X

Step Up to Modern Cloud Development

Linux-Containers — Part 1: Overview

Guest Author

Containers by Phil Parker, on Flickr
"Containers" by Phil Parker (CC BY 2.0).

Linux Containers (LXC)
provide a means to isolate individual services or
applications as well as of a complete Linux operating system from other
services running on the same host. To
accomplish this, each
container gets its own directory structure, network devices, IP
addresses and process
table. The processes running in other containers or the host system are
not visible from inside a container. Additionally, Linux Containers
allow for fine
granular
control of resources like RAM, CPU or disk I/O.

Generally speaking, Linux Containers use a completely different
approach than "classicial" virtualization technologies like href="http://www.linux-kvm.org/">KVM or
Xen (on which href="http://www.oracle.com/us/technologies/virtualization/oraclevm/overview/">Oracle
VM Server for x86
is based on). An application running inside a container will be
executed directly on the operating system kernel of the host
system, shielded from all other running processes in a sandbox-like
environment. This allows a very direct and fair distribution of CPU and
I/O-resources. Linux containers can offer the best possible
performance and several possibilities for managing and sharing the
resources
available.

Similar to Containers
(or Zones) on Oracle Solaris or FreeBSD jails, the same kernel version
runs on the host as well as in the containers; it is not possible to
run
different Linux kernel versions or other operating systems like
Microsoft Windows or Oracle Solaris for x86 inside a container.
However, it is possible to run different Linux distribution versions
(e.g. Fedora Linux in a container on top of an Oracle Linux host),
provided it supports the version of the Linux kernel that runs on the
host. This approach has one caveat, though - if any of the containers
causes a kernel crash, it will bring down all other containers (and the
host system) as well.

For example, Oracle's Unbreakable Enterprise Kernel Release 2
(2.6.39) is supported for both Oracle Linux 5 and 6. This makes it
possible to run Oracle Linux 5 and 6 container instances on top of an
Oracle Linux 6 system. Since Linux Containers are fully implemented on
the OS level (the Linux kernel), they can be easily combined with other
virtualization technologies. It's certainly possible to set up Linux
containers within a virtualized Linux instance that runs inside Oracle
VM Server for Oracle VM Virtualbox.

Some use cases for Linux Containers include:

  • Consolidation of multiple
    separate Linux systems on one server
    : instances of Linux systems
    that are not performance-critical or only see sporadic use (e.g. a fax
    or print server or intranet services) do not necessarily need a
    dedicated
    server for their operations. These can easily be consolidated to run
    inside containers on a single server, to preserve energy and rack space.

  • Running multiple instances of an
    application in parallel
    , e.g. for different users or customers.
    Each user receives his "own" application instance, with a defined level
    of service/performance. This prevents that one user's application could
    hog the entire system and ensures, that each user only has access to
    his own data set. It also helps to save main memory — if multiple
    instances of a same process are running, the Linux kernel can share
    memory pages
    that are identical and unchanged across all application instances. This
    also applies to shared libraries that applications may use, they are
    generally held in memory once and mapped to multiple processes.
  • Quickly creating sandbox
    environments for development and testing purposes:

    containers that have been created and configured once can be archived
    as templates and can be duplicated (cloned) instantly on demand. After
    finishing the activity, the clone can safely be discarded. This allows
    to provide repeatable software builds and test environments, because
    the system will always be reset to its initial state for each run.
    Linux Containers also boot significantly faster than "classic" virtual
    machines, which can save a lot of time when running frequent build or
    test runs on applications.

  • Safe execution of an individual
    application
    : if an application running inside a container has
    been compromised because of a security vulnerability, the host system
    and other containers remain unaffected. The potential damage can be
    minimized, analyzed and resolved directly from the host system.

Note: Linux Containers on
Oracle Linux 6 with the
Unbreakable Enterprise Kernel Release 2 (2.6.39) are still marked as
Technology Preview - their use
is only recommended for testing and
evaluation purposes.

The Open-Source project "Linux
Containers
" (LXC) is driving the development of the technology
behind this, which is based on the "Control Groups" (CGroups) and "Name
Spaces" functionality of the Linux kernel. Oracle is actively involved
in the Linux Containers development and contributes patches to the
upstream LXC code base.

Control Groups provide means to manage and monitor
the allocation of resources for individual processes or process groups.
Among other things, you can restrict the maximum amount of memory, CPU
cycles as well as the disk and network throughput (in MB/s or IOP/s)
that are available for an
application.

Name Spaces help to isolate
process groups from each other, e.g. the visibility of other running
processes or the exclusive access to a network device. It's also
possible to restrict a process group's access and visibility of the
entire file system hierarchy (similar to a classic "chroot"
environment).


CGroups and Name Spaces provide the foundation on which Linux
containers are based on, but they can actually be used independently as
well.

A more detailed description of how Linux Containers can be
created and managed on Oracle Linux will be explained in the second
part of this article.

Additional links related to Linux Containers:

  • OTN Article: href="http://www.oracle.com/technetwork/articles/servers-storage-admin/zones-containers-virtualization-1880908.html">The
    Role of Oracle Solaris Zones and Linux Containers in a Virtualization
    Strategy
  • Linux Containers on
    Wikipedia

- Lenz Grimmer

Follow me on:

Personal Blog | Facebook | Twitter | Linux Blog |

Join the discussion

Comments ( 2 )
  • guest Wednesday, August 7, 2013

    thanks Lenz for the overview about linux containers


  • russellk Saturday, August 23, 2014

    Why is not possible to run a 'Windows Container,' for shared dependencies? Why couldn't I theoretically have windows in a container running on finite memory just for the purposes of reading it's libraries and classes to run the programs that depend on them?


Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha