containers

Video: Fedora 23 LXC - Debian SID and CentOS 7 XFCE containers via X2Go


Being a LONG-TIME OpenVZ user, I've been avoiding LXC some. Mainly because it wasn't quite done yet. I thought I'd give it a try on Fedora 23 to see how well it works... and the answer is surprisingly... fairly well. I made two screencasts (without sound). I just used the lxc-{whatever} tools rather than virt-manager. Both containers just use the default network config (DHCP handed out via DNSMasq provided by libvirtd) which is NAT'ed private addresses... and were automatically configured and just worked.

Here's a list of all of the container OS Templates they offer on x86 (columns: distribution, release, architecture, variant, build timestamp):

centos 6 amd64 default 20160205_02:16
centos 6 i386 default 20160205_02:16
centos 7 amd64 default 20160205_02:16
debian jessie amd64 default 20160204_22:42
debian jessie i386 default 20160204_22:42
debian sid amd64 default 20160207_11:58
debian sid i386 default 20160204_22:42
debian squeeze amd64 default 20160204_22:42
debian squeeze i386 default 20160204_22:42
debian wheezy amd64 default 20160204_22:42
debian wheezy i386 default 20160204_22:42
fedora 21 amd64 default 20160205_01:27
fedora 21 i386 default 20160205_01:27
fedora 22 amd64 default 20160205_01:27
fedora 22 i386 default 20160205_01:27
gentoo current amd64 default 20160205_14:12
gentoo current i386 default 20160205_14:12
opensuse 12.3 amd64 default 20160205_00:53
opensuse 12.3 i386 default 20160205_00:53
oracle 6.5 amd64 default 20160205_11:40
oracle 6.5 i386 default 20160205_11:40
plamo 5.x amd64 default 20160207_11:59
plamo 5.x i386 default 20160207_13:13
ubuntu precise amd64 default 20160205_03:49
ubuntu precise i386 default 20160205_03:49
ubuntu trusty amd64 default 20160205_03:49
ubuntu trusty i386 default 20160205_03:49
ubuntu trusty ppc64el default 20160201_03:49
ubuntu vivid amd64 default 20160205_03:49
ubuntu vivid i386 default 20160205_03:49
ubuntu wily amd64 default 20160205_03:49
ubuntu wily i386 default 20160205_03:49
ubuntu xenial amd64 default 20160205_03:49
ubuntu xenial i386 default 20160205_03:49

The first one shows the basics of LXC installation on Fedora 23 (per their wiki page on the subject) as well as creating a Debian SID container, getting it going, installing a lot of software on it including XFCE and most common desktop software... and accessing it via X2Go... and configuring XFCE the way I like it. This one was made on my home laptop and my network is a bit slow so I cut out a few long portions where packages were downloading and installing but everything else is there... yes including quite a bit of waiting for stuff to happen.


lxc-on-fedora-23-debian-sid-GUI-container.webm (25 MB, ~41.5 minutes)

The second video is very similar to the first but it is a remote ssh session with my work machine (where the network is way faster) and shows making a CentOS 7 container, installing XFCE and the same common desktop software, and then connecting to it via X2Go using an ssh proxy, and configuring XFCE how I like it. It was done in a single, un-edited take and includes a bit of waiting as stuff downloads and installs... so you get the complete thing from start to finish.


lxc-on-fedora-23-centos-7-GUI-container.webm (22.7 MB, ~31 minutes)
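The procedure both screencasts walk through (install the LXC tools, let the container pick up a NAT'ed address from libvirt's dnsmasq, create it from the download template, start it, install sshd/XFCE/x2goserver inside, then reach it from elsewhere through an ssh proxy on the host) as one script. This is an added example, not the post's own code or anything from the LXC or X2Go projects. It assumes the lxc 1.x tools and the libvirt "default" network on Fedora 23 as the Fedora LXC wiki page describes, a Debian/Ubuntu or CentOS 7 guest, and illustrative package names for XFCE and x2goserver (EPEL on CentOS); the container name, user and host name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post.  Assumptions: lxc 1.x tools and
# libvirt on Fedora 23 as described on the Fedora LXC wiki page, the libvirt
# "default" NAT network (dnsmasq leases on virbr0), Debian/Ubuntu or CentOS 7
# guests, and illustrative package names for XFCE and x2goserver.
set -eu

# Pure helper: read a download-template index (the format of the listing above,
# as printed by `lxc-create -t download -n x -- --list`) on stdin and succeed only
# if it carries an image for DIST RELEASE ARCH.  Checking first gives a clear
# error instead of a half-created container.
template_available() {
    awk -v d="$1" -v r="$2" -v a="$3" \
        '$1 == d && $2 == r && $3 == a { found = 1 } END { exit(found ? 0 : 1) }'
}

# Pure helper: first IPv4 address in `lxc-info -i` output, whatever the label
# formatting; prints nothing while the container still has no DHCP lease.
first_ipv4() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Pure helper: the ssh proxy command a remote client uses to reach a container
# that only has a NAT'ed private address: hop through the LXC host (X2Go Client
# has an equivalent "use proxy server for SSH connection" option).
proxy_hint() {   # USER CONTAINER_IP HOST
    printf 'ssh -o ProxyCommand="ssh -W %%h:%%p %s" %s@%s\n' "$3" "$1" "$2"
}

host_setup() {
    dnf install -y lxc lxc-templates lxc-extra libvirt-daemon-config-network
    systemctl enable --now libvirtd
    virsh net-autostart default
    virsh net-start default 2>/dev/null || true    # already active is fine
    # lxc 1.x config syntax: every new container gets a veth on virbr0
    grep -q virbr0 /etc/lxc/default.conf || cat >> /etc/lxc/default.conf <<'EOF'
lxc.network.type = veth
lxc.network.link = virbr0
lxc.network.flags = up
EOF
}

create_container() {   # NAME DIST RELEASE ARCH
    lxc-create -t download -n "$1" -- --list | template_available "$2" "$3" "$4" ||
        { echo "no $2/$3/$4 image in the download index" >&2; return 1; }
    lxc-create -t download -n "$1" -- -d "$2" -r "$3" -a "$4"
    lxc-start -n "$1" -d
    lxc-wait -n "$1" -s RUNNING -t 30
}

wait_for_ip() {        # NAME: dnsmasq takes a few seconds to hand out a lease
    i=0
    while [ "$i" -lt 30 ]; do
        ip=$(lxc-info -n "$1" -i 2>/dev/null | first_ipv4)
        [ -n "$ip" ] && { echo "$ip"; return 0; }
        i=$((i + 1)); sleep 1
    done
    echo "no IP address for $1 after 30s" >&2
    return 1
}

desktop_setup() {      # NAME USER: sshd, XFCE and x2goserver inside the guest
    lxc-attach -n "$1" -- sh -c '
        if command -v apt-get >/dev/null 2>&1; then
            apt-get update && apt-get install -y openssh-server xfce4 x2goserver x2goserver-xsession
        else    # CentOS 7: x2goserver and the Xfce group come from EPEL
            yum install -y epel-release && yum install -y openssh-server x2goserver x2goserver-xsession &&
            yum groupinstall -y Xfce
        fi
        useradd -m "$1"' sh "$2"
    # set a password or an authorized_keys entry for that user before connecting
}

main() {
    name=${1:-debian-sid-gui}; user=${2:-desktop}; host=${3:-$(hostname)}
    host_setup
    create_container "$name" debian sid amd64    # or: centos 7 amd64
    ip=$(wait_for_ip "$name")
    desktop_setup "$name" "$user"
    echo "$name is up at $ip (reachable only from this host); remote clients use:"
    proxy_hint "$user" "$ip" "$host"
}

# The steps above change the host, so they only run when asked for explicitly:
#   LXC_DEMO_RUN=1 sh lxc-gui-container.sh debian-sid-gui desktop lxc-host.example
if [ "${LXC_DEMO_RUN:-0}" = 1 ]; then main "$@"; fi
```

The point of the proxy step is that the container never gets a routable address: its sshd is reachable on the 192.168.122.0/24 libvirt network only, so every remote X2Go session is authenticated twice, once against the host and once against the container, and nothing inside the container is exposed to the outside network directly.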

I recorded the screencasts with vokoscreen at 25 frames-per-second @ slightly larger than 720p resolution... and then converted them to webm (vp9) with ffmpeg @ 200kbit video. They compressed down amazingly well. I recommend playback in full-screen as the quality is great. Enjoy!

Video: Alpine Linux-based LiveCD with OpenVZ kernel / tools


I recently encountered an Alpine Linux developer in the #openvz Freenode IRC channel who was working on an Alpine Linux-based LiveCD that uses the OpenVZ Legacy stable kernel and tools. If you aren't familiar with Alpine Linux (and I wasn't prior), it is a very minimal Linux distro that uses BusyBox. The LiveCD shafire (his IRC nick) created is ~ 100MB in size. Since I know OpenVZ very well, shafire asked me to lend a hand with testing.

I recorded a screencast that shows using the LiveCD from start to finish. Being very small, and needing storage space for containers, besides the LiveCD you really need a disk partition for permanent storage. The video shows booting the CD, a few manual steps that are needed to get a proper environment established, creating two containers, starting them, entering them and running some simple commands, shutting them down, and shutting down the host. I did all of the testing using a KVM virtual machine which made it easy for video capture. The video runtime is about 11 minutes and there was no editing of the video... everything is absolutely in real-time with no speedups. It is just THAT fast. :)

The embedded video is in webm/vp9 format and should play fine in contemporary versions of Firefox and Google Chrome. If you are using another browser and can't play the video, feel free to use the link under the video to download it and play with a recent version of the VLC media player. Looks like some video feeds that pick up my blog (planet.openvz.org for example) aren't embedding it properly so in that case, use the link under the video. That should work.

If you prefer to download and play in a local media player, here's the direct URL:
alpine-based-openvz-livecd-demo.webm

For those interested in screencast creation and video conversion stuff, I used vokoscreen to capture my screen. It natively produced a 175.9 MB .mkv file. I used ffmpeg to convert it to a webm file (vp9 video codec, no audio). The resolution is > 480p and the quality is very good... but amazingly, the filesize for the 11 minute video is only 1.7 MB. I guess ffmpeg / vp9 are awesome at compression of this genre of video. I set an upper limit of 200 Kbit for the video bitrate but using a variable bitrate it was able to greatly reduce the bitrate for the bulk of the video.

Video: LabX and the GUI web-based desktop


I signed up for a free service a few weeks back named LabX. I don't remember where I learned about it... some article I saw posted on LXer I think. Anyway... today I got an email invite from them, signed up for an account and gave it a try.

To be honest I don't know much about it yet and I don't know exactly what it is for and what to do with it... but one thing is for sure, I like virtualization and remoting protocols... so it is right up my alley. After creating an account I logged in. Turns out the email address you registered with is your username although that isn't exactly clear from the various screens. Once logged in I was able to start and access a virtual environment that was listed as "Ubuntu 14.04". Connecting to it gave me a GUI desktop in my browser. XFCE / Xubuntu. I recorded a 15 minute screencast (no audio) of the session so enjoy.

Please note, the video is of my Firefox web-browser running on my local desktop and the shown browser tab is my connection to the remote GUI container. The raw video was 1276x1373 resolution and 566.7 MB in size (in .mkv format) but I used ffmpeg to resize it to 720x755 @ 400Kbit so it is now 13.8 MB (in webm format). Much smaller and a little blurry but much better for web streaming.

If you prefer to download and play in a local media player, here's the direct URL:
LabX-Xubuntu-1404-web-desktop-demo.webm

Video: Super Privileged Containers


For anyone who hasn't seen this yet who is interested in containers, this is a must see. Watch Red Hat's SELinux guru Dan Walsh explain and demo Super Privileged Containers from the Red Hat Summit 2015. Enjoy!

For those who are iFrame challenged, here's the direct YouTube link: https://www.youtube.com/watch?v=dM2Fc53Dtd4

OpenVZ / Virtuozzo 7 Beta First Impressions


Odin and the OpenVZ Project announced the beta release of a new version of Virtuozzo today. This is also the next version of OpenVZ as the two are merging closer together. See their release announcement.

There will eventually be two distinct versions... a free version and a commercial version. So far as I can tell they currently call it Virtuozzo 7 but in a comparison wiki page they use the column names Virtuozzo 7 OpenVZ (V7O) and Virtuozzo 7 Commercial (V7C). The original OpenVZ, which is still considered the stable OpenVZ release at this time based on the EL6-based OpenVZ kernel, appears to be called OpenVZ Legacy.

Odin had previously released the source code to a number of the Virtuozzo tools (mailing list post) and followed that up with the release of spec-like source files used by Virtuozzo's vztt OS Template build system. The plan is to migrate away from the OpenVZ specific tools (like vzctl, vzlist, vzquota, and vzmigrate) to the Virtuozzo specific tools although there will probably be some overlap for a while.

The release includes source code, binary packages and a bare-metal distro installer DVD iso.

Bare Metal Installer

I got a chance to check out the bare-metal installer today inside of a KVM virtual machine. I must admit that I'm not very familiar with previous Virtuozzo releases but I am a semi-expert when it comes to OpenVZ. Getting used to the new system is taking some effort but will all be for the better.

I didn't make any screenshots yet of the installer... I may do that later... but it is very similar to that of RHEL7 (and clones) because it is built by and based on CloudLinux... which is based on EL7.

CloudLinux Confusion

What is CloudLinux? CloudLinux is a company that makes a commercial multi-tenant hosting product... that appears to provide container (or container-like) isolation as well as Apache and PHP enhancements specifically for multi-tenant hosting needs. CloudLinux also offers KernelCare-based reboot-less kernel updates. CloudLinux is definitely independent from Odin and the CloudLinux products are in no way related to Virtuozzo. Odin and CloudLinux are partners however.

Why is the distro based on CloudLinux and does one need a CloudLinux subscription to use it? Well it turns out that Odin really didn't want to put forth all of the effort and time required to produce a completely new EL7-clone. CloudLinux is already an expert at that... so Odin partnered with CloudLinux to produce an EL7-based distro for Virtuozzo 7. While CloudLinux built it and (I think) there are a few underlying CloudLinux packages, everything included is FOSS (Free and Open Source Software). It DOES NOT and WILL NOT require a CloudLinux subscription to use... because it is not related to CloudLinux's product line nor does it contain any of the CloudLinux product features.

The confusion was increased when I did a yum update post-install and it failed with a yum repo error asking me to register with CloudLinux. Turns out that is a bug in this initial release and registration is NOT needed. There is a manual fix of editing a repo file in /etc/yum.repos.d/ and replacing the incorrect base and updates URLs with working ones. This and other bugs that are sure to crop up will be addressed in future iso builds which are currently slated for weekly release... as well as daily package builds and updates available via yum.

More Questions, Some Answers

So this is the first effort to merge Virtuozzo and OpenVZ together... and again... me being very Virtuozzo ignorant... there is a lot to learn. How does the new system differ from OpenVZ? What are the new features coming from Virtuozzo? I don't know if I can answer every conceivable question but I was able to publicly chat with Odin's sergeyb in the #openvz IRC channel on the Freenode IRC network. I also emailed the CloudLinux folks and got a reply back. Here's what I've been able to figure out so far.

Why CloudLinux? - I mentioned that already above, but Odin didn't want to engineer their own EL7 clone so they got CloudLinux to do it for them and it was built specifically for Virtuozzo and not related to any of the CloudLinux products... and you do not need a subscription from Odin nor CloudLinux to use it.

What virtualization does it support? - Previous Virtuozzo products supported not only containers but a proprietary virtual machine hypervisor made by Odin/Parallels. In Virtuozzo 7 (both OpenVZ and Commercial so far as I can tell) the proprietary hypervisor has been replaced with the Linux kernel built-in one... KVM. See: https://openvz.org/QEMU

How about libvirt support? - Anyone familiar with EL7's default libvirtd setup for KVM will be happy to know that it is maintained. libvirtd is running by default and the network interfaces you'd expect to be there, are. virsh and virt-manager should work as expected for KVM.

Odin has been doing some libvirt development and supposedly both virsh and virt-manager should work with VZ7 containers. They are working with upstream. libvirt has supposedly supported OpenVZ for some time but there weren't any client applications that supported OpenVZ. That is changing. See: https://openvz.org/LibVirt

Command line tools? - OpenVZ's vzctl is there as is Virtuozzo's prlctl.

How about GUIs or web-based management tools? - That seems to be unclear at this time. I believe V7C will offer web-based management but I'm not sure about V7O. As mentioned in the previous question, virt-manager... which is a GUI management tool... should be usable for both containers and KVM VMs. virsh / virt-manager VZ7 container support remains to be seen but it is definitely on the roadmap.

Any other new features? - Supposedly VZ7 has a fourth-generation resource management system that I don't know much about yet. Other than the most obvious stuff (EL7-based kernel, KVM, libvirt support, Virtuozzo tools, etc), I haven't had time to absorb much yet so unfortunately I can't speak to many of the new features. I'm sure there are tons.

About OS Templates

I created a CentOS 6 container on the new system... and rather than downloading a pre-created OS Template that is a big .tar.gz file (as with OpenVZ Legacy) it downloaded individual rpm packages. It appears to build OS Templates on demand from current packages BUT it uses a caching system whereby it will hold on to previously downloaded packages in a cache directory somewhere under /vz/template/. If the desired OS Template doesn't exist already in /vz/template/cache/ the required packages are downloaded, a temporary ploop image made, the packages installed, and then the ploop disk image is compressed and added to /vz/template/cache as a pre-created OS Template. So the end result for my CentOS 6 container created /vz/template/cache/centos-6-x86_64.plain.ploopv2.tar.lz4. I manually downloaded an OpenVZ Legacy OS Template and placed it in /vz/template/cache but it was ignored so at this time, I do not think they are compatible / usable.

The only OS Template available at time of writing was CentOS 6 but I assume they'll eventually have all of the various Linux distros available as in the past... both rpm and deb based ones. We'll just have to wait and see.

As previously mentioned, Odin has already released the source code to vztt (Virtuozzo's OS Template build system) as well as some source files for CentOS, Debian and Ubuntu template creation. They have also admitted that coming from closed source, vztt is a bit over-complicated and not easy-to-use. They plan on changing that ASAP but help from the community would definitely be appreciated.

How about KVM VMs?

I'm currently on vacation and only have access to a laptop running Fedora 22... that I'm typing this from... and didn't want to nuke it... so I installed the bare-metal distro inside of a KVM virtual machine. I didn't really want to try nested KVM. That would definitely not have been a legitimate test of the new system... but I expect libvirtd, virsh, and virt-manager to work and behave as expected.

Conclusion

Despite the lack of perfection in this initial release, Virtuozzo 7 shows a lot of promise. While it is a bit jarring coming from OpenVZ Legacy... with all of the changes... the new features... especially KVM... really show promise and I'll be watching all of the updates as they happen. There certainly is a lot of work left to do but this is definitely a good start.

I'd love to hear from other users to find out what experiences they have.

Congrats Odin and OpenVZ! I only wish I had a glass of champagne and could offer up a respectable toast... and that there were others around me to clank glasses with. :)

This article is translated to the Bosnian language by Vlada Catalic.


Video: Containers with systemd


Linux Weekly News had a write-up in their Weekly Edition last week... of Lennart Poettering's talk (Containers with systemd) at LinuxCon Japan 2015. That article should be available freely later this week... but I found a recording of what appears to be the same talk at a different event from April 2015. Here are the slides. Enjoy!

For those with iFrame issues, here's the direct link:
https://www.youtube.com/watch?v=d4SwL2t5Yh4

Here's some documentation on that stuff if you are looking for it.

Want more? How about more of a hands-on approach? Gábor Nyers can provide more... in his presentation from the recent OpenSUSE Conference 2015.

Video: LXD containers vs. KVM


Since I'm such a big container fan (been using them on Linux since 2005) and I recently blogged about Docker, LXC, and OpenVZ... how could I pass up posting this? Some Canonical guys gave a presentation at the recent OpenStack Summit on "LXD vs. KVM". What is LXD? It is basically a management service for LXC that supposedly adds a lot of the features LXC was missing... and is much easier to use. For a couple of years now Canonical has shown an interest in LXC and has supposedly been doing a lot of development work around them. I wonder what specifically? They almost seem like the only company who is interested in LXC... or at least they are putting forth a publicly noticeable effort around them.

Why Should You Care?
If Canonical can actually deliver on their LXD roadmap it is possible that it will be a suitable substitute for OpenVZ. The main "problem" with OpenVZ is that it is not in the mainline kernel, whereas LXC is. In practice you have to purposefully make an OpenVZ host (currently recommended on RHEL6 or clone) but with LXC/LXD any contemporary Linux system should be able to do full-distro containers... aka containers everywhere for everyone.

How About a Roadmap
Where is LXD now? Well, so far it seems to be mostly a technology preview available in Ubuntu 15.04 with the target "usable and production ready" release slated for the next Ubuntu LTS release (16.04)... which if you weren't familiar with their numbering scheme is 2016 April.

That's about a year away, right... so what do they still have left to do? If you go to about 23:30 in the video you'll get to the "Roadmap" section. They have work to do on storage, networking, resource management and usage reporting, and live migration. A bit of that falls within the OpenStack context... integrating with various OpenStack components so containers will be more in parity with VMs for OpenStack users... but still, that's quite a bit of work.

The main thing I care about absolutely being there is isolation and resource management which are really the killer features of OpenVZ. So far as I can tell, LXD does not offer read-only base images and layering like Docker... so that would be an area for improvement I would suggest. BTW they are using CRIU for checkpointing and live migration... thanks Parallels/OpenVZ!

Certainly LXD won't really make it no matter how good it is until it is available in more Linux distributions than just Ubuntu. In a video interview a while back (which I don't have the link handy for at the moment) Mark Shuttleworth stated that he hopes and expects to see LXD in other distributions. One of the first distros I hope to see with LXD is Fedora and that's the reason I tagged this post appropriately.

Broadening the Ecosystem
Historically I've been a bit of an anti-Canonical person but thinking more about it recently and taking the emotion out of it... I do wish Ubuntu success because we definitely need more FLOSS companies doing well financially in the market... and I think Red Hat (and OpenVZ) will have an incentive to do better. Competition is good, right? Anyway, enjoy the video. BTW, everything they tout as a benefit of LXD over KVM (density, speed of startup, scalability, etc) is also true of OpenVZ for almost a decade now.

For those with iFrame issues, here's the YouTube link: LXD vs. KVM

Containers Should Contain
Let's face it, Docker (in its current form) sucks. Why? Well, ok... Docker doesn't totally suck... because it is for applications and not a full system... but if a container doesn't contain, it isn't a container. That's just how language works. If you have an airplane that doesn't fly, it isn't an airplane, right? Docker should really say it is an "Uncontainer" or "Uncontained containers"... or better yet, just use a different word. What word? I'm not sure. Do you have any suggestions? (Email me: dowdle@montanalinux.org)

What is containment? For me it is really isolation and resource control. If a container doesn't do that well, call it something else. OpenVZ is a container. No, really. It contains. OpenVZ didn't start life using the word container. On day one they were calling them "Virtual Environments" (VEs). Then a year or two later they decided "Virtual Private Server" (VPS) was the preferred term. Some time after switching to VPS, VPS became quite ambiguous and used by hosting companies using hardware virtualization backends like Xen and VMware (KVM wasn't born yet or was still a baby). Then OpenVZ finally settled on the word "container".

If you want a fairly good history of the birth and growth of OpenVZ over the years, see Kir's recent presentation.

Hopefully LXD will live up to "container" but we'll have to wait and see.

OpenVZ Survey Answers


One of the Virtuozzo folks sent a link to an OpenVZ survey that I filled out. It requires a Google account. I do have one but I try to avoid using it as much as possible.

Just wanted to share my answers to the, "What features are absent in OpenVZ from your point of view?" question.

1) Base images and layering like that of Docker. Docker mostly sucks but the ease and speed of deployment is amazing. The OpenVZ container creation tools... can they be adapted to use a pre-existing ploop image as a read-only base image?

2) Application containers. While I don't have a personal need for them quite yet I can definitely see how they are handy for developers as well as those into fleet computing.

3) qcow2 disk images are very popular with KVM. It isn't clear to me what benefits ploop offers over qcow2 or vice-versa. It would be nice if OpenVZ could use or convert qcow2 disk images.

4) Better OS Template tools. OpenVZ's vzpkg tool bit-rotted because there weren't enough developer resources to keep it alive. As a result OpenVZ's official OS Templates have been built with the proprietary Virtuozzo tools for some time. I understand that is changing in the not too distant future with the public release of more of Virtuozzo's tools. I'm not familiar with those so I don't know how good they are... but yes, more attention to OS Template creation and management tools is needed. This is especially true if and when OpenVZ adds application containers and/or disk layering features.

5) Better integration with LXC in the mainline kernel. I think LXC and Docker could be a stepping stone to OpenVZ / Virtuozzo... if the OpenVZ tools worked reasonably well with LXC in the mainline kernel... and it was clear to the user what features they could gain if they moved up to OpenVZ and/or Virtuozzo.

6) An entry-level web panel. OpenVZ Web Panel seems somewhat popular but I've always been turned off by its reliance on Ruby... and unsure of its security-related testing. The recent Packt Publishing book, "OpenVZ Essentials" by Mark Furman spends half of the book covering OpenVZ Web Panel. It would be nice if OWP was adopted in some way or replaced with something similar to offer an entry-level web-based management system like VMware does with ESXi. If considered, I'd strongly recommend that there is a clear differentiation between the features in the entry-level web-panel and those commercially offered. I know a few companies are selling OpenVZ compatible web-interfaces... like SolusVM, Proxmox VE, etc.

7) More modern kernel support... but that is in-the-works.

Video: Docker Container Security


Red Hat's Dan Walsh is *THE* SELinux expert. He gave a presentation on Docker container security at the recent DockerCon 14. If you have any interest in containers or Docker, this is probably worth viewing. Enjoy!

Video: LFNW 2013 - Seven problems of Linux Containers


Kir Kolyshkin from the OpenVZ Project talks about Linux Containers:
