 server, but you can use any PowerEdge server that has been certified with Ubuntu Server 14.04 LTS.
Install packages and create
You can use containers in Ubuntu 14.04 LTS by installing just a few packages. After installing the base OS, you can start deploying dozens of containers in a matter of minutes. To install:
$ sudo apt-get update
$ sudo apt-get install lxc
Installing the lxc package will automatically start a dnsmasq instance on your host and will create a default network bridge (i.e. lxcbr0) that will be used by the containers to get an IP address and access your host over network 10.0.3.0. These settings can be adjusted but here we used the default values.
To create your first container named lxc-test, run:
$ sudo lxc-create –n lxc-test
This will download a minimal Ubuntu 14.04 image from
http://images.linuxcontainers.org/ and install the operating system inside the container. This can take a few minutes to finish, depending on your network connection.
Starting a container
Once the container is installed, start it:
$ sudo lxc-start –n lxc-test –d
The "-d" ("daemon") option starts it in the background. You can get container details (including its IP address) with ‘lxc-info’:
$ sudo lxc-info –n lxc-test
Name: lxc-test
State: RUNNING
PID: 17954
IP: 10.0.3.156
CPU use: 2.18 seconds
BlkIO use: 160.00 KiB
Memory use: 9.13 MiB
[…]
Access a container
There are several ways to access a container (note that the default login id and password for an Ubuntu container are ‘ubuntu’ and ‘ubuntu’):
Spawn a shell directly in the container:
$ sudo lxc-attach -n lxc-test
Access the containers’ console (to detach, press ‘Ctrl + a’ at the same time, followed by ‘q’).
$ sudo lxc-console -n lxc-test
SSH into the container (get IP address from the ‘lxc-info’ output):
$ ssh
ubuntu@10.0.3.156
Stop and destroy
When you are done with the container (i.e. you are done testing that new test application) you can stop and destroy your container in 2 easy steps:
$ sudo lxc-stop –n lxc-test
$ sudo lxc-destroy –n lxc-test
Anything else?
Of course! But we will cover those in a future article. Here are a few fun things you can do with containers:
- Clone for later use
- Take snapshots to save a particular state
- ‘Freeze’ it to stop it temporarily from operating
- Attach USB devices on your physical host to a container
- Nesting (run a container inside a container)
If you’d like to learn more in the meantime, check out these useful sites:
https://help.ubuntu.com/lts/serverguide/lxc.html
https://linuxcontainers.org/
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/