]>
Commit | Line | Data |
---|---|---|
0c6b782f DM |
1 | ifdef::manvolnum[] |
2 | PVE({manvolnum}) | |
3 | ================ | |
38fd0958 | 4 | include::attributes.txt[] |
0c6b782f DM |
5 | |
6 | NAME | |
7 | ---- | |
8 | ||
9 | pct - Tool to manage Linux Containers (LXC) on Proxmox VE | |
10 | ||
11 | ||
12 | SYNOPSYS | |
13 | -------- | |
14 | ||
15 | include::pct.1-synopsis.adoc[] | |
16 | ||
17 | DESCRIPTION | |
18 | ----------- | |
19 | endif::manvolnum[] | |
20 | ||
21 | ifndef::manvolnum[] | |
22 | Proxmox Container Toolkit | |
23 | ========================= | |
38fd0958 | 24 | include::attributes.txt[] |
0c6b782f DM |
25 | endif::manvolnum[] |
26 | ||
4a2ae9ed DM |
27 | |
28 | Containers are a lightweight alternative to fully virtualized | |
29 | VMs. Instead of emulating a complete Operating System (OS), containers | |
30 | simply use the OS of the host they run on. This implies that all | |
31 | containers use the same kernel, and that they can access resources | |
32 | from the host directly. | |
33 | ||
34 | This is great because containers do not waste CPU power nor memory due | |
35 | to kernel emulation. Container run-time costs are close to zero and | |
36 | usually negligible. But there are also some drawbacks you need to | |
37 | consider: | |
38 | ||
39 | * You can only run Linux based OS inside containers, i.e. it is not | |
40 | possible to run Free BSD or MS Windows inside. | |
41 | ||
42 | * For security reasons, access to host resources need to be | |
43 | restricted. This is done with AppArmor, SecComp filters and other | |
44 | kernel feature. Be prepared that some syscalls are not allowed | |
45 | inside containers. | |
46 | ||
47 | {pve} uses https://linuxcontainers.org/[LXC] as underlying container | |
48 | technology. We consider LXC as low-level library, which provides | |
49 | countless options. It would be to difficult to use those tools | |
50 | directly. Instead, we provide a small wrapper called `pct`, the | |
51 | "Proxmox Container Toolkit". | |
52 | ||
53 | The toolkit it tightly coupled with {pve}. That means that it is aware | |
54 | of the cluster setup, and it can use the same network and storage | |
55 | resources as fully virtualized VMs. You can even use the {pve} | |
56 | firewall, or manage containers using the HA framework. | |
57 | ||
58 | Our primary goal is to offer an environment as one would get from a | |
59 | VM, but without the additional overhead. We call this "System | |
60 | Containers". | |
61 | ||
62 | NOTE: If you want to run micro-containers with docker, it is best to | |
63 | run them inside a VM. | |
64 | ||
65 | ||
66 | Security Considerations | |
67 | ----------------------- | |
68 | ||
69 | Containers use the same kernel as the host, so there is a big attack | |
70 | surface for malicious users. You should consider this fact if you | |
71 | provide containers to totally untrusted people. In general, fully | |
72 | virtualized VM provides better isolation. | |
73 | ||
74 | The good news is that LXC uses many kernel security features like | |
75 | AppArmor, CGroups and PID and user namespaces, which makes containers | |
76 | usage quite secure. We distinguish two types of containers: | |
77 | ||
78 | Privileged containers | |
79 | ~~~~~~~~~~~~~~~~~~~~~ | |
80 | ||
81 | Security is done by dropping capabilities, using mandatory access | |
82 | control (AppArmor), SecComp filters and namespaces. The LXC team | |
83 | considers this kind of container as unsafe, and they will not consider | |
84 | new container escape exploits to be security issues worthy of a CVE | |
