Container technology
The previous article explained that a container is, put simply, a group of processes that are isolated from the rest of the system and limited in the resources they may use. The core kernel features behind it are Linux namespaces and cgroups.
In other words, the Linux kernel alone is enough to build a container. Below we use LXC to build a simple one by hand.
LXC
LXC (Linux Containers) is operating-system-level virtualization: every container runs on the host's kernel, with no hypervisor in between. It is built from three kernel mechanisms, cgroups + namespaces + a chroot-style root switch. Cgroups limit and account for the resources (CPU, memory, block I/O, device access) a group of processes may consume; namespaces give those processes their own view of kernel resources (process IDs, mounts, network stack, hostname, IPC objects, user IDs) so they cannot see or touch the host's; and the root switch, the oldest and simplest piece, changes the processes' root directory to a separate tree into which every program and file the container depends on has been copied, which limits what they can access and see. (LXC actually uses pivot_root rather than chroot, so the old root is detached as well, but the idea is the same.) Keep in mind that the root switch alone is not a security boundary: a process that keeps CAP_SYS_CHROOT can chroot again and walk back out, which is why LXC's default configs also drop capabilities, and why the real isolation comes from the namespaces and cgroups, plus seccomp filters and an LSM profile where the kernel and LXC build support them.
#CentOS 7.5
#1. Install lxc and lxc-templates
> yum install lxc lxc-templates
#2. lxc-checkconfig ==> every item under Namespaces and Control groups must say "enabled". On this host they all do, but note the two lines "newuidmap is not installed" / "newgidmap is not installed": the kernel supports user namespaces, yet without these setuid helpers (and subordinate uid/gid ranges in /etc/subuid and /etc/subgid) LXC cannot map container root to an unprivileged host uid, so every container built below is a privileged one.
> lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.0-862.3.2.el7.x86_64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
newuidmap is not installed
newgidmap is not installed
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /bin/lxc-checkconfig
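lxc-checkconfig reads the kernel config and prints the table above, but it only mentions newuidmap/newgidmap in passing. The script below is an added example (not part of the original page and not LXC's own code) that re-implements the namespace/cgroup part of that check for any config file and then decides whether unprivileged containers are possible for a given user. The CONFIG_* symbols are the real kernel option names; the config embedded in the script is constructed for the demo, and the helper names (missing_kernel_opts, unpriv_ready) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page or from LXC: a small re-implementation
# of the namespace/cgroup part of lxc-checkconfig plus an "unprivileged containers
# possible?" check. Works on /proc/config.gz or /boot/config-$(uname -r).

# Kernel options a container like the page's CentOS one depends on.
# CONFIG_SECCOMP is not mandatory for lxc-start, but without it LXC cannot apply
# a syscall filter, so it is reported as well.
REQUIRED_OPTS="CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_PID_NS \
CONFIG_NET_NS CONFIG_USER_NS CONFIG_CGROUPS CONFIG_CGROUP_DEVICE CONFIG_MEMCG \
CONFIG_CPUSETS CONFIG_VETH CONFIG_BRIDGE CONFIG_SECCOMP"

# read_config FILE: print the config text; /proc/config.gz is gzip-compressed.
read_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# missing_kernel_opts FILE: print every required option that is neither =y nor =m,
# one per line. Exit status 0 when nothing is missing, 1 otherwise.
missing_kernel_opts() {
    cfg=$(read_config "$1") || return 1
    missing=""
    for opt in $REQUIRED_OPTS; do
        if ! printf '%s\n' "$cfg" | grep -Eq "^${opt}=(y|m)$"; then
            missing="$missing $opt"
        fi
    done
    [ -n "$missing" ] && printf '%s\n' $missing
    [ -z "$missing" ]
}

# unpriv_ready USER [SUBUID_FILE] [SUBGID_FILE]: exit 0 when USER could run
# unprivileged containers, i.e. the setuid helpers newuidmap/newgidmap exist in
# PATH (the page's host lacks them) and USER owns a subordinate uid and gid range
# ("user:start:count" lines, normally in /etc/subuid and /etc/subgid).
unpriv_ready() {
    user=$1; subuid=${2:-/etc/subuid}; subgid=${3:-/etc/subgid}; ok=0
    for helper in newuidmap newgidmap; do
        command -v "$helper" >/dev/null 2>&1 || { echo "$helper is not installed"; ok=1; }
    done
    grep -Eq "^${user}:[0-9]+:[0-9]+$" "$subuid" 2>/dev/null \
        || { echo "no subordinate uid range for $user in $subuid"; ok=1; }
    grep -Eq "^${user}:[0-9]+:[0-9]+$" "$subgid" 2>/dev/null \
        || { echo "no subordinate gid range for $user in $subgid"; ok=1; }
    [ "$ok" -eq 0 ] && echo "unprivileged containers possible for $user"
    return "$ok"
}

# Demo 1: a constructed config that mirrors the page's host except that user
# namespaces are disabled, to show how a gap is reported.
demo_cfg=$(mktemp)
cat >"$demo_cfg" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_USER_NS is not set
CONFIG_CGROUPS=y
CONFIG_CGROUP_DEVICE=y
CONFIG_MEMCG=y
CONFIG_CPUSETS=y
CONFIG_VETH=m
CONFIG_BRIDGE=m
CONFIG_SECCOMP=y
EOF
echo "constructed config, missing options:"
missing_kernel_opts "$demo_cfg" || true
rm -f "$demo_cfg"

# Demo 2: the running kernel, if its config is readable from the usual places.
for f in /proc/config.gz "/boot/config-$(uname -r)"; do
    [ -r "$f" ] || continue
    echo "checking $f"
    missing_kernel_opts "$f" && echo "all required options enabled"
    break
done
unpriv_ready "$(id -un)" || echo "=> only privileged containers on this host"
```

On the page's host the second demo would print "newuidmap is not installed" and "newgidmap is not installed" and then fall through to the privileged-only message, which is exactly the situation the later namespace listing confirms.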
#3. With lxc-templates installed, these container templates are available
> ls -l /usr/share/lxc/templates/
total 340
-rwxr-xr-x 1 root root 10579 Mar 7 2019 lxc-alpine
-rwxr-xr-x 1 root root 13537 Mar 7 2019 lxc-altlinux
-rwxr-xr-x 1 root root 10839 Mar 7 2019 lxc-archlinux
-rwxr-xr-x 1 root root 9677 Mar 7 2019 lxc-busybox
-rwxr-xr-x 1 root root 29971 Mar 7 2019 lxc-centos
-rwxr-xr-x 1 root root 10486 Mar 7 2019 lxc-cirros
-rwxr-xr-x 1 root root 18342 Mar 7 2019 lxc-debian
-rwxr-xr-x 1 root root 18064 Mar 7 2019 lxc-download
-rwxr-xr-x 1 root root 49438 Mar 7 2019 lxc-fedora
-rwxr-xr-x 1 root root 28253 Mar 7 2019 lxc-gentoo
-rwxr-xr-x 1 root root 13965 Mar 7 2019 lxc-openmandriva
-rwxr-xr-x 1 root root 13882 Mar 7 2019 lxc-opensuse
-rwxr-xr-x 1 root root 35540 Mar 7 2019 lxc-oracle
-rwxr-xr-x 1 root root 12233 Mar 7 2019 lxc-plamo
-rwxr-xr-x 1 root root 6851 Mar 7 2019 lxc-sshd
-rwxr-xr-x 1 root root 24133 Mar 7 2019 lxc-ubuntu
-rwxr-xr-x 1 root root 11641 Mar 7 2019 lxc-ubuntu-cloud
#4. Create a CentOS container from the centos template (a minimal CentOS matching the host's release, here 7)
> lxc-create -n lxc_centos_1 -t /usr/share/lxc/templates/lxc-centos
Host CPE ID from /etc/os-release: cpe:/o:centos:centos:7
Checking cache download in /var/cache/lxc/centos/x86_64/7/rootfs ...
Cache found. Updating...
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: download.cf.centos.org
* extras: download.cf.centos.org
* updates: download.cf.centos.org
No packages marked for update
Loaded plugins: fastestmirror
Cleaning repos: base extras updates
0 package files removed
Update finished
Copy /var/cache/lxc/centos/x86_64/7/rootfs to /var/lib/lxc/lxc_centos_1/rootfs ...
Copying rootfs to /var/lib/lxc/lxc_centos_1/rootfs ...
sed: can't read /var/lib/lxc/lxc_centos_1/rootfs/etc/init/tty.conf: No such file or directory
Storing root password in '/var/lib/lxc/lxc_centos_1/tmp_root_pass'
Expiring password for user root.
passwd: Success
sed: can't read /var/lib/lxc/lxc_centos_1/rootfs/etc/rc.sysinit: No such file or directory
sed: can't read /var/lib/lxc/lxc_centos_1/rootfs/etc/rc.d/rc.sysinit: No such file or directory
Container rootfs and config have been created.
Edit the config file to check/enable networking setup.
The temporary root password is stored in:
'/var/lib/lxc/lxc_centos_1/tmp_root_pass'
The root password is set up as expired and will require it to be changed
at first login, which you should do as soon as possible. If you lose the
root password or wish to change it without starting the container, you
can change it from the host by running the following command (which will
also reset the expired flag):
chroot /var/lib/lxc/lxc_centos_1/rootfs passwd
#4.1 The template first fetches the rootfs; here a cached copy under /var/cache/lxc/centos/x86_64/7/rootfs already exists, so it is only refreshed with yum and then copied into place. The sed errors are harmless: the template patches sysvinit/upstart files (tty.conf, rc.sysinit) that a systemd-based CentOS 7 rootfs does not have.
#4.2 By default everything belonging to a container lives under /var/lib/lxc/${CONTAINER_NAME}
#4.3 The generated root password is written in cleartext to /var/lib/lxc/${CONTAINER_NAME}/tmp_root_pass; it is marked expired so the first login forces a change, and it can also be reset from the host with: chroot /var/lib/lxc/${CONTAINER_NAME}/rootfs passwd
#4.4 Layout of the container directory
> tree -L 3 /var/lib/lxc/
/var/lib/lxc/
└── lxc_centos_1 ----> container name
├── config ----> container config file
├── rootfs ----> container rootfs
│ ├── bin -> usr/bin
│ ├── boot
│ ├── dev
│ ├── etc
│ ├── home
│ ├── lib -> usr/lib
│ ├── lib64 -> usr/lib64
│ ├── media
│ ├── mnt
│ ├── opt
│ ├── proc
│ ├── root
│ ├── run
│ ├── sbin -> usr/sbin
│ ├── selinux
│ ├── srv
│ ├── sys
│ ├── tmp
│ ├── usr
│ └── var
└── tmp_root_pass ----> the container's generated root password
22 directories, 2 files
# 5. Start the container lxc_centos_1. By default this fails: the template's config attaches the container's veth to a bridge named virbr0 (key lxc.network.link), and no such bridge exists on this host. lxc-start daemonizes unless given -F, so the first run only reports that the container failed; the reason only shows up when it is run in the foreground or with --logfile/--logpriority.
> lxc-start -n lxc_centos_1
lxc-start: lxc_start.c: main: 336 The container failed to start.
lxc-start: lxc_start.c: main: 338 To get more details, run the container in foreground mode.
lxc-start: lxc_start.c: main: 340 Additional information can be obtained by setting the --logfile and --logpriority options.
# the same start, this time run in the foreground, which is how the actual reason becomes visible:
> lxc-start -n lxc_centos_1
lxc-start: conf.c: instantiate_veth: 3115 failed to attach 'vethVQUR2Q' to the bridge 'virbr0': No such device
lxc-start: conf.c: lxc_create_network: 3407 failed to create netdev
lxc-start: start.c: lxc_spawn: 875 failed to create the network
lxc-start: start.c: __lxc_start: 1149 failed to spawn 'lxc_centos_1'
lxc-start: lxc_start.c: main: 336 The container failed to start.
lxc-start: lxc_start.c: main: 340 Additional information can be obtained by setting the --logfile and --logpriority options.
#6. Create the bridge virbr0. Note: virbr0 is the name libvirt gives its default NAT bridge (libvirtd creates it together with a dnsmasq DHCP server); here we only create a bare bridge by hand, which is enough for lxc-start to succeed but gives the container a link with no address, no DHCP and no NAT behind it. These ip commands are also not persistent across a reboot.
#6.1 List the bridges currently on the system (nothing is printed: there are none)
> ip link show type bridge
#6.2 Create a bridge named virbr0
> ip link add name virbr0 type bridge
#6.3 Bring it up
> ip link set virbr0 up
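The failure in step 5 could have been caught before lxc-start. The script below is an added example (not from the page and not LXC's own code): it reads the interface name the container config attaches to (lxc.network.link in LXC 1.x, lxc.net.N.link in LXC 3 and later), checks whether that interface exists in /sys/class/net and is a bridge, and otherwise prints the ip commands from step 6 that would create it. The config file and sysfs tree in the demo are constructed; on a real host the paths are /var/lib/lxc/<name>/config and /sys/class/net. The optional address argument of bridge_create_cmds is this example's own addition.

```shell
#!/bin/sh
# Added example, not from the original page or from LXC: pre-flight check for the
# container network before lxc-start, so "failed to attach ... to the bridge
# 'virbr0': No such device" is caught up front.

# config_links CONFIG: print the bridge/interface names the config attaches to,
# one per line. Handles the LXC 1.x key (lxc.network.link) and the LXC 3+ key
# (lxc.net.<n>.link); whitespace around '=' and trailing comments are tolerated.
config_links() {
    sed -n -E 's/^[[:space:]]*lxc\.(network|net\.[0-9]+)\.link[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\2/p' "$1"
}

# iface_exists NAME [SYSFS_NET]: 0 if the interface is present (/sys/class/net/NAME)
iface_exists() {
    [ -d "${2:-/sys/class/net}/$1" ]
}

# iface_is_bridge NAME [SYSFS_NET]: 0 if it is a bridge (has a bridge/ subdirectory)
iface_is_bridge() {
    [ -d "${2:-/sys/class/net}/$1/bridge" ]
}

# bridge_create_cmds NAME [CIDR]: print the commands that would create NAME on the
# host. The optional CIDR gives the bridge an address so the container can reach
# the host; a bare "ip link add ... / ip link set ... up" bridge, as in step 6,
# carries no IP at all.
bridge_create_cmds() {
    echo "ip link add name $1 type bridge"
    [ -n "${2:-}" ] && echo "ip addr add $2 dev $1"
    echo "ip link set $1 up"
}

# net_preflight CONFIG [SYSFS_NET]: report each link; exit 0 only if every link
# the config refers to exists and is a bridge.
net_preflight() {
    cfg=$1; sysfs=${2:-/sys/class/net}; rc=0
    links=$(config_links "$cfg")
    if [ -z "$links" ]; then
        echo "no lxc.network.link / lxc.net.N.link in $cfg (container will get no veth)"
        return 0
    fi
    for link in $links; do
        if ! iface_exists "$link" "$sysfs"; then
            echo "MISSING: $link does not exist; create it with:"
            bridge_create_cmds "$link" | sed 's/^/    /'
            rc=1
        elif ! iface_is_bridge "$link" "$sysfs"; then
            echo "NOT A BRIDGE: $link exists but is not a bridge"
            rc=1
        else
            echo "OK: $link is an existing bridge"
        fi
    done
    return $rc
}

# Demo on a constructed config and a fake sysfs tree: first without the bridge
# (the page's situation in step 5), then after "creating" it.
demo=$(mktemp -d)
printf 'lxc.network.type = veth\nlxc.network.link = virbr0\nlxc.network.flags = up\n' >"$demo/config"
mkdir -p "$demo/net/eth0"
net_preflight "$demo/config" "$demo/net" || echo "=> lxc-start would fail here"
mkdir -p "$demo/net/virbr0/bridge"
net_preflight "$demo/config" "$demo/net"
rm -rf "$demo"
# Real host: net_preflight /var/lib/lxc/lxc_centos_1/config
```

Checking for the bridge/ subdirectory matters: an interface named virbr0 that is not a bridge (a plain veth or dummy device, for instance) also makes the attach fail.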
#7. Start lxc_centos_1 again. The console output below is what you see when the container runs in the foreground (lxc-start -F); without -F lxc-start daemonizes and you attach to the console with lxc-console -n lxc_centos_1. Two things are worth noticing in the boot log: the banner reports the host's kernel (3.10.0-862.3.2.el7), because a container shares the host kernel, and "Starting LSB: Bring up/down networking..." never reaches [ OK ], as expected with a bare bridge and no DHCP behind it.
> lxc-start -n lxc_centos_1
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.
Welcome to CentOS Linux 7 (Core)!
Running in a container, ignoring fstab device entry for /dev/root.
Cannot add dependency job for unit display-manager.service, ignoring: Unit not found.
[ OK ] Reached target Remote File Systems.
[ OK ] Started Dispatch Password Requests to Console Directory Watch.
[ OK ] Reached target Swap.
[ OK ] Reached target Local Encrypted Volumes.
[ OK ] Created slice Root Slice.
[ OK ] Listening on /dev/initctl Compatibility Named Pipe.
[ OK ] Created slice User and Session Slice.
[ OK ] Created slice System Slice.
[ OK ] Reached target Slices.
[ OK ] Created slice system-getty.slice.
[ OK ] Listening on Journal Socket.
Mounting Huge Pages File System...
Starting Read and set NIS domainname from /etc/sysconfig/network...
Mounting POSIX Message Queue File System...
Starting Journal Service...
[ OK ] Started Forward Password Requests to Wall Directory Watch.
[ OK ] Reached target Paths.
[ OK ] Listening on Delayed Shutdown Socket.
Starting Remount Root and Kernel File Systems...
[ OK ] Mounted Huge Pages File System.
[ OK ] Started Read and set NIS domainname from /etc/sysconfig/network.
[ OK ] Mounted POSIX Message Queue File System.
[ OK ] Started Journal Service.
[ OK ] Started Remount Root and Kernel File Systems.
Starting Configure read-only root support...
Starting Flush Journal to Persistent Storage...
[ OK ] Reached target Local File Systems (Pre).
<46>systemd-journald[17]: Received request to flush runtime journal from PID 1
[ OK ] Started Flush Journal to Persistent Storage.
[ OK ] Started Configure read-only root support.
Starting Load/Save Random Seed...
[ OK ] Reached target Local File Systems.
Starting Create Volatile Files and Directories...
[ OK ] Started Load/Save Random Seed.
[ OK ] Started Create Volatile Files and Directories.
Starting Update UTMP about System Boot/Shutdown...
[ OK ] Started Update UTMP about System Boot/Shutdown.
[ OK ] Reached target System Initialization.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Reached target Sockets.
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Reached target Timers.
[ OK ] Reached target Basic System.
Starting Permit User Sessions...
Starting Login Service...
[ OK ] Started D-Bus System Message Bus.
Starting LSB: Bring up/down networking...
[ OK ] Started Permit User Sessions.
Starting Cleanup of Temporary Directories...
[ OK ] Started Command Scheduler.
[ OK ] Started Console Getty.
[ OK ] Reached target Login Prompts.
[ OK ] Started Login Service.
[ OK ] Started Cleanup of Temporary Directories.
CentOS Linux 7 (Core)
Kernel 3.10.0-862.3.2.el7.x86_64 on an x86_64
lxc_centos_1 login:
#7.1 Show the container's state ---> its init is host PID 12159
> lxc-info -n lxc_centos_1
Name: lxc_centos_1
State: RUNNING
PID: 12159
CPU use: 0.07 seconds
BlkIO use: 0 bytes
Memory use: 1008.00 KiB
KMem use: 0 bytes
Link: vethY6XL29
TX bytes: 2.97 KiB
RX bytes: 648 bytes
Total bytes: 3.60 KiB
#7.2 On the host, look up PID 12159 (the container's /sbin/init is an ordinary process in the host's PID namespace)
> ps -ef |grep 12159
#7.3 Namespaces of the host shell ($$)
>ls -l /proc/$$/ns/
total 0
lrwxrwxrwx 1 root root 0 Feb 29 03:43 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Feb 29 03:43 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 Feb 29 03:43 net -> net:[4026531956]
lrwxrwxrwx 1 root root 0 Feb 29 03:43 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Feb 29 03:43 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Feb 29 03:43 uts -> uts:[4026531838]
#7.4 Namespaces of PID 12159 ========> ipc, mnt, net, pid and uts all have inode numbers different from the host's, so those namespaces are isolated. The user namespace is NOT: user:[4026531837] is the same on both sides, because this is a privileged container (no newuidmap/newgidmap on this host, see lxc-checkconfig above). uid 0 inside the container is therefore uid 0 on the host, and the container's isolation rests on the other namespaces, cgroups, dropped capabilities and the LSM, not on uid mapping.
> ls -l /proc/12159/ns
total 0
lrwxrwxrwx 1 root root 0 Feb 29 03:40 ipc -> ipc:[4026532502]
lrwxrwxrwx 1 root root 0 Feb 29 03:40 mnt -> mnt:[4026532498]
lrwxrwxrwx 1 root root 0 Feb 29 03:40 net -> net:[4026532505]
lrwxrwxrwx 1 root root 0 Feb 29 03:40 pid -> pid:[4026532503]
lrwxrwxrwx 1 root root 0 Feb 29 03:43 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Feb 29 03:40 uts -> uts:[4026532501]
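Comparing two ls listings by eye is error-prone. The script below is an added example (not from the page and not an LXC tool): it resolves each /proc/<pid>/ns/<type> link, reports which namespaces differ between two processes, and flags a shared user namespace, which is what the two listings above show (4026531837 on both sides) and what makes lxc_centos_1 a privileged container. The demo data rebuilds the two listings as constructed symlinks in a temporary directory; on the real host you would point it at /proc/$$/ns and /proc/<container init pid>/ns, with the PID taken from lxc-info as in 7.1. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: compare the namespaces of two
# processes. Each /proc/<pid>/ns/<type> entry is a symlink to "type:[inode]";
# two processes share a namespace exactly when the inode numbers match.

NS_TYPES="ipc mnt net pid user uts cgroup"

# ns_id NSDIR TYPE: print "[inode]" for NSDIR/TYPE, or "-" if procfs does not
# expose that namespace type (older kernels have no cgroup namespace, for one).
ns_id() {
    target=$(readlink "$1/$2" 2>/dev/null) || { echo "-"; return 0; }
    echo "${target#*:}"          # "pid:[4026532503]" -> "[4026532503]"
}

# compare_ns DIR_A DIR_B: print one line per namespace type, "<type> shared <id>"
# or "<type> isolated <id_a> -> <id_b>". Exit 0 if the user namespace is
# isolated, 1 if it is shared (uid 0 in B is uid 0 in A: a privileged container).
compare_ns() {
    a=$1; b=$2; status=0
    for type in $NS_TYPES; do
        ia=$(ns_id "$a" "$type"); ib=$(ns_id "$b" "$type")
        if [ "$ia" = "-" ] && [ "$ib" = "-" ]; then
            continue                       # type absent on both sides
        fi
        if [ "$ia" = "$ib" ]; then
            echo "$type shared $ia"
            [ "$type" = "user" ] && status=1
        else
            echo "$type isolated $ia -> $ib"
        fi
    done
    return $status
}

# Demo: the two listings from the page, rebuilt as symlinks in a temp dir
# (constructed data; the inode numbers are copied from the host and container output).
demo=$(mktemp -d)
mkdir -p "$demo/host" "$demo/ctr"
for e in ipc:4026531839 mnt:4026531840 net:4026531956 pid:4026531836 user:4026531837 uts:4026531838; do
    ln -s "${e%%:*}:[${e#*:}]" "$demo/host/${e%%:*}"
done
for e in ipc:4026532502 mnt:4026532498 net:4026532505 pid:4026532503 user:4026531837 uts:4026532501; do
    ln -s "${e%%:*}:[${e#*:}]" "$demo/ctr/${e%%:*}"
done
compare_ns "$demo/host" "$demo/ctr" \
    || echo "WARNING: user namespace shared: privileged container, root inside == root on host"
rm -rf "$demo"

# Real host: compare this shell with the container's init (PID from lxc-info):
#   compare_ns /proc/$$/ns /proc/$(lxc-info -n lxc_centos_1 -p -H)/ns
```

Run against the page's numbers the demo prints five "isolated" lines, one "user shared [4026531837]" line and the warning; an unprivileged container would show a different user inode and exit 0.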
#8. Log in to the container lxc_centos_1 as root; the generated password is in /var/lib/lxc/${CONTAINER}/tmp_root_pass (root-only, mode 0600, but stored in cleartext: remove it once the password has been changed)
> ls -l /var/lib/lxc/lxc_centos_1/tmp_root_pass
-rw------- 1 root root 25 Feb 29 03:25 /var/lib/lxc/lxc_centos_1/tmp_root_pass
#8.1 At the console prompt from step 7; the password is marked expired, so login forces a change before the shell starts
lxc_centos_1 login: root
Password:
You are required to change your password immediately (root enforced)
Changing password for root.
(current) UNIX password:
New password:
New password:
Retype new password:
[root@lxc_centos_1 ~]# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 03:40 ? 00:00:00 /sbin/init
root 30 1 0 03:40 ? 00:00:00 /usr/lib/systemd/systemd-logind
dbus 31 1 0 03:40 ? 00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 34 1 0 03:40 ? 00:00:00 /usr/sbin/crond -n
root 192 1 0 03:41 ? 00:00:00 /usr/sbin/sshd -D
root 193 1 0 03:41 ? 00:00:00 /usr/sbin/rsyslogd -n
root 198 1 36 03:43 ? 00:01:58 /usr/lib/systemd/systemd-journald
root 200 1 0 03:47 ? 00:00:00 login -- root
root 201 200 0 03:48 lxc/console 00:00:00 -bash
root 214 201 0 03:49 lxc/console 00:00:00 ps -ef
[root@lxc_centos_1 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)