f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand<!DOCTYPE refentry PUBLIC @docdtd@ [

99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand

99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">

99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand]>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano<refentry>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <docinfo>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <date>@LXC_GENERATE_DATE@</date>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </docinfo>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refmeta>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle>lxc</refentrytitle>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <manvolnum>7</manvolnum>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refmiscinfo>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Version @PACKAGE_VERSION@

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refmiscinfo>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refmeta>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refnamediv>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refname>lxc</refname>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refpurpose>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano linux containers

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refpurpose>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refnamediv>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect1>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Quick start</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano You are in a hurry, and you don't want to read this man page. Ok,

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano without warranty, here are the commands to launch a shell inside

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano a container with a predefined configuration template, it may

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano work.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>@BINDIR@/lxc-execute -n foo -f

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano @DOCDIR@/examples/lxc-macvlan.conf /bin/bash</command>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect1>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Overview</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The container technology is actively being pushed into the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano mainstream linux kernel. It provides the resource management

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano through the control groups aka process containers and resource

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano isolation through the namespaces.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The linux containers, <command>lxc</command>, aims to use these

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano new functionalities to provide an userspace container object

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano which provides full resource isolation and resource control for

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano an applications or a system.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The first objective of this project is to make the life easier

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for the kernel developers involved in the containers project and

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano especially to continue working on the Checkpoint/Restart new

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano features. The <command>lxc</command> is small enough to easily

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano manage a container with simple command lines and complete enough

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano to be used for other purposes.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect1>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Requirements</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The <command>lxc</command> relies on a set of functionalities

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano provided by the kernel which needs to be active. Depending of

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the missing functionalities the <command>lxc</command> will

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano work with a restricted number of functionalities or will simply

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano fail.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The following list gives the kernel features to be enabled in

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the kernel to have the full features container:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano * General setup

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi * Control Group support

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Namespace cgroup subsystem

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Freezer cgroup subsystem

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Cpuset support

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Simple CPU accounting cgroup subsystem

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Resource counters

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Memory resource controllers for Control Groups

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi * Group CPU scheduler

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Basis for grouping tasks (Control Groups)

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi * Namespaces support

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> UTS namespace

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> IPC namespace

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> User namespace

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Pid namespace

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Network namespace

0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi * Device Drivers

ac30d6a43245e0c50aad9e2ebfb88d80aaeea691Filippo Giunchedi * Character devices

ac30d6a43245e0c50aad9e2ebfb88d80aaeea691Filippo Giunchedi -> Support multiple instances of devpts

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano * Network device support

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> MAC-VLAN support

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Virtual ethernet pair device

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano * Networking

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano * Networking options

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> 802.1d Ethernet Bridging

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano * Security options

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> File POSIX Capabilities

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano </programlisting>

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The kernel version >= 2.6.27 shipped with the distros, will

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano work with <command>lxc</command>, this one will have less

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano functionalities but enough to be interesting.

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano With the kernel 2.6.29, <command>lxc</command> is fully

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano functional.

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano The helper script <command>lxc-checkconfig</command> will give

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano you information about your kernel configuration.

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano </para>

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano <para>

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano Before using the <command>lxc</command>, your system should be

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano configured with the file capabilities, otherwise you will need

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano to run the <command>lxc</command> commands as root.

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano </para>

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano <para>

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano The control group can be mounted anywhere, eg:

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano <command>mount -t cgroup cgroup /cgroup</command>.

0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano If you want to dedicate a specific cgroup mount point

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for <command>lxc</command>, that is to have different cgroups

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano mounted at different places with different options but

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano let <command>lxc</command> to use one location, you can bind

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the mount point with the <option>lxc</option> name, eg:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>mount -t cgroup lxc /cgroup4lxc</command> or

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>mount -t cgroup -ons,cpuset,freezer,devices

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc /cgroup4lxc</command>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect1>

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano <title>Functional specification</title>

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano <para>

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano A container is an object isolating some resources of the host,

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano for the application or system running in it.