85 | and quick fix. So you should use this kind of containers only inside a | |
86 | trusted environment, or when no untrusted task is running as root in | |
87 | the container. | |
88 | ||
89 | Unprivileged containers | |
90 | ~~~~~~~~~~~~~~~~~~~~~~~ | |
91 | ||
92 | This kind of containers use a new kernel feature, called user | |
93 | namespaces. The root uid 0 inside the container is mapped to an | |
94 | unprivileged user outside the container. This means that most security | |
95 | issues (container escape, resource abuse, ...) in those containers | |
96 | will affect a random unprivileged user, and so would be a generic | |
97 | kernel security bug rather than a LXC issue. LXC people think | |
98 | unprivileged containers are safe by design. | |
99 | ||
100 | ||
101 | Managing Containers with 'pct' | |
102 | ------------------------------ | |
103 | ||
0c6b782f DM |
104 | 'pct' is a tool to manages Linux Containers (LXC). You can create and |
105 | destroy containers, and control execution | |
106 | (start/stop/suspend/resume). Besides that, you can use pct to set | |
107 | parameters in the associated config file, like network configuration | |
108 | or memory. | |
109 | ||
110 | CLI Usage Examples | |
111 | ------------------ | |
112 | ||
113 | Create a container based on a Debian template (provided you downloaded | |
114 | the template via the webgui before) | |
115 | ||
116 | pct create 100 /var/lib/vz/template/cache/debian-8.0-standard_8.0-1_amd64.tar.gz | |
117 | ||
118 | Start container 100 | |
119 | ||
120 | pct start 100 | |
121 | ||
122 | Start a login session via getty | |
123 | ||
124 | pct console 100 | |
125 | ||
126 | Enter the LXC namespace and run a shell as root user | |
127 | ||
128 | pct enter 100 | |
129 | ||
130 | Display the configuration | |
131 | ||
132 | pct config 100 | |
133 | ||
134 | Add a network interface called eth0, bridged to the host bridge vmbr0, | |
135 | set the address and gateway, while it's running | |
136 | ||
137 | pct set 100 -net0 name=eth0,bridge=vmbr0,ip=192.168.15.147/24,gw=192.168.15.1 | |
138 | ||
139 | Reduce the memory of the container to 512MB | |
140 | ||
141 | pct set -memory 512 100 | |
142 | ||
143 | Files | |
144 | ------ | |
145 | ||
146 | '/etc/pve/lxc/<vmid>.conf':: | |
147 | ||
148 | Configuration file for the container <vmid> | |
149 | ||
150 | ||
151 | Container Advantages | |
152 | -------------------- | |
153 | ||
154 | - Simple, and fully integrated into {pve}. Setup looks similar to a normal | |
155 | VM setup. | |
156 | ||
157 | * Storage (ZFS, LVM, NFS, Ceph, ...) | |
158 | ||
159 | * Network | |
160 | ||
161 | * Authentification | |
162 | ||
163 | * Cluster | |
164 | ||
165 | - Fast: minimal overhead, as fast as bare metal | |
166 | ||
167 | - High density (perfect for idle workloads) | |
168 | ||
169 | - REST API | |
170 | ||
171 | - Direct hardware access | |
172 | ||
173 | ||
174 | Technology Overview | |
175 | ------------------- | |
176 | ||
177 | - Integrated into {pve} graphical user interface (GUI) | |
178 | ||
179 | - LXC (https://linuxcontainers.org/) | |
180 | ||
181 | - cgmanager for cgroup management | |
182 | ||
183 | - lxcfs to provive containerized /proc file system | |
184 | ||
185 | - apparmor | |
186 | ||
187 | - CRIU: for live migration (planned) | |
188 | ||
189 | - We use latest available kernels (4.2.X) | |
190 | ||
191 | - image based deployment (templates) | |
192 | ||
193 | - Container setup from host (Network, DNS, Storage, ...) | |
194 | ||
195 | ||
196 | ifdef::manvolnum[] | |
197 | include::pve-copyright.adoc[] | |
198 | endif::manvolnum[] | |
199 | ||
200 | ||
201 | ||
202 | ||
203 | ||
204 | ||
205 |