lxc.sgml.in revision b6d441f289eb03a1a6fe0662a14c26ecc852be21
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanolxc: linux Container library
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano(C) Copyright IBM Corp. 2007, 2008
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoDaniel Lezcano <dlezcano at fr.ibm.com>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoThis library is free software; you can redistribute it and/or
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanomodify it under the terms of the GNU Lesser General Public
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoLicense as published by the Free Software Foundation; either
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoversion 2.1 of the License, or (at your option) any later version.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoThis library is distributed in the hope that it will be useful,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanobut WITHOUT ANY WARRANTY; without even the implied warranty of
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoLesser General Public License for more details.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoYou should have received a copy of the GNU Lesser General Public
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoLicense along with this library; if not, write to the Free Software
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoFoundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refmiscinfo>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Version @LXC_MAJOR_VERSION@.@LXC_MINOR_VERSION@.@LXC_MICRO_VERSION@
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refmiscinfo>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refnamediv>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refpurpose>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano linux containers
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refpurpose>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refnamediv>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano You are in a hurry, and you don't want to read this man page. Ok,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano without warranty, here are the commands to launch a shell inside
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano a container with a predefined configuration template, it may
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano @BINDIR@/lxc-execute -n foo -f @SYSCONFDIR@/lxc/lxc-macvlan.conf /bin/bash
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The container technology is actively being pushed into the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano mainstream linux kernel. It provides the resource management
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano through the control groups aka process containers and resource
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano isolation through the namespaces.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The linux containers, <command>lxc</command>, aims to use these
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano new functionalities to provide an userspace container object
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano which provides full resource isolation and resource control for
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano an applications or a system.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The first objective of this project is to make the life easier
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for the kernel developers involved in the containers project and
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano especially to continue working on the Checkpoint/Restart new
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano features. The <command>lxc</command> is small enough to easily
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano manage a container with simple command lines and complete enough
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano to be used for other purposes.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano The <command>lxc</command> relies on a set of functionalies
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano provided by the kernel which needs to be active. Depending of
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano the missing functionalities the <command>lxc</command> will
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano work with a restricted number of functionalities or will simply
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The following list gives the kernel features to be enabled in
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the kernel to have the full features container:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano * Control Group support
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> namespace cgroup subsystem
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> cpuset support
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Group CPU scheduler
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> control group freeze subsystem
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Basis for grouping tasks (Control Groups)
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Simple CPU accounting
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Resource counters
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Memory resource controllers for Control Groups
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Namespace support
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> UTS namespace
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> IPC namespace
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> User namespace
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Pid namespace
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano * Network support
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Networking options
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Network namespace support
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano For the moment the easiest way to have all the features in the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano kernel is to use the git tree at:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <systemitem>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano git://git.kernel.org/pub/scm/linux/kernel/git/daveh/linux-2.6-lxc.git
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </systemitem>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano But the kernel version >= 2.6.27 shipped with the distros, may
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano work with <command>lxc</command>, this one will have less
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano functionalities but enough to be interesting.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The planned kernel version which <command>lxc</command> should
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano be fully functionaly is 2.6.29.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Before using the <command>lxc</command>, your system should be
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano configured with the file capabilities, otherwise you will need
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano to run the <command>lxc</command> commands as root. The
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano control group should be mounted anywhere, eg:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano A container is an object where the configuration is
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano persistent. The application will be launched inside this
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container and it will use the configuration which was previously
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>How to run an application in a container ?</para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Before running an application, you should know what are the
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano resources you want to isolate. The default configuration is to
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano isolate the pids, the sysv ipc and the mount points. If you want
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano to run a simple shell inside a container, a basic configuration
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano is needed, especially if you want to share the rootfs. If you
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano want to run an application like <command>sshd</command>, you
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano should provide a new network stack and a new hostname. If you
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano want to avoid conflicts with some files
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano eg. <filename>/var/run/httpd.pid</filename>, you should
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano remount <filename>/var/run</filename> with an empty
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano directory. If you want to avoid the conflicts in all the cases,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano you can specify a rootfs for the container. The rootfs can be a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano directory tree, previously bind mounted with the initial rootfs,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano so you can still use your distro but with your
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano own <filename>/etc</filename> and <filename>/home</filename>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Here is an example of directory tree
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano[root@lxc sshd]$ tree -d rootfs
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano| `-- network
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | `-- empty
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano and the mount points file associated with it:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano [root@lxc sshd]$ cat fstab
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>Running a system inside a container is paradoxically easier
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano than running an application. Why ? Because you don't have to care
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano about the resources to be isolated, everything need to be isolated
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano except <filename>/dev</filename> which needs to be remounted in
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the container rootfs, the other resources are specified as being
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano isolated but without configuration because the container will set
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano them up. eg. the ipv4 address will be setup by the system
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container init scripts. Here is an example of the mount points
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano [root@lxc debian]$ cat fstab
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /dev/pts /home/root/debian/rootfs/dev/pts none bind 0 0
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano More information can be added to the container to facilitate the
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano configuration. For example, make accessible from the container
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano the resolv.conf file belonging to the host.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano /etc/resolv.conf /home/root/debian/rootfs/etc/resolv.conf none bind 0 0
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano When the container is created, it contains the configuration
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano information. When a process is launched, the container will be
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano starting and running. When the last process running inside the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container exits, the container is stopped.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano In case of failure when the container is initialized, it will
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano pass through the aborting state.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | STOPPED |<---------------
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano --------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------- | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano --------- ---------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano --------- ---------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------- | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | STOPPING |<------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------------------
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>The container is configured through a configuration
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano file, the format of the configuration file is described in
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><filename>lxc.conf</filename></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Creating / Destroying the containers</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The container is created via the <command>lxc-create</command>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command. It takes a container name as parameter and an
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano optional configuration file. The name is used by the different
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano commands to refer to this
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container. The <command>lxc-destroy</command> command will
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano destroy the container object.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-create -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-destroy -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>When the container has been created, it is ready to run an
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano application / system. When the application has to be destroyed
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the container can be stopped, that will kill all the processes
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano of the container.</para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Running an application inside a container is not exactly the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano same thing as running a system. For this reason, there is two
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano commands to run an application into a container:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-execute</command> command will run the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano specified command into a container but it will mount /proc
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano and autocreate/autodestroy the container if it does not
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano exist. It will furthermore create an intermediate
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano process, <command>lxc-init</command>, which is in charge to
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano launch the specified command, that allows to support daemons
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano in the container. In other words, in the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container <command>lxc-init</command> has the pid 1 and the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano first process of the application has the pid 2.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-start</command> command will run the specified
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command into the container doing nothing else than using the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano configuration specified by <command>lxc-create</command>.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The pid of the first process is 1. If no command is
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano To summarize, <command>lxc-execute</command> is for running
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano an application and <command>lxc-start</command> is for
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano running a system.