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano </para>

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano <para>

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano The application / system will be launched inside a

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano container specified by a configuration that is either

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano initially created or passed as parameter of the starting commands.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>How to run an application in a container ?</para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Before running an application, you should know what are the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano resources you want to isolate. The default configuration is to

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano isolate the pids, the sysv ipc and the mount points. If you want

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano to run a simple shell inside a container, a basic configuration

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano is needed, especially if you want to share the rootfs. If you

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano want to run an application like <command>sshd</command>, you

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano should provide a new network stack and a new hostname. If you

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano want to avoid conflicts with some files

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano eg. <filename>/var/run/httpd.pid</filename>, you should

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano remount <filename>/var/run</filename> with an empty

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano directory. If you want to avoid the conflicts in all the cases,

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano you can specify a rootfs for the container. The rootfs can be a

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano directory tree, previously bind mounted with the initial rootfs,

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano so you can still use your distro but with your

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano own <filename>/etc</filename> and <filename>/home</filename>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Here is an example of directory tree

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for <command>sshd</command>:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano[root@lxc sshd]$ tree -d rootfs

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanorootfs

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- bin

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- dev

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano| |-- pts

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano| `-- shm

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano| `-- network

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- etc

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano| `-- ssh

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- lib

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- proc

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- root

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- sbin

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- sys

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- usr

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano`-- var

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano |-- empty

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | `-- sshd

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano |-- lib

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | `-- empty

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | `-- sshd

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano `-- run

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano `-- sshd

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano and the mount points file associated with it:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano [root@lxc sshd]$ cat fstab

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /lib /home/root/sshd/rootfs/lib none ro,bind 0 0

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /bin /home/root/sshd/rootfs/bin none ro,bind 0 0

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /usr /home/root/sshd/rootfs/usr none ro,bind 0 0

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /sbin /home/root/sshd/rootfs/sbin none ro,bind 0 0

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>How to run a system in a container ?</para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>Running a system inside a container is paradoxically easier

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano than running an application. Why ? Because you don't have to care

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano about the resources to be isolated, everything need to be

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano isolated, the other resources are specified as being isolated but

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano without configuration because the container will set them

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano up. eg. the ipv4 address will be setup by the system container

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano init scripts. Here is an example of the mount points file:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano [root@lxc debian]$ cat fstab

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /dev /home/root/debian/rootfs/dev none bind 0 0

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /dev/pts /home/root/debian/rootfs/dev/pts none bind 0 0

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano More information can be added to the container to facilitate the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano configuration. For example, make accessible from the container

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the resolv.conf file belonging to the host.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /etc/resolv.conf /home/root/debian/rootfs/etc/resolv.conf none bind 0 0

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Container life cycle</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano When the container is created, it contains the configuration

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano information. When a process is launched, the container will be

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano starting and running. When the last process running inside the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container exits, the container is stopped.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano In case of failure when the container is initialized, it will

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano pass through the aborting state.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano<![CDATA[

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano]]>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Configuration</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>The container is configured through a configuration

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano file, the format of the configuration file is described in

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><filename>lxc.conf</filename></refentrytitle>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <manvolnum>5</manvolnum>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Creating / Destroying container

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano (persistent container)</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano A persistent container object can be

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano created via the <command>lxc-create</command>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command. It takes a container name as parameter and

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano optional configuration file and template.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The name is used by the different

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano commands to refer to this

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container. The <command>lxc-destroy</command> command will

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano destroy the container object.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-create -n foo

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-destroy -n foo

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Volatile container</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>It is not mandatory to create a container object

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano before to start it.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The container can be directly started with a

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano configuration file as parameter.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Starting / Stopping container</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>When the container has been created, it is ready to run an

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano application / system.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano This is the purpose of the <command>lxc-execute</command> and

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-start</command> commands.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano If the container was not created before

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano starting the application, the container will use the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano configuration file passed as parameter to the command,

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano and if there is no such parameter either, then

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano it will use a default isolation.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano If the application is ended, the container will be stopped also,

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano but if needed the <command>lxc-stop</command> command can

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano be used to kill the still running application.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Running an application inside a container is not exactly the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano same thing as running a system. For this reason, there are two

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano different commands to run an application into a container:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano lxc-execute -n foo [-f config] /bin/bash

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano lxc-start -n foo [-f config] [/bin/bash]

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-execute</command> command will run the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano specified command into the container via an intermediate

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano process, <command>lxc-init</command>.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano This lxc-init after launching the specified command,

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano will wait for its end and all other reparented processes.

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano (that allows to support daemons in the container).

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano In other words, in the

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano container, <command>lxc-init</command> has the pid 1 and the

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano first process of the application has the pid 2.

