[pve-docs.git] / pct.adoc

ifdef::manvolnum[]
PVE({manvolnum})
================
include::attributes.txt[]

NAME
----

pct - Tool to manage Linux Containers (LXC) on Proxmox VE


SYNOPSYS
--------

include::pct.1-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
Proxmox Container Toolkit
=========================
include::attributes.txt[]
endif::manvolnum[]


Containers are a lightweight alternative to fully virtualized
VMs. Instead of emulating a complete Operating System (OS), containers
simply use the OS of the host they run on. This implies that all
containers use the same kernel, and that they can access resources
from the host directly.

This is great because containers do not waste CPU power nor memory due
to kernel emulation. Container run-time costs are close to zero and
usually negligible. But there are also some drawbacks you need to
consider:

* You can only run Linux based OS inside containers, i.e. it is not
  possible to run Free BSD or MS Windows inside.

* For security reasons, access to host resources need to be
  restricted. This is done with AppArmor, SecComp filters and other
  kernel feature. Be prepared that some syscalls are not allowed
  inside containers.

{pve} uses https://linuxcontainers.org/[LXC] as underlying container
technology. We consider LXC as low-level library, which provides
countless options. It would be to difficult to use those tools
directly. Instead, we provide a small wrapper called `pct`, the
"Proxmox Container Toolkit".

The toolkit it tightly coupled with {pve}. That means that it is aware
of the cluster setup, and it can use the same network and storage
resources as fully virtualized VMs. You can even use the {pve}
firewall, or manage containers using the HA framework.

Our primary goal is to offer an environment as one would get from a
VM, but without the additional overhead. We call this "System
Containers".

NOTE: If you want to run micro-containers (with docker, rct, ...), it
is best to run them inside a VM.


Security Considerations
-----------------------

Containers use the same kernel as the host, so there is a big attack
surface for malicious users. You should consider this fact if you
provide containers to totally untrusted people. In general, fully
virtualized VM provides better isolation.

The good news is that LXC uses many kernel security features like
AppArmor, CGroups and PID and user namespaces, which makes containers
usage quite secure. We distinguish two types of containers:

Privileged containers
~~~~~~~~~~~~~~~~~~~~~

Security is done by dropping capabilities, using mandatory access
control (AppArmor), SecComp filters and namespaces. The LXC team
considers this kind of container as unsafe, and they will not consider
new container escape exploits to be security issues worthy of a CVE
and quick fix. So you should use this kind of containers only inside a
trusted environment, or when no untrusted task is running as root in
the container.

Unprivileged containers
~~~~~~~~~~~~~~~~~~~~~~~

This kind of containers use a new kernel feature, called user
namespaces. The root uid 0 inside the container is mapped to an
unprivileged user outside the container. This means that most security
issues (container escape, resource abuse, ...) in those containers
will affect a random unprivileged user, and so would be a generic
kernel security bug rather than a LXC issue. LXC people think
unprivileged containers are safe by design.


Configuration
-------------

The '/etc/pve/lxc/<CTID>.conf' files stores container configuration,
where '<CTID>' is the numeric ID of the given container. Note that
CTIDs < 100 are reserved for internal purposes. CTIDs need to be
unique - cluster wide. Files are stored inside '/etc/pve/', so they get
automatically replicated to all other cluster nodes.

Those configuration files are simple text files, and you can edit them
using a normal text editor ('vi', 'nano', ...). This is sometimes
useful to do small corrections, but keep in mind that you need to
restart the container to apply such changes.

For that reason, it is usually better to use the 'pct' command to
generate and modify those files, or do the whole thing using the GUI.
Our toolkit is smart enough to instantaneously apply most changes to
running containers (hot plug).


