Slide 1
Linux Containers - LXC
Marian HackMan Marinov
17 Jun 2014
Marian HackMan Marinov Linux Containers - LXC
Slide 2
Why am I speaking about containers?
Slide 3
Difference between lxc and docker
Docker is for applications
Linux Containers are for starting up whole new Linux distribution instances
Slide 4
Implementation limitations
LXC is not a VM... but it should be :)
Our patches for /proc
CPU: cpuinfo, interrupts, schedstat, softirqs, stat, timer_list, zoneinfo
irq dir (exposes CPU limit information through smp_affinity)
Memory: meminfo
Others
modules
sysrq-trigger
fs dir (shows all attached block devices)
scsi dir (leaks block device information)
sys dir (writes are allowed only in the main cgroup)
Uptime
Slide 5
Security
Drop these capabilities
sys_module sys_boot sys_time sys_rawio sys_pacct sys_tty_config mac_admin mac_override audit_control audit_write mknod setfcap syslog block_suspend wake_alarm
Do not enable kcore/vmcore
Secure kallsyms
We implemented a new capability - CAP_LXC_ADMIN
tasks limit per cgroup
RLIMIT_NPROC && SIGNALS
Limit the namespaces to a single tier instead of a hierarchy
We made it so every user that has CAP_LINUX_IMMUTABLE is able to actually chattr files and dirs
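As an added illustration of the capability drop list above (this is not code from the talk or from LXC): a Python check that decodes the bounding set (CapBnd) from a /proc/<pid>/status dump, reports which of the capabilities on the slide are still present, and emits the matching lxc.cap.drop line. The bit numbers are the kernel's from include/uapi/linux/capability.h; the status excerpt is constructed, and the speaker's custom CAP_LXC_ADMIN has no upstream bit, so it is not in the table.

```python
"""Audit a process's capability bounding set against the drop list from the slide.

Added example for this transcript; not code from the talk or from LXC.
"""
import re

# Capability bit numbers from include/uapi/linux/capability.h.
CAP_BITS = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3,
    "fsetid": 4, "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8,
    "linux_immutable": 9, "net_bind_service": 10, "net_broadcast": 11,
    "net_admin": 12, "net_raw": 13, "ipc_lock": 14, "ipc_owner": 15,
    "sys_module": 16, "sys_rawio": 17, "sys_chroot": 18, "sys_ptrace": 19,
    "sys_pacct": 20, "sys_admin": 21, "sys_boot": 22, "sys_nice": 23,
    "sys_resource": 24, "sys_time": 25, "sys_tty_config": 26, "mknod": 27,
    "lease": 28, "audit_write": 29, "audit_control": 30, "setfcap": 31,
    "mac_override": 32, "mac_admin": 33, "syslog": 34, "wake_alarm": 35,
    "block_suspend": 36, "audit_read": 37, "perfmon": 38, "bpf": 39,
    "checkpoint_restore": 40,
}

# The slide's drop list, in the lower-case spelling lxc.cap.drop expects.
SLIDE_DROP_LIST = [
    "sys_module", "sys_boot", "sys_time", "sys_rawio", "sys_pacct",
    "sys_tty_config", "mac_admin", "mac_override", "audit_control",
    "audit_write", "mknod", "setfcap", "syslog", "block_suspend", "wake_alarm",
]


def decode_caps(mask):
    """Names of all capabilities whose bit is set in the integer mask."""
    return {name for name, bit in CAP_BITS.items() if mask >> bit & 1}


def capbnd_from_status(status_text):
    """Extract the CapBnd hex mask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line in status text")
    return int(m.group(1), 16)


def still_present(mask, drop_list=SLIDE_DROP_LIST):
    """Capabilities from drop_list that the bounding set still contains."""
    have = decode_caps(mask)
    return sorted(c for c in drop_list if c in have)


def mask_without(mask, drop_list=SLIDE_DROP_LIST):
    """The bounding set after clearing every capability in drop_list."""
    for cap in drop_list:
        mask &= ~(1 << CAP_BITS[cap])
    return mask


def lxc_cap_drop_line(drop_list=SLIDE_DROP_LIST):
    """The LXC 1.x config line that drops these capabilities at container start."""
    return "lxc.cap.drop = " + " ".join(drop_list)


def audit_status(status_text, drop_list=SLIDE_DROP_LIST):
    """Full check on a status dump: (capabilities still present, raw mask)."""
    mask = capbnd_from_status(status_text)
    return still_present(mask, drop_list), mask


# Constructed /proc/self/status excerpt for an unconfined root process on a
# 3.x/4.x kernel: 38 capability bits, all set (0x3fffffffff).
SAMPLE_STATUS = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n"
)

if __name__ == "__main__":
    import sys
    # Pass --self to audit the running process instead of the constructed sample.
    if len(sys.argv) > 1 and sys.argv[1] == "--self":
        with open("/proc/self/status") as fh:
            text = fh.read()
    else:
        text = SAMPLE_STATUS
    present, mask = audit_status(text)
    print("CapBnd = %#x" % mask)
    print("should be dropped but still present:", present or "none")
    print(lxc_cap_drop_line())
```

Running it inside a container with --self is the quick way to confirm that the lxc.cap.drop line actually took effect, since the bounding set is inherited by every process the container starts.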
Slide 6
Security
Allow umount from within a namespace
Allow mounting devpts, but only with new instance
Fix prctl_set_mm() permissions, so it will work from namespaces
Allow pivot_root() to everyone with CAP_LXC_ADMIN
setns() now requires CAP_LXC_ADMIN
hardened proc permissions
GRsecurity http://sw.1h.com/grsecurity
Slide 7
Functional changes
SHM, SEM, MSQ limits and inheritance
Kernel version within the containers
Licensing issues with other vendors
xt_owner match does not work
tc does not work in the
OOM patches from upstream
memcg-kill-alloc-task
proc-loadavg fixes
Slide 8
Namespaces
UTS
User
IPC
Mount
PID
Network
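An added example for the namespace list above (not code from the talk or from LXC): a defender's check that compares the namespace identifiers of a container process with those of a host process, read from the /proc/<pid>/ns links, and reports which namespaces are still shared. A container that shares the host's net or pid namespace is a configuration mistake worth catching. The sample readlink output is constructed; the mount namespace appears as mnt in /proc.

```python
"""Report which namespaces a container process still shares with the host.

Added example for this transcript; not code from the talk or from LXC.
"""
import os
import re

# The six namespace types on the slide, as they are named under /proc/<pid>/ns.
NS_TYPES = ("uts", "user", "ipc", "mnt", "pid", "net")


def parse_ns_links(text):
    """Parse `readlink /proc/<pid>/ns/*` style output ('net:[4026531956]') into {type: inode}."""
    result = {}
    for m in re.finditer(r"\b(uts|user|ipc|mnt|pid|net|cgroup|time):\[(\d+)\]", text):
        result[m.group(1)] = int(m.group(2))
    return result


def read_ns_links(pid):
    """Read the namespace links of a live process (needs permission on /proc/<pid>/ns)."""
    links = []
    for ns_type in NS_TYPES:
        links.append(os.readlink("/proc/%d/ns/%s" % (pid, ns_type)))
    return parse_ns_links(" ".join(links))


def shared_namespaces(container_ns, host_ns, types=NS_TYPES):
    """Namespace types with the same inode in both processes, i.e. not isolated."""
    return sorted(
        t for t in types
        if t in container_ns and t in host_ns and container_ns[t] == host_ns[t]
    )


def isolation_report(container_ns, host_ns, types=NS_TYPES):
    """Per-type verdict: 'isolated', 'shared' or 'missing' (not readable/not present)."""
    report = {}
    for t in types:
        if t not in container_ns or t not in host_ns:
            report[t] = "missing"
        elif container_ns[t] == host_ns[t]:
            report[t] = "shared"
        else:
            report[t] = "isolated"
    return report


# Constructed samples: the host's PID 1 and a container process that was
# started without a user namespace and with host networking.
HOST_NS = ("uts:[4026531838] user:[4026531837] ipc:[4026531839] "
           "mnt:[4026531840] pid:[4026531836] net:[4026531956]")
CONTAINER_NS = ("uts:[4026532201] user:[4026531837] ipc:[4026532202] "
                "mnt:[4026532199] pid:[4026532203] net:[4026531956]")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Live mode: compare two PIDs, e.g. the container's init and host PID 1.
        cont, host = read_ns_links(int(sys.argv[1])), read_ns_links(int(sys.argv[2]))
    else:
        cont, host = parse_ns_links(CONTAINER_NS), parse_ns_links(HOST_NS)
    for ns_type, verdict in isolation_report(cont, host).items():
        print("%-5s %s" % (ns_type, verdict))
```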
Slide 9
Control Groups
Devices
CPU
cpusets
cpu quota
cpu shares
Memory
memory limits
memory+swap limits
kernel memory limits
Blk I/O
weighted I/O limiting
iops I/O limiting
Network
priority and classification
Note: actually does not work with openvswitch :)
Freezer
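As an added example of the cgroup limits listed above (this is not code from the talk or from LXC): a Python helper that renders the limits as lxc.cgroup.* config lines for the cgroup v1 controllers named on the slide (devices, cpuset, cpu quota and shares, memory, memory+swap, kernel memory, blkio weight and iops throttling, net_cls) and a reviewer check that flags the gaps a weak configuration leaves open. The control file names are the kernel's; the spec values, the device allow list and the sample configs are constructed.

```python
"""Render and sanity-check cgroup v1 limits as LXC config lines.

Added example for this transcript; not code from the talk or from LXC.
"""

# cgroup v1 control files for each limit on the slide; LXC prefixes them
# with "lxc.cgroup." in the container config.
LIMIT_KEYS = {
    "cpus": "cpuset.cpus",
    "cpu_quota_us": "cpu.cfs_quota_us",
    "cpu_period_us": "cpu.cfs_period_us",
    "cpu_shares": "cpu.shares",
    "memory": "memory.limit_in_bytes",
    "memory_swap": "memory.memsw.limit_in_bytes",
    "kernel_memory": "memory.kmem.limit_in_bytes",
    "blkio_weight": "blkio.weight",
    "net_cls_classid": "net_cls.classid",
}


def render_lxc_cgroup_config(spec):
    """Turn a limit spec (constructed dict) into lxc.cgroup.* lines."""
    # Deny every device node first, then allow only the listed ones.
    lines = ["lxc.cgroup.devices.deny = a"]
    for dev in spec.get("devices_allow", []):
        lines.append("lxc.cgroup.devices.allow = " + dev)
    for key, cfile in LIMIT_KEYS.items():
        if key in spec:
            lines.append("lxc.cgroup.%s = %s" % (cfile, spec[key]))
    # blkio throttling takes "major:minor iops" per block device.
    for dev, iops in sorted(spec.get("read_iops", {}).items()):
        lines.append("lxc.cgroup.blkio.throttle.read_iops_device = %s %d" % (dev, iops))
    return lines


def parse_lxc_cgroup_config(lines):
    """Map control file name -> list of values from lxc.cgroup.* lines."""
    values = {}
    for line in lines:
        line = line.strip()
        if not line.startswith("lxc.cgroup."):
            continue
        key, _, val = line.partition("=")
        values.setdefault(key.strip()[len("lxc.cgroup."):], []).append(val.strip())
    return values


def effective_cpus(quota_us, period_us):
    """CPUs' worth of time the CFS quota grants (200000/100000 -> 2.0 CPUs)."""
    return quota_us / period_us


def check_cgroup_config(lines):
    """Findings a reviewer would raise about missing or inconsistent limits."""
    v = parse_lxc_cgroup_config(lines)
    first = lambda k: v.get(k, [None])[0]
    findings = []
    mem, memsw = first("memory.limit_in_bytes"), first("memory.memsw.limit_in_bytes")
    if mem is None:
        findings.append("no memory limit: container can exhaust host RAM")
    elif memsw is None:
        findings.append("memory limit without memsw limit: container can still fill swap")
    elif int(memsw) < int(mem):
        # The kernel refuses memsw below the memory limit, so the line is dead.
        findings.append("memsw limit below memory limit: kernel rejects it with EINVAL")
    if first("memory.kmem.limit_in_bytes") is None:
        findings.append("no kernel memory limit: slab and kernel allocations are unbounded")
    quota, period = first("cpu.cfs_quota_us"), first("cpu.cfs_period_us")
    if quota is None:
        findings.append("no CPU quota: cpu.shares only sets a relative weight under contention")
    elif period is not None and int(quota) > 0 and int(period) <= 0:
        findings.append("cpu period must be positive")
    if "devices.deny" not in v:
        findings.append("devices cgroup not restricted: container sees all host device nodes")
    return findings


# Constructed spec: two CPUs' worth of quota on cpus 0-1, 1 GiB RAM, 2 GiB
# RAM+swap, 256 MiB kernel memory, console/null/zero/urandom/ptys only.
SAMPLE_SPEC = {
    "cpus": "0-1",
    "cpu_quota_us": 200000,
    "cpu_period_us": 100000,
    "cpu_shares": 512,
    "memory": 1073741824,
    "memory_swap": 2147483648,
    "kernel_memory": 268435456,
    "blkio_weight": 500,
    "devices_allow": ["c 1:3 rwm", "c 1:5 rwm", "c 1:9 rwm", "c 5:1 rwm", "c 136:* rwm"],
    "read_iops": {"8:0": 1000},
    "net_cls_classid": "0x00100001",
}

if __name__ == "__main__":
    config = render_lxc_cgroup_config(SAMPLE_SPEC)
    print("\n".join(config))
    print("findings:", check_cgroup_config(config) or "none")
```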
Slide 10
snapshots
LVM snapshots work
QCOW2 snapshots work (with some small issues)
Slide 11
Near live migration
CRIU - Checkpoint Restore In Userspace
Dump a process (or processes) with its whole state
Copy the dump to a remote machine
Restore the whole dump and continue
Slide 12
Network options
macvlan
veth
bridge utils
openvswitch
Slide 13
Thank You