Overview

Linux Containers (LXC) provide an operating system level mechanism for running multiple isolated server instances (containers). Resource management is provided through control groups and resource isolation is provided through namespaces. The level of virtualisation is somewhere between that of chroot and KVM or Xen; container instances run the same kernel as the host system.

The method below describes how to run LXC in Slackware64 13.37.

For additional information, please consult the references below.

Method

Prior to Slackware 13.37, it was necessary to run a custom kernel and userland tools package. This is no longer necessary since the kernels supplied with Slackware 13.37 already support LXC. A new lxc package of userland tools is also provided in Slackware 13.37. Other than ensuring that the lxc package is installed (it's in the ap disk set), there's not much left to do :)
Here are the steps:

Set up control groups, manually at first, with the commands:
mkdir -p /cgroup
mount none -t cgroup /cgroup

If that works OK, add the following line to /etc/fstab:
none   /cgroup   cgroup   defaults   0   0

The host machine can share its network to provide connectivity for its container(s) using a bridge or by NAT (Network Address Translation). In either case, first ensure that IP forwarding is enabled in the host (this may already be enabled as part of your networking and firewall setup). In a terminal, run:
echo 1 > /proc/sys/net/ipv4/ip_forward

In a bridge network, all running containers will appear on the same network as the host machine. Each container could then use DHCP to obtain its own IP address, or it could be set up manually with (valid) entries in the container's /etc/rc.d/rc.inet1.conf file. Bridge networking can be set up in the host with the following commands:
/sbin/brctl addbr br0
/sbin/brctl setfd br0 0
/sbin/ifconfig br0 192.168.11.22 netmask 255.255.255.0 promisc up
/sbin/brctl addif br0 eth0
/sbin/ifconfig eth0 0.0.0.0 up
/sbin/route add default gw 192.168.11.1 br0

Please note that this example assumes the host machine has IP address 192.168.11.22 on network device eth0 and uses 192.168.11.1 as its gateway; these settings must be changed to reflect the local network circumstances.

An alternative to such a bridge network is for the host to use NAT to provide a separate address range for its containers. In this case each container has an IP address in a separate network from the host. A bridge point is set up with the IP address which will later be used as the gateway for each of the containers. In the following example, assume the new (private) network for the containers will be 192.168.100.0/24 with the gateway being 192.168.100.1. The NAT network is then set up in the host with the following commands:
/sbin/brctl addbr br0
/sbin/brctl setfd br0 0
/sbin/ifconfig br0 192.168.100.1 netmask 255.255.255.0 promisc up
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Whether to use a bridge or NAT for container networking depends on your local requirements and preference. Either way, when you have a set of commands that work, it's a good idea to put them in an rc script in /etc/rc.d/ so that the bridge or NAT is set up automatically at each system boot.
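
One way to package the NAT commands above as an rc script (an added example, not part of the original recipe). The file name rc.lxcnat, the DRYRUN switch and the -s restriction on the MASQUERADE rule are assumptions of this example; the restriction limits masquerading to the container subnet 192.168.100.0/24, which is narrower than the rule shown earlier, and sysctl -w is used in place of the echo into /proc.

```shell
#!/bin/sh
# /etc/rc.d/rc.lxcnat (hypothetical name): NAT bridge for LXC containers.
# Values are the page's example network; adjust for the local setup.
BRIDGE=br0
GATEWAY=192.168.100.1
NETMASK=255.255.255.0
SUBNET=192.168.100.0/24
UPLINK=eth0
DRYRUN=${DRYRUN:-0}   # DRYRUN=1 prints the commands instead of running them

run() {
  if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# The MASQUERADE rule, limited to traffic sourced from the container subnet
# so the host does not masquerade anything else it happens to forward.
nat_rule() {
  echo "POSTROUTING -s $SUBNET -o $UPLINK -j MASQUERADE"
}

nat_start() {
  run /sbin/sysctl -w net.ipv4.ip_forward=1
  # Create the bridge only if it is not already present.
  if [ "$DRYRUN" = 1 ] || [ ! -d "/sys/class/net/$BRIDGE" ]; then
    run /sbin/brctl addbr "$BRIDGE"
    run /sbin/brctl setfd "$BRIDGE" 0
  fi
  run /sbin/ifconfig "$BRIDGE" "$GATEWAY" netmask "$NETMASK" promisc up
  # Delete-then-append keeps exactly one copy of the rule across restarts.
  # $(nat_rule) is left unquoted on purpose so it splits into arguments.
  run /usr/sbin/iptables -t nat -D $(nat_rule) 2>/dev/null || true
  run /usr/sbin/iptables -t nat -A $(nat_rule)
}

nat_stop() {
  run /usr/sbin/iptables -t nat -D $(nat_rule) 2>/dev/null || true
  run /sbin/ifconfig "$BRIDGE" down
  run /sbin/brctl delbr "$BRIDGE"
}

case "${1:-}" in
  start) nat_start ;;
  stop)  nat_stop ;;
  *)     echo "usage: $0 start|stop" >&2 ;;
esac
```

Run it with DRYRUN=1 first to review the commands, then call it from /etc/rc.d/rc.local once they match the local network.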

Configuration is a little more complex if there is a need to simultaneously run some containers in a bridge network and others in a NAT network.

See our container creation recipe, which uses lxc-create (from the lxc userland tools package) with a template. Please also see Matteo Bernardini's excellent article at http://slackware.ponce.cc/blog/ which explains this method and links to a suitable template (which can, of course, be modified for specific local needs).

Also, see how it's done for Slackware with OpenVZ (another container based virtualisation system for Linux).

If a container has been constructed as per the UQVislab container recipe (and perhaps tarballed for future reuse), it probably needs some fine tuning before it will run successfully. Most importantly, it needs to be renamed - it doesn't make sense to run multiple containers with the same name. In this example we'll change the default name generic_1337 to atest_01:
mv /var/lib/lxc/generic_1337 /var/lib/lxc/atest_01
Now we change all instances of the old name in the container to the new name:
sed -i -e "s/generic_1337/atest_01/g" /var/lib/lxc/atest_01/config
sed -i -e "s/generic_1337/atest_01/g" /var/lib/lxc/atest_01/etc/fstab



Now, to start using the container, run:
lxc-start -n atest_01

This should produce some familiar output as the container system "boots up". Once it's up and running, connect to it with ssh (assuming the network was set up correctly) or run:
lxc-console -n atest_01
which will provide a console login prompt.

To stop the container system, run:
lxc-stop -n atest_01

At this point, you can start and stop the container systems as many times as you like.

To eventually remove it from the system, run:
lxc-destroy -n atest_01



Issues


References

LXC Home Page
Pimp my Slack (Matteo Bernardini)
LXC HOWTO (Dwight Schauer)
Fedora/Ubuntu-centric HOWTO (Bodhi Zazen)
OpenVZ wiki
OLD (SL-13.1) LXC Slackware HOWTO



Contact
Please send any questions, comments, advice etc., to Chris Willing <c.willing _at_ uq.edu.au>



Slackware® is a registered trademark of Slackware Linux.