LXC/LXD Deep Dive

Elle Krout
March 30, 2020

Study Guide

Contents

What Are Linux Containers? ..... 5
Container Rundown ..... 5
Linux Containers ..... 5
Linux Container Daemon ..... 6
LXC vs. Docker ..... 7
Infrastructure vs. Application Containers ..... 7
LXC, LXD, and Docker ..... 7
Use Cases ..... 9
LXC/LXD Installation ..... 10
LXC ..... 10
LXD ..... 10
LXD Initialization ..... 11
Storage Backends ..... 12
Launching Our First Container ..... 14
Instance Configuration ..... 15
Accessing a Container ..... 16
Working with Files ..... 17
Networking ..... 18
Profiles ..... 19
Snapshots ..... 20
Image Remotes ..... 21
Creating a Remote ..... 22
Anatomy of an Image ..... 23
Publishing Containers ..... 24
Distrobuilder ..... 25
File Breakdown ..... 25
Server Configuration ..... 26
Server Clustering ..... 27
Server Backups ..... 28
Production Considerations ..... 29

Study Guide | LXC/LXD Deep Dive

What Are Linux Containers?

Container Rundown

• Containers are isolated execution environments
• Shared kernel with isolated resources
• Often compared to virtual machines:
  • Isolation feels like a virtual machine
  • Fewer resources than a virtual machine
  • Isolation (containers) versus virtualization (VMs)

Linux Containers

• LXC is short for Linux Containers
• Operating-system-level virtualization for Linux systems
• Leverages cgroups via the Linux kernel:
  • Prioritization of resources:
    • CPU
    • Memory
    • I/O
    • Network
• Shared kernel
• Namespace isolation
• lxc- commands

Linux Container Daemon

• LXD is the daemon on the host that accepts API calls for LXC
• LXC manages the container and LXD manages the remote (image/container servers)
• Extends LXC functionality
• Allows for easier migration and publishing
• lxc command

LXC vs. Docker

Infrastructure vs. Application Containers

• Infrastructure, or system, containers function similarly to virtual machines:
  • Work as an isolated OS environment
  • Generally used alongside traditional configuration management
  • Are upgraded and maintained
• Application containers are stateless and ephemeral and provide a platform-agnostic space for an application component:
  • Replaced, not upgraded
  • Portable, used with microservices

LXC, LXD, and Docker

• LXC/LXD are intended as system containers:
  • Long-running applications
  • Linux-only
  • Manages:
    • Kernel namespaces
    • AppArmor/SELinux profiles
    • chroots
    • Anything in the kernel/operating system
• Docker is more often used for application containers:
  • For creating a lot of containers fast
  • Linux, Windows, OS X
  • Self-contained file system, not a base userspace image
  • App + image:
    • Dockerfile

Use Cases

• Fast-deploying development environments without the performance hit
• Access to bare metal through the kernel
• Instances where the operating system matters:
  • LAMP stacks
  • Databases

LXC/LXD Installation

Course uses Ubuntu 18.04 LTS

LXC

• Dependencies:
  • glibc
  • Linux kernel >= 2.6.32
• Install via the lxc or lxc-utils package, depending on distribution:
  • CentOS-flavor: lxc
  • Ubuntu/Debian-flavor: lxc-utils

LXD

• Recommended install, all Linux flavors: snap install lxd:
  • Uninstall the apt package, if needed
  • Can also be installed from source, when necessary
• To use as non-root, add the user to the lxd group

LXD Initialization

• lxd init:
  • A prompt-based tool for configuring LXD
  • Can be run multiple times
• Prompts:
  • LXD clustering: Allows a number of LXD instances to share the same database
  • Storage pool configuration: Backend where LXD container file systems are stored:
    • Create a new pool or use an existing one
  • MAAS configuration: For connecting to bare-metal hosts
  • Container network configuration: Create a new network or use an existing one for container communication
  • LXD network configuration: Allow LXD to bind to a port for outside access
  • Update cached images: Automatically update images to the latest release
  • Preseed file: Generate a YAML configuration file to replicate the above configuration
• Reconfigure the server by running lxd init again
• Use a YAML-based preseed file to configure LXD: cat preseed.yaml | lxd init --preseed
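The preseed route described above, as an added example that is not from the study guide: a function that prints a preseed document for a single server, answering the storage, network and "bind to a port" prompts in one file. The pool name, driver, bridge name and internal address are placeholders passed as arguments; the trust password is deliberately not written into the file.

```shell
#!/bin/sh
# Added example (not from the study guide): generate an `lxd init` preseed
# document and feed it to `lxd init --preseed`. Pool, driver, bridge and
# address are placeholder arguments; the nic uses the nictype/parent form.

# write_preseed POOL DRIVER BRIDGE INTERNAL_IP
# Prints a preseed YAML document for a single (non-clustered) LXD server.
write_preseed() {
    pool="$1"; driver="$2"; bridge="$3"; addr="$4"
    cat <<EOF
config:
  # Bind the HTTPS API to the internal address only, not 0.0.0.0, so the
  # endpoint is reachable solely from the management network.
  core.https_address: ${addr}:8443
  # Refresh cached images periodically (the "Update cached images" prompt);
  # the value is in hours.
  images.auto_update_interval: 6
networks:
- name: ${bridge}
  type: bridge
  config:
    ipv4.address: auto
    ipv6.address: none
storage_pools:
- name: ${pool}
  driver: ${driver}
profiles:
- name: default
  devices:
    eth0:
      name: eth0
      nictype: bridged
      parent: ${bridge}
      type: nic
    root:
      path: /
      pool: ${pool}
      type: disk
EOF
}

# On a host with LXD installed (not run here):
#   write_preseed default zfs lxdbr0 10.0.0.5 | lxd init --preseed
# Set the trust password afterwards from the environment rather than a file:
#   lxc config set core.trust_password "$LXD_TRUST_PASSWORD"
```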

Storage Backends

• LXD can manage storage pools:
  • Create new
  • Connect to existing
• Storage support:
  • ZFS
  • btrfs
  • LVM
  • Ceph
  • Directory
• Recommended: ZFS, btrfs:
  • ZFS is more reliable
  • Use a full disk/partition for LXD, when possible
• CLI: lxc storage <command>:
  • create <pool> <driver> <flag> - Create a new storage pool:
    Example: lxc storage create test-pool lvm
  • delete <flags> - Remove a storage pool:
    Example: lxc storage delete test-pool
  • edit <pool> - Open a pool.yaml file for the defined pool to edit its configuration:
    Example: lxc storage edit test-pool
  • get <pool> <key> - Retrieve an individual configuration value for a pool:
    Example: lxc storage get test-pool source
  • info <pool> - Output information about the defined pool:
    Example: lxc storage info test-pool
  • list - List all pools:
    Example: lxc storage list
  • set <pool> <key> <value> - Update a configuration value:
    Example: lxc storage set test-pool source /dev/test-pool-block
  • show <pool> - Show pool configuration:
    Example: lxc storage show test-pool
  • unset <pool> <key> - Remove a configuration value:
    Example: lxc storage unset test-pool rsync.bwlimit

Launching Our First Container

    lxc launch images:alpine/3.10 -s default

• lxc launch - Command to create and start a container
• images:alpine/3.10 - Pulls Alpine Linux 3.10 from the images.linuxcontainers.org remote
• -s default - Add to the default storage pool

    lxc image copy ubuntu:18.04 local: --alias ubuntu-18.04

• lxc image - Command to manage images
• copy - Copy an image from one remote to another remote
• ubuntu:18.04 - The image to pull down; ubuntu: is the remote, 18.04 is the image name
• local: - The remote to copy the image to
• --alias ubuntu-18.04 - A nickname for the image

    lxc launch ubuntu-18.04 web01

• When launching:
  • If using a new image:
    • Pulls the image down from the remote to the default remote
    • Creates a cache of that image
    • An instance is created based on the cached image
  • Builds the container
  • Starts the container

Instance Configuration

• lxc config:
  • edit <instance> - Edit instance configuration
  • get <instance> <key> - Retrieve the value of a configuration key
  • set <instance> <key> <value> - Set a configuration value
  • show <instance> - View instance configuration
• lxc config device <command> <instance> <device> <key> <value> - Manage disk configurations

Accessing a Container

• lxc exec <instance> -- <command> - Run a command on the defined container
• lxc exec <instance> -- <shell> - Access the container's shell

Working with Files

• lxc file push <local_file> <container>/<path/to/file/on/container.html> - Push a local file to a container
• lxc file edit <container>/<path/to/file/on/container.html> - Edit a file on the container directly
• lxc file delete <container>/<path/to/file/on/container.html> - Remove a file on the container
• lxc file pull <container>/<path/to/file/on/container.html> <local_target> - Pull down a file from the container to the local host

Networking

• Containers are on the same private network:
  • Can communicate with each other
• Packet flow:
  • On the container:
    • eth0 works as a virtual ethernet card
    • One end of a veth pair connects to this card
  • On the host:
    • The other end of the veth pair exists as a veth interface
    • This connects to the lxdbr0 bridge created during initialization

Profiles

• lxc profile:
  • add <container> <profile> - Add a profile to a container
  • assign <container> <profile>,<profile> - Assign multiple profiles to a container
  • copy <profile-copied> <new-profile> - Copy an existing profile
  • create <profile> - Create a blank profile
  • delete <profile> - Delete a profile
  • edit <profile> - Edit the YAML configuration
  • get <profile> <key> - Retrieve configuration values from a profile
  • list - List all profiles
  • remove <profile> - Remove a profile from a container
  • rename <old-name> <new-name> - Rename a profile
  • set <profile> <key> <value> - Set a configuration value for a profile
  • show <profile> - Show the profile configuration
  • unset <profile> <key> - Remove a configuration value

Snapshots

• lxc snapshot <container> <snapshot-name> - Create a snapshot of an existing container
• lxc copy <container>/<snapshot-name> <new-container> - Create a new container based on a snapshot:
  • The container is created but not started
• lxc delete <container>/<snapshot-name> - Delete a snapshot

Image Remotes

• An image remote is a host for any LXD images
• All LXD servers contain the local remote for storing images locally
• Remotes can be public or private:
  • Private remotes require a password
• lxc remote list - View all remotes

Creating a Remote

• On a fresh remote server:
  • Install and initialize LXD
  • Retrieve the internal IP address and set the https_address configuration:
    lxc config set core.https_address <internal_ip_of_remote>
  • Set a password to access the remote:
    lxc config set core.trust_password <password>
• Use the remote with an existing LXD server:
  • Add the remote:
    lxc remote add <remote-name> <remote_ip>

Anatomy of an Image

• lxc image export <image-name> <destination> - Export an image to the local filesystem
• Images contain:
  • A SquashFS file system:
    • Can be mounted
    • Contains all necessary files for the container to work
  • A compressed file of metadata and templates:
    • metadata.yaml contains general image information
    • templates/ directory contains all configuration templates:
      Example: /etc/hosts template

Publishing Containers

• Create images based on existing containers
• Start with a public image, make changes, save the changes as an image
• lxc publish <container>/<snapshot> <remote> - Publish a container snapshot as an image

Distrobuilder

• Create distribution images using YAML configurations
• Install via Snap: sudo snap install distrobuilder --classic:
  • Since Distrobuilder is used locally, use the most recent
• Prereq: apt install debootstrap
• distrobuilder build-lxd <file.yaml> - Package an image

File Breakdown

• images: - Image properties, including name, architecture, and description
• source: - Location of the source distribution to download and key information
• targets: - LXC-specific file configurations; this is LXC-only
• files: - Root files for the container generated via a file generator:
  • This includes hostname information, networking data, and any cloud-init files
• packages: - Repository configuration and package management
• actions: - Commands to run after each specified installation step; these commands can be anything that would run on the distribution

Server Configuration

• lxc config edit - Edit the overall LXD server configuration
• lxc config set <key> <value> - Set an LXD server configuration value via the CLI
• lxc config get - Retrieve a configuration value
• lxc config show - Output the LXD server configuration

Server Clustering

• Create a server: lxd init:
  • Enable clustering
  • Set name
  • Set address
  • Set password
• Add a server: lxd init:
  • Enable clustering
  • Set name
  • Set address
  • Check fingerprint:
    • Use lxd info on the initial server
  • Input password
• lxc launch <image> <container> --target <cluster-node> - Add to a specific node on the cluster:
  • If no target is specified, it will launch on the cluster node with the fewest containers
• lxc list and related commands will show data for containers on all nodes in a cluster
• lxc move <container> <container> --target <new-cluster> - Move between clusters
• lxc cluster remove <cluster-node> - Remove from the cluster:
  • No containers can be on the node
• lxc cluster list - List all nodes in a cluster
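Both the Creating a Remote steps (lxc remote add) and the cluster-join step above end with the client being shown the server's certificate fingerprint and asked to accept it. The following added example, which is not from the study guide, shows the check a practitioner wants at that moment: take the fingerprint from lxc info on the server and compare it with what the prompt displays. SAMPLE_INFO is a constructed lxc info excerpt; its address and fingerprint are placeholders.

```shell
#!/bin/sh
# Added example (not from the study guide): before answering the fingerprint
# prompt of `lxc remote add` or a clustering `lxd init`, compare what the
# prompt shows with the fingerprint `lxc info` reports on the server itself.
# SAMPLE_INFO is a constructed excerpt; the hex value is a placeholder.

# fingerprint_from_info: read `lxc info` output on stdin and print the value
# of the certificate_fingerprint line from its environment section.
fingerprint_from_info() {
    sed -n 's/^[[:space:]]*certificate_fingerprint:[[:space:]]*//p' | head -n 1
}

# normalize FP: lower-case and drop colons, spaces and newlines so the two
# forms a server and a prompt may print compare equal.
normalize() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# fingerprint_matches EXPECTED PRESENTED: status 0 only when both are
# non-empty and identical after normalization.
fingerprint_matches() {
    expected=$(normalize "$1"); presented=$(normalize "$2")
    [ -n "$expected" ] && [ "$expected" = "$presented" ]
}

# Constructed `lxc info` excerpt from the server that is about to be trusted.
SAMPLE_INFO='config:
  core.https_address: 10.0.0.5:8443
environment:
  certificate_fingerprint: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  server_name: lxd01'

# On the server (not run here):     EXPECTED=$(lxc info | fingerprint_from_info)
# Carry EXPECTED to the client out of band, then answer the `lxc remote add`
# or `lxd init` fingerprint prompt with yes only if
#   fingerprint_matches "$EXPECTED" "<fingerprint shown by the prompt>"
# succeeds; do not skip the prompt with --accept-certificate.
```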

Server Backups

• Components:
  • Instances
  • Images
  • Networks
  • Profiles
  • Storage
• Full backup:
  • All of /var/lib/lxd or /var/snap/lxd/common/lxd
• Secondary (live) backup:
  • Copy instances and volumes periodically
• Instance backups: lxc export and lxc import

Production Considerations

• Production LXD servers often perform tens of thousands of file operations:
  • Can cause errors
• Production servers should update the following configuration values:
  • /etc/security/limits.conf:

        * soft nofile 1048576
        root hard nofile 1048576
        root soft nofile 1048576
        * hard nofile 1048576
        * soft memlock unlimited
        * hard memlock unlimited

  • /etc/sysctl.conf:

        fs.inotify.max_queued_events=1048576
        fs.inotify.max_user_instances=1048576
        fs.inotify.max_user_watches=1048576
        vm.max_map_count=262144
        kernel.dmesg_restrict=1
        net.ipv4.neigh.default.gc_thresh3=8192
        net.ipv6.neigh.default.gc_thresh3=8192
        kernel.keys.maxkeys=2000
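An added example, not from the study guide, that turns the sysctl list above into a check: it reads an /etc/sysctl.conf-style file and reports every required key that is missing or set to a different value. SAMPLE_SYSCTL is a constructed file with one wrong value (kernel.dmesg_restrict left at 0) and one key absent.

```shell
#!/bin/sh
# Added example (not from the study guide): compare a sysctl.conf-style file
# with the production values the guide lists. SAMPLE_SYSCTL is constructed.

# Required settings, copied from the guide's /etc/sysctl.conf list.
REQUIRED_SYSCTL='fs.inotify.max_queued_events=1048576
fs.inotify.max_user_instances=1048576
fs.inotify.max_user_watches=1048576
vm.max_map_count=262144
kernel.dmesg_restrict=1
net.ipv4.neigh.default.gc_thresh3=8192
net.ipv6.neigh.default.gc_thresh3=8192
kernel.keys.maxkeys=2000'

# Constructed sample: dmesg_restrict still 0 (kernel log readable by
# unprivileged users) and kernel.keys.maxkeys not set at all.
SAMPLE_SYSCTL='# constructed sample sysctl.conf
fs.inotify.max_queued_events = 1048576
fs.inotify.max_user_instances=1048576
fs.inotify.max_user_watches=1048576
vm.max_map_count=262144
kernel.dmesg_restrict=0
net.ipv4.neigh.default.gc_thresh3=8192
net.ipv6.neigh.default.gc_thresh3=8192'

# sysctl_value FILE KEY: print the value assigned to KEY in FILE. Comment
# lines are ignored and, as when sysctl loads the file, the last assignment wins.
sysctl_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key are literal
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# sysctl_deviations FILE: one line "key expected=X actual=Y" per key that is
# missing or differs from the required value; prints nothing when all match.
sysctl_deviations() {
    printf '%s\n' "$REQUIRED_SYSCTL" | while IFS='=' read -r key want; do
        have=$(sysctl_value "$1" "$key")
        [ "$have" = "$want" ] || printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-missing}"
    done
}

# check_sysctl_file FILE: status 0 only when every required key has its value.
check_sysctl_file() {
    [ -z "$(sysctl_deviations "$1")" ]
}

# On a host: check_sysctl_file /etc/sysctl.conf || sysctl_deviations /etc/sysctl.conf
```

To audit the running kernel rather than the file, save the output of sysctl -a to a temporary file and pass that file to the same functions.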