28.1 About Linux Containers


Prior to UEK R3, LXC was a Technology Preview feature that was made available for testing and evaluation purposes, but was not recommended for production systems. LXC is a supported feature with UEK R3 and UEK R4.

The Linux Containers (LXC) feature is a lightweight virtualization mechanism that does not require you to set up a virtual machine on an emulation of physical hardware. The Linux Containers feature takes the cgroups resource management facilities as its basis and adds POSIX file capabilities to implement process and network isolation. You can run a single application within a container (an application container) whose name space is isolated from the other processes on the system in a similar manner to a chroot jail. However, the main use of Linux Containers is to allow you to run a complete copy of the Linux operating system in a container (a system container) without the overhead of running a level-2 hypervisor such as VirtualBox. In fact, the container is sharing the kernel with the host system, so its processes and file system are completely visible from the host. When you are logged into the container, you only see its file system and process space. Because the kernel is shared, you are limited to the modules and drivers that it has loaded.

Typical use cases for Linux Containers are:

  • Running Oracle Linux 5, Oracle Linux 6, and Oracle Linux 7 containers in parallel. You can run an Oracle Linux 5 container on an Oracle Linux 7 system with the UEK R3 or UEKR4 kernel, even though UEK R3 and UEK R4 are not supported for Oracle Linux 5. You can also run an i386 container on an x86_64 kernel. For more information, see Section 28.1.1, “Supported Oracle Linux Container Versions”.

  • Running applications that are supported only by Oracle Linux 5 in an Oracle Linux 5 container on an Oracle Linux 7 host. However, incompatibilities might exist in the modules and drivers that are available.

  • Running many copies of application configurations on the same system. An example configuration would be a LAMP stack, which combines Linux, Apache HTTP server, MySQL, and Perl, PHP, or Python scripts to provide specialised web services.

  • Creating sandbox environments for development and testing.

  • Providing user environments whose resources can be tightly controlled, but which do not require the hardware resources of full virtualization solutions.

  • Creating containers where each container appears to have its own IP address. For example you can use the lxc-sshd template script to create isolated environments for untrusted users. Each container runs an sshd daemon to handle logins. By bridging a container's Virtual Ethernet interface to the host's network interface, each container can appear to have its own IP address on a LAN.

When you use the lxc-start command to start a system container, by default the copy of /sbin/init (for an Oracle Linux 6 or earlier container) or /usr/lib/systemd/systemd (for an Oracle Linux 7 container) in the container is started to spawn other processes in the container's process space. Any system calls or device access are handled by the kernel running on the host. If you need to run different kernel versions or different operating systems from the host, use a full virtualization solution such as Oracle VM or Oracle VM VirtualBox instead of Linux Containers.

There are a number of configuration steps that you need to perform on the file system image for a container so that it can run correctly:

  • Disable any init or systemd scripts that load modules to access hardware directly.

  • Disable udev and instead create static device nodes in /dev for any hardware that needs to be accessible from within the container.

  • Configure the network interface so that it is bridged to the network interface of the host system.

LXC provides a number of template scripts in /usr/share/lxc/templates that perform much of the required configuration of system containers for you. However, it is likely that you will need to modify the script to allow the container to work correctly as the scripts cannot anticipate the idiosyncrasies of your system's configuration. You use the lxc-create command to create a system container by invoking a template script. For example, the lxc-busybox template script creates a lightweight BusyBox system container.

The example system container in this chapter uses the template script for Oracle Linux (lxc-oracle). The container is created on a btrfs file system (/container) to take advantage of its snapshot feature. A btrfs file system allows you to create a subvolume that contains the root file system (rootfs) of a container, and to quickly create new containers by cloning this subvolume.

You can use control groups to limit the system resources that are available to applications such as web servers or databases that are running in the container.

Application containers are not created by using template scripts. Instead, an application container mounts all or part of the host's root file system to provide access to the binaries and libraries that the application requires. You use the lxc-execute command to invoke /usr/sbin/init.lxc (a cut-down version of /sbin/init) in the container. init.lxc mounts any required directories such as /proc, /dev/shm, and /dev/mqueue, executes the specified application program, and then waits for it to finish executing. When the application exits, the container instance ceases to exist.