Posts
Dockers并不是第一个Linux container solution。
Dockers V.S. LXC
As Docker vs LXC mentioned: Docker, previously called dotCloud, was started as a side project and only open-sourced in 2013. It is really an extension of LXC’s capabilities. This it achieves using a high-level API that provides a lightweight virtualization solution to run processes in isolation. Docker is developed in the Go language and utilizes LXC, cgroups, and the Linux kernel itself. Since it’s based on LXC, a Docker container does not include a separate operating system; instead it relies on the operating system’s own functionality as provided by the underlying infrastructure. So Docker acts as a portable container engine, packaging the application and all its dependencies in a virtual container that can run on any Linux server.
Commands lxc-attach/lxc-console for enter a container. Others(-t = --template, -n = --name, -d = --daemon, u1 is container name):
[sudo] lxc-create -t download -n u1 -- -d ubuntu -r xenial -a amd64 => no need of sudo for creating unprivileged container
sudo lxc-ls --fancy
sudo lxc-start --name u1 --daemon
sudo lxc-info --name u1
sudo lxc-stop --name u1
sudo lxc-destroy --name u1
sudo lxc-start --name u1 --daemon
sudo lxc-info --name u1
sudo lxc-stop --name u1
sudo lxc-destroy --name u1
For Unprivileged container, if not using sudo, may need refer to this and this to grant permission for accessing .local folder, like this:
chmod a+rx ~/.local ~/.local/share or: cd $HOME && setfacl -m u:100000:x .local .local/share, "100000" here is the uid you get from /etc/subuid. Basically need to add root-of-the-unpriv-container (usually 100000 for the first normal user) "x" access to your home and .local directory. With the 2nd way, when run getfacl against .local, will see a new line: “mask::--x”.
After installed openssh-server on the container, will need to run useradd and passwd to create user for ssh access.
Global configuration
The following configuration files are consulted by LXC. For privileged use, they are found under /etc/lxc, while for unprivileged use they are under ~/.config/lxc.
lxc.conf may optionally specify alternate values for several lxc settings, including the lxcpath, the default configuration, cgroups to use, a cgroup creation pattern, and storage backend settings for lvm and zfs.
default.conf specifies configuration which every newly created container should contain. This usually contains at least a network section, and, for unprivileged users, an id mapping section
lxc-usernet.conf specifies how unprivileged users may connect their containers to the host-owned network.
lxc.conf and default.conf are both under /etc/lxc and $HOME/.config/lxc, while lxc-usernet.conf is only host-wide.
By default, containers are located under /var/lib/lxc for the root user, and $HOME/.local/share/lxc otherwise. The location can be specified for all lxc commands using the "-P|--lxcpath" argument. => unprivileged container will be stored at /var/lib/lxc if run lxc-create with sudo.
Practice
lxc-clone is deprecated in favor of lxc-copy. Refer to wikipedia for LVM. For running multiple same container, to save space, creating the 2nd container C2 from origin container C1, use snapshot option: lxc-stop -n C1 && lxc-copy -n C1 -s -N C2
Almost no space cost for the 2nd container.
Both container can see the host’s kernel log by running dmesg, and can access sysfs of host.
