Linux-Containers — Part 1: Overview
- by Lenz Grimmer
"Containers" by Jean-Pierre Martineau (CC BY-NC-SA 2.0).
Linux Containers (LXC)
provide a means to isolate individual services or
applications as well as of a complete Linux operating system from other
services running on the same host. To
accomplish this, each
container gets its own directory structure, network devices, IP
addresses and process
table. The processes running in other containers or the host system are
not visible from inside a container. Additionally, Linux Containers
allow for fine
granular
control of resources like RAM, CPU or disk I/O.
Generally speaking, Linux Containers use a completely different
approach than "classicial" virtualization technologies like KVM or
Xen (on which Oracle
VM Server for x86
is based on). An application running inside a container will be
executed directly on the operating system kernel of the host
system, shielded from all other running processes in a sandbox-like
environment. This allows a very direct and fair distribution of CPU and
I/O-resources. Linux containers can offer the best possible
performance and several possibilities for managing and sharing the
resources
available.
Similar to Containers
(or Zones) on Oracle Solaris or FreeBSD jails, the same kernel version
runs on the host as well as in the containers; it is not possible to
run
different Linux kernel versions or other operating systems like
Microsoft Windows or Oracle Solaris for x86 inside a container.
However, it is possible to run different Linux distribution versions
(e.g. Fedora Linux in a container on top of an Oracle Linux host),
provided it supports the version of the Linux kernel that runs on the
host. This approach has one caveat, though - if any of the containers
causes a kernel crash, it will bring down all other containers (and the
host system) as well.
For example, Oracle's Unbreakable Enterprise Kernel Release 2
(2.6.39) is supported for both Oracle Linux 5 and 6. This makes it
possible to run Oracle Linux 5 and 6 container instances on top of an
Oracle Linux 6 system. Since Linux Containers are fully implemented on
the OS level (the Linux kernel), they can be easily combined with other
virtualization technologies. It's certainly possible to set up Linux
containers within a virtualized Linux instance that runs inside Oracle
VM Server for Oracle VM Virtualbox.
Some use cases for Linux Containers include:
Consolidation of multiple
separate Linux systems on one server: instances of Linux systems
that are not performance-critical or only see sporadic use (e.g. a fax
or print server or intranet services) do not necessarily need a
dedicated
server for their operations. These can easily be consolidated to run
inside containers on a single server, to preserve energy and rack space.
Running multiple instances of an
application in parallel, e.g. for different users or customers.
Each user receives his "own" application instance, with a defined level
of service/performance. This prevents that one user's application could
hog the entire system and ensures, that each user only has access to
his own data set. It also helps to save main memory — if multiple
instances of a same process are running, the Linux kernel can share
memory pages
that are identical and unchanged across all application instances. This
also applies to shared libraries that applications may use, they are
generally held in memory once and mapped to multiple processes.
Quickly creating sandbox
environments for development and testing purposes:
containers that have been created and configured once can be archived
as templates and can be duplicated (cloned) instantly on demand. After
finishing the activity, the clone can safely be discarded. This allows
to provide repeatable software builds and test environments, because
the system will always be reset to its initial state for each run.
Linux Containers also boot significantly faster than "classic" virtual
machines, which can save a lot of time when running frequent build or
test runs on applications.
Safe execution of an individual
application: if an application running inside a container has
been compromised because of a security vulnerability, the host system
and other containers remain unaffected. The potential damage can be
minimized, analyzed and resolved directly from the host system.
Note: Linux Containers on
Oracle Linux 6 with the
Unbreakable Enterprise Kernel Release 2 (2.6.39) are still marked as
Technology Preview - their use
is only recommended for testing and
evaluation purposes.
The Open-Source project "Linux
Containers" (LXC) is driving the development of the technology
behind this, which is based on the "Control Groups" (CGroups) and "Name
Spaces" functionality of the Linux kernel. Oracle is actively involved
in the Linux Containers development and contributes patches to the
upstream LXC code base.
Control Groups provide means to manage and monitor
the allocation of resources for individual processes or process groups.
Among other things, you can restrict the maximum amount of memory, CPU
cycles as well as the disk and network throughput (in MB/s or IOP/s)
that are available for an
application.
Name Spaces help to isolate
process groups from each other, e.g. the visibility of other running
processes or the exclusive access to a network device. It's also
possible to restrict a process group's access and visibility of the
entire file system hierarchy (similar to a classic "chroot"
environment).
CGroups and Name Spaces provide the foundation on which Linux
containers are based on, but they can actually be used independently as
well.
A more detailed description of how Linux Containers can be
created and managed on Oracle Linux will be explained in the second
part of this article.
Additional links related to Linux Containers:
OTN Article: The
Role of Oracle Solaris Zones and Linux Containers in a Virtualization
Strategy
Linux Containers on
Wikipedia
- Lenz Grimmer
Follow me on:
Personal Blog | Facebook | Twitter | Linux Blog |