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano If the application is no longer responding, inaccessible or is
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano not able to finish by itself, a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano wild <command>lxc-stop</command> command will kill all the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano processes in the container without pity.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-stop -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Sometime, it is useful to stop all the processes belonging to
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano a container, eg. for job scheduling. The commands:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-freeze -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano will put all the processes in an uninteruptible state and
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-unfreeze -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will resume all the tasks.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano This feature is enabled if the cgroup freezer is enabled in the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Getting information about the container</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>When there are a lot of containers, it is hard to follow
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano what has been created or destroyed, what is running or what are
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the pids running into a specific container. For this reason, the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano following commands give this information:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ps -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-info -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-ls</command> lists the containers of the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano system. The command is a script built on top
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano of <command>ls</command>, so it accepts the options of the ls
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano commands, eg:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display the containers list in one column or:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display the containers list and their permissions.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-ps</command> will display the pids for a specific
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container. Like <command>lxc-ls</command>, <command>lxc-ps</command>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano is built on top of <command>ps</command> and accepts the same
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano options, eg:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ps -n foo --forest
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display the process hierarchy for the container 'foo'.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-info</command> gives informations for a specific
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano container, at present time, only the state of the container is
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Here is an example on how the combination of these commands
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano allow to list all the containers and retrieve their state.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for i in $(lxc-ls -1); do
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-info -n $i
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano And displaying all the pids of all the containers:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for i in $(lxc-ls -1); do
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ps -n $i --forest
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-netstat</command> display network information for
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano a specific container. This command is built on top of
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the <command>netstat</command> command and will accept its
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The following command will display the socket informations for
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the container 'foo'.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-netstat -n foo -tano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>It is sometime useful to track the states of a container,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for example to monitor it or just to wait for a specific
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano state in a script.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-monitor</command> command will monitor one or
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano several containers. The parameter of this command accept a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano regular expression for example:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-monitor -n "foo|bar"
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will monitor the states of containers named 'foo' and 'bar', and:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-monitor -n ".*"
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will monitor all the containers.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano For a container 'foo' starting, doing some work and exiting,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the output will be in the form:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [STARTING]
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [RUNNING]
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [STOPPING]
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [STOPPED]
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-wait</command> command will wait for a specific
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano state change and exit. This is useful for scripting to
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano synchronize the launch of a container or the end. The
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano parameter is an ORed combination of different states. The
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano following example shows how to wait for a container if he went
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano to the background.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano # launch lxc-wait in background
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-wait -n foo -s STOPPED &
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano LXC_WAIT_PID=$!
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano # this command goes in background
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-execute -n foo mydaemon &
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano # block until the lxc-wait exits
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano # and lxc-wait exits when the container
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano # is STOPPED
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano wait $LXC_WAIT_PID
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano echo "'foo' is finished"
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Setting the control group for a container</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>The container is tied with the control groups, when a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container is started a control group is created and associated
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano with it. The control group properties can be read and modified
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano when the container is running by using the lxc-cgroup command.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-cgroup</command> command is used to set or get a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano control group subsystem which is associated with a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container. The subsystem name is handled by the user, the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command won't do any syntax checking on the subsystem name, if
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the subsystem name does not exists, the command will fail.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-cgroup -n foo cpuset.cpus
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display the content of this subsystem.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-cgroup -n foo cpu.shares 512
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will set the subsystem to the specified value.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>The <command>lxc</command> is still in development, so the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command syntax and the API can change. The version 1.0.0 will be
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the frozen version.</para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-create</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-destroy</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-start</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-execute</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-stop</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-monitor</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-wait</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-cgroup</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-ls</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-ps</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-info</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-freeze</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc-unfreeze</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><command>lxc.conf</command></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano<!-- Keep this comment at the end of the file Local variables: mode:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanosgml sgml-omittag:t sgml-shorttag:t sgml-minimize-attributes:nil
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanosgml-always-quote-attributes:t sgml-indent-step:2 sgml-indent-data:t
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanosgml-parent-document:nil sgml-default-dtd-file:nil
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanosgml-exposed-tags:nil sgml-local-catalogs:nil
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanosgml-local-ecat-files:nil End: -->