Applies to openSUSE Leap 42.3

30 Linux Containers

30.1 Setting Up LXC Distribution Containers

A container is a kind of virtual machine that can be started, stopped, frozen, or cloned (to name but a few tasks). To set up an LXC container, you first need to create a root file system containing the guest distribution:

Procedure 30.1: Creating a Root File System

There is currently no GUI to create a root file system. You will thus need to open a terminal and use virt-create-rootfs as root to populate the new root file system. In the following steps, the new root file system will be created in /path/to/rootfs.

  1. Run the virt-create-rootfs command:

    virt-create-rootfs --root /PATH/TO/ROOTFS --distro SLES-12.0 -c REGISTRATION_CODE
  2. Change the root path to the root file system with the chroot command:

    chroot /path/to/rootfs
  3. Change the password for user root with passwd.

  4. Create an operator user without root privileges:

    useradd -m operator
  5. Change the operator's password:

    passwd operator
  6. Leave the chroot environment with exit.

Procedure 30.2: Defining the Container
  1. Start Virtual Machine Manager.

  2. (Optional) If not already present, add a local LXC connection by clicking File › Add Connection.

    Select LXC (Linux Containers) as the hypervisor and click Connect.

  3. Select the localhost (LXC) connection and click File New Virtual Machine menu.

  4. Activate Operating system container and click Forward.

  5. Type the path to the root file system from Procedure 30.1, “Creating a Root File System” and click the Forward button.

  6. Choose the maximum amount of memory and CPUs to allocate to the container. Then click the Forward button.

  7. Type in a name for the container. This name will be used for all virsh commands on the container.

    Click Advanced options. Select the network to connect the container to and click the Finish button: the container will then be created and started. A console will also be automatically opened.

Warning
Warning: Container Network

To configure the container network, edit the /etc/sysconfig/network/ifcfg-* files. Make sure not to change the IPv6 setting: this would lead to errors while starting the network.

30.2 Setting Up LXC Application Containers

Libvirt also allows to run single applications instead of full blown Linux distributions in containers. In this example, bash will be started in its own container.

Procedure 30.3: Defining an Application Container Using YaST
  1. Start Virtual Machine Manager.

  2. (Optional) If not already present, add a local LXC connection by clicking File › Add Connection.

    Select LXC (Linux Containers) as the hypervisor and click Connect.

  3. Select the localhost (LXC) connection and click File New Virtual Machine menu.

  4. Activate Application container and click Forward.

    Set the path to the application to be launched. As an example, the field is filled with /bin/sh, which is fine to create a first container. Click Forward.

  5. Choose the maximum amount of memory and CPUs to allocate to the container. Click Forward.

  6. Type in a name for the container. This name will be used for all virsh commands on the container.

    Click Advanced options. Select the network to connect the container to and click Finish. The container will be created and started. A console will be opened automatically.

    Note that the container will be destroyed after the application has finished running.

30.3 Securing a Container Using AppArmor

By default, containers are not secured using AppArmor or SELinux. There is no graphical user interface to change the security model for a libvirt domain, but virsh will help.

  1. Edit the container XML configuration using virsh:

    virsh -c lxc:/// edit MYCONTAINER
  2. Add the following to the XML configuration, save it and exit the editor.

    <domain>
        ...
        <seclabel type="dynamic" model="apparmor"/>
        ...
    </domain>
  3. With this configuration, an AppArmor profile for the container will be created in the /etc/apparmor.d/libvirt directory. The default profile only allows the minimum applications to run in the container. This can be changed by modifying the libvirt-CONTAINER-uuid file: this file is not overwritten by libvirt.

30.4 Differences Between the libvirt LXC Driver and LXC

openSUSE versions prior to Leap were shipping LXC, while openSUSE Leap comes with the libvirt LXC driver, sometimes named libvirt-lxc to avoid confusion. The containers are not managed or configured in the same way in these tools. Here is a non-exhaustive list of differences.

The main difference is that domain configuration in libvirt is an XML file, while LXC configuration is a properties file. Most of the LXC properties can be mapped to the domain XML. The properties that cannot be migrated are:

  • lxc.network.script.up: this script can be implemented using the /etc/libvirt/hooks/network libvirt hook, though the script will need to be adapted.

  • lxc.network.ipv*: libvirt cannot set the container network configuration from the domain configuration.

  • lxc.network.name: libvirt cannot set the container network card name.

  • lxc.devttydir: libvirt does not allow changing the location of the console devices.

  • lxc.console: there is currently no way to log the output of the console into a file on the host for libvirt LXC containers.

  • lxc.pivotdir: libvirt does not allow to fine-tune the directory used for the pivot_root. /.olroot is used.

  • lxc.rootfs.mount: libvirt does not allow to fine-tune this.

LXC VLAN networks automatically create the VLAN interface on the host and then move it into the guest namespace. libvirt-lxc configuration can mention a VLAN tag ID only for Open vSwitch tap devices or PCI pass-through of SR-IOV VF. The conversion tool actually needs the user to manually create the VLAN interface on the host side.

LXC rootfs can also be an image file, but LXC brute-forces the mount to try to detect the proper file system format. libvirt-lxc can mount image files of several formats, but the 'auto' value for the format parameter is explicitly not supported. This means that the generated configuration will need to be tweaked by the user to get a proper match in that case.

LXC can support any cgroup configuration, even future ones, while libvirt domain configuration, needs to map each of them.

LXC can mount block devices in the rootfs, but it cannot mount raw partition files: the file needs to be manually attached to a loop device. On the other hand libvirt-lxc can mount block devices, but also partition files of any format.

30.5 For More Information

LXC Container Driver

http://libvirt.org/drvlxc.html

Print this page