]>
Commit | Line | Data |
---|---|---|
0c6b782f DM |
1 | ifdef::manvolnum[] |
2 | PVE({manvolnum}) | |
3 | ================ | |
38fd0958 | 4 | include::attributes.txt[] |
0c6b782f DM |
5 | |
6 | NAME | |
7 | ---- | |
8 | ||
9 | pct - Tool to manage Linux Containers (LXC) on Proxmox VE | |
10 | ||
11 | ||
12 | SYNOPSYS | |
13 | -------- | |
14 | ||
15 | include::pct.1-synopsis.adoc[] | |
16 | ||
17 | DESCRIPTION | |
18 | ----------- | |
19 | endif::manvolnum[] | |
20 | ||
21 | ifndef::manvolnum[] | |
22 | Proxmox Container Toolkit | |
23 | ========================= | |
38fd0958 | 24 | include::attributes.txt[] |
0c6b782f DM |
25 | endif::manvolnum[] |
26 | ||
4a2ae9ed DM |
27 | |
28 | Containers are a lightweight alternative to fully virtualized | |
29 | VMs. Instead of emulating a complete Operating System (OS), containers | |
30 | simply use the OS of the host they run on. This implies that all | |
31 | containers use the same kernel, and that they can access resources | |
32 | from the host directly. | |
33 | ||
34 | This is great because containers do not waste CPU power nor memory due | |
35 | to kernel emulation. Container run-time costs are close to zero and | |
36 | usually negligible. But there are also some drawbacks you need to | |
37 | consider: | |
38 | ||
39 | * You can only run Linux based OS inside containers, i.e. it is not | |
40 | possible to run Free BSD or MS Windows inside. | |
41 | ||
42 | * For security reasons, access to host resources need to be | |
43 | restricted. This is done with AppArmor, SecComp filters and other | |
44 | kernel feature. Be prepared that some syscalls are not allowed | |
45 | inside containers. | |
46 | ||
47 | {pve} uses https://linuxcontainers.org/[LXC] as underlying container | |
48 | technology. We consider LXC as low-level library, which provides | |
49 | countless options. It would be to difficult to use those tools | |
50 | directly. Instead, we provide a small wrapper called `pct`, the | |
51 | "Proxmox Container Toolkit". | |
52 | ||
53 | The toolkit it tightly coupled with {pve}. That means that it is aware | |
54 | of the cluster setup, and it can use the same network and storage | |
55 | resources as fully virtualized VMs. You can even use the {pve} | |
56 | firewall, or manage containers using the HA framework. | |
57 | ||
58 | Our primary goal is to offer an environment as one would get from a | |
59 | VM, but without the additional overhead. We call this "System | |
60 | Containers". | |
61 | ||
70a42028 DM |
62 | NOTE: If you want to run micro-containers (with docker, rct, ...), it |
63 | is best to run them inside a VM. | |
4a2ae9ed DM |
64 | |
65 | ||
66 | Security Considerations | |
67 | ----------------------- | |
68 | ||
69 | Containers use the same kernel as the host, so there is a big attack | |
70 | surface for malicious users. You should consider this fact if you | |
71 | provide containers to totally untrusted people. In general, fully | |
72 | virtualized VM provides better isolation. | |
73 | ||
74 | The good news is that LXC uses many kernel security features like | |
75 | AppArmor, CGroups and PID and user namespaces, which makes containers | |
76 | usage quite secure. We distinguish two types of containers: | |
77 | ||
78 | Privileged containers | |
79 | ~~~~~~~~~~~~~~~~~~~~~ | |
80 | ||
81 | Security is done by dropping capabilities, using mandatory access | |
82 | control (AppArmor), SecComp filters and namespaces. The LXC team | |
83 | considers this kind of container as unsafe, and they will not consider | |
84 | new container escape exploits to be security issues worthy of a CVE | |
85 | and quick fix. So you should use this kind of containers only inside a | |
86 | trusted environment, or when no untrusted task is running as root in | |
87 | the container. | |
88 | ||
89 | Unprivileged containers | |
90 | ~~~~~~~~~~~~~~~~~~~~~~~ | |
91 | ||
92 | This kind of containers use a new kernel feature, called user | |
93 | namespaces. The root uid 0 inside the container is mapped to an | |
94 | unprivileged user outside the container. This means that most security | |
95 | issues (container escape, resource abuse, ...) in those containers | |
96 | will affect a random unprivileged user, and so would be a generic | |
97 | kernel security bug rather than a LXC issue. LXC people think | |
98 | unprivileged containers are safe by design. | |
99 | ||
70a42028 DM |
100 | Container Storage |
101 | ----------------- | |
102 | ||
103 | Traditional containers use a very simple storage model, only allowing | |
