Linux Containers

Linux Containers - LXC
Marian HackMan Marinov
17 Jun 2014

Transcript of Linux Containers

Page 1: Linux Containers

Linux Containers - LXC

Marian HackMan Marinov

17 Jun 2014

Page 2: Linux Containers

Why am I speaking about containers?

Page 3: Linux Containers

Difference between LXC and Docker

Docker is for applications

Linux Containers are for starting up whole new Linux distribution instances

Page 4: Linux Containers

Implementation limitations

LXC is not a VM... but it should be :)

Our patches for /proc

CPU

cpuinfo, interrupts, schedstat, softirqs, stat, timer_list, zoneinfo

irq dir (exposes CPU limit information through smp_affinity)

Memory - meminfo

Others

modules

sysrq-trigger

fs dir (shows all attached block devices)

scsi dir (leaks block device information)

sys dir (writes are allowed only in the main cgroup)

Uptime
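The reason these /proc files needed patching is that an unpatched /proc shows the host's CPUs and memory to every container, whatever its cgroup allows. The following script is an added example (not from the slides or from LXC) that makes the leak measurable: it compares /proc/cpuinfo and /proc/meminfo against the cgroup v1 files cpuset.cpus and memory.limit_in_bytes. The file contents are passed in as strings so it runs offline on constructed samples; read_live() assumes the usual cgroup v1 mount at /sys/fs/cgroup.

```python
"""Measure what an unpatched /proc leaks inside a container.

Added example, not the speaker's code. Compares /proc/cpuinfo and
/proc/meminfo with the cgroup v1 files cpuset.cpus and
memory.limit_in_bytes. All sample inputs below are constructed.
"""
import re

# cgroup v1 memory.limit_in_bytes reports this value when no limit is set
MEMCG_UNLIMITED = 9223372036854771712


def parse_cpulist(text):
    """Parse a cgroup cpulist such as '0-3,8,10-11' into a set of CPU ids."""
    cpus = set()
    for chunk in text.strip().split(","):
        if not chunk:
            continue
        if "-" in chunk:
            lo, hi = chunk.split("-", 1)
            cpus.update(range(int(lo), int(hi) + 1))
        else:
            cpus.add(int(chunk))
    return cpus


def cpuinfo_processors(cpuinfo):
    """Return the set of processor ids listed in /proc/cpuinfo."""
    return {int(m) for m in re.findall(r"^processor\s*:\s*(\d+)", cpuinfo, re.M)}


def meminfo_total_bytes(meminfo):
    """Return MemTotal from /proc/meminfo in bytes (the file reports kB)."""
    m = re.search(r"^MemTotal:\s*(\d+)\s*kB", meminfo, re.M)
    if m is None:
        raise ValueError("MemTotal not found in meminfo")
    return int(m.group(1)) * 1024


def proc_leaks(cpuinfo, cpuset_cpus, meminfo, memory_limit):
    """Compare what /proc shows with what the cgroup permits.

    Returns the CPU ids /proc lists but the cpuset does not allow, and the
    number of bytes MemTotal exceeds the memory limit by (0 if no leak or
    no limit is configured).
    """
    shown = cpuinfo_processors(cpuinfo)
    allowed = parse_cpulist(cpuset_cpus)
    limit = int(memory_limit.strip())
    total = meminfo_total_bytes(meminfo)
    mem_excess = 0 if limit >= MEMCG_UNLIMITED else max(0, total - limit)
    return {"cpus_leaked": sorted(shown - allowed), "mem_excess_bytes": mem_excess}


def read_live(cgroup_dir="/sys/fs/cgroup"):
    """Run the check on the live system (assumes a cgroup v1 layout)."""
    def slurp(path):
        with open(path) as f:
            return f.read()
    return proc_leaks(slurp("/proc/cpuinfo"),
                      slurp(cgroup_dir + "/cpuset/cpuset.cpus"),
                      slurp("/proc/meminfo"),
                      slurp(cgroup_dir + "/memory/memory.limit_in_bytes"))


# Constructed samples: an 8-CPU, 16 GB host seen from a container that is
# confined to CPUs 0-1 and a 1 GiB memory limit.
SAMPLE_CPUINFO = "".join(
    "processor\t: %d\nmodel name\t: constructed CPU\n\n" % i for i in range(8))
SAMPLE_MEMINFO = "MemTotal:       16384000 kB\nMemFree:         1234567 kB\n"
SAMPLE_CPUSET = "0-1\n"
SAMPLE_MEMLIMIT = "1073741824\n"


def demo():
    """Leak report for the constructed samples."""
    return proc_leaks(SAMPLE_CPUINFO, SAMPLE_CPUSET, SAMPLE_MEMINFO, SAMPLE_MEMLIMIT)


if __name__ == "__main__":
    print(demo())
```

On the constructed input the report lists CPUs 2-7 as leaked and roughly 15 GB of memory that the container can see but never use; a patched /proc, as the slides describe, would report no leak for either.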

Page 5: Linux Containers

Security

Drop these capabilities

sys_module, sys_boot, sys_time, sys_rawio, sys_pacct, sys_tty_config, mac_admin, mac_override, audit_control, audit_write, mknod, setfcap, syslog, block_suspend, wake_alarm

Do not enable kcore/vmcore

Secure kallsyms

We implemented a new capability - CAP_LXC_ADMIN

tasks limit per cgroup

RLIMIT_NPROC && signals

Limit the namespaces to a single tier instead of a hierarchy

We made it so that every user that has CAP_LINUX_IMMUTABLE is able to actually chattr files and dirs
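Dropping the capabilities listed above is only useful if you can verify the result from inside the container. The script below is an added example (not from the slides, and not LXC's own code): it decodes the CapBnd bounding-set mask from /proc/&lt;pid&gt;/status using the CAP_* bit numbers from linux/capability.h, reports which of the slide's capabilities are still present, and renders the matching lxc.cap.drop line. The custom CAP_LXC_ADMIN from the speaker's patches is not an upstream capability and has no fixed bit number here, so it is left out. The status text used as input is constructed.

```python
"""Check a process's capability bounding set against the slide's drop list.

Added example, not the speaker's code. Bit numbers are the CAP_* values
from <linux/capability.h>; CapBnd is read from /proc/<pid>/status.
"""

# Capabilities the slide says to drop -> CAP_* number in linux/capability.h
DROP = {
    "sys_module": 16, "sys_rawio": 17, "sys_pacct": 20, "sys_boot": 22,
    "sys_time": 25, "sys_tty_config": 26, "mknod": 27, "audit_write": 29,
    "audit_control": 30, "setfcap": 31, "mac_override": 32, "mac_admin": 33,
    "syslog": 34, "wake_alarm": 35, "block_suspend": 36,
}


def cap_bnd_mask(status_text):
    """Extract the CapBnd hex mask from the contents of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapBnd line in status text")


def retained_caps(status_text, wanted=DROP):
    """Names from `wanted` whose bit is still set in the bounding set."""
    mask = cap_bnd_mask(status_text)
    return sorted(name for name, bit in wanted.items() if (mask >> bit) & 1)


def mask_without(mask, names, table=DROP):
    """Clear the listed capabilities from a mask (what lxc.cap.drop does)."""
    for name in names:
        mask &= ~(1 << table[name])
    return mask


def lxc_cap_drop_line(names=DROP):
    """Render the LXC config line that drops these capabilities at start."""
    return "lxc.cap.drop = " + " ".join(sorted(names))


def live_check(pid="self"):
    """Report retained capabilities for a live process (default: ourselves)."""
    with open("/proc/%s/status" % pid) as f:
        return retained_caps(f.read())


# Constructed: a full root bounding set, bits 0..37 all set (kernel 3.x era)
FULL_ROOT_STATUS = "Name:\tbash\nCapBnd:\t0000003fffffffff\n"


def demo():
    """Retained caps before and after applying the slide's drop list."""
    before = retained_caps(FULL_ROOT_STATUS)
    hardened = "CapBnd:\t%016x\n" % mask_without(0x3fffffffff, DROP)
    after = retained_caps(hardened)
    return before, after


if __name__ == "__main__":
    print(lxc_cap_drop_line())
    print("retained before/after:", demo())
    print("this process still has:", live_check())
```

Note that the bounding set is what lxc.cap.drop clears; a process that retains CAP_SYS_ADMIN (bit 21, deliberately not on the slide's list) still has broad power, which is why the slides pair capability dropping with the /proc hardening and the other kernel changes.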

Page 6: Linux Containers

Security

Allow umount from within a namespace

Allow mounting devpts, but only with new instance

Fix prctl_set_mm() permissions, so it will work from namespaces

Allow pivot_root() to everyone with CAP_LXC_ADMIN

setns() now requires CAP_LXC_ADMIN

hardened proc permissions

grsecurity: http://sw.1h.com/grsecurity

Page 7: Linux Containers

Functional changes

SHM, SEM, MSQ limits and inheritance

Kernel version within the containers

Licensing issues with other vendors

xt_owner match does not work

tc does not work in the

OOM patches from upstream

memcg-kill-alloc-task

proc-loadavg fixes

Page 8: Linux Containers

Namespaces

UTS

User

IPC

Mount

PID

Network

Page 9: Linux Containers

Control Groups

Devices

CPU

cpusets

cpu quota

cpu shares

Memory

memory limits

memory+swap limits

kernel memory limits

blkio

weighted I/O limiting

iops I/O limiting

Network

priority and classification

Note: actually does not work with openvswitch :)

Freezer
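The controllers listed above map to lxc.cgroup.&lt;controller&gt;.&lt;file&gt; keys in an LXC 1.x container config, and a few of them have ordering or range rules that the kernel enforces silently at container start. The following generator is an added example (not LXC's own code and not from the slides): it emits the lines for the devices, cpuset, cpu, memory and blkio limits named on the slide and rejects combinations cgroup v1 will not accept (a memsw limit below the memory limit, a CPU quota larger than the cpuset, a blkio weight outside 10..1000). The device allow-list and all numbers are constructed defaults.

```python
"""Render lxc.cgroup.* lines for the limits on the slide, with sanity checks.

Added example, not LXC's own code. Keys are the cgroup v1 file names that
LXC 1.x accepts as lxc.cgroup.<controller>.<file>. Values are constructed.
"""

CFS_PERIOD_US = 100000  # kernel default for cpu.cfs_period_us

# Constructed allow-list: null, zero, random, urandom, tty, ptmx, pts/*
DEFAULT_DEVICES = ("c 1:3 rwm", "c 1:5 rwm", "c 1:8 rwm", "c 1:9 rwm",
                   "c 5:0 rwm", "c 5:2 rwm", "c 136:* rwm")


def cpulist(cpus):
    """Render CPU ids as a cpuset list, e.g. {0,1,2,5} -> '0-2,5'."""
    ids = sorted(set(cpus))
    if not ids:
        raise ValueError("cpuset must not be empty")
    ranges, start, prev = [], ids[0], ids[0]
    for c in ids[1:]:
        if c != prev + 1:
            ranges.append((start, prev))
            start = c
        prev = c
    ranges.append((start, prev))
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in ranges)


def lxc_cgroup_config(cpus, cpu_cores, mem_bytes, swap_bytes=0, shares=1024,
                      blkio_weight=500, allow_devices=DEFAULT_DEVICES):
    """Return the config lines.

    cpus       - CPU ids the container is pinned to (cpuset)
    cpu_cores  - CPU-time cap in cores (2.0 = two cores' worth of quota)
    mem_bytes  - memory.limit_in_bytes
    swap_bytes - swap allowed on top of mem_bytes (memsw = mem + swap)
    """
    cpus = set(cpus)
    if cpu_cores <= 0 or cpu_cores > len(cpus):
        raise ValueError("cpu quota must be > 0 and <= the cpuset size")
    if mem_bytes <= 0 or swap_bytes < 0:
        raise ValueError("memory limits must be positive")
    if not 10 <= blkio_weight <= 1000:
        raise ValueError("blkio.weight must be within 10..1000")
    quota = int(cpu_cores * CFS_PERIOD_US)
    lines = ["lxc.cgroup.devices.deny = a"]  # deny everything first, then allow
    lines += ["lxc.cgroup.devices.allow = %s" % d for d in allow_devices]
    lines += [
        "lxc.cgroup.cpuset.cpus = %s" % cpulist(cpus),
        "lxc.cgroup.cpu.cfs_period_us = %d" % CFS_PERIOD_US,
        "lxc.cgroup.cpu.cfs_quota_us = %d" % quota,
        "lxc.cgroup.cpu.shares = %d" % shares,
        "lxc.cgroup.memory.limit_in_bytes = %d" % mem_bytes,
        # memsw is memory PLUS swap; the kernel returns EINVAL for a memsw
        # limit below the memory limit, so it is derived rather than passed in
        "lxc.cgroup.memory.memsw.limit_in_bytes = %d" % (mem_bytes + swap_bytes),
        "lxc.cgroup.blkio.weight = %d" % blkio_weight,
    ]
    return lines


if __name__ == "__main__":
    # constructed: 4 CPUs pinned, 2 cores of time, 1 GiB RAM + 512 MiB swap
    print("\n".join(lxc_cgroup_config({0, 1, 2, 3}, 2.0, 1 << 30, 1 << 29)))
```

The devices.deny line must precede the allow lines, since LXC applies them in order; the memsw line is written from mem + swap so the "memory+swap limits" bullet cannot be configured below the plain memory limit. The kernel memory limit (memory.kmem.limit_in_bytes) and the net_cls/net_prio keys are omitted here; the slide itself notes the network classification does not work with openvswitch.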

Page 10: Linux Containers

snapshots

LVM snapshots work

QCOW2 snapshots work (with some small issues)

Page 11: Linux Containers

Near live migration

CRIU - Checkpoint Restore In Userspace

Dump a process (or process tree) with its whole state

Copy the dump to a remote machine

Restore the whole dump and continue
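The three steps above, driven from a script, as an added example that is not the speaker's code and not part of CRIU. It assumes criu and rsync are on PATH on both hosts, that the image directory path is the same on both sides, and that root SSH access to the remote host works; the criu flags used (-t, -D, --shell-job, --tcp-established, -d) are real CRIU options. With dry_run=True it only returns the commands it would run, which is what the check below exercises. Note that criu dump kills the dumped tree once the images are written (unless --leave-running is given), so a failed copy leaves you with a stopped process and a local image set, and the script stops at the first failing step rather than restoring a half-copied dump.

```python
"""Near-live migration with CRIU: dump, copy, restore.

Added example, not the speaker's code. Assumes criu and rsync on PATH on
both hosts, the same images_dir path on both sides, and root SSH access.
"""
import subprocess


def plan_migration(pid, images_dir, remote_host, ssh_user="root"):
    """Return the three command lines, in the order they must run."""
    dump = ["criu", "dump", "-t", str(pid), "-D", images_dir,
            "--shell-job", "--tcp-established", "-v4", "-o", "dump.log"]
    copy = ["rsync", "-a", images_dir.rstrip("/") + "/",
            "%s@%s:%s/" % (ssh_user, remote_host, images_dir.rstrip("/"))]
    restore = ["ssh", "%s@%s" % (ssh_user, remote_host),
               "criu", "restore", "-D", images_dir,
               "--shell-job", "--tcp-established", "-d", "-v4", "-o", "restore.log"]
    return [dump, copy, restore]


def migrate(pid, images_dir, remote_host, ssh_user="root", dry_run=False):
    """Run the steps, stopping at the first failure.

    Returns the commands that were run (or would be, when dry_run is set).
    A non-zero exit status raises RuntimeError before the next step starts,
    so a failed dump never triggers a copy and a failed copy never triggers
    a restore of incomplete images.
    """
    done = []
    for cmd in plan_migration(pid, images_dir, remote_host, ssh_user):
        done.append(cmd)
        if dry_run:
            continue
        rc = subprocess.run(cmd).returncode
        if rc != 0:
            raise RuntimeError("step failed with status %d: %s" % (rc, " ".join(cmd)))
    return done


if __name__ == "__main__":
    # constructed values; dry run only prints the plan
    for cmd in migrate(1234, "/var/lib/criu/img", "node2", dry_run=True):
        print(" ".join(cmd))
```

For a whole container rather than a single process tree, the dump would target the container's init PID and the same sequence applies; the remote side must have the same kernel features and mount layout for the restore to succeed, which is the practical limit on how "live" this migration is.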

Page 12: Linux Containers

Network options

macvlan

veth

bridge-utils

openvswitch

Page 13: Linux Containers

Thank You