In recent years, containers have gained wide adoption by businesses running a variety of application loads. This became possible largely due to the advent of kernel namespaces and better resource management with control groups (cgroups). Linux containers (LXC) are a direct implementation of those kernel features that provide operating system level virtualization without the overhead of a hypervisor layer.
This book starts by introducing the foundational concepts behind the implementation of LXC, then moves into the practical aspects of installing and configuring LXC containers. Moving on, you will explore container networking, security, and backups. You will also learn how to deploy LXC with technologies like Open Stack and Vagrant. By the end of the book, you will have a solid grasp of how LXC is implemented and how to run production applications in a highly available and scalable way.
Copyright © 2017 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: February 2017
Production reference: 1220217
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78588-894-6
www.packtpub.com
Author
Konstantin Ivanov
Copy Editor
Tom Jacob
Reviewer
Jay Payne
Project Coordinator
Kinjal Bari
Commissioning Editor
Kartikey Pandey
Proofreader
Safis Editing
Acquisition Editor
Mansi Sanghavi
Indexer
Mariammal Chettiyar
Content Development Editor
Radhika Atitkar
Graphics
Kirk D'Penha
Technical Editors
Devesh Chugh
Bhagyashree Rai
Production Coordinator
Aparna Bhagat
Konstantin Ivanov is a Linux systems engineer, an open source developer, and a technology blogger who has been designing, configuring, deploying, and administering large-scale, highly available Linux environments for more than 15 years.
His interests include large distributed systems and task automation, along with solving technical challenges involving multiple technology stacks.
Konstantin received two MS in Computer Science from universities in Bulgaria and the United States, specializing in system and network security and software engineering.
In his spare time, he loves writing technology blogs and spending time with his two boys. He can be reached on LinkedIn at https://www.linkedin.com/in/konstantinivanov or on his blog at http://www.linux-admins.net/.
Jay Payne has been a database administrator at Rackspace for over 10 years, working on the design, development, implementation, and operation of storage systems.
Previously, Jay worked on billing and support systems for hosting companies. For the last 20 years, he has primarily focused on the data life cycle, from database architecture, administration, operations, reporting, disaster recovery, and compliance. He has domain experience in hosting, finance, billing, and customer support industries.
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www.packtpub.com/mapt
Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.
Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1785888943.
If you'd like to join our team of regular reviewers, you can e-mail us at [email protected]. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!
I dedicate this book to my uncle Radoslav, who took me to his work when I was 8 years old in a computer manufacturing facility and sparked a life-long passion for technology and science, and to my parents, Anton and Darinka, who sold the family car to buy me my first computer.
Not too long ago, we used to deploy applications on a single server, scaling up by adding more hardware resources—we called it "the monolith approach." Achieving high availability was a matter of adding more single purpose servers/monoliths behind load balancers, more often than not ending with a cluster of under-utilized systems. Writing and deploying applications also followed this monolithic approach—the software was usually a large binary that provided most, if not all of the functionality. We either had to compile it from source and use some kind of installer, or package it and ship it to a repository.
With the advent of virtual machines and containers, we got away from the server monolith, fully utilizing the available compute resources by running our applications in isolated, resource-confined instances. Scaling applications up or down became a matter of adding more virtual machines or containers on a fleet of servers, then figuring out a way to deploy them automatically. We also broke down the single binary application into microservices that communicate with each other through a message bus/queue, taking full advantage of the low overhead that containers provide. Deploying the full application stack is now just a matter of bundling the services into their own containers, creating a single, fully isolated, dependency-complete work unit that is ready to deploy. Using continuous integration patterns and tools such as Jenkins allowed us to automate the build and deploy process even further.
This book is about LXC containers and how to run your applications inside them. Unlike other container solutions, such as Docker, LXC is designed to run an entire Linux system, not just a single process, though the latter is also possible. Even though an LXC container can contain an entire Linux filesystem, the underlying host kernel is shared, so no hypervisor layer is needed.
This book takes a direct and practical approach to LXC. You will learn how to install, configure, and operate LXC containers, along with multiple examples explaining how to run highly scalable and highly available applications inside LXC. You will use monitoring and deployment applications and other third-party tools. You will also learn how to write your own tools that extend the functionality provided by LXC and its various libraries. Finally, you will see a complete OpenStack deployment that adds the intelligence of managing a fleet of compute resources so that you can easily deploy your application inside LXC containers.
Chapter 1, Introduction to Linux Containers, provides an in-depth exploration of the history of containers in the Linux kernel, along with some fundamental terminology. After going through the basics, you will have a detailed view of how kernel namespaces and control groups (cgroups) are implemented and will be able to experiment with some C system calls.
Chapter 2, Installing and Running LXC on Linux Systems, covers everything that is needed to install, configure, and run LXC on Ubuntu and Red Hat systems. You will learn what packages and tools are required along with different ways of configuring LXC. By the end of this chapter, you will have a Linux system with running LXC containers.
Chapter 3, Command-Line Operations Using Native and Libvirt Tools, is all about running and operating LXC on the command line. The chapter will cover various tools from a list of packages and demonstrate different ways of interacting with your containerized application. The focus will be on the functionality that libvirt and the native LXC libraries provide in controlling the full life cycle of an LXC container.
Chapter 4, LXC Code Integration with Python, will show examples of how to write tools and automate LXC provisioning and management using Python libraries. You will also learn how to create a development environment using Vagrant and LXC.
Chapter 5, Networking in LXC with the Linux Bridge and Open vSwitch, will be a deep dive into networking in the containerized world—connecting LXC to the Linux bridge, using direct connect, NAT, and various other methods. It will also demonstrate more advanced techniques of traffic management using Open vSwitch.
Chapter 6, Clustering and Horizontal Scaling with LXC, builds upon the knowledge presented in earlier chapters to build a cluster of Apache containers and demonstrate how to connect them using GRE tunnels with Open vSwitch. The chapter also presents examples of running single process applications inside minimal root filesystem containers.
Chapter 7, Monitoring and Backups in a Containerized World, is about backing up your LXC application containers and deploying monitoring solutions to alert and trigger actions. We are going to see examples of using Sensu and Monit for monitoring, and iSCSI and GlusterFS for creating hot and cold backups.
Chapter 8, Using LXC with OpenStack, demonstrates how to provision LXC containers with OpenStack. It begins by introducing the various components that make up OpenStack and then shows how to use the LXC nova driver to automatically provision LXC containers among a pool of compute resources.
Appendix, LXC Alternatives to Docker and OpenVZ, ends the book by demonstrating how other popular container solutions, such as Docker and OpenVZ, came to be and the similarities and differences between them. It also explores practical examples of installing, configuring, and running them alongside LXC.
A beginner-level knowledge of Linux and the command line should be enough to follow along and run the examples. Some Python and C knowledge is required to fully understand and experiment with the code snippets, though the book is not about software development, and you can skip Chapter 4, LXC Code Integration with Python, altogether if you are not interested.
In terms of hardware and software requirements, most examples in the book have been tested in virtual machines utilizing various cloud providers such as Amazon AWS and Rackspace Cloud. We recommend using the latest version of Ubuntu, given Canonical's involvement with the LXC project, though we provide examples with CentOS whenever the installation/operation methods diverge.
This book is for anyone who is curious about Linux containers, from Linux administrators who are looking for in-depth understanding of how LXC works, to software developers who need a quick and easy way to prototype code in an isolated environment without the overhead of a full hypervisor. A DevOps engineer is most likely the best job title for those who want to read the book from cover to cover.
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "Manually building the root filesystem and configuration files using tools such as debootstrap and yum."
A block of code is set as follows:
    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <stdio.h>
    #include <signal.h>
    #include <sched.h>
    #include <unistd.h>   /* geteuid() and getegid() */

    static int childFunc(void *arg)
    {
        printf("UID inside the namespace is %ld\n", (long) geteuid());
        printf("GID inside the namespace is %ld\n", (long) getegid());
        return 0;
    }
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <stdio.h>
    #include <signal.h>
    #include <sched.h>
    #include <unistd.h>   /* geteuid() and getegid() */

    static int childFunc(void *arg)
    {
        printf("UID inside the namespace is %ld\n", (long) geteuid());
        printf("GID inside the namespace is %ld\n", (long) getegid());
        return 0;
    }
Any command-line input or output is written as follows:
    root@ubuntu:~# lsb_release -dc
    Description:    Ubuntu 14.04.5 LTS
    Codename:       trusty
    root@ubuntu:~#
New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Navigate to Networking support | Networking options | 802.1d Ethernet Bridging and select either Y to compile the bridging functionality in the kernel, or M to compile it as a module."
Warnings or important notes appear in a box like this.
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of. To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message. If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
You can download the code files by following these steps:
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Containerization-with-LXC. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/ContainerizationwithLXC_ColorImages.pdf.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at [email protected] with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.
Nowadays, deploying applications inside some sort of Linux container is a widely adopted practice, primarily due to the evolution of the tooling and the ease of use it presents. Even though Linux containers, or operating-system-level virtualization, have been around in one form or another for more than a decade, it took some time for the technology to mature and enter mainstream operation. One of the reasons for this is that hypervisor-based technologies such as KVM and Xen were able to solve most of the limitations of the Linux kernel during that period, and the overhead they presented was not considered an issue. However, with the advent of kernel namespaces and control groups (cgroups), the notion of lightweight virtualization became possible through the use of containers.
In this chapter, I'll cover the following topics:
The current state of Linux containers is a direct result of the problems that early OS designers were trying to solve – managing memory, I/O, and process scheduling in the most efficient way.
In the past, only a single process could be scheduled for work, wasting precious CPU cycles if it blocked on an I/O operation. The solution to this problem was to develop better CPU schedulers, so that more work could be allocated fairly for maximum CPU utilization. Even though modern schedulers, such as the Completely Fair Scheduler (CFS) in Linux, do a great job of allocating fair amounts of time to each process, there is still a strong case for being able to give higher or lower priority to a process and its subprocesses. Traditionally, this can be accomplished with the nice() system call or the real-time scheduling policies; however, there are limits to the granularity and control that can be achieved.
Similarly, before the advent of virtual memory, multiple processes would allocate memory from a shared pool of physical memory. Virtual memory provided some form of memory isolation per process, in the sense that each process has its own address space, and extended the available memory by means of swap, but there was still no good way of limiting how much memory each process and its children could use.
To further complicate matters, running different workloads on the same physical server usually had a negative impact on all running services. A memory leak or a kernel panic could allow one application to bring the entire operating system down. For example, a web server that is mostly memory bound and a database service that is I/O heavy became problematic when running together. In an effort to avoid such scenarios, system administrators would separate the various applications across a pool of servers, leaving some machines underutilized, especially at certain times of the day when there was not much work to be done. This is similar to the problem of a single running process blocked on an I/O operation wasting CPU and memory resources.
The solution to these problems is the use of hypervisor-based virtualization, containers, or a combination of both.
The hypervisor, as part of the operating system, is responsible for managing the life cycle of virtual machines, and has been around since the early days of mainframe machines in the late 1960s. Most modern virtualization implementations, such as Xen and KVM, can trace their origins back to that era. The main reason for the wide adoption of these virtualization technologies around 2005 was the need to better control and utilize the ever-growing clusters of compute resources. The inherent security of having an extra layer between the virtual machine and the host OS was a good selling point for the security-minded, though, as with any other newly adopted technology, there were security incidents.
Nevertheless, the adoption of full virtualization and paravirtualization significantly improved the way servers are utilized and applications provisioned. In fact, virtualization technologies such as KVM and Xen are still widely used today, especially in multitenant clouds and cloud technologies such as OpenStack.
Hypervisors provide the following benefits, in the context of the problems outlined earlier:
Arguably, the main reason against using any sort of virtualization technology today is the inherent overhead of running multiple kernels on the same host. It would be much better, in terms of complexity, if the host OS could provide this level of isolation without the need for hardware extensions in the CPU, the use of emulation software such as QEMU, or even kernel modules such as KVM. Running an entire operating system in a virtual machine just to achieve a level of confinement for a single web server is not the most efficient allocation of resources.
Over the last decade, various improvements to the Linux kernel were made to allow for similar functionality, but with less overhead – most notably the kernel namespaces and cgroups. One of the first notable technologies to leverage those changes was LXC, available since kernel 2.6.24, around 2008. Even though LXC is not the oldest container technology, it helped fuel the container revolution we see today.
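To make the namespace mechanism concrete, here is an added example written for this edition, not code from the book or from the LXC project: it uses clone() to place a child in new user, PID and UTS namespaces, then checks that the child sees itself as PID 1 and that a hostname set inside it ("lxc-ns-demo", a constructed value) never reaches the parent. It assumes a Linux host where unprivileged user namespaces are enabled; where they are disabled by policy or seccomp, the clone() call is refused and the program reports that instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#define STACK_SIZE (1024 * 1024)
#define DEMO_HOSTNAME "lxc-ns-demo" /* constructed name, set only inside the child's UTS namespace */
enum ns_result { NS_OK = 0, NS_UNSUPPORTED = 1, NS_FAILED = 2 };
struct ns_report {            /* filled via shared memory so the parent can read the child's view */
    pid_t child_pid_seen;     /* getpid() inside the new PID namespace */
    char child_hostname[64];
    char parent_hostname[64];
    int clone_errno;          /* errno when clone() itself was refused */
};
/* Entry point of the cloned child: PID 1 of a fresh PID namespace with a
 * private UTS namespace, so sethostname() here cannot leak to the host. */
static int child_func(void *arg)
{
    struct ns_report *rep = arg;
    if (sethostname(DEMO_HOSTNAME, strlen(DEMO_HOSTNAME)) != 0)
        return 1;
    rep->child_pid_seen = getpid();
    return gethostname(rep->child_hostname, sizeof rep->child_hostname) != 0;
}
/* Creates user, PID and UTS namespaces with clone() and records what both sides see. */
enum ns_result run_namespace_demo(struct ns_report *rep)
{
    memset(rep, 0, sizeof *rep);
    struct ns_report *shared = mmap(NULL, sizeof *shared, PROT_READ | PROT_WRITE,
                                    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    char *stack = malloc(STACK_SIZE);
    if (shared == MAP_FAILED || stack == NULL)
        return NS_FAILED;
    memset(shared, 0, sizeof *shared);
    /* CLONE_NEWUSER comes first: it grants the capabilities the other two flags
     * need, so no root is required where unprivileged user namespaces are allowed. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
    pid_t pid = clone(child_func, stack + STACK_SIZE, flags, shared);
    if (pid == -1) {
        rep->clone_errno = errno; /* EPERM/EINVAL/ENOSPC: disabled by policy or seccomp */
        free(stack); munmap(shared, sizeof *shared);
        return NS_UNSUPPORTED;
    }
    int status = 0;
    waitpid(pid, &status, 0);
    *rep = *shared;
    gethostname(rep->parent_hostname, sizeof rep->parent_hostname);
    free(stack); munmap(shared, sizeof *shared);
    /* Isolation held only if the child was PID 1 and its hostname did not leak out. */
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || rep->child_pid_seen != 1 ||
        strcmp(rep->child_hostname, DEMO_HOSTNAME) != 0 ||
        strcmp(rep->parent_hostname, DEMO_HOSTNAME) == 0)
        return NS_FAILED;
    return NS_OK;
}
int main(void)
{
    struct ns_report rep;
    enum ns_result r = run_namespace_demo(&rep);
    printf("result=%d child pid=%d child host=%s parent host=%s clone errno=%d\n", (int)r,
           (int)rep.child_pid_seen, rep.child_hostname, rep.parent_hostname, rep.clone_errno);
    return r == NS_FAILED;
}
```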
The main benefits of using LXC include:
It is worth mentioning that containers are not inherently as secure as having a hypervisor between the virtual machine and the host OS. However, in recent years, great progress has been made to narrow that gap using Mandatory Access Control (MAC) technologies such as SELinux and AppArmor, kernel capabilities, and cgroups, as demonstrated in later chapters.