104 | a single mount point, the root file system. This was further | |
105 | restricted to specific file system types like 'ext4' and 'nfs'. | |
106 | Additional mounts are often done by user provided scripts. This turend | |
107 | out to be complex and error prone, so we trie to avoid that now. | |
108 | ||
109 | Our new LXC based container model is more flexible regarding | |
110 | storage. First, you can have more than a single mount point. This | |
111 | allows you to choose a suitable storage for each application. For | |
112 | example, you can use a relatively slow (and thus cheap) storage for | |
113 | the container root file system. Then you can use a second mount point | |
114 | to mount a very fast, distributed storage for your database | |
115 | application. | |
116 | ||
117 | The second big improvement is that you can use any storage type | |
118 | supported by the {pve} storage library. That means that you can store | |
119 | your containers on local 'lvmthin' or 'zfs', shared 'iSCSI' storage, | |
120 | or even on distributed storage systems like 'ceph'. And it enables us | |
121 | to use advanced storage features like snapshots and clones. 'vzdump' | |
122 | can also use the snapshots feature to provide consistent container | |
123 | backups. | |
124 | ||
125 | Last but not least, you can also mount local devices directly, or | |
126 | mount local directories using bind mounts. That way you can access | |
127 | local storage inside containers with zero overhead. Such bind mounts | |
128 | also provides an easy way to share data between different containers. | |
129 | ||
4a2ae9ed DM |
130 | |
131 | Managing Containers with 'pct' | |
132 | ------------------------------ | |
133 | ||
0c6b782f DM |
134 | 'pct' is a tool to manages Linux Containers (LXC). You can create and |
135 | destroy containers, and control execution | |
136 | (start/stop/suspend/resume). Besides that, you can use pct to set | |
137 | parameters in the associated config file, like network configuration | |
138 | or memory. | |
139 | ||
140 | CLI Usage Examples | |
141 | ------------------ | |
142 | ||
143 | Create a container based on a Debian template (provided you downloaded | |
144 | the template via the webgui before) | |
145 | ||
146 | pct create 100 /var/lib/vz/template/cache/debian-8.0-standard_8.0-1_amd64.tar.gz | |
147 | ||
148 | Start container 100 | |
149 | ||
150 | pct start 100 | |
151 | ||
152 | Start a login session via getty | |
153 | ||
154 | pct console 100 | |
155 | ||
156 | Enter the LXC namespace and run a shell as root user | |
157 | ||
158 | pct enter 100 | |
159 | ||
160 | Display the configuration | |
161 | ||
162 | pct config 100 | |
163 | ||
164 | Add a network interface called eth0, bridged to the host bridge vmbr0, | |
165 | set the address and gateway, while it's running | |
166 | ||
167 | pct set 100 -net0 name=eth0,bridge=vmbr0,ip=192.168.15.147/24,gw=192.168.15.1 | |
168 | ||
169 | Reduce the memory of the container to 512MB | |
170 | ||
171 | pct set -memory 512 100 | |
172 | ||
173 | Files | |
174 | ------ | |
175 | ||
176 | '/etc/pve/lxc/<vmid>.conf':: | |
177 | ||
178 | Configuration file for the container <vmid> | |
179 | ||
180 | ||
181 | Container Advantages | |
182 | -------------------- | |
183 | ||
184 | - Simple, and fully integrated into {pve}. Setup looks similar to a normal | |
185 | VM setup. | |
186 | ||
187 | * Storage (ZFS, LVM, NFS, Ceph, ...) | |
188 | ||
189 | * Network | |
190 | ||
191 | * Authentification | |
192 | ||
193 | * Cluster | |
194 | ||
195 | - Fast: minimal overhead, as fast as bare metal | |
196 | ||
197 | - High density (perfect for idle workloads) | |
198 | ||
199 | - REST API | |
200 | ||
201 | - Direct hardware access | |
202 | ||
203 | ||
204 | Technology Overview | |
205 | ------------------- | |
206 | ||
207 | - Integrated into {pve} graphical user interface (GUI) | |
208 | ||
209 | - LXC (https://linuxcontainers.org/) | |
210 | ||
211 | - cgmanager for cgroup management | |
212 | ||
213 | - lxcfs to provive containerized /proc file system | |
214 | ||
215 | - apparmor | |
216 | ||
217 | - CRIU: for live migration (planned) | |
218 | ||
219 | - We use latest available kernels (4.2.X) | |
220 | ||
221 | - image based deployment (templates) | |
222 | ||
223 | - Container setup from host (Network, DNS, Storage, ...) | |
224 | ||
225 | ||
226 | ifdef::manvolnum[] | |
227 | include::pve-copyright.adoc[] | |
228 | endif::manvolnum[] | |
229 | ||
230 | ||
231 | ||
232 | ||
233 | ||
234 | ||
235 |