<!--

lxc: linux Container library

(C) Copyright IBM Corp. 2007, 2008

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

-->

<!DOCTYPE refentry PUBLIC @docdtd@ [
<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
]>
<date>@LXC_GENERATE_DATE@</date>
<refentrytitle>lxc</refentrytitle>
<manvolnum>7</manvolnum>
Version @PACKAGE_VERSION@
<refname>lxc</refname>
<title>Quick start</title>
You are in a hurry, and you don't want to read this man page. Ok,
without warranty, here is the command to launch a shell inside
a container with a predefined configuration template, it may
<command>@BINDIR@/lxc-execute -n foo -f @DOCDIR@/examples/lxc-macvlan.conf /bin/bash</command>
<title>Overview</title>
Container technology is actively being merged into the mainstream
Linux kernel. It provides resource management through control
groups (aka process containers) and resource isolation through
namespaces.
Linux containers, <command>lxc</command>, aims to use these new
functionalities to provide a userspace container object which
provides full resource isolation and resource control for an
application or a system.
The first objective of this project is to make life easier for
the kernel developers involved in the containers project and
features. <command>lxc</command> is small enough to easily manage
a container with simple command lines and complete enough to be
used for other purposes.
<title>Requirements</title>
<command>lxc</command> relies on a set of functionalities
provided by the kernel which need to be active. Depending on
which functionalities are missing, <command>lxc</command> will
work with a restricted number of functionalities or will simply
The following list gives the kernel features to be enabled in
the kernel to have the full-featured container:
* Control Group support
-> Namespace cgroup subsystem
-> Freezer cgroup subsystem
-> Simple CPU accounting cgroup subsystem
-> Resource counters
-> Memory resource controllers for Control Groups
-> Basis for grouping tasks (Control Groups)
-> Network namespace
-> Support multiple instances of devpts
* Network device support
-> Virtual ethernet pair device
* Networking options
-> 802.1d Ethernet Bridging
-> File POSIX Capabilities
A kernel version >= 2.6.32 as shipped by the distros will work
with <command>lxc</command>; it may have fewer functionalities,
but enough to be interesting.
The helper script <command>lxc-checkconfig</command> will give
you information about your kernel configuration. Run it before
relying on the isolation: as said above, a missing feature may
just mean that <command>lxc</command> runs with that
functionality restricted rather than refusing to start.
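The following script is a minimal stand-in for the check
<command>lxc-checkconfig</command> performs, added here as an
example; it is not the project's script. It reads a kernel
configuration (an explicit file, else /proc/config.gz, else the
/boot copy for the running kernel) and reports, for each feature of
the list above, whether it is built in, a module, or missing. The
CONFIG_* symbols paired with the feature descriptions, and the
function names, are this example's assumptions.

```sh
#!/bin/sh
# Added example, not the project's lxc-checkconfig: report the state of
# the kernel features listed in the Requirements section.
# The CONFIG_* names below are this example's mapping of those features.

# Locate a kernel config: explicit path, else /proc/config.gz, else /boot.
kconfig_path() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    elif [ -f /proc/config.gz ]; then
        printf '%s\n' /proc/config.gz
    elif [ -f "/boot/config-$(uname -r)" ]; then
        printf '%s\n' "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Print a config file, transparently decompressing a .gz one.
kconfig_cat() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# kconfig_state FILE SYMBOL -> enabled | module | missing
kconfig_state() {
    line=$(kconfig_cat "$1" | grep "^$2=" | head -n 1)
    case "$line" in
        "$2=y") echo enabled ;;
        "$2=m") echo module ;;
        *)      echo missing ;;
    esac
}

# lxc_checkconfig [FILE]: one line per feature; exit 1 if any is missing.
# A missing namespace or cgroup controller is not an error for lxc itself:
# the container simply shares that resource with the host, unisolated.
lxc_checkconfig() {
    cfg=$(kconfig_path "${1:-}") || { echo "no kernel config found" >&2; return 2; }
    missing=0
    while read -r sym desc; do
        state=$(kconfig_state "$cfg" "$sym")
        printf '%-42s %-8s %s\n' "$desc" "$state" "$sym"
        if [ "$state" = missing ]; then missing=1; fi
    done <<EOF
CONFIG_CGROUPS Basis for grouping tasks (Control Groups)
CONFIG_CGROUP_NS Namespace cgroup subsystem
CONFIG_CGROUP_FREEZER Freezer cgroup subsystem
CONFIG_CGROUP_CPUACCT Simple CPU accounting cgroup subsystem
CONFIG_RESOURCE_COUNTERS Resource counters
CONFIG_CGROUP_MEM_RES_CTLR Memory resource controller
CONFIG_NET_NS Network namespace
CONFIG_DEVPTS_MULTIPLE_INSTANCES Multiple instances of devpts
CONFIG_VETH Virtual ethernet pair device
CONFIG_BRIDGE 802.1d Ethernet Bridging
CONFIG_SECURITY_FILE_CAPABILITIES File POSIX Capabilities
EOF
    return $missing
}
```

Call <command>lxc_checkconfig</command> with no argument to check
the running kernel, or with a path to check a config before booting
it; a non-zero exit status means at least one feature is missing,
which the first column tells you.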
The control group can be mounted anywhere, eg:
<command>mount -t cgroup cgroup /cgroup</command>.
It is however recommended to use cgmanager, cgroup-lite or systemd.
<title>Functional specification</title>
A container is an object isolating some resources of the host
for the application or system running in it.
The application / system will be launched inside a container
specified by a configuration that is either created beforehand
or passed as parameter of the starting commands.
<para>How to run an application in a container ?</para>
Before running an application, you should know which resources
you want to isolate. The default configuration is to isolate the
pids, the SysV IPC and the mount points. If you want to run a
simple shell inside a container, a basic configuration is
needed, especially if you want to share the rootfs. If you want
to run an application like <command>sshd</command>, you should
provide a new network stack and a new hostname. If you want to
avoid conflicts with some files [...] directory. If you want to
avoid the conflicts in all cases, you can specify a rootfs for
the container. The rootfs can be a directory tree, previously
bind mounted with the initial rootfs, so you can still use your
distro but with your own <filename>/etc</filename> and
<filename>/home</filename>.
Here is an example of directory tree for <command>sshd</command>:
[root@lxc sshd]$ tree -d rootfs
and the mount points file associated with it:
[root@lxc sshd]$ cat fstab
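As an added example (not the project's sample tree or fstab), the
script below builds such a layout for <command>sshd</command>: a
rootfs directory with the container's own <filename>/etc</filename>
and <filename>/home</filename>, the host's <filename>/bin</filename>,
<filename>/sbin</filename>, <filename>/lib</filename> and
<filename>/usr</filename> bind mounted read-only into it, and a
mount points file describing those mounts. The base directory, the
list of private directories and the function names are this
example's assumptions. It also includes the check a cautious
administrator wants before starting the container: every bind
mount of a host directory must be read-only, otherwise root inside
the container can rewrite the host's binaries.

```sh
#!/bin/sh
# Added example, not the project's sample files: build an sshd rootfs that
# shares the host's binaries read-only and owns its /etc and /home.

# make_sshd_rootfs DIR: create DIR/rootfs with private directories and
# DIR/fstab, the mount points file for lxc; prints the fstab path.
make_sshd_rootfs() {
    base=$1
    rootfs=$base/rootfs
    # Private, writable directories: a different /etc and /home than the
    # host, plus the runtime directories sshd writes to (assumed list).
    for d in etc home root var/run var/log var/empty dev/pts proc sys; do
        mkdir -p "$rootfs/$d"
    done
    : > "$base/fstab"
    # Shared host directories, read-only so root inside the container
    # cannot alter the host's binaries or libraries.
    for d in bin sbin lib usr; do
        mkdir -p "$rootfs/$d"
        printf '/%s %s/%s none ro,bind 0 0\n' "$d" "$rootfs" "$d" >> "$base/fstab"
    done
    # Kernel-backed filesystems; devpts gets its own instance, which needs
    # the "Support multiple instances of devpts" kernel option.
    printf 'none %s/proc proc defaults 0 0\n' "$rootfs" >> "$base/fstab"
    printf 'none %s/sys sysfs defaults 0 0\n' "$rootfs" >> "$base/fstab"
    printf 'none %s/dev/pts devpts newinstance 0 0\n' "$rootfs" >> "$base/fstab"
    printf '%s\n' "$base/fstab"
}

# fstab_bind_ro_check FSTAB: fail if any bind mount lacks "ro". A writable
# bind mount of a host directory lets the container modify the host.
fstab_bind_ro_check() {
    bad=0
    while read -r src dst fstype opts rest; do
        case "$src" in ''|'#'*) continue ;; esac
        case ",$opts," in
            *,bind,*)
                case ",$opts," in
                    *,ro,*) ;;
                    *) echo "writable bind mount: $src -> $dst" >&2; bad=1 ;;
                esac ;;
        esac
    done < "$1"
    return $bad
}
```

Populate <filename>rootfs/etc</filename> yourself (at least the
sshd configuration and the users you want), then point the
container configuration at the generated fstab. A read-only flag
on a bind mount only takes effect through a remount, which
<command>lxc</command> performs for "ro" entries; still verify from
inside the running container that <filename>/bin</filename> really
refuses writes before trusting the setup.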
<para>How to run a system in a container ?</para>
<para>Running a system inside a container is paradoxically easier
than running an application. Why? Because you don't have to care
about the resources to be isolated: everything needs to be
isolated. The other resources are specified as being isolated but
without configuration, because the container will set them up,
eg. the IPv4 address will be set up by the system container's
init scripts. Here is an example of the mount points file:</para>
[root@lxc debian]$ cat fstab
More information can be added to the container to facilitate the
configuration. For example, make accessible from the container [...]
<title>Container life cycle</title>
When the container is created, it contains the configuration
information. When a process is launched, the container will be
starting and running. When the last process running inside the
container exits, the container is stopped.
In case of failure when the container is initialized, it will
pass through the aborting state.

         ---------
        | STOPPED |<---------------
         ---------                 |
             |                     |
           start                   |
             |                     |
             V                     |
         ----------                |
        | STARTING |--error-       |
         ----------         |      |
             |              |      |
             V              V      |
         ---------    ----------   |
        | RUNNING |  | ABORTING |  |
         ---------    ----------   |
             |              |      |
         no process         |      |
             |              |      |
             V              |      |
         ----------         |      |
        | STOPPING |<-------       |
         ----------                |
             |                     |
              ---------------------

<title>Configuration</title>
<para>The container is configured through a configuration
file; the format of the configuration file is described in
<refentrytitle><filename>lxc.conf</filename></refentrytitle>
<manvolnum>5</manvolnum>.</para>
<title>Creating / Destroying container (persistent container)</title>
A persistent container object can be created via the
<command>lxc-create</command> command. It takes a container name
as parameter, and optionally a configuration file and a template.
The name is used by the different commands to refer to this
container. The <command>lxc-destroy</command> command will
destroy the container object.
<title>Volatile container</title>
<para>It is not mandatory to create a container object: the
container can be directly started with a configuration file as
parameter.</para>
<title>Starting / Stopping container</title>
<para>When the container has been created, it is ready to run an
application / system. This is the purpose of the
<command>lxc-execute</command> and <command>lxc-start</command>
commands. If the container was not created before starting the
application, the container will use the configuration file passed
as parameter to the command, and if there is no such parameter
either, it will use a default isolation. When the application
ends, the container is stopped as well, but if needed the
<command>lxc-stop</command> command can be used to kill the
still-running application.</para>
Running an application inside a container is not exactly the
same thing as running a system. For this reason, there are two
different commands to run an application into a container:
<command>lxc-execute</command> runs the specified command inside
the container via an intermediate process,
<command>lxc-init</command>. After launching the specified
command, lxc-init waits for it to end and for all other reparented
processes (to support daemons in the container). In other words,
inside the container <command>lxc-init</command> has pid 1 and
the first process of the application has pid 2.
<command>lxc-start</command> runs the specified command directly
inside the container; the pid of its first process is 1. If no
command is specified, <command>lxc-start</command> will [...]
To summarize, <command>lxc-execute</command> is for running an
application and <command>lxc-start</command> is better suited for
running a system.
If the application is no longer responding, is inaccessible or is
not able to finish by itself, a wild <command>lxc-stop</command>
command will kill all the processes in the container without pity.
<title>Connect to an available tty</title>
If the container is configured with ttys, it is possible to
access it through them. It is up to the container to provide a
set of available ttys to be used by the following command. When
the tty is lost, it is possible to reconnect to it without
logging in again.
lxc-console -n foo -t 3
<title>Freeze / Unfreeze container</title>
Sometimes it is useful to stop all the processes belonging to
a container, eg. for job scheduling. The
<command>lxc-freeze</command> command will put all the processes
in an uninterruptible state and <command>lxc-unfreeze</command>
will resume them.
This feature is enabled if the cgroup freezer is enabled in the
kernel.
<title>Getting information about container</title>
<para>When there are a lot of containers, it is hard to follow
what has been created or destroyed, what is running or what are
the pids running inside a specific container. For this reason, the
following commands may be useful:</para>
<command>lxc-ls</command> lists the containers of the system.
<command>lxc-info</command> gives information for a specific
container.
Here is an example of how the combination of these commands
allows to list all the containers and retrieve their state:
for i in $(lxc-ls -1); do
  lxc-info -n "$i"
done
<title>Monitoring container</title>
<para>It is sometimes useful to track the states of a container,
for example to monitor it or just to wait for a specific
state.</para>
The <command>lxc-monitor</command> command will monitor one or
several containers. The parameter of this command accepts a
regular expression, for example:
lxc-monitor -n "foo|bar"
will monitor the states of the containers named 'foo' and 'bar',
and a regular expression matching every name will monitor all the
containers.
For a container 'foo' starting, doing some work and exiting,
the output will be in the form:
'foo' changed state to [STARTING]
'foo' changed state to [RUNNING]
'foo' changed state to [STOPPING]
'foo' changed state to [STOPPED]
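The following script, added here as an example and not part of the
project, ties the monitor output above to the life cycle diagram of
the previous section: it parses the lines <command>lxc-monitor</command>
prints, follows one container from STOPPED and reports its last
state, failing if it observes a transition the diagram does not
allow (STOPPED to STARTING, STARTING to RUNNING or ABORTING,
RUNNING or ABORTING to STOPPING, STOPPING to STOPPED). The line
format is the one shown above; the transition table and the
function names are this example's reading of the diagram.

```sh
#!/bin/sh
# Added example, not the project's code: parse lxc-monitor output and
# check the observed state changes against the container life cycle.

# lxc_monitor_parse: stdin = lxc-monitor output, stdout = "<name> <STATE>".
lxc_monitor_parse() {
    sed -n "s/^'\([^']*\)' changed state to \[\([A-Z]*\)\]\$/\1 \2/p"
}

# lxc_transition_ok FROM TO: succeed only if the life cycle allows FROM -> TO
# (transition table assumed from the state diagram above).
lxc_transition_ok() {
    case "$1:$2" in
        STOPPED:STARTING|STARTING:RUNNING|STARTING:ABORTING|RUNNING:STOPPING|ABORTING:STOPPING|STOPPING:STOPPED) return 0 ;;
        *) return 1 ;;
    esac
}

# lxc_trace NAME: read parsed "<name> <STATE>" lines on stdin, follow NAME
# from STOPPED and print its last state; exit 1 if a transition the diagram
# does not allow was seen (a lost or out-of-order event worth investigating).
lxc_trace() {
    name=$1
    prev=STOPPED
    status=0
    while read -r n state; do
        [ "$n" = "$name" ] || continue
        if ! lxc_transition_ok "$prev" "$state"; then
            echo "'$name': unexpected transition $prev -> $state" >&2
            status=1
        fi
        prev=$state
    done
    echo "$prev"
    return $status
}
```

For a live view, pipe the monitor into the parser, eg.
<command>lxc-monitor -n "foo|bar" | lxc_monitor_parse</command>;
<command>lxc_trace</command> is meant for a captured log, since it
only reports once its input ends.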
The <command>lxc-wait</command> command will wait for a specific
state change and exit. This is useful for scripting to
synchronize the launch of a container or its end. The
parameter is an ORed combination of different states. The
following example shows how to wait for a container to reach the
STOPPED state:
# launch lxc-wait in background
lxc-wait -n foo -s STOPPED &
LXC_WAIT_PID=$!

# this command goes in background
lxc-execute -n foo mydaemon &

# block until the lxc-wait exits
# and lxc-wait exits when the container
# is STOPPED
wait $LXC_WAIT_PID
<title>Setting the control group for container</title>
<para>The container is tied to the control groups: when a
container is started a control group is created and associated
with it. The control group properties can be read and modified
while the container is running by using the
<command>lxc-cgroup</command> command.</para>
The <command>lxc-cgroup</command> command is used to set or get a
control group subsystem attribute associated with a container. The
subsystem name is handled by the user; the command does no syntax
checking on it, and if the subsystem name does not exist the
command fails. Given only the subsystem name, the command
will display the content of this subsystem; given a name and a
value, it will set the subsystem to the specified value.
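Since the cgroup can be mounted anywhere (see Requirements) and
<command>lxc-cgroup</command> does no syntax checking of the name
it is given, the two helpers below, added here as an example and not
part of the project, do that work around it: one finds the mount
point of the hierarchy carrying a given subsystem from a mount table
in /proc/mounts format, the other validates a
subsystem.attribute name before it reaches the command line, and a
wrapper sets a value and reads it back. The list of accepted
subsystems, the function names and the read-back policy are this
example's assumptions.

```sh
#!/bin/sh
# Added example, not the project's code: checks around lxc-cgroup.

# Subsystems this wrapper will accept (assumed list).
CGROUP_SUBSYSTEMS="cpu cpuacct cpuset memory devices freezer blkio net_cls ns"

# cgroup_mount_for SUBSYS: read a mount table (/proc/mounts format) on
# stdin and print the mount point of the cgroup hierarchy carrying SUBSYS.
cgroup_mount_for() {
    while read -r dev mnt fstype opts rest; do
        [ "$fstype" = cgroup ] || continue
        case ",$opts," in
            *",$1,"*) printf '%s\n' "$mnt"; return 0 ;;
        esac
    done
    return 1
}

# cgroup_key_ok KEY: accept only <subsystem>.<attribute> with a known
# subsystem and a plain attribute name (no shell metacharacters).
cgroup_key_ok() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    sub=${1%%.*}
    attr=${1#*.}
    case "$attr" in
        ''|*[!A-Za-z0-9_.]*) return 1 ;;
    esac
    case " $CGROUP_SUBSYSTEMS " in
        *" $sub "*) return 0 ;;
    esac
    return 1
}

# lxc_cgroup_set NAME KEY VALUE: validate KEY, set it with lxc-cgroup and
# read it back. The kernel may normalise a value (cpuset.cpus "0,1" reads
# back as "0-1"), so a mismatch is reported but left for the caller to judge.
lxc_cgroup_set() {
    cgroup_key_ok "$2" || { echo "refusing cgroup key '$2'" >&2; return 2; }
    lxc-cgroup -n "$1" "$2" "$3" || return 1
    got=$(lxc-cgroup -n "$1" "$2") || return 1
    if [ "$got" != "$3" ]; then
        echo "$2 reads back as '$got' (asked for '$3')" >&2
    fi
    printf '%s\n' "$got"
}
```

Use <command>cgroup_mount_for memory < /proc/mounts</command> to
learn where the memory hierarchy lives on a given host, and
<command>lxc_cgroup_set foo cpu.shares 512</command> instead of a
bare <command>lxc-cgroup</command> call when the key comes from a
script or a user.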
<para><command>lxc</command> is still in development, so the
command syntax and the API can change. The version 1.0.0 will be
the frozen version.</para>
<para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
<!-- Keep this comment at the end of the file Local variables: mode: sgml sgml-omittag:t sgml-shorttag:t sgml-minimize-attributes:nil sgml-always-quote-attributes:t sgml-indent-step:2 sgml-indent-data:t sgml-parent-document:nil sgml-default-dtd-file:nil sgml-exposed-tags:nil sgml-local-catalogs:nil sgml-local-ecat-files:nil End: -->