lxc.sgml.in revision c159cb963868d4646cf415abb064d8fd4b6ee848
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano<!--
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanolxc: linux Container library
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano(C) Copyright IBM Corp. 2007, 2008
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoAuthors:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoDaniel Lezcano <dlezcano at fr.ibm.com>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoThis library is free software; you can redistribute it and/or
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanomodify it under the terms of the GNU Lesser General Public
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoLicense as published by the Free Software Foundation; either
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoversion 2.1 of the License, or (at your option) any later version.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoThis library is distributed in the hope that it will be useful,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanobut WITHOUT ANY WARRANTY; without even the implied warranty of
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoLesser General Public License for more details.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoYou should have received a copy of the GNU Lesser General Public
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoLicense along with this library; if not, write to the Free Software
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanoFoundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano-->
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN" [
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand]>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano<refentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <docinfo>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <date>@LXC_GENERATE_DATE@</date>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </docinfo>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refmeta>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle>lxc</refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <manvolnum>7</manvolnum>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refmiscinfo>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Version @LXC_MAJOR_VERSION@.@LXC_MINOR_VERSION@.@LXC_MICRO_VERSION@
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refmiscinfo>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refmeta>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refnamediv>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refname>lxc</refname>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refpurpose>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano linux containers
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refpurpose>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refnamediv>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Quick start</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano You are in a hurry, and you don't want to read this man page. Ok,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano without warranty, here are the commands to launch a shell inside
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano a container with a predefined configuration template, it may
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano work.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano @BINDIR@/lxc-execute -n foo -f @SYSCONFDIR@/lxc/lxc-macvlan.conf /bin/bash
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </command>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Overview</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The container technology is actively being pushed into the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano mainstream linux kernel. It provides the resource management
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano through the control groups aka process containers and resource
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano isolation through the namespaces.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The linux containers, <command>lxc</command>, aim to use these
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano new functionalities to provide a userspace container object
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano which provides full resource isolation and resource control for
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano an application or a system.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The first objective of this project is to make the life easier
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for the kernel developers involved in the containers project and
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano especially to continue working on the Checkpoint/Restart new
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano features. The <command>lxc</command> is small enough to easily
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano manage a container with simple command lines and complete enough
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano to be used for other purposes.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Requirements</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano The <command>lxc</command> relies on a set of functionalities
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano provided by the kernel which need to be active. Depending on
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano the missing functionalities the <command>lxc</command> will
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano work with a restricted number of functionalities or will simply
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano fail.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The following list gives the kernel features to be enabled in
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the kernel to have a fully featured container:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi * General setup
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano * Control Group support
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Namespace cgroup subsystem
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Freezer cgroup subsystem
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Cpuset support
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Simple CPU accounting cgroup subsystem
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano -> Resource counters
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Memory resource controllers for Control Groups
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi * Group CPU scheduler
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Basis for grouping tasks (Control Groups)
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi * Namespaces support
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> UTS namespace
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> IPC namespace
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> User namespace
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Pid namespace
0478642a4349846ab8e76e318909886e795df92dFilippo Giunchedi -> Network namespace
ac30d6a43245e0c50aad9e2ebfb88d80aaeea691Filippo Giunchedi * Security options
ac30d6a43245e0c50aad9e2ebfb88d80aaeea691Filippo Giunchedi -> File POSIX Capabilities
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano A kernel version >= 2.6.27, as shipped with the distros, will
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano work with <command>lxc</command>, which will then have fewer
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano functionalities but enough to be interesting.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano With the kernel 2.6.29, <command>lxc</command> is fully
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano functional.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Before using <command>lxc</command>, your system should be
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano configured with the file capabilities; otherwise you will need
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano to run the <command>lxc</command> commands as root. Either way these commands run with elevated privileges, so limit which users may execute them.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano <para>
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano The control group can be mounted anywhere, eg:
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano <command>mount -t cgroup cgroup /cgroup</command>.
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano If you want to dedicate a specific cgroup mount point
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano for <command>lxc</command>, that is to have different cgroups
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano mounted at different places with different options but
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano let <command>lxc</command> use one location, you can bind
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano the mount point with the <option>lxc</option> name, eg:
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano <command>mount -t cgroup lxc /cgroup4lxc</command> or
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano <command>mount -t cgroup -ons,cpuset,freezer,devices
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano lxc /cgroup4lxc</command>
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano </para>
0d9f8e188c1c4832e4f6b9de646478947ae86877Daniel Lezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Functional specification</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano A container is an object where the configuration is
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano persistent. The application will be launched inside this
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container and it will use the configuration which was previously
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano created.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>How to run an application in a container ?</para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Before running an application, you should know what are the
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano resources you want to isolate. The default configuration is to
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano isolate the pids, the sysv ipc and the mount points. If you want
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano to run a simple shell inside a container, a basic configuration
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano is needed, especially if you want to share the rootfs. If you
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano want to run an application like <command>sshd</command>, you
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano should provide a new network stack and a new hostname. If you
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano want to avoid conflicts with some files
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano eg. <filename>/var/run/httpd.pid</filename>, you should
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano remount <filename>/var/run</filename> with an empty
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano directory. If you want to avoid the conflicts in all the cases,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano you can specify a rootfs for the container. The rootfs can be a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano directory tree, previously bind mounted with the initial rootfs,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano so you can still use your distro but with your
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano own <filename>/etc</filename> and <filename>/home</filename>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Here is an example of directory tree
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for <command>sshd</command>:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano[root@lxc sshd]$ tree -d rootfs
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanorootfs
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- bin
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- dev
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano| |-- pts
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano| `-- shm
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano| `-- network
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- etc
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano| `-- ssh
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- lib
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- proc
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- root
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- sbin
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- sys
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano|-- usr
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano`-- var
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano |-- empty
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | `-- sshd
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano |-- lib
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | `-- empty
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | `-- sshd
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano `-- run
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano `-- sshd
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano and the mount points file associated with it:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano [root@lxc sshd]$ cat fstab
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /lib /home/root/sshd/rootfs/lib none ro,bind 0 0
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /bin /home/root/sshd/rootfs/bin none ro,bind 0 0
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /usr /home/root/sshd/rootfs/usr none ro,bind 0 0
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /sbin /home/root/sshd/rootfs/sbin none ro,bind 0 0
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>How to run a system in a container ?</para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>Running a system inside a container is paradoxically easier
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano than running an application. Why? Because you don't have to care
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano about which resources to isolate: everything needs to be
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano isolated. The other resources are specified as being isolated but
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano without configuration, because the container will set them
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano up, e.g. the ipv4 address will be set up by the system container
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano init scripts. Here is an example of the mount points file:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano [root@lxc debian]$ cat fstab
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /dev /home/root/debian/rootfs/dev none bind 0 0
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano /dev/pts /home/root/debian/rootfs/dev/pts none bind 0 0
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
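b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano More information can be added to the container to facilitate the
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano configuration. For example, make the resolv.conf file belonging
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano to the host accessible from the container. A bind mount is not a copy: the container works on the host's own files, so an entry mounted without the ro option (the /dev entries above and the resolv.conf entry below) can be changed from inside the container by a process with sufficient permissions.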
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano /etc/resolv.conf /home/root/debian/rootfs/etc/resolv.conf none bind 0 0
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Container life cycle</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano When the container is created, it contains the configuration
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano information. When a process is launched, the container will be
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano starting and running. When the last process running inside the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container exits, the container is stopped.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano In case of failure when the container is initialized, it will
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano pass through the aborting state.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | STOPPED |<---------------
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano --------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano start |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano V |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | STARTING |--error- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------- | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano V V |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano --------- ---------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | RUNNING | | ABORTING | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano --------- ---------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano no process | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano V | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------- | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | STOPPING |<------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------- |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano | |
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano ---------------------
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Configuration</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>The container is configured through a configuration
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano file, the format of the configuration file is described in
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refentrytitle><filename>lxc.conf</filename></refentrytitle>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <manvolnum>5</manvolnum>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </citerefentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Creating / Destroying the containers</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The container is created via the <command>lxc-create</command>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command. It takes a container name as parameter and an
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano optional configuration file. The name is used by the different
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano commands to refer to this
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container. The <command>lxc-destroy</command> command will
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano destroy the container object.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-create -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-destroy -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Starting / Stopping a container</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>When the container has been created, it is ready to run an
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano application / system. When the application has to be destroyed
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the container can be stopped, that will kill all the processes
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano of the container.</para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Running an application inside a container is not exactly the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano same thing as running a system. For this reason, there are two
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano commands to run an application in a container:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-execute -n foo [-f config] /bin/bash
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-start -n foo [/bin/bash]
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-execute</command> command will run the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano specified command into a container but it will mount /proc
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano and autocreate/autodestroy the container if it does not
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano exist. It will furthermore create an intermediate
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano process, <command>lxc-init</command>, which is in charge of
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano launching the specified command; this makes it possible to support daemons
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano in the container. In other words, in the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container <command>lxc-init</command> has the pid 1 and the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano first process of the application has the pid 2.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-start</command> command will run the specified
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command into the container doing nothing else than using the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano configuration specified by <command>lxc-create</command>.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The pid of the first process is 1. If no command is
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano specified <command>lxc-start</command> will
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano run <filename>/sbin/init</filename>.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano To summarize, <command>lxc-execute</command> is for running
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano an application and <command>lxc-start</command> is for
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano running a system.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano If the application is no longer responding, inaccessible or is
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano not able to finish by itself, a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano wild <command>lxc-stop</command> command will kill all the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano processes in the container without pity.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-stop -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano <refsect2>
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano <title>Connect to an available tty</title>
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano <para>
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano If the container is configured with the ttys, it is possible
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano to access it through them. It is up to the container to
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano provide a set of available ttys to be used by the following
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano command. When the tty is lost, it is possible to reconnect to it
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano without logging in again. The session on that tty therefore remains open after a disconnection; log out first if it must not be resumed.
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano <programlisting>
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano lxc-console -n foo -t 3
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano </programlisting>
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano </para>
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano </refsect2>
b0a33c1eb65d2c87e886c740a0dadd8ad5f8d87ddlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Freeze / Unfreeze a container</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Sometimes, it is useful to stop all the processes belonging to
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano a container, eg. for job scheduling. The commands:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-freeze -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano will put all the processes in an uninterruptible state and
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-unfreeze -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will resume all the tasks.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano This feature is enabled if the cgroup freezer is enabled in the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano kernel.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Getting information about the container</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>When there are a lot of containers, it is hard to follow
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano what has been created or destroyed, what is running, or which
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano pids are running in a specific container. For this reason, the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano following commands give this information:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ls
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano lxc-ps --name foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-info -n foo
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-ls</command> lists the containers of the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano system. The command is a script built on top
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano of <command>ls</command>, so it accepts the options of the ls
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano commands, eg:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ls -C1
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display the containers list in one column or:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ls -l
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display the containers list and their permissions.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-ps</command> will display the pids for a specific
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container. Like <command>lxc-ls</command>, <command>lxc-ps</command>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano is built on top of <command>ps</command> and accepts the same
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano options, eg:
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano <programlisting>lxc-ps --name foo --forest</programlisting>
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano will display the process hierarchy for the processes
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano belonging to the 'foo' container.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano <programlisting>lxc-ps --lxc</programlisting>
c159cb963868d4646cf415abb064d8fd4b6ee848Daniel Lezcano will display all the containers and their processes.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-info</command> gives information about a specific
b6d441f289eb03a1a6fe0662a14c26ecc852be21dlezcano container. At present, only the state of the container is
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano displayed.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano Here is an example of how combining these commands
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano makes it possible to list all the containers and retrieve their state.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for i in $(lxc-ls -1); do
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-info -n $i
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano done
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano And displaying all the pids of all the containers (note that the other lxc-ps examples on this page select the container with --name rather than -n):
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for i in $(lxc-ls -1); do
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-ps -n $i --forest
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano done
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <command>lxc-netstat</command> displays network information for
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano a specific container. This command is built on top of
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the <command>netstat</command> command and will accept its
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano options.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The following command will display the socket information for
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the container 'foo'.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-netstat -n foo -tano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Monitoring the containers</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>It is sometimes useful to track the states of a container,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano for example to monitor it or just to wait for a specific
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano state in a script.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The <command>lxc-monitor</command> command will monitor one or
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano several containers. The parameter of this command accepts a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano regular expression, for example:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-monitor -n "foo|bar"
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will monitor the states of containers named 'foo' and 'bar', and:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-monitor -n ".*"
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will monitor all the containers.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano For a container 'foo' starting, doing some work and exiting,
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the output will be in the form:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [STARTING]
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [RUNNING]
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [STOPPING]
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano 'foo' changed state to [STOPPED]
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The <command>lxc-wait</command> command will wait for a specific
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano state change and exit. This is useful in scripts to
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano synchronize with the launch or the end of a container. The
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano parameter is an ORed combination of different states. The
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano following example shows how to wait for a container that went
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano to the background.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano # launch lxc-wait in background
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-wait -n foo -s STOPPED &
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano LXC_WAIT_PID=$!
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano # this command goes in background
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-execute -n foo mydaemon &
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano # block until the lxc-wait exits
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano # and lxc-wait exits when the container
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano # is STOPPED
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano wait $LXC_WAIT_PID
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano echo "'foo' is finished"
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Setting the control group for a container</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>The container is tied to the control groups: when a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container is started, a control group is created and associated
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano with it. The control group properties can be read and modified
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano while the container is running by using the lxc-cgroup command.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano The <command>lxc-cgroup</command> command is used to set or get a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano control group subsystem which is associated with a
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano container. The subsystem name is handled by the user; the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command won't do any syntax checking on the subsystem name, and if
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the subsystem name does not exist, the command will fail.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-cgroup -n foo cpuset.cpus
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will display the content of this subsystem.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano lxc-cgroup -n foo cpu.shares 512
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </programlisting>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano will set the subsystem to the specified value.
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect2>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Bugs</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>The <command>lxc</command> is still in development, so the
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano command syntax and the API can change. The version 1.0.0 will be
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano the frozen version.</para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand &seealso;
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <title>Author</title>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano </refsect1>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano</refentry>
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcano<!-- Keep this comment at the end of the file Local variables: mode:
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanosgml sgml-omittag:t sgml-shorttag:t sgml-minimize-attributes:nil
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanosgml-always-quote-attributes:t sgml-indent-step:2 sgml-indent-data:t
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanosgml-parent-document:nil sgml-default-dtd-file:nil
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanosgml-exposed-tags:nil sgml-local-catalogs:nil
f1d8791c17f7e0f131de20d7bbc8836b992bd4dbdlezcanosgml-local-ecat-files:nil End: -->