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano </para>

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano <para>

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano <command>lxc-start</command> command will run directly the specified

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano command into the container.

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano The pid of the first process is 1. If no command is

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano specified <command>lxc-start</command> will

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano run <filename>/sbin/init</filename>.

b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano To summarize, <command>lxc-execute</command> is for running

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano an application and <command>lxc-start</command> is better suited for

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano running a system.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano If the application is no longer responding, is inaccessible or is

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano not able to finish by itself, a

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano wild <command>lxc-stop</command> command will kill all the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano processes in the container without pity.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-stop -n foo

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Connect to an available tty</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano If the container is configured with the ttys, it is possible

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano to access it through them. It is up to the container to

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano provide a set of available tty to be used by the following

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command. When the tty is lost, it is possible to reconnect it

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano without login again.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-console -n foo -t 3

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Freeze / Unfreeze container</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Sometime, it is useful to stop all the processes belonging to

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano a container, eg. for job scheduling. The commands:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-freeze -n foo

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will put all the processes in an uninteruptible state and

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-unfreeze -n foo

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will resume them.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano This feature is enabled if the cgroup freezer is enabled in the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano kernel.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Getting information about container</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>When there are a lot of containers, it is hard to follow

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano what has been created or destroyed, what is running or what are

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the pids running into a specific container. For this reason, the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano following commands may be usefull:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ls

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ps --name foo

b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano lxc-info -n foo

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-ls</command> lists the containers of the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano system. The command is a script built on top

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano of <command>ls</command>, so it accepts the options of the ls

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano commands, eg:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ls -C1

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display the containers list in one column or:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ls -l

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display the containers list and their permissions.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-ps</command> will display the pids for a specific

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container. Like <command>lxc-ls</command>, <command>lxc-ps</command>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano is built on top of <command>ps</command> and accepts the same

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano options, eg:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>lxc-ps --name foo --forest</programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display the processes hierarchy for the processes

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano belonging the 'foo' container.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>lxc-ps --lxc</programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display all the containers and their processes.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-info</command> gives informations for a specific

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container, at present time, only the state of the container is

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano displayed.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Here is an example on how the combination of these commands

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano allow to list all the containers and retrieve their state.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for i in $(lxc-ls -1); do

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-info -n $i

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano done

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano And displaying all the pids of all the containers:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for i in $(lxc-ls -1); do

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ps --name $i --forest

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano done

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-netstat</command> display network information for

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano a specific container. This command is built on top of

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the <command>netstat</command> command and will accept its

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano options

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The following command will display the socket informations for

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the container 'foo'.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-netstat -n foo -tano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Monitoring container</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>It is sometime useful to track the states of a container,

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for example to monitor it or just to wait for a specific

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano state in a script.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-monitor</command> command will monitor one or

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano several containers. The parameter of this command accept a

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano regular expression for example:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-monitor -n "foo|bar"

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will monitor the states of containers named 'foo' and 'bar', and:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-monitor -n ".*"

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will monitor all the containers.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano For a container 'foo' starting, doing some work and exiting,

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the output will be in the form:

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [STARTING]

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [RUNNING]

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [STOPPING]

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [STOPPED]

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-wait</command> command will wait for a specific

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano state change and exit. This is useful for scripting to

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano synchronize the launch of a container or the end. The

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano parameter is an ORed combination of different states. The

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano following example shows how to wait for a container if he went

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano to the background.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano<![CDATA[

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano]]>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>

99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand <title>Setting the control group for container</title>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>The container is tied with the control groups, when a

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container is started a control group is created and associated

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano with it. The control group properties can be read and modified

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano when the container is running by using the lxc-cgroup command.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-cgroup</command> command is used to set or get a

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano control group subsystem which is associated with a

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container. The subsystem name is handled by the user, the

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command won't do any syntax checking on the subsystem name, if

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the subsystem name does not exists, the command will fail.

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>

f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>

lxc-cgroup -n foo cpuset.cpus

</programlisting>

will display the content of this subsystem.

<programlisting>

lxc-cgroup -n foo cpu.shares 512

</programlisting>

will set the subsystem to the specified value.

</para>

</refsect2>

</refsect1>

<refsect1>

<title>Bugs</title>

<para>The <command>lxc</command> is still in development, so the

command syntax and the API can change. The version 1.0.0 will be

the frozen version.</para>

</refsect1>

&seealso;

<refsect1>

<title>Author</title>

<para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>

</refsect1>

</refentry>