Linux-Containers — Part 1: Overview
By Lenz Grimmer on Jun 26, 2013
Linux Containers (LXC) provide a means to isolate individual services or applications as well as of a complete Linux operating system from other services running on the same host. To accomplish this, each container gets its own directory structure, network devices, IP addresses and process table. The processes running in other containers or the host system are not visible from inside a container. Additionally, Linux Containers allow for fine granular control of resources like RAM, CPU or disk I/O.
Generally speaking, Linux Containers use a completely different approach than "classicial" virtualization technologies like KVM or Xen (on which Oracle VM Server for x86 is based on). An application running inside a container will be executed directly on the operating system kernel of the host system, shielded from all other running processes in a sandbox-like environment. This allows a very direct and fair distribution of CPU and I/O-resources. Linux containers can offer the best possible performance and several possibilities for managing and sharing the resources available.
Similar to Containers
(or Zones) on Oracle Solaris or FreeBSD jails, the same kernel version
runs on the host as well as in the containers; it is not possible to
different Linux kernel versions or other operating systems like
Microsoft Windows or Oracle Solaris for x86 inside a container.
However, it is possible to run different Linux distribution versions
(e.g. Fedora Linux in a container on top of an Oracle Linux host),
provided it supports the version of the Linux kernel that runs on the
host. This approach has one caveat, though - if any of the containers
causes a kernel crash, it will bring down all other containers (and the
host system) as well.
For example, Oracle's Unbreakable Enterprise Kernel Release 2
(2.6.39) is supported for both Oracle Linux 5 and 6. This makes it
possible to run Oracle Linux 5 and 6 container instances on top of an
Oracle Linux 6 system. Since Linux Containers are fully implemented on
the OS level (the Linux kernel), they can be easily combined with other
virtualization technologies. It's certainly possible to set up Linux
containers within a virtualized Linux instance that runs inside Oracle
VM Server for Oracle VM Virtualbox.
Some use cases for Linux Containers include:
- Consolidation of multiple
separate Linux systems on one server: instances of Linux systems
that are not performance-critical or only see sporadic use (e.g. a fax
or print server or intranet services) do not necessarily need a
server for their operations. These can easily be consolidated to run
inside containers on a single server, to preserve energy and rack space.
- Running multiple instances of an application in parallel, e.g. for different users or customers. Each user receives his "own" application instance, with a defined level of service/performance. This prevents that one user's application could hog the entire system and ensures, that each user only has access to his own data set. It also helps to save main memory — if multiple instances of a same process are running, the Linux kernel can share memory pages that are identical and unchanged across all application instances. This also applies to shared libraries that applications may use, they are generally held in memory once and mapped to multiple processes.
- Quickly creating sandbox
environments for development and testing purposes:
containers that have been created and configured once can be archived
as templates and can be duplicated (cloned) instantly on demand. After
finishing the activity, the clone can safely be discarded. This allows
to provide repeatable software builds and test environments, because
the system will always be reset to its initial state for each run.
Linux Containers also boot significantly faster than "classic" virtual
machines, which can save a lot of time when running frequent build or
test runs on applications.
- Safe execution of an individual
application: if an application running inside a container has
been compromised because of a security vulnerability, the host system
and other containers remain unaffected. The potential damage can be
minimized, analyzed and resolved directly from the host system.
Note: Linux Containers on Oracle Linux 6 with the Unbreakable Enterprise Kernel Release 2 (2.6.39) are still marked as Technology Preview - their use is only recommended for testing and evaluation purposes.
The Open-Source project "Linux
Containers" (LXC) is driving the development of the technology
behind this, which is based on the "Control Groups" (CGroups) and "Name
Spaces" functionality of the Linux kernel. Oracle is actively involved
in the Linux Containers development and contributes patches to the
upstream LXC code base.
Control Groups provide means to manage and monitor
the allocation of resources for individual processes or process groups.
Among other things, you can restrict the maximum amount of memory, CPU
cycles as well as the disk and network throughput (in MB/s or IOP/s)
that are available for an
Name Spaces help to isolate
process groups from each other, e.g. the visibility of other running
processes or the exclusive access to a network device. It's also
possible to restrict a process group's access and visibility of the
entire file system hierarchy (similar to a classic "chroot"
A more detailed description of how Linux Containers can be
created and managed on Oracle Linux will be explained in the second
part of this article.
Additional links related to Linux Containers:
- OTN Article: The Role of Oracle Solaris Zones and Linux Containers in a Virtualization Strategy
- Linux Containers on Wikipedia
- Lenz Grimmer