Last Updated: October 18, 2020
· itseranga

Linux containers #lxc

What are LinuX Containers

  • LXC (LinuX Containers) is a lightweight virtualisation system
  • It is based on the Linux kernel and allows the creation and management of many virtualized Linux environments on a single parent host
  • These virtualized environments (called containers) are invisible to each other
  • Unlike some other virtualization solutions, no hardware emulation is used and the container shares the kernel with the host
  • This makes LXC lightweight and easy to get started with
  • The concept behind LXC is containers

More on containers

  • Simply put, containers provide an operating-system-level virtualization mechanism
  • Containers are groups of processes on a Linux box
  • From inside the box, it looks like a VM (but it is not a VM)
  • From outside the box, it looks like a group of processes
  • The following figure shows how multiple containers look on a single host

[Figure: multiple containers on a single host]

VMs vs Containers

  • VMs rely on a hypervisor, which provides emulated hardware for virtual machine images
  • So VMs allow you to create many self-contained systems via the hypervisor

  • As I mentioned, containers are not VMs
  • Containers are more lightweight than VMs, since they share the kernel with the host, without hardware emulation (hypervisor)
  • Containers use kernel features such as kernel namespaces and control groups (cgroups)
  • Kernel namespaces provide basic isolation, and cgroups are used for resource allocation
  • Basically, containers provide the same functionality that VMs provide, without any hypervisor overhead

Namespaces

  • Kernel namespaces provide basic isolation
  • They guarantee that each container cannot see or affect other containers
  • For example, with namespaces you can have multiple processes with the same PID in different environments (containers)
  • There are six types of namespaces available
  1. pid (processes)
  2. net (network interfaces, routing...)
  3. ipc (System V IPC)
  4. mnt (mount points, filesystems)
  5. uts (hostname)
  6. user (UIDs)
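
The isolation described above can be checked from the host by comparing the namespace identifiers the kernel exposes as symlinks under /proc/<pid>/ns/: two processes are in the same namespace when the identifiers match. The Python code below is an added example, not part of the original post; the function names are hypothetical and the sample identifiers are constructed.

```python
import os
import re

# The six namespace types listed above, as named under /proc/<pid>/ns/.
NAMESPACES = ("pid", "net", "ipc", "mnt", "uts", "user")
NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")


def parse_ns_links(links):
    """Turn link targets such as 'pid:[4026531836]' into {'pid': 4026531836}."""
    ids = {}
    for link in links:
        m = NS_LINK.match(link.strip())
        if m and m.group(1) in NAMESPACES:
            ids[m.group(1)] = int(m.group(2))
    return ids


def read_ns(pid):
    """Read the live namespace links of a process (Linux only, may need root)."""
    return parse_ns_links(os.readlink(f"/proc/{pid}/ns/{ns}") for ns in NAMESPACES)


def shared_with(host, proc):
    """Namespaces where proc has the same identifier as host, i.e. no isolation."""
    return sorted(ns for ns in NAMESPACES if ns in proc and proc[ns] == host.get(ns))


def isolated_from_each_other(a, b):
    """Namespaces in which two processes are separated from each other."""
    return sorted(ns for ns in NAMESPACES if ns in a and ns in b and a[ns] != b[ns])


# Constructed sample data (not captured from a real host).
HOST = parse_ns_links(["pid:[4026531836]", "net:[4026531992]", "ipc:[4026531839]",
                       "mnt:[4026531840]", "uts:[4026531838]", "user:[4026531837]"])
# Container A: its own namespaces for everything except user.
CONTAINER_A = parse_ns_links(["pid:[4026532201]", "net:[4026532204]", "ipc:[4026532200]",
                              "mnt:[4026532198]", "uts:[4026532199]", "user:[4026531837]"])
# Container B: configured to share the host's pid and net namespaces.
CONTAINER_B = parse_ns_links(["pid:[4026531836]", "net:[4026531992]", "ipc:[4026532300]",
                              "mnt:[4026532298]", "uts:[4026532299]", "user:[4026531837]"])

if __name__ == "__main__":
    for name, ns in (("A", CONTAINER_A), ("B", CONTAINER_B)):
        print(f"container {name} shares with host: {shared_with(HOST, ns)}")
    print("A and B isolated in:", isolated_from_each_other(CONTAINER_A, CONTAINER_B))
```

A container that shares the pid or net namespace with the host, like container B in the sample, can see host processes or host network interfaces, so a non-empty result from `shared_with` is worth reviewing against the intended configuration.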

CGroups

  • CGroups (Control Groups) allocate resources (memory, CPU, disk I/O) between containers
  • They ensure that each container gets its fair share of resources (memory, CPU, disk I/O)
  • They also guarantee that a single container does not over-consume resources

Docker and LXC

  • Docker provides a high-level API capable of creating and maintaining lightweight virtualization environments (process isolation)
  • It is really an extension of LXC's capabilities
  • Docker used LXC as its default execution environment
  • Docker actually contains a wrapper around LXC to provide its functionality
  • But recently (after Docker version 0.9) they have replaced LXC with their own execution environment, called libcontainer
