Wednesday, April 24, 2013

Linux Containers and Why They Matter

by Dietrich Schmitz

Until recently, FreeBSD Jails and Sun Solaris Containers were the only Virtualized Environment (VE) technologies offering such capabilities.  Now enter the newest kid on the block: Linux Containers (LXC).

LXC is chroot 'on steroids': it lets not only applications run in isolation but also entire operating systems, even raw-image virtual machines.  While not true Virtual Machines, these virtual environments, or containers, can run as multiple instances, each in full isolation, on a single host.

CGroups (short for Control Groups), a relatively new technology that became available in Linux kernel 2.6.24, allow the host to partition CPU and memory allocation among groups of processes, each running in its own 'Namespaces'.  CGroups provide the ability to create Linux Containers with isolation, resource limiting, prioritization, accounting, and control.
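The isolation and resource limiting described above are visible from outside the container through two kernel interfaces: /proc/&lt;pid&gt;/cgroup (which cgroup accounts and limits a process) and /proc/&lt;pid&gt;/ns/* (which namespaces it lives in). The following script is an added example written for this page, not code from the original post or from the LXC project; it reads those interfaces so an administrator can check whether a process is really confined. It assumes a Linux /proc, a cgroup filesystem mounted at /sys/fs/cgroup, and the function names and the `NAMESPACES` list are choices made for the example.

```python
"""Inspect the kernel primitives an LXC-style container relies on.

Added example, not from the original post.  It reads the interfaces that
cgroups and namespaces expose under /proc and /sys so a defender can answer
two questions about a running process: which cgroup accounts and limits it,
and is it really isolated from the host's namespaces (a plain chroot is not)?
Assumes a Linux /proc and a cgroup filesystem mounted at /sys/fs/cgroup.
"""
import os
import sys
from pathlib import Path

# Namespace types checked for isolation; chosen for this example, the kernel
# exposes others (cgroup, time) that would be handled the same way.
NAMESPACES = ("pid", "mnt", "net", "ipc", "uts", "user")


def parse_proc_cgroup(text):
    """Parse /proc/<pid>/cgroup into {controller: cgroup path}.

    cgroup v1 lines look like ``4:memory:/lxc/web`` (controllers comma
    separated, named hierarchies as ``name=systemd``); the unified v2
    hierarchy is the single line ``0::/lxc/web``, stored under "unified".
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        hier_id, controllers, path = line.split(":", 2)
        if hier_id == "0" and controllers == "":
            result["unified"] = path
            continue
        for ctrl in controllers.split(","):
            result[ctrl] = path
    return result


def is_in_root_cgroup(cgroups):
    """True when the process sits at '/' on every hierarchy, i.e. no cgroup limit applies."""
    return all(path == "/" for path in cgroups.values())


def memory_limit_file(cgroups, root="/sys/fs/cgroup"):
    """Path of the memory limit knob: memory.max (v2) or memory.limit_in_bytes (v1)."""
    if "unified" in cgroups:
        return Path(root) / cgroups["unified"].lstrip("/") / "memory.max"
    if "memory" in cgroups:
        return Path(root) / "memory" / cgroups["memory"].lstrip("/") / "memory.limit_in_bytes"
    return None


def parse_memory_limit(raw):
    """Return the limit in bytes, or None when unlimited.

    v2 writes the literal 'max'; v1 reports a value just under 2**63 when
    no limit was ever set, so anything that large is treated as unlimited.
    """
    raw = raw.strip()
    if raw == "max":
        return None
    value = int(raw)
    return None if value >= 2 ** 62 else value


def namespace_ids(proc_dir):
    """Map namespace type -> identifier read from /proc/<pid>/ns/<type>, e.g. 'pid:[4026531836]'."""
    ids = {}
    for ns in NAMESPACES:
        try:
            ids[ns] = os.readlink(Path(proc_dir) / "ns" / ns)
        except OSError:
            pass  # unsupported namespace type, or no permission to read it
    return ids


def isolated_namespaces(target_ids, host_ids):
    """Namespace types in which the target differs from the host (pid 1).

    A container gets fresh pid, mnt and net namespaces; a chroot shares all of
    them with the host, which is why chroot alone is not isolation.
    """
    return sorted(ns for ns, ident in target_ids.items()
                  if ns in host_ids and ident != host_ids[ns])


def inspect(pid="self"):
    """Live report for one process; needs a Linux /proc to read."""
    proc = Path("/proc") / str(pid)
    cgroups = parse_proc_cgroup((proc / "cgroup").read_text())
    limit = None
    limit_file = memory_limit_file(cgroups)
    if limit_file is not None and limit_file.exists():
        limit = parse_memory_limit(limit_file.read_text())
    return {
        "cgroups": cgroups,
        "unlimited_by_cgroups": is_in_root_cgroup(cgroups),
        "memory_limit_bytes": limit,
        "isolated_from_host": isolated_namespaces(namespace_ids(proc), namespace_ids("/proc/1")),
    }


if __name__ == "__main__":
    print(inspect(sys.argv[1] if len(sys.argv) > 1 else "self"))
```

Run it on the host against the PID of a containerised process (for example `python3 inspect.py 4242`, file name assumed); a confined process reports separate pid, mnt and net namespaces and a non-root cgroup path, while a chroot'd process reports an empty `isolated_from_host` list. Run from inside a container it compares against the container's own init, so it will always look unconfined; the host-side view is the one that matters.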

So, great.  Now Linux has LXC.  Why does this matter?

For one, LXC is not as resource intensive as traditional Virtual Machines (VMs), in that there is no up-front preload of emulation management software.  Thus, the application spawned in a container runs with no added overhead aside from LXC initialization.  The implication is that, aside from a small software shim in memory, LXC will have bare-metal performance characteristics.  The advantages are clear and deployment is relatively easy.

In terms of disadvantages, unlike VMs there is no live-migration capability or the other sophisticated management-console niceties that vendors such as Citrix, VMware and Amazon Web Services offer to users of their cloud 'high availability' Infrastructure as a Service (IaaS).  Nor are there (yet) things like the AWS Marketplace, where one can pick ready-made, fully provisioned virtual machines that are just minutes away from being deployed and up on your subnet.  No, LXC does demand some manual work, but not so much as to become burdensome.  It is really worth the effort.

Still, LXC is slowly coming to maturity on Linux, with API inclusion in the OpenStack and Stackato IaaS offerings, for example.

Now present in Fedora 18, libvirt-sandbox lets LXC containers be configured as application sandboxes with a high degree of security and minimal effort, compared to setting up a chroot environment or a more labor-intensive and harder-to-manage sandbox solution such as SELinux.

LXC comes with your Linux distro's kernel for free.  The competing solution OpenVZ requires a specially compiled kernel to provide its own container solution.

A new product called Docker takes LXC to the next level.

[Embedded YouTube video about Docker, not reproduced here.]

As the video suggests, and as more software developers employ LXC, you'll see more creative ways of wrapping LXC in generic tooling such as Docker, built on the Python and Go programming languages, to make configuration and deployment even easier and more flexible.

So, there it is.  LXC: yet one more great resource for Linux developers and systems administrators to avail themselves of.  Study up!  It won't be a wasted effort.

-- Dietrich
