2025-01-15 Update. From: SLTechnology News&Howtos (Shulou.com)
Many newcomers are unclear about how to build Linux containers and carry out simple management of them. This article explains the process in detail for anyone who needs it.
Introduction to cgroups
The LXC project consists of a Linux kernel patch and a set of userspace tools. The tools use the kernel features added by the patch to provide a simplified way to maintain containers. Linux kernel versions after 2.6.29 already include most of the features provided by this patch. Therefore, it is strongly recommended to use the kernel source code of *. LXC relies on the cgroups (Control Groups) system of the Linux kernel for resource management. cgroups is a process-group-based resource management framework provided by the Linux kernel that can limit the resources available to specific groups of processes. It was originally proposed by Google engineers and later integrated into the Linux kernel. cgroups is also the resource management tool LXC uses to implement virtualization; without cgroups there would be no LXC. The structure of the cgroups file system is shown in figure 1.
Figure 1. cgroups file system structure
Terminology
Control group: a control group is a set of processes grouped according to certain criteria. Resource control in cgroups is implemented per control group. A process can join a control group or migrate from one control group to another.
Hierarchy: control groups can be organized hierarchically, as a control group tree. A child node in the tree is a child of its parent control group and inherits specific attributes of the parent.
Subsystem: a subsystem is a resource controller. For example, the cpu subsystem is a controller that controls CPU time allocation. A subsystem must be attached to a hierarchy in order to work. Once a subsystem is attached to a hierarchy, all control groups in that hierarchy are controlled by that subsystem. There are mainly the following nine subsystems:
blkio: this subsystem sets input/output limits for block devices, such as physical devices (disks, solid state drives, USB, etc.).
cpu: this subsystem uses the scheduler to give cgroup tasks access to the CPU.
cpuacct: this subsystem automatically generates reports on the CPU used by tasks in a cgroup.
cpuset: this subsystem assigns individual CPUs (on multicore systems) and memory nodes to tasks in a cgroup.
devices: this subsystem allows or denies access to devices by tasks in a cgroup.
freezer: this subsystem suspends or resumes tasks in a cgroup.
memory: this subsystem sets limits on the memory used by tasks in a cgroup and automatically generates reports on the memory resources used by those tasks.
net_cls: this subsystem tags network packets with a class identifier (classid), which allows the Linux traffic controller (tc) to identify packets originating from a specific cgroup.
ns: the ns subsystem provides a way to group processes into different namespaces. Within a namespace, processes can interact with each other, but they are isolated from processes running in other namespaces. These separate namespaces are sometimes referred to as containers when used for operating-system-level virtualization.
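To see these terms on a running system, the following added example (not part of the original article) parses text in the format of /proc/<pid>/cgroup, where each line names one hierarchy, the subsystems attached to it and the control group the process belongs to. The sample lines and the /lxc/cjhlxc1 group path are constructed assumptions.

```sh
# Added example (cgroup v1): which control group is a process in, per subsystem?
# Input lines look like "hierarchy-id:subsystem[,subsystem...]:cgroup-path".

# Constructed sample for a process inside container cjhlxc1. The /lxc/<name>
# path layout is an assumption, not taken from the article.
sample_cgroup() {
cat <<'EOF'
9:memory:/lxc/cjhlxc1
8:cpu,cpuacct:/lxc/cjhlxc1
7:devices:/lxc/cjhlxc1
6:blkio:/
5:freezer:/lxc/cjhlxc1
EOF
}

# cgroup_of SUBSYSTEM: read such lines on stdin and print the control group for
# SUBSYSTEM. Exit status 1 means the subsystem is not listed for this process.
cgroup_of() {
    awk -F: -v want="$1" '
        {
            n = split($2, subs, ",")
            for (i = 1; i <= n; i++) {
                if (subs[i] != want) continue
                path = $3                       # a path may contain ":" itself
                for (j = 4; j <= NF; j++) path = path ":" $j
                print path; found = 1; exit
            }
        }
        END { exit(found ? 0 : 1) }'
}

# root_group_subsystems: list subsystems where the process is still in the root
# control group "/", so no container-specific limit of that subsystem applies.
root_group_subsystems() {
    awk -F: '$3 == "/" { n = split($2, s, ","); for (i = 1; i <= n; i++) print s[i] }' |
        sort | tr '\n' ' ' | sed 's/ $//'
}
```

On a cgroup v1 host, `cgroup_of memory < /proc/self/cgroup` runs the same lookup for the current shell.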
Set up * LXC virtual computers
The Linux distribution used in this article is Ubuntu 12.10. Install the software package first:
# apt-get install lxc
After installing the package, check the kernel's support for LXC in the Linux distribution with the lxc-checkconfig command, as shown in figure 2.
Figure 2. lxc-checkconfig command
If every item checked by lxc-checkconfig shows "enabled", you can use LXC directly.
Set up an Ubuntu Server LXC virtual computer system
Build it with the following command (see figure 3 for the execution):
# lxc-create -t ubuntu -n cjhlxc1
Note that the ubuntu template is used here. Template files are stored in the /usr/lib/lxc/templates/ directory, which also contains other templates. You can list them with the following command; the output is shown below:
# tree /usr/lib/lxc/templates/
/usr/lib/lxc/templates/
├── lxc-busybox
├── lxc-debian
├── lxc-fedora
├── lxc-opensuse
├── lxc-sshd
├── lxc-ubuntu
└── lxc-ubuntu-cloud
Figure 3. Set up an Ubuntu Server LXC system
Note: the installation takes some time and requires an Internet connection throughout.
After the above command completes, the virtual machine cjhlxc1 is created in the /var/lib/lxc directory. Its directory structure is shown in figure 4.
Figure 4. Virtual computer cjhlxc1 directory structure
Basic management of the LXC virtual computer: understanding the LXC management commands
Common LXC commands are described in Table 1:
Table 1. Description of common LXC commands
Note: for a more detailed list of lxc commands and how to use them, refer to the documentation on the official website.
Figure 5. Schematic diagram of the execution of the main LXC commands
Examples of common commands in LXC
Start the LXC virtual computer
# lxc-start -n cjhlxc1
The account and password are both ubuntu. Log in to the virtual computer as shown in figure 6:
Figure 6. Log in to the virtual computer
List all containers in the current system
Check which containers are currently started (if there are no results, no containers are currently started):
# lxc-ls
cjhlxc1 foo
Log in to the third console of the container using lxc-console:
$ lxc-console -n cjhlxc1 -t 3
Note: if the -t N option is not specified, an unused console is selected automatically. To exit the console, use the shortcut Ctrl-a q.
Stop running a container:
# lxc-stop -n cjhlxc1
Get the status of a container:
# lxc-info -n ol6ctr1
Destroy a container:
# lxc-destroy -n cjhlxc11
Copy a container:
# lxc-clone -o cjhlxc1 -n ol6ctr2
Pause or resume a container:
# lxc-freeze -n cjhlxc1
# lxc-unfreeze -n cjhlxc1
LXC virtual network interface settings
Learn about LXC's built-in network architecture
Whatever the virtualization system, as long as it runs within the Linux system architecture, the virtual network it uses is the default virtual network architecture of the Linux system (i.e. TAP/TUN, Bridge). Figure 7 shows a diagram.
Figure 7. LXC virtual network interface diagram
The two containers in figure 7 use Veth Bridge, because by default the LXC template scripts set up networking based on Veth Bridge. In this mode the container gets its IP address from the dnsmasq server. The host lets containers connect to the rest of the network using iptables NAT rules, but these rules do not allow incoming connections to the containers.
In addition to Veth Bridge, the LXC virtual computer also supports Macvlan Bridge and Macvlan VEPA. Sometimes a physical network card needs to be bound to multiple IP addresses and multiple MAC addresses. Binding multiple IP addresses is easy, but those addresses share the MAC address of the physical network card, which may not meet the design requirements. A MACVLAN device solves this.
MACVLAN decides which virtual network card a received packet is handed to based on the packet's destination MAC address. Space does not permit an introduction to Macvlan Bridge and Macvlan VEPA here; interested readers can refer to the introduction in the references.
As with KVM, installing LXC creates a network interface by default that combines the following functions: switch (Switch Hub) + DHCP server + NAT + caching DNS server. The interface is named lxcbr0, which can be verified with the following command:
# brctl show
bridge name     bridge id               STP enabled     interfaces
lxcbr0          8000.3eef2e882ac9       no              vetheCYpw4
The command output shows the details of lxcbr0. Besides acting as a switch, this network interface also provides NAT, DHCP and DNS caching services by default. That NAT is enabled through iptables can be confirmed with the following command. The command output is as follows:
# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.3.0/24         !10.0.3.0/24
The functions of DHCP service and DNS cache service can be verified by the following command:
# ps aux | grep lxc
The output of the command is shown in figure 8:
Figure 8. View DHCP service and DNS caching service
Modifying the LXC network interface
Generally, this is done by modifying the lxcbr0 settings file. The "ifconfig lxcbr0" command shows the IP address of lxcbr0 itself, and the "ps aux | grep dnsmasq" command shows the IP range assigned by the DHCP server, so the default IP segment of the LXC virtual network is 10.0.3.0/24. Can this information be modified? Yes: these are LXC's default network settings, and they can be changed in the configuration file to suit the actual deployment. Use an editor to modify the LXC network configuration file:
# vi /etc/default/lxc
Listing 1. Contents of the /etc/default/lxc file:
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.254"
LXC_DHCP_MAX="253"
LXC_SHUTDOWN_TIMEOUT=120
To restart the network service after modification, use the following command:
# service lxc-net restart
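When these values are changed, the address, netmask and network must still describe the same subnet. The following is an added example, not part of the original article, that checks this on the file text; the sample values are constructed from Listing 1 and the function names are hypothetical.

```sh
# Added example: check that edited /etc/default/lxc values agree with each other.
# Constructed sample text; only the three keys compared below are included.
sample_defaults() {
cat <<'EOF'
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
EOF
}

# conf_val KEY: value of KEY=... from stdin, surrounding quotes removed.
conf_val() { awk -F= -v k="$1" '$1 == k { gsub(/"/, "", $2); print $2 }'; }

# ip2int A.B.C.D: dotted quad as a 32-bit integer.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) + (b << 16) + (c << 8) + d )); }
}

# check_lxc_net: read the file text on stdin, print "ok" or the first mismatch.
check_lxc_net() {
    conf=$(cat)
    addr=$(ip2int "$(printf '%s\n' "$conf" | conf_val LXC_ADDR)")
    mask=$(ip2int "$(printf '%s\n' "$conf" | conf_val LXC_NETMASK)")
    network=$(printf '%s\n' "$conf" | conf_val LXC_NETWORK)
    net=$(ip2int "${network%/*}"); prefix=${network#*/}
    # Netmask implied by the /prefix, e.g. /24 -> 255.255.255.0
    want=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    if [ "$mask" -ne "$want" ]; then
        echo "LXC_NETMASK does not match /$prefix"
    elif [ $(( net & want )) -ne "$net" ]; then
        echo "LXC_NETWORK has host bits set"
    elif [ $(( addr & want )) -ne "$net" ]; then
        echo "LXC_ADDR is outside LXC_NETWORK"
    else
        echo "ok"
    fi
}
```

Running `check_lxc_net < /etc/default/lxc` before the restart reports the first inconsistency, if any.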
Set up LXC to use a physical network interface
Compared with KVM, LXC can use a physical network interface directly (in this article the physical network cards are eth0 and eth2, and the author is going to assign eth0 to the LXC virtual network). First check with the "ifconfig -a" command: eth2 is the network interface the physical computer actually uses to go online, and eth0 can be given to the LXC virtual computer. Then modify the configuration file of the LXC virtual computer, /var/lib/lxc/cjhlxc1/config.
# vi /var/lib/lxc/cjhlxc1/config
Listing 2. Contents of the /var/lib/lxc/cjhlxc1/config file:
lxc.network.type=phys
lxc.network.link=eth0
lxc.network.flags=up
lxc.utsname = cjhlxc1
# lxc.network.hwaddr = 00:16:3e:f9:ad:be # comment out this line
# lxclxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
lxc.rootfs = /var/lib/lxc/myt2/rootfs
lxc.mount = /var/lib/lxc/myt2/fstab
lxc.arch = amd64
lxc.cap.drop = sys_module mac_admin
lxc.pivotdir = lxc_putold
Save and exit after the modification is completed. The parameters above are briefly explained as follows:
lxc.network.type specifies the type of network used for the container. There are four types:
empty: sets up an unused network interface.
veth: the container is linked to the bridge defined by lxc.network.link to communicate with the outside world. The bridge must be created in advance.
macvlan: a macvlan interface is linked to the interface given by lxc.network.link.
phys: the physical interface specified by lxc.network.link is assigned to the container.
lxc.network.flags specifies the state of the network; up indicates that the network is available.
lxc.network.link specifies the real interface used to communicate with the container interface, such as a bridge br0.
lxc.network.hwaddr specifies the MAC address of the container's network interface.
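The parameters above can be read back from a container's config to confirm what the container will actually get. The following is an added example, not part of the original article: the sample config is constructed from Listing 2, the function names are hypothetical, and the list of capabilities passed to missing_cap_drops is the caller's own policy.

```sh
# Added example: review an LXC container config; constructed sample modelled on Listing 2.
sample_config() {
cat <<'EOF'
lxc.network.type=phys
lxc.network.link=eth0
lxc.network.flags=up
lxc.utsname = cjhlxc1
# lxc.network.hwaddr = 00:16:3e:f9:ad:be
lxc.cap.drop = sys_module mac_admin
EOF
}

# conf_get KEY: value of KEY from config text on stdin; comment lines are skipped.
conf_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }'
}

# audit_network: one finding for the network type, using the article's four types.
audit_network() {
    conf=$(cat)
    ntype=$(printf '%s\n' "$conf" | conf_get lxc.network.type)
    link=$(printf '%s\n' "$conf" | conf_get lxc.network.link)
    case "$ntype" in
        phys)    echo "phys: host interface $link moves into the container" ;;
        veth)    echo "veth: container is linked to bridge $link" ;;
        macvlan) echo "macvlan: macvlan interface linked to $link" ;;
        empty)   echo "empty: unused network interface" ;;
        *)       echo "unknown lxc.network.type: '$ntype'" ;;
    esac
}

# missing_cap_drops CAP...: print the capabilities from the caller's policy list
# that lxc.cap.drop does not drop (config text on stdin).
missing_cap_drops() {
    dropped=" $(conf_get lxc.cap.drop | tr '\n' ' ') "
    missing=""
    for cap in "$@"; do
        case "$dropped" in *" $cap "*) ;; *) missing="$missing $cap" ;; esac
    done
    echo "${missing# }"
}
```

For the container in this article, `audit_network < /var/lib/lxc/cjhlxc1/config` reports the phys case, which matches eth0 disappearing from the host once the container starts.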
Modify the host network configuration file as follows:
# vim /etc/network/interfaces
Notice that the configuration file is empty and has no content at this time. It can be set either to fixed IP address mode (see listing 3) or to obtain the IP address from the DHCP server (see listing 4).
Listing 3. Fixed IP address mode:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
    address 10.0.0.3
    netmask 255.255.255.0
    dns-nameservers 10.0.0.4
Listing 4. Obtaining the IP address from the DHCP server:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
    dns-nameservers 10.0.0.4
Save and exit after the modification is completed. Then restart the network service:
# /etc/init.d/networking restart
Then start the LXC virtual computer:
# lxc-start -n cjhlxc1
Once the LXC virtual computer has started successfully, run "ifconfig -a" on the host to view the host's network interfaces: eth0 has disappeared and only eth2 remains, because eth0 is now in use by the LXC virtual computer. Then log in to the LXC virtual computer with "lxc-console -n cjhlxc1"; its network interface is eth0. Finally, use the ping command to test whether the LXC virtual computer is connected to the Internet.
LXC is the Linux container tool. Containers provide lightweight virtualization that isolates processes and resources. The advantage of LXC is that it does not require many software packages to be installed and does not consume many resources in use. This article has walked through setting up and managing a Linux container and configuring its virtual network interface step by step.