Linux Containers - LXC
Marian HackMan Marinov
17 Jun 2014
Marian HackMan Marinov Linux Containers - LXC
Why am I speaking about containers?
Difference between lxc and docker
Docker is for applications
Linux Containers are for starting up whole new Linux distribution instances
Implementation limitations
LXC is not a VM... but it should be :)
Our patches for /proc
CPU
cpuinfo, interrupts, schedstat, softirqs, stat, timer_list, zoneinfo
irq dir (exposes CPU limit information through smp_affinity)
Memory - meminfo
Others
modules
sysrq-trigger
fs dir (shows all attached block devices)
scsi dir (leaks block device information)
sys dir (writes are allowed only in the main cgroup)
Uptime
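The /proc entries above are the ones the talk patches or hides because an unpatched copy reports host-wide state. The following is an added example, not code from the talk or from the 1H kernel patches: run from inside a container, it reports which of those entries exist and whether their mode bits allow writes (sysrq-trigger and the sys dir are the dangerous ones), and checks the concrete meminfo leak by comparing MemTotal against the memory cgroup limit. It assumes cgroup v1 with the memory controller at /sys/fs/cgroup/memory; the sample meminfo text and the fake /proc tree are constructed for the stand-alone run.

```python
"""Added example (not from the talk): audit, from inside a container, the
/proc entries the slides list as leaking host information.

Assumptions not stated in the talk: cgroup v1 with the memory controller
mounted at /sys/fs/cgroup/memory; the entry list below is the slides' list.
"""
import os
import stat
import tempfile

# /proc entries the talk patches or hides, and what an unpatched copy reveals.
LEAKY_PROC_ENTRIES = {
    "cpuinfo": "host CPU count and model instead of the cpuset",
    "interrupts": "host interrupt counters",
    "schedstat": "host scheduler statistics",
    "softirqs": "host softirq counters",
    "stat": "host CPU and process statistics",
    "timer_list": "host timers",
    "zoneinfo": "host memory zones",
    "irq": "host IRQ smp_affinity (directory)",
    "meminfo": "host RAM totals instead of the memcg limit",
    "modules": "host kernel module list",
    "sysrq-trigger": "writes trigger magic SysRq on the host",
    "fs": "all attached block devices (directory)",
    "scsi": "block device details (directory)",
    "sys": "sysctl tree; writes must stay confined to the main cgroup (directory)",
    "uptime": "host uptime",
}


def audit_proc(proc_root="/proc"):
    """Classify each entry by its mode bits: 'absent', 'writable' (any write
    bit set), 'readable' (any read bit set) or 'hidden' (mode 000)."""
    report = {}
    for name in LEAKY_PROC_ENTRIES:
        path = os.path.join(proc_root, name)
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            report[name] = "absent"
            continue
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            report[name] = "writable"
        elif mode & (stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH):
            report[name] = "readable"
        else:
            report[name] = "hidden"
    return report


def meminfo_reports_host_total(meminfo_text, memcg_limit_bytes):
    """True when MemTotal in a /proc/meminfo text exceeds the container's
    memory cgroup limit, i.e. the file is showing the host's RAM."""
    for line in meminfo_text.splitlines():
        if line.startswith("MemTotal:"):
            kib = int(line.split()[1])
            return kib * 1024 > memcg_limit_bytes
    raise ValueError("no MemTotal line in meminfo text")


# Constructed sample: a ~32 GB host's meminfo as seen from an unpatched container.
SAMPLE_MEMINFO = "MemTotal:       32768000 kB\nMemFree:        20480000 kB\n"


def build_sample_tree():
    """Construct a fake /proc in a temp dir for a stand-alone demonstration."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for name, mode in (("cpuinfo", 0o444), ("meminfo", 0o444),
                       ("sysrq-trigger", 0o200), ("uptime", 0o444)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write(SAMPLE_MEMINFO if name == "meminfo" else "")
        os.chmod(path, mode)  # chmod after creation so umask does not interfere
    for name, mode in (("sys", 0o555), ("irq", 0o555)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    return root


def memcg_limit_bytes(path="/sys/fs/cgroup/memory/memory.limit_in_bytes"):
    """Read the cgroup v1 memory limit; None when the file is absent."""
    try:
        with open(path) as f:
            return int(f.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    root = "/proc" if os.path.isdir("/proc") else build_sample_tree()
    for name, status in sorted(audit_proc(root).items()):
        print(f"{name:14s} {status:9s} {LEAKY_PROC_ENTRIES[name]}")
    limit = memcg_limit_bytes()
    if limit is not None and os.path.exists("/proc/meminfo"):
        with open("/proc/meminfo") as f:
            print("meminfo shows host total:",
                  meminfo_reports_host_total(f.read(), limit))
```

The audit classifies by mode bits rather than os.access() on purpose: container root usually has CAP_DAC_OVERRIDE, so os.access() would report everything as writable and hide the difference between sysrq-trigger (0200) and cpuinfo (0444). A "readable" meminfo that reports the host's MemTotal is exactly the leak the talk's meminfo patch closes.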
Security
Drop these capabilities
sys_module, sys_boot, sys_time, sys_rawio, sys_pacct, sys_tty_config, mac_admin, mac_override, audit_control, audit_write, mknod, setfcap, syslog, block_suspend, wake_alarm
Do not enable kcore/vmcore
Secure kallsyms
We implemented a new capability - CAP_LXC_ADMIN
Task limit per cgroup
RLIMIT_NPROC && signals
Limit the namespaces to a single tier instead of a hierarchy
We made it so that every user that has CAP_LINUX_IMMUTABLE is able to actually chattr files and dirs
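The drop list above only helps if the capabilities really are gone from the container's bounding set, not just its effective set. The following is an added example, not code from the talk: it decodes the Cap* masks in /proc/<pid>/status with the bit numbers from linux/capability.h, lists which of the talk's drop list a process still holds, and emits the matching lxc.cap.drop line. The sample status text is constructed (a commonly seen default container bounding set); CAP_LXC_ADMIN is the talk's own out-of-tree capability with no upstream bit, so it is not in the table.

```python
"""Added example (not from the talk): decode the capability masks in
/proc/<pid>/status and report which capabilities from the talk's drop list a
container process still holds. Bit numbers follow linux/capability.h.
"""
CAP_BITS = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3,
    "fsetid": 4, "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8,
    "linux_immutable": 9, "net_bind_service": 10, "net_broadcast": 11,
    "net_admin": 12, "net_raw": 13, "ipc_lock": 14, "ipc_owner": 15,
    "sys_module": 16, "sys_rawio": 17, "sys_chroot": 18, "sys_ptrace": 19,
    "sys_pacct": 20, "sys_admin": 21, "sys_boot": 22, "sys_nice": 23,
    "sys_resource": 24, "sys_time": 25, "sys_tty_config": 26, "mknod": 27,
    "lease": 28, "audit_write": 29, "audit_control": 30, "setfcap": 31,
    "mac_override": 32, "mac_admin": 33, "syslog": 34, "wake_alarm": 35,
    "block_suspend": 36, "audit_read": 37,
}

# The talk's drop list, in lxc.cap.drop spelling (lowercase, no cap_ prefix).
DROP_LIST = [
    "sys_module", "sys_boot", "sys_time", "sys_rawio", "sys_pacct",
    "sys_tty_config", "mac_admin", "mac_override", "audit_control",
    "audit_write", "mknod", "setfcap", "syslog", "block_suspend", "wake_alarm",
]


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, 'CapBnd': int, ...}
    parsed from the hex fields of a /proc/<pid>/status text."""
    masks = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            masks[key] = int(value.strip(), 16)
    return masks


def decode_mask(mask):
    """Names of the capabilities set in a mask, in bit order."""
    return [name for name, bit in sorted(CAP_BITS.items(), key=lambda kv: kv[1])
            if mask >> bit & 1]


def held_from_drop_list(mask):
    """Drop-list capabilities still present in mask, in drop-list order."""
    return [cap for cap in DROP_LIST if mask >> CAP_BITS[cap] & 1]


def audit_status(status_text, which="CapBnd"):
    """Drop-list capabilities still in the chosen set. CapBnd is the one to
    check: it caps what any later execve (file capabilities, setuid binaries)
    can ever grant, while CapEff is only the current process's state."""
    return held_from_drop_list(parse_cap_masks(status_text)[which])


def lxc_cap_drop_line():
    """The lxc.conf line that drops the talk's list."""
    return "lxc.cap.drop = " + " ".join(DROP_LIST)


# Constructed sample: status lines of a container root whose bounding set is
# 00000000a80425fb (a commonly seen default container capability set).
SAMPLE_STATUS = """\
Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        text = f.read()
    print("bounding set:", " ".join(decode_mask(parse_cap_masks(text)["CapBnd"])))
    print("still held from the drop list:", audit_status(text) or "none")
    print(lxc_cap_drop_line())
```

Against the sample mask the audit reports audit_write, mknod and setfcap as still held, which is why a container configured only with a generic default set still needs the talk's explicit drop list.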
Security
Allow umount from within a namespace
Allow mounting devpts, but only with the newinstance option
Fix prctl_set_mm() permissions so it works from namespaces
Allow pivot_root() for everyone with CAP_LXC_ADMIN
setns() now requires CAP_LXC_ADMIN
Hardened /proc permissions
grsecurity: http://sw.1h.com/grsecurity
Functional changes
SHM, SEM, MSQ limits and inheritance
Kernel version within the containers
Licensing issues with other vendors
xt_owner match does not work
tc does not work in the
OOM patches from upstream
memcg-kill-alloc-task
proc-loadavg fixes
Namespaces
UTS
User
IPC
Mount
PID
Network
Control Groups
Devices
CPU
cpusets
cpu quota
cpu shares
Memory
memory limits
memory+swap limits
kernel memory limits
Block I/O (blkio)
weighted I/O limiting
iops I/O limiting
Network
priority and classification
Note: actually does not work with openvswitch :)
Freezer
Snapshots
LVM snapshots work
QCOW2 snapshots work (with some small issues)
Near live migration
CRIU - Checkpoint Restore In Userspace
Dump a process (or group of processes) with its whole state
Copy the dump to a remote machine
Restore the whole dump and continue
Network options
macvlan
veth
bridge-utils
openvswitch
Thank You