Study Guide | LXC/LXD Deep Dive

Contents
What Are Linux Containers?
  Container Rundown
  Linux Containers
  Linux Container Daemon
LXC vs. Docker
  Infrastructure vs. Application Containers
  LXC, LXD, and Docker
  Use Cases
LXC/LXD Installation
  LXC
  LXD
LXD Initialization
Storage Backends
Launching Our First Container
Instance Configuration
Accessing a Container
Working with Files
Networking
Profiles
Snapshots
Image Remotes
Creating a Remote
Anatomy of an Image
Publishing Containers
Distrobuilder
  File Breakdown
Server Configuration
Server Clustering
Server Backups
Production Considerations
What Are Linux Containers?

Container Rundown
• Containers are isolated execution environments
• Shared kernel with isolated resources
• Often compared to virtual machines:
    • Isolation feels like a virtual machine
    • Uses fewer resources than a virtual machine
• Isolation (containers) versus virtualization (VMs)

Linux Containers
• LXC is short for Linux Containers
• Operating-system-level virtualization for Linux systems
• Leverages cgroups via the Linux kernel:
    • Prioritization of resources:
        • CPU
        • Memory
        • I/O
        • Network
• Shared kernel
• Namespace isolation
• lxc- commands (lxc-create, lxc-start, and so on)
Linux Container Daemon
• LXD is the daemon on the host that accepts API calls for LXC
• LXC manages the container; LXD manages the remote (image/container servers)
• Extends LXC functionality
• Allows for easier migration and publishing
• lxc command
LXC vs. Docker

Infrastructure vs. Application Containers
• Infrastructure, or system, containers function similarly to virtual machines:
    • Work as an isolated OS environment
    • Generally used alongside traditional configuration management
    • Are upgraded and maintained in place
• Application containers are stateless and ephemeral and provide a platform-agnostic space for an application component:
    • Replaced, not upgraded
    • Portable; used with microservices

LXC, LXD, and Docker
• LXC/LXD are intended as system containers:
    • Long-running applications
    • Linux-only
    • Manages:
        • Kernel namespaces
        • AppArmor/SELinux profiles
        • chroots
        • Anything in the kernel/operating system
• Docker is more often used for application containers:
    • For creating a lot of containers fast
    • Linux, Windows, OS X
    • Self-contained file system, not a base userspace image
    • App + image:
        • Dockerfile
Use Cases
• Fast-deploying development environments without the performance hit
• Access to bare metal through the kernel
• Instances where the operating system matters:
    • LAMP stacks
    • Databases
LXC/LXD Installation
Course uses Ubuntu 18.04 LTS

LXC
• Dependencies:
    • glibc
    • Linux kernel >= 2.6.32
• Install via the lxc or lxc-utils package, depending on distribution:
    • CentOS-flavor: lxc
    • Ubuntu/Debian-flavor: lxc-utils

LXD
• Recommended install, all Linux flavors: snap install lxd
    • Uninstall the apt package first, if needed
• Can also be installed from source, when necessary
• To use as a non-root user, add the user to the lxd group
    • Members of the lxd group control the daemon, which is effectively root-equivalent on the host, so treat that membership like sudo access
LXD Initialization
• lxd init
    • A prompt-based tool for configuring LXD
    • Can be run multiple times
• Prompts:
    • LXD clustering: Allows a number of LXD instances to share the same database
    • Storage pool configuration: Backend where LXD container file systems are stored:
        • Create a new pool or use an existing one
    • MAAS configuration: For connecting to bare-metal hosts
    • Container network configuration: Create a new network or use an existing one for container communication
    • LXD network configuration: Allow LXD to bind to a port for outside access
    • Update cached images: Automatically update images to the latest release
    • Preseed file: Generate a YAML configuration file to replicate the above configuration
• Reconfigure the server by running lxd init again
• Use a YAML-based preseed file to configure LXD: cat preseed.yaml | lxd init --preseed
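The preseed route above, as an added example that is not from the study guide or the LXD project: a small script that writes a preseed file answering the same prompts (storage pool, container network, API bind address, image auto-update) and feeds it to lxd init --preseed only when the lxd binary is present. The pool name, bridge name and API address are constructed sample values, and the helper names (write_preseed, preseed_value, apply_preseed) are this example's own.

```shell
#!/bin/sh
# Added example (not from the study guide): generate a preseed file for
# "lxd init --preseed" and apply it only when the lxd binary is present.
# Pool, bridge and API address values are constructed sample values; the
# helper names are this example's own.

PRESEED_FILE="${PRESEED_FILE:-/tmp/lxd-preseed.yaml}"

# write_preseed POOL BRIDGE API_ADDR
# Describes one storage pool, one NAT'd bridge and the default profile.
# core.https_address binds the API to a single internal address rather than
# every interface ("[::]"), which keeps the daemon off untrusted networks.
write_preseed() {
    pool="$1"; bridge="$2"; api_addr="$3"
    cat > "$PRESEED_FILE" <<EOF
config:
  core.https_address: ${api_addr}:8443
  images.auto_update_interval: 6
storage_pools:
- name: ${pool}
  driver: zfs
networks:
- name: ${bridge}
  type: bridge
  config:
    ipv4.address: auto
    ipv4.nat: "true"
    ipv6.address: none
profiles:
- name: default
  config:
    security.privileged: "false"
  devices:
    root:
      path: /
      pool: ${pool}
      type: disk
    eth0:
      name: eth0
      nictype: bridged
      parent: ${bridge}
      type: nic
EOF
}

# preseed_value KEY: print the value of the first "KEY: value" line in the file
preseed_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$PRESEED_FILE" | head -n 1
}

# apply_preseed: feed the file to lxd init, or say why it was skipped
apply_preseed() {
    if ! command -v lxd >/dev/null 2>&1; then
        echo "lxd not found; preseed left at $PRESEED_FILE for review" >&2
        return 0
    fi
    lxd init --preseed < "$PRESEED_FILE"
}

write_preseed default lxdbr0 10.0.0.5
echo "preseed written to $PRESEED_FILE (API bound to $(preseed_value core.https_address))"
```

Review the file, then call apply_preseed; because lxd init can be re-run, the same file can be replayed on another host to get an identical configuration. If the host lacks ZFS support, change driver to dir before applying.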
Storage Backends
• LXD can manage storage pools:
    • Create new
    • Connect to existing
• Storage support:
    • ZFS
    • btrfs
    • LVM
    • Ceph
    • Directory
• Recommended: ZFS, btrfs:
    • ZFS is more reliable
    • Use a full disk/partition for LXD, when possible
• CLI: lxc storage <command>
• Commands:
    • create <pool> <driver> <flag> - Create a new storage pool:
        • Example: lxc storage create test-pool lvm
    • delete <pool> - Remove a storage pool:
        • Example: lxc storage delete test-pool
    • edit <pool> - Open the pool's YAML definition to edit its configuration:
        • Example: lxc storage edit test-pool
    • get <pool> <key> - Retrieve an individual configuration value for a pool:
        • Example: lxc storage get test-pool source
    • info <pool> - Output information about the defined pool:
        • Example: lxc storage info test-pool
    • list - List all pools:
        • Example: lxc storage list
    • set <pool> <key> <value> - Update a configuration value:
        • Example: lxc storage set test-pool source /dev/test-pool-block
    • show <pool> - Show pool configuration:
        • Example: lxc storage show test-pool
    • unset <pool> <key> - Remove a configuration value:
        • Example: lxc storage unset test-pool rsync.bwlimit
Launching Our First Container
lxc launch images:alpine/3.10 -s default
• lxc launch - Command to create and start a container
• images:alpine/3.10 - Pulls Alpine Linux 3.10 from the images.linuxcontainers.org remote
• -s default - Use the default storage pool

lxc image copy ubuntu:18.04 local: --alias ubuntu-18.04
• lxc image - Command to manage images
• copy - Copy an image from one remote to another
• ubuntu:18.04 - The image to pull down; ubuntu: is the remote, 18.04 is the image name
• local: - The remote to copy the image to
• --alias ubuntu-18.04 - A nickname for the image

lxc launch ubuntu-18.04 web01
• When launching:
    • If using a new image:
        • Pulls the image down from the remote to the default remote
        • Creates a cache of that image
    • An instance is created based on the cached image
    • Builds the container
    • Starts the container
Instance Configuration
• lxc config:
    • edit <instance> - Edit instance configuration
    • get <instance> <key> - Retrieve the value of a configuration key
    • set <instance> <key> <value> - Set a configuration key
    • show <instance> - View instance configuration
• lxc config device <command> <instance> <device> <key> <value> - Manage device configuration (such as disks)
Accessing a Container
• lxc exec <instance> -- <command> - Run a command in the defined container
• lxc exec <instance> -- <shell> - Access the container's shell
Working with Files
• lxc file push <local_file> <container>/<path/to/file/on/container> - Push a local file to a container
• lxc file edit <container>/<path/to/file/on/container> - Edit a file on the container directly
• lxc file delete <container>/<path/to/file/on/container> - Remove a file on the container
• lxc file pull <container>/<path/to/file/on/container> <local_target> - Pull a file from the container down to the local host
Networking
• Containers are on the same private network:
    • Can communicate with each other
• Packet flow:
    • On the container:
        • eth0 works as a virtual Ethernet card
        • One end of a veth pair connects to this card
    • On the host:
        • The other end of the veth pair exists as a veth interface
        • This connects to the lxdbr0 bridge created during initialization
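The host side of that packet flow can be audited from the veth interfaces themselves. The following is an added example, not from the study guide: it parses the output of ip -o link show type veth to list each host-side veth, the bridge it is enslaved to, and the ifindex of its peer inside the container, and flags any veth that is attached somewhere other than the expected bridge. The sample lines are constructed to look like that output; on a real host pipe the ip command into veth_attachments. Helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the study guide): map host-side veth interfaces to
# the bridge they are attached to, from "ip -o link show type veth" output.
# The sample lines below are constructed; on a real host run:
#   ip -o link show type veth | veth_attachments

# veth_attachments: read ip -o link lines on stdin, print "host_iface bridge peer_ifindex"
veth_attachments() {
    awk '{
        name = $2; sub(/:$/, "", name)          # "veth1a2b3c@if11:" -> "veth1a2b3c@if11"
        split(name, parts, "@"); host = parts[1]
        peer = parts[2]; sub(/^if/, "", peer)   # "if11" -> "11" (ifindex inside the container)
        master = "(none)"                       # a veth with no master is attached to no bridge
        for (i = 3; i <= NF; i++) if ($i == "master") master = $(i + 1)
        print host, master, peer
    }'
}

# veths_not_on BRIDGE: host-side veths attached anywhere other than BRIDGE
veths_not_on() {
    veth_attachments | awk -v want="$1" '$2 != want { print $1, $2 }'
}

# Constructed sample: two containers on lxdbr0 and one on a stray bridge.
SAMPLE_IP_LINK='12: veth1a2b3c@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP mode DEFAULT group default qlen 1000\    link/ether fe:12:34:56:78:9a brd ff:ff:ff:ff:ff:ff link-netnsid 0
14: veth4d5e6f@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP mode DEFAULT group default qlen 1000\    link/ether fe:ab:cd:ef:01:23 brd ff:ff:ff:ff:ff:ff link-netnsid 1
16: veth778899@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-legacy state UP mode DEFAULT group default qlen 1000\    link/ether fe:44:55:66:77:88 brd ff:ff:ff:ff:ff:ff link-netnsid 2'

echo "host veth -> bridge -> peer ifindex:"
printf '%s\n' "$SAMPLE_IP_LINK" | veth_attachments
echo "veths not on lxdbr0:"
printf '%s\n' "$SAMPLE_IP_LINK" | veths_not_on lxdbr0
```

The peer ifindex is what links a host veth back to a container: lxc exec <instance> -- ip link shows the container's eth0 with that index, so the two listings together tell you which container is on which bridge.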
Profiles
• lxc profile:
    • add <container> <profile> - Add a profile to a container
    • assign <container> <profile>,<profile> - Assign multiple profiles to a container
    • copy <profile-copied> <new-profile> - Copy an existing profile
    • create <profile> - Create a blank profile
    • delete <profile> - Delete a profile
    • edit <profile> - Edit the YAML configuration
    • get <profile> <key> - Retrieve a configuration value from a profile
    • list - List all profiles
    • remove <container> <profile> - Remove a profile from a container
    • rename <old-name> <new-name> - Rename a profile
    • set <profile> <key> <value> - Set a configuration value for a profile
    • show <profile> - Show the profile configuration
    • unset <profile> <key> - Remove a configuration value
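Profiles are where the per-container security posture lives. As an added example (not from the study guide or the LXD project), the script below writes a restrictive profile as YAML, checks that it does not request a privileged container before doing anything with it, and loads it with lxc profile create and lxc profile edit only when the lxc client is installed. The profile name, limits and pool/bridge names are constructed sample values; helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the study guide): write a restrictive LXD profile as
# YAML, check it, and apply it with "lxc profile create" / "lxc profile edit"
# only when the lxc client exists. Profile name, limits and device names are
# constructed sample values; the helper names are this example's own.

PROFILE_NAME="${PROFILE_NAME:-hardened}"
PROFILE_FILE="${PROFILE_FILE:-/tmp/${PROFILE_NAME}.yaml}"

# write_profile POOL BRIDGE: unprivileged, no nesting, bounded CPU/memory/pids
write_profile() {
    cat > "$PROFILE_FILE" <<EOF
description: unprivileged container with resource limits
config:
  security.privileged: "false"
  security.nesting: "false"
  limits.cpu: "2"
  limits.memory: 1GB
  limits.processes: "500"
devices:
  root:
    path: /
    pool: ${1}
    type: disk
  eth0:
    name: eth0
    nictype: bridged
    parent: ${2}
    type: nic
EOF
}

# profile_setting FILE KEY: value of the first "KEY: value" line, quotes stripped
profile_setting() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tr -d '"' | head -n 1
}

# profile_is_unprivileged FILE: succeeds unless security.privileged is explicitly true
profile_is_unprivileged() {
    [ "$(profile_setting "$1" security.privileged)" != "true" ]
}

# apply_profile: refuse privileged profiles, then create (if missing) and load the YAML
apply_profile() {
    profile_is_unprivileged "$PROFILE_FILE" || { echo "refusing to apply a privileged profile" >&2; return 1; }
    command -v lxc >/dev/null 2>&1 || { echo "lxc not found; profile left at $PROFILE_FILE" >&2; return 0; }
    lxc profile show "$PROFILE_NAME" >/dev/null 2>&1 || lxc profile create "$PROFILE_NAME"
    lxc profile edit "$PROFILE_NAME" < "$PROFILE_FILE"
}

write_profile default lxdbr0
echo "profile written to $PROFILE_FILE (security.privileged=$(profile_setting "$PROFILE_FILE" security.privileged))"
```

After apply_profile, attach it with lxc profile add <container> hardened, or launch with lxc launch <image> <container> -p hardened; lxc profile show hardened confirms what was loaded.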
Snapshots
• lxc snapshot <container> <snapshot-name> - Create a snapshot of an existing container
• lxc copy <container>/<snapshot-name> <new-container> - Create a new container based on a snapshot:
    • The container is created but not started
• lxc delete <container>/<snapshot-name> - Delete a snapshot
Image Remotes
• An image remote is a host for any LXD images
• All LXD servers contain the local remote for storing images locally
• Remotes can be public or private:
    • Private remotes require a password
• lxc remote list - View all remotes
Creating a Remote
• On a fresh remote server:
    • Install and initialize LXD
    • Retrieve the internal IP address and set the https_address configuration:
        lxc config set core.https_address <internal_ip_of_remote>
    • Set a password to access the remote:
        lxc config set core.trust_password <password>
• Use the remote with an existing LXD server:
    • Add the remote:
        lxc remote add <remote-name> <remote_ip>
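The steps above scripted, as an added example that is not from the study guide: the two settings on the new remote and the lxc remote add on the existing server, with a guard that only binds core.https_address to a private (RFC 1918) IPv4 address, since the guide's intent is an internal address and an API bound to a public one is reachable by anyone who can guess the trust password. DRY_RUN=1 prints the lxc commands instead of running them, so the checks work without LXD installed. Helper names are this example's own and the addresses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the study guide): script the "create a remote" steps
# with a guard that only binds the LXD API to a private (RFC 1918) IPv4
# address. DRY_RUN=1 prints the lxc commands instead of running them.
# Helper names are this example's own; addresses are constructed samples.

# run CMD...: execute, or print the command line when DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# is_private_ipv4 ADDR: succeeds for 10/8, 172.16/12 and 192.168/16, fails otherwise
is_private_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# configure_remote_server ADDR PASSWORD: the two settings made on the new remote.
# The password is taken from a variable rather than hard-coded; note it is still
# visible in the process list for the moment the lxc command runs.
configure_remote_server() {
    addr="$1"; password="$2"
    is_private_ipv4 "$addr" || { echo "refusing to bind the LXD API to non-private address $addr" >&2; return 2; }
    [ -n "$password" ] || { echo "empty trust password" >&2; return 2; }
    run lxc config set core.https_address "${addr}:8443"
    run lxc config set core.trust_password "$password"
}

# add_remote NAME ADDR: register the remote on the existing LXD server
add_remote() { run lxc remote add "$1" "$2"; }

DRY_RUN="${DRY_RUN:-1}"   # default to printing, so the script is safe to run as-is
configure_remote_server 192.168.1.10 "${LXD_TRUST_PASSWORD:-change-me}"
add_remote build-remote 192.168.1.10
```

Run with DRY_RUN=0 and LXD_TRUST_PASSWORD set in the environment to make the changes for real; the configure step belongs on the remote and the add step on the existing server. When lxc remote add prompts with the remote's certificate fingerprint, compare it with lxc info on the remote before accepting.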
Anatomy of an Image
• lxc image export <image-name> <destination> - Export an image to the local filesystem
• Images contain:
    • A SquashFS file system:
        • Can be mounted
        • Contains all necessary files for the container to work
    • A compressed file of metadata and templates:
        • metadata.yaml contains general image information
        • The templates/ directory contains all configuration templates:
            • Example: /etc/hosts template
Publishing Containers
• Create images based on existing containers
• Start with a public image, make changes, and save the changes as an image
• lxc publish <container>/<snapshot> <remote> - Publish a container snapshot as an image
Distrobuilder
• Create distribution images using YAML configurations
• Install via Snap: sudo snap install distrobuilder --classic
    • Since Distrobuilder is used locally, use the most recent version
• Prerequisite: apt install debootstrap
• distrobuilder build-lxd <file.yaml> - Package an image

File Breakdown
• image: - Image properties, including name, architecture, and description
• source: - Location of the source distribution to download and key information
• targets: - LXC-specific file configurations; this is LXC-only
• files: - Root files for the container generated via a file generator:
    • This includes hostname information, networking data, and any cloud-init files
• packages: - Repository configuration and package management
• actions: - Commands to run after each specified installation step; these commands can be anything that would run on the distribution
Server Configuration
• lxc config edit - Edit the overall LXD server configuration
• lxc config set <key> <value> - Set an LXD server configuration value via the CLI
• lxc config get <key> - Retrieve a configuration value
• lxc config show - Output the LXD server configuration
Server Clustering
• Create a server: lxd init:
    • Enable clustering
    • Set name
    • Set address
    • Set password
• Add a server: lxd init:
    • Enable clustering
    • Set name
    • Set address
    • Check fingerprint:
        • Use lxc info on the initial server
    • Input password
• lxc launch <image> <container> --target <cluster-node> - Launch on a specific node of the cluster:
    • If no target is specified, it will launch on the cluster node with the fewest containers
• lxc list and related commands will show data for containers on all nodes in a cluster
• lxc move <container> <container> --target <cluster-node> - Move a container to another node of the cluster
• lxc cluster remove <cluster-node> - Remove a node from the cluster:
    • No containers can be on the node
• lxc cluster list - List all nodes in a cluster
Server Backups
• Components:
    • Instances
    • Images
    • Networks
    • Profiles
    • Storage
• Full backup:
    • All of /var/lib/lxd or /var/snap/lxd/common/lxd
• Secondary (live) backup:
    • Copy instances and volumes periodically
• Instance backups: lxc export and lxc import
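The secondary (live) backup described above, as an added example that is not from the study guide: a script that snapshots each instance, exports it to a timestamped tarball with lxc export, and records a SHA-256 checksum so an archive can be verified before it is restored with lxc import. DRY_RUN=1 prints the lxc commands instead of running them, so the naming and flow can be exercised without LXD installed. The instance names and destination directory are constructed samples; helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the study guide): snapshot and export every instance
# to timestamped tarballs and record a SHA-256 checksum for each archive.
# DRY_RUN=1 prints the lxc commands instead of running them. Instance names
# and the destination are constructed samples; helper names are this example's own.

# run CMD...: execute, or print the command line when DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# backup_path DEST INSTANCE STAMP: one archive per instance and run
backup_path() { printf '%s/%s-%s.tar.gz\n' "$1" "$2" "$3"; }

# list_instances [NAME...]: names from lxc when it can be queried, else the names given
list_instances() {
    if [ "${DRY_RUN:-0}" != 1 ] && command -v lxc >/dev/null 2>&1; then
        lxc list -c n --format csv
    else
        printf '%s\n' "$@"
    fi
}

# backup_instances DEST [INSTANCE...]: snapshot, export, checksum each instance
backup_instances() {
    dest="$1"; shift
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    [ "${DRY_RUN:-0}" = 1 ] || mkdir -p "$dest"
    for inst in $(list_instances "$@"); do
        archive="$(backup_path "$dest" "$inst" "$stamp")"
        # a named snapshot marks the exact state that went into the archive
        run lxc snapshot "$inst" "backup-${stamp}"
        run lxc export "$inst" "$archive"
        # checksum lets the archive be verified before a restore with "lxc import"
        if [ -f "$archive" ]; then
            sha256sum "$archive" >> "$dest/SHA256SUMS"
        fi
    done
    return 0
}

DRY_RUN="${DRY_RUN:-1}"   # default to printing, so the script is safe to run as-is
backup_instances /var/backups/lxd web01 db01
```

Run with DRY_RUN=0 to take real backups; verify later with sha256sum -c SHA256SUMS in the destination directory, and restore a single instance with lxc import <archive>. Copy the archives off the host, since a backup that lives only under /var/lib/lxd goes down with the server.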
Production Considerations
• Production LXD servers often perform tens of thousands of file operations:
    • Can cause errors
• Production servers should update the following configuration values:
    • /etc/security/limits.conf:
        * soft nofile 1048576
        * hard nofile 1048576
        root soft nofile 1048576
        root hard nofile 1048576
        * soft memlock unlimited
        * hard memlock unlimited
    • /etc/sysctl.conf:
        fs.inotify.max_queued_events=1048576
        fs.inotify.max_user_instances=1048576
        fs.inotify.max_user_watches=1048576
        vm.max_map_count=262144
        kernel.dmesg_restrict=1
        net.ipv4.neigh.default.gc_thresh3=8192
        net.ipv6.neigh.default.gc_thresh3=8192
        kernel.keys.maxkeys=2000
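A drift check for those values, as an added example that is not from the study guide: the script compares a sysctl.conf-style file and a limits.conf-style file against the settings listed above and reports each key that is missing or set below the recommendation (kernel.dmesg_restrict=1 is among them, and it is the one with a direct security effect, since it keeps unprivileged users from reading the kernel log). The two sample files are constructed here; on a real host point the functions at /etc/sysctl.conf and /etc/security/limits.conf. Helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the study guide): check a sysctl.conf-style file and
# a limits.conf-style file against the values the guide lists for production
# LXD hosts, reporting anything missing or set too low. The sample files are
# constructed; on a real host use /etc/sysctl.conf and /etc/security/limits.conf.
# Helper names are this example's own.

REQUIRED_SYSCTL='fs.inotify.max_queued_events=1048576
fs.inotify.max_user_instances=1048576
fs.inotify.max_user_watches=1048576
vm.max_map_count=262144
kernel.dmesg_restrict=1
net.ipv4.neigh.default.gc_thresh3=8192
net.ipv6.neigh.default.gc_thresh3=8192
kernel.keys.maxkeys=2000'

REQUIRED_LIMITS='* soft nofile 1048576
* hard nofile 1048576
root soft nofile 1048576
root hard nofile 1048576
* soft memlock unlimited
* hard memlock unlimited'

# sysctl_value FILE KEY: last value assigned to KEY in FILE (empty if unset)
sysctl_value() {
    awk -F'=' -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v) }
        k == key { val = v }
        END { print val }' "$1"
}

# check_sysctl_file FILE: succeeds if every required key is present and at least
# the recommended value; prints one line per problem and fails otherwise
check_sysctl_file() {
    rc=0
    for entry in $REQUIRED_SYSCTL; do
        key="${entry%%=*}"; want="${entry#*=}"
        have="$(sysctl_value "$1" "$key")"
        case "$have" in
            '')       echo "MISSING $key (want $want)"; rc=1 ;;
            *[!0-9]*) echo "INVALID $key=$have"; rc=1 ;;
            *)        [ "$have" -ge "$want" ] || { echo "LOW $key=$have (want >= $want)"; rc=1; } ;;
        esac
    done
    return $rc
}

# check_limits_file FILE: succeeds if every required "domain type item value" line is present
check_limits_file() {
    rc=0
    while read -r dom type item val; do
        awk -v d="$dom" -v t="$type" -v i="$item" -v v="$val" \
            '$1 == d && $2 == t && $3 == i && $4 == v { found = 1 } END { exit !found }' "$1" \
            || { echo "MISSING $dom $type $item $val"; rc=1; }
    done <<EOF
$REQUIRED_LIMITS
EOF
    return $rc
}

# Constructed sample files: one fully tuned, one partially tuned, one missing memlock.
SAMPLE_DIR="$(mktemp -d)"
SAMPLE_GOOD="$SAMPLE_DIR/sysctl-good.conf"
SAMPLE_BAD="$SAMPLE_DIR/sysctl-bad.conf"
SAMPLE_LIMITS="$SAMPLE_DIR/limits.conf"
printf '# constructed: fully tuned host\n%s\n' "$REQUIRED_SYSCTL" > "$SAMPLE_GOOD"
printf '# constructed: partially tuned host\nfs.inotify.max_user_watches = 8192\nkernel.dmesg_restrict=1\n' > "$SAMPLE_BAD"
printf '# constructed: nofile raised, memlock left out\n%s\n' "$(printf '%s\n' "$REQUIRED_LIMITS" | grep nofile)" > "$SAMPLE_LIMITS"

if check_sysctl_file "$SAMPLE_GOOD"; then echo "OK: $SAMPLE_GOOD"; fi
if check_sysctl_file "$SAMPLE_BAD"; then :; else echo "drift in $SAMPLE_BAD"; fi
if check_limits_file "$SAMPLE_LIMITS"; then :; else echo "drift in $SAMPLE_LIMITS"; fi
```

The checks read the files, not the running kernel, so a host whose values were raised only with sysctl -w will still pass here and lose the settings on reboot; a full audit pairs this with sysctl -n <key> for each key.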