containers

The big advantage of containers over VMs is that you don't need a complete OS underneath each application. The picture below shows the difference.

image

Now for some terms that keep flying around; I put them in order of 'size':

  • cgroups : control groups are the kernel's way of grouping processes and limiting the resources (the container's real estate) they can use.
  • container : a lightweight VM; it reuses the OS and some libs, but is shielded.
  • docker : focuses on applications based on containers.
  • kubernetes : orchestrates many docker apps into bigger swarms.

In this list I think docker is the level we are most interested in as developers. But I think I want to see how the lower-level blocks work, and am actually not interested in kubernetes.

lxc

LXC is generally seen as somewhere between chroot and a VM.

https://linuxcontainers.org/lxc/getting-started/

Linux containers. The page linked above states that Ubuntu is an ideal way of starting with Linux containers. Installation is merely:

install lxc
sudo apt-get install lxc

usage

If you use LXC as a non-root user you have to create an unprivileged container. You cannot do everything in one of those (a good thing). To get a feel for it I now just do a very terse command-line session:

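cli
# "sudo echo ... >> file" fails: the redirect is opened by the calling non-root shell, so append via sudo tee
echo "kees veth lxcbr0 10" | sudo tee -a /etc/lxc/lxc-usernet
mkdir -p ~/.config/lxc
cp /etc/lxc/default.conf ~/.config/lxc/
# map container uids/gids 0-65535 to host ids 100000-165535;
# the range must be allocated to the user in /etc/subuid and /etc/subgid
echo "lxc.idmap = u 0 100000 65536" >> ~/.config/lxc/default.conf
echo "lxc.idmap = g 0 100000 65536" >> ~/.config/lxc/default.conf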
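
The two lxc.idmap lines above map container IDs 0-65535 onto host IDs 100000-165535, so root inside an unprivileged container is an ordinary unprivileged ID on the host. The script below is an added example, not part of the original session: it resolves container IDs to host IDs and checks the mapping against a subuid/subgid allocation; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: where do the lxc.idmap lines above put container IDs on the host,
# and is the mapped range inside the user's subordinate ID allocation?

# host_id CONF KIND CID: print the host ID that container ID CID maps to.
# KIND is u (uid) or g (gid); returns 1 if CID is outside every mapped range.
host_id() {
    awk -v kind="$2" -v cid="$3" '
        $1 == "lxc.idmap" && $3 == kind && cid + 0 >= $4 + 0 && cid + 0 < $4 + $6 {
            print $5 + (cid - $4); found = 1; exit
        }
        END { exit !found }' "$1"
}

# idmap_covered CONF SUBID_FILE USER KIND: succeed only if every KIND mapping in
# CONF lies inside a range that SUBID_FILE (subuid/subgid format) grants to USER.
idmap_covered() {
    awk -v user="$3" -v kind="$4" '
        FNR == NR {                       # first file: user:start:count
            split($0, f, ":")
            if (f[1] == user) { n++; lo[n] = f[2] + 0; hi[n] = f[2] + f[3] }
            next
        }
        $1 == "lxc.idmap" && $3 == kind { # second file: the LXC config
            seen = 1; ok = 0
            for (i = 1; i <= n; i++) if ($5 + 0 >= lo[i] && $5 + $6 <= hi[i]) ok = 1
            if (!ok) bad = 1
        }
        END { exit (bad || !seen) }' "$2" "$1"
}

# Constructed sample files (hypothetical values, not read from a real host).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n' > "$demo/default.conf"
printf 'kees:100000:65536\n' > "$demo/subuid"
printf 'kees:165536:65536\n' > "$demo/subgid"   # deliberately mismatched

echo "container uid 0    -> host uid $(host_id "$demo/default.conf" u 0)"
echo "container uid 1000 -> host uid $(host_id "$demo/default.conf" u 1000)"
for kind in u g; do
    if idmap_covered "$demo/default.conf" "$demo/sub${kind}id" kees "$kind"; then
        echo "$kind map: inside the allocation for kees"
    else
        echo "$kind map: NOT inside the allocation for kees"
    fi
done
```

On a real system, point the functions at ~/.config/lxc/default.conf, /etc/subuid and /etc/subgid instead of the sample files.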

However, when starting the container I get this error:

lxc-create container
lxc-create -t download -n my-container
lxc-create: my-container: conf.c: chown_mapped_root: 3206 lxc-usernsexec failed: No such file or directory - Failed to open ttyNo such file or directory - Failed to open ttyOperation not permitted - Failed to unshare mount and user namespac
lxc-create: my-container: tools/lxc_create.c: main: 331 Failed to create container my-container

No advice from the web works, so I reverted to doing it as root with a privileged container:

privileged container
sudo su 
lxc-create -t download -n privileged-container
lxc-start -n privileged-container
lxc-info privileged-container
Name:           privileged-container
State:          RUNNING
PID:            7639
CPU use:        0.75 seconds
BlkIO use:      1.77 MiB
Memory use:     26.76 MiB
KMem use:       10.98 MiB

You can attach to the container and look around:

attach
root@hoek:/home/kees# lxc-attach privileged-container
root@privileged-container:/# ls /home
root@privileged-container:/# df
Filesystem     1K-blocks      Used Available Use% Mounted on
/dev/sdf1      488384512 468786456  19410744  97% /
none                 492         0       492   0% /dev
tmpfs           12332944         0  12332944   0% /dev/shm
tmpfs           12332944      8252  12324692   1% /run
tmpfs               5120         0      5120   0% /run/lock
tmpfs           12332944         0  12332944   0% /sys/fs/cgroup

The command ls /home shows nothing; this is a real Debian system you have at your hands, but it is not like a VM. For instance, lsblk lists all disks of the host system, and /dev/sdf1 is the same disk as on the host, so that looks more like a chroot.

To wrap up:

destroy
exit
lxc-stop privileged-container
lxc-destroy privileged-container