The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
Prior to UEK R3, LXC was a Technology Preview feature that was made available for testing and evaluation purposes, but was not recommended for production systems. LXC is a supported feature with UEK R3.
The Linux Containers (LXC) feature is a lightweight virtualization mechanism that does not require you to set up a virtual machine on an emulation of physical hardware. The Linux Containers feature takes the cgroups resource management facilities as its basis and adds POSIX file capabilities to implement process and network isolation. You can run a single application within a container (an application container) whose name space is isolated from the other processes on the system in a similar manner to a chroot jail. However, the main use of Linux Containers is to allow you to run a complete copy of the Linux operating system in a container (a system container) without the overhead of running a level-2 hypervisor such as VirtualBox. In fact, the container is sharing the kernel with the host system, so its processes and file system are completely visible from the host. When you are logged into the container, you only see its file system and process space. Because the kernel is shared, you are limited to the modules and drivers that it has loaded.
Typical use cases for Linux Containers are:
Running Oracle Linux 5 and Oracle Linux 6 containers in parallel. Both versions of the operating system support the Unbreakable Enterprise Kernel Release 2. You can even run an Oracle Linux 5 container on an Oracle Linux 6 system with the UEK R3 kernel, even though UEK R3 is not supported for Oracle Linux 5. You can also run an i386 container on an x86_64 kernel. However, you cannot run an x86_64 container on an i386 kernel. For more information, see Section 27.1.1, “Supported Oracle Linux Container Versions”.
Running applications that are supported only by Oracle Linux 5 in an Oracle Linux 5 container on an Oracle Linux 6 host. However, incompatibilities might exist in the modules and drivers that are available.
Running many copies of application configurations on the same system. An example configuration would be a LAMP stack, which combines Linux, Apache server, MySQL, and Perl, PHP, or Python scripts to provide specialised web services.
Creating sandbox environments for development and testing.
Providing user environments whose resources can be tightly controlled, but which do not require the hardware resources of full virtualization solutions.
Creating containers where each container appears to have its own IP address. For example you can use the
lxc-sshdtemplate script to create isolated environments for untrusted users. Each container runs an sshd daemon to handle logins. By bridging a container's Virtual Ethernet interface to the host's network interface, each container can appear to have its own IP address on a LAN.
When you use the lxc-start command to start a
system container, by default the copy of
/sbin/init in the container is started to spawn
other processes in the container's process space. Any system calls
or device access are handled by the kernel running on the host. If
you need to run different kernel versions or different operating
systems from the host, use a true virtualization solution such as
Oracle VM or Oracle VM VirtualBox instead of Linux Containers.
There are a number of configuration steps that you need to perform on the file system image for a container so that it can run correctly:
Disable any
initscripts that load modules to access hardware directly.Disable
udevand instead create static device nodes in/devfor any hardware that needs to be accessible from within the container.Configure the network interface so that it is bridged to the network interface of the host system.
LXC provides a number of template scripts in
/usr/share/lxc/templates that perform much of
the required configuration of system containers for you. However,
it is likely that you will need to modify the script to allow the
container to work correctly as the scripts cannot anticipate the
idiosyncrasies of your system's configuration. You use the
lxc-create command to create a system container
by invoking a template script. For example, the
lxc-busybox template script creates a
lightweight BusyBox system container.
The example system container in this chapter uses the template
script for Oracle Linux (lxc-oracle). The
container is created on a btrfs file system
(/container) to take advantage of its snapshot
feature. A btrfs file system allows you to create a subvolume that
contains the root file system (rootfs) of a
container, and to quickly create new containers by cloning this
subvolume.
You can use control groups to limit the system resources that are available to applications such as web servers or databases that are running in the container.
Application containers are not created by using template scripts.
Instead, an application container mounts all or part of the host's
root file system to provide access to the binaries and libraries
that the application requires. You use the
lxc-execute command to invoke
lxc-init (a cut-down version of
/sbin/init) in the container.
lxc-init mounts any required directories such
as /proc, /dev/shm, and
/dev/mqueue, executes the specified application
program, and then waits for it to finish executing. When the
application exits, the container instance ceases to exist.