Linux Containers: Part 1, The Intro

Eric Hansen

I like to preface all of my series articles with an intro to give you, the reader, an idea of what I'm going to be writing about. This one, whether or not it ends up being a very long series, will definitely be a doozy. So let's get started, shall we?
What Is A Container?

If you’ve ever rented or created a VPS, or used TrueCrypt, you have at least used a container. In a broad sense, a container is something that encapsulates data. Most programs that let you create or administer containers also put security measures in place so that one container can’t access another’s memory, or other resources, on the same host.

But let's get back to the VPS concept, since that is essentially what this article series will resemble. One particularly well-known virtualization environment for VPSes is OpenVZ (OVZ). There is also KVM, but that’s a bit different. What OVZ does, once installed, is load a specialized kernel that allows you to segment disk space, CPU and memory usage, as well as other resources such as bandwidth per container, and lock each container into its own slice of the server. So, if you tell OVZ to give a container access only to CPU core 1 and at most 128MB of RAM, the kernel knows what to allocate for that container (or VPS) when it starts up and restricts it to exactly that.
Why Use A Container?

I first got interested in this concept for the VPS reason, so I could manage my own servers without having to rent a dedicated server. However, once I dug deeper into how VPSes are created, managed and used, I thought of other uses for it, such as sandboxing.

Sandboxing is a useful technique when you’re unsure what a program does (e.g. something that arrived as an email attachment). You create a minimal environment and run the program in it; because that environment is a container (and thus segregated from the core OS’ resources as much as possible), you can check whether the program is safe without jeopardizing your own environment.

It's also simpler to use than virtualization. A container is basically no different from a virtual machine made in VMware, VirtualBox, QEMU, etc.; however, the container actually uses the host’s resources instead of needing its own. For example, a VMware virtual machine (at least in the olden days) didn’t use the host’s CPU but instead a generic AMD imitation. I haven’t used VMware in a very long time so I don’t know if this still holds true, but from about 2005 to 2007 it did.

Containers have many more uses than this, such as setting up different environments for different purposes without corrupting your current one. Those who program in Python and use virtualenv can understand this, as each virtual environment is practically a container in its own right.
So Should I Use OVZ For This?

If you’re looking to get into web hosting and selling VPS space, then it's definitely worthwhile. It's not hard to set up (if you’re using Red Hat or CentOS). However, what I discovered is that Linux also has container support built into the kernel (granted, kernels can be customized, so your mileage may vary...do some research). The Linux container userspace tools are called LXC, which you should be able to install without issues. Most of this is done on Arch Linux’s default kernel (at the time of writing 3.5.0-31 for me), but as long as you have a kernel version >= 2.6.29, complete functionality exists.
What Needs To Be Enabled In the Kernel?

Let me preface this section with this: “if you don’t know what you are doing, don’t compile the kernel!”

I believe in learning what to do and what’s going on, but compiling the kernel is like fixing your car’s engine. If you get a small detail wrong, big problems can definitely occur. If you want to build your own kernel, see your distro’s documentation or go through LFS (Linux From Scratch). Also, compiling your kernel can be boring...it took me 2 hours to compile a kernel for Gentoo once and it didn’t even let me use nVidia drivers.

Anyways, back to the topic of this, here’s the basic outline of what your kernel needs enabled to use LXC:
Code:
* General setup
  * Control Group support
    -> Namespace cgroup subsystem
    -> Freezer cgroup subsystem
    -> Cpuset support
    -> Simple CPU accounting cgroup subsystem
    -> Resource counters
      -> Memory resource controllers for Control Groups
  * Group CPU scheduler
    -> Basis for grouping tasks (Control Groups)
  * Namespaces support
    -> UTS namespace
    -> IPC namespace
    -> User namespace
    -> Pid namespace
    -> Network namespace
* Device Drivers
  * Character devices
    -> Support multiple instances of devpts
  * Network device support
    -> MAC-VLAN support
    -> Virtual ethernet pair device
* Networking
  * Networking options
    -> 802.1d Ethernet Bridging
* Security options
  -> File POSIX Capabilities

The structure will most likely change over the course of kernel releases, so you should just use a stock kernel if you’re first getting into this.
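One way to check a kernel config against the outline above before trusting it for containers, as an added example that is not part of the original post. It assumes the CONFIG_ symbol names of the 2.6.29 to 3.x era (some were later renamed, e.g. CONFIG_CGROUP_MEM_RES_CTLR became CONFIG_MEMCG, and CONFIG_CGROUP_NS was dropped), and the config file it checks is a constructed sample, not a real kernel's.

```shell
#!/bin/sh
# Editor-added example, not from the original post. Checks a kernel config
# for the options listed in the outline above. Symbol names are assumed to be
# the 2.6.29-3.x era ones; treat a miss on a newer kernel as "go look", since
# several were renamed (CONFIG_CGROUP_MEM_RES_CTLR -> CONFIG_MEMCG) or dropped.
REQUIRED="CONFIG_CGROUPS CONFIG_CGROUP_FREEZER CONFIG_CPUSETS CONFIG_CGROUP_CPUACCT
CONFIG_RESOURCE_COUNTERS CONFIG_CGROUP_MEM_RES_CTLR CONFIG_CGROUP_SCHED
CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_USER_NS CONFIG_PID_NS
CONFIG_NET_NS CONFIG_DEVPTS_MULTIPLE_INSTANCES CONFIG_MACVLAN CONFIG_VETH
CONFIG_BRIDGE CONFIG_SECURITY_FILE_CAPABILITIES"

# option_state FILE SYMBOL: prints y (built in), m (module) or n (off/absent)
option_state() {
    v=$(grep -E "^$2=[ym]\$" "$1" | head -n 1 | cut -d= -f2)
    [ -n "$v" ] && echo "$v" || echo n
}

# check_config FILE: one line per option; exit status = number of missing options
check_config() {
    missing=0
    for sym in $REQUIRED; do
        st=$(option_state "$1" "$sym")
        printf '%-36s %s\n' "$sym" "$st"
        if [ "$st" = n ]; then missing=$((missing + 1)); fi
    done
    return $missing
}

# sample_config FILE: a constructed config (NOT a real kernel's) with user
# namespaces and the memory controller left off, to show what a miss looks like
sample_config() {
    { for s in $REQUIRED; do
        case $s in
            CONFIG_USER_NS|CONFIG_CGROUP_MEM_RES_CTLR) echo "# $s is not set" ;;
            CONFIG_MACVLAN|CONFIG_VETH|CONFIG_BRIDGE) echo "$s=m" ;;
            *) echo "$s=y" ;;
        esac
    done; } > "$1"
}

tmp=$(mktemp)
sample_config "$tmp"
check_config "$tmp" || echo "missing $? option(s)"   # prints: missing 2 option(s)
rm -f "$tmp"
```

On a real host, point check_config at /boot/config-$(uname -r), or at the output of `zcat /proc/config.gz` if the kernel was built with CONFIG_IKCONFIG_PROC.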
Why Aren’t We Installing Anything?

Unlike the Suricata tutorial, there’s really nothing to actually install. The LXC kernel module is automatically available in a lot of default kernels to begin with. The only thing you need to install is the LXC userspace tools which can typically be done by installing the lxc package.
What Other Containers Exist?

Besides OVZ, Linux-VServer exists as well, and it serves the same purpose. Initially I was going to write about VServer too, but there are two things that stopped me:
  1. VServer requires a custom kernel, which it makes easy-ish to build, and some distros already have it available, but it's too much hassle for this purpose
  2. LXC is easier to type and I have more experience with it
If you want to set up an environment that functions similarly to OVZ but without requiring CentOS or Red Hat, then definitely try VServer, as LXC has its own limitations, which will be discussed in depth when we get to setting up our containers.

I’m not saying that one is better than another, however. LXC is newer to the field but doesn’t require a special kernel, OVZ is free but has limits on where it can be installed, and VServer combines both worlds but requires its own kernel like OVZ. I am more comfortable with LXC, but if anyone would like a tutorial on either of the others as well, let me know.
Thanks Eric. It would be awesome if you could edit your posts and add the references to other articles under each post - something like:
1, 2, 3, 4, 5, 6 and 7.