File Format
~~~~~~~~~~~

Container configuration files use a simple colon separated key/value
format. Each line has the following format:

 # this is a comment
 OPTION: value

Blank lines in those files are ignored, and lines starting with a '#'
character are treated as comments and are also ignored.

It is possible to add low-level, LXC style configuration directly, for
example:

 lxc.init_cmd: /sbin/my_own_init

or

 lxc.init_cmd = /sbin/my_own_init

Those settings are directly passed to the LXC low-level tools.


Container Storage
-----------------

Traditional containers use a very simple storage model, only allowing
a single mount point, the root file system. This was further
restricted to specific file system types like 'ext4' and 'nfs'.
Additional mounts are often done by user provided scripts. This turend
out to be complex and error prone, so we trie to avoid that now.

Our new LXC based container model is more flexible regarding
storage. First, you can have more than a single mount point. This
allows you to choose a suitable storage for each application. For
example, you can use a relatively slow (and thus cheap) storage for
the container root file system. Then you can use a second mount point
to mount a very fast, distributed storage for your database
application.

The second big improvement is that you can use any storage type
supported by the {pve} storage library. That means that you can store
your containers on local 'lvmthin' or 'zfs', shared 'iSCSI' storage,
or even on distributed storage systems like 'ceph'. And it enables us
to use advanced storage features like snapshots and clones. 'vzdump'
can also use the snapshots feature to provide consistent container
backups.

Last but not least, you can also mount local devices directly, or
mount local directories using bind mounts. That way you can access
local storage inside containers with zero overhead. Such bind mounts
also provides an easy way to share data between different containers.


Managing Containers with 'pct'
------------------------------

'pct' is the tool to manage Linux Containers on {pve}. You can create
and destroy containers, and control execution (start, stop, migrate,
...). You can use pct to set parameters in the associated config file,
like network configuration or memory.

CLI Usage Examples
------------------

Create a container based on a Debian template (provided you downloaded
the template via the webgui before)

 pct create 100 /var/lib/vz/template/cache/debian-8.0-standard_8.0-1_amd64.tar.gz

Start container 100

 pct start 100

Start a login session via getty

 pct console 100

Enter the LXC namespace and run a shell as root user

 pct enter 100

Display the configuration

 pct config 100

Add a network interface called eth0, bridged to the host bridge vmbr0,
set the address and gateway, while it's running

 pct set 100 -net0 name=eth0,bridge=vmbr0,ip=192.168.15.147/24,gw=192.168.15.1

Reduce the memory of the container to 512MB

 pct set -memory 512 100

Files
------

'/etc/pve/lxc/<CTID>.conf'::

Configuration file for the container '<CTID>'.


Container Advantages
--------------------

- Simple, and fully integrated into {pve}. Setup looks similar to a normal
  VM setup. 

  * Storage (ZFS, LVM, NFS, Ceph, ...)

  * Network

  * Authentification

  * Cluster

- Fast: minimal overhead, as fast as bare metal

- High density (perfect for idle workloads)

- REST API

- Direct hardware access


Technology Overview
-------------------

- Integrated into {pve} graphical user interface (GUI)

- LXC (https://linuxcontainers.org/)

- cgmanager for cgroup management

- lxcfs to provive containerized /proc file system

- apparmor

- CRIU: for live migration (planned)

- We use latest available kernels (4.2.X)

- image based deployment (templates)

- Container setup from host (Network, DNS, Storage, ...)


ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
Commit	Line	Data
0c6b782f DM	1	ifdef::manvolnum[]
	2	PVE({manvolnum})
	3	================
38fd0958	4	include::attributes.txt[]
0c6b782f DM	5
	6	NAME
	7	----
	8
	9	pct - Tool to manage Linux Containers (LXC) on Proxmox VE
	10
	11
	12	SYNOPSYS
	13	--------
	14
	15	include::pct.1-synopsis.adoc[]
	16
	17	DESCRIPTION
	18	-----------
	19	endif::manvolnum[]
	20
	21	ifndef::manvolnum[]
	22	Proxmox Container Toolkit
	23	=========================
38fd0958	24	include::attributes.txt[]
0c6b782f DM	25	endif::manvolnum[]
0c6b782f DM	26
4a2ae9ed DM	27
	28	Containers are a lightweight alternative to fully virtualized
	29	VMs. Instead of emulating a complete Operating System (OS), containers
	30	simply use the OS of the host they run on. This implies that all
	31	containers use the same kernel, and that they can access resources
	32	from the host directly.
	33
	34	This is great because containers do not waste CPU power nor memory due
	35	to kernel emulation. Container run-time costs are close to zero and
	36	usually negligible. But there are also some drawbacks you need to
	37	consider:
	38
	39	* You can only run Linux based OS inside containers, i.e. it is not
	40	possible to run Free BSD or MS Windows inside.
	41
	42	* For security reasons, access to host resources need to be
	43	restricted. This is done with AppArmor, SecComp filters and other
	44	kernel feature. Be prepared that some syscalls are not allowed
	45	inside containers.
	46
	47	{pve} uses https://linuxcontainers.org/[LXC] as underlying container
	48	technology. We consider LXC as low-level library, which provides
	49	countless options. It would be to difficult to use those tools
	50	directly. Instead, we provide a small wrapper called `pct`, the
	51	"Proxmox Container Toolkit".
	52
	53	The toolkit it tightly coupled with {pve}. That means that it is aware
	54	of the cluster setup, and it can use the same network and storage
	55	resources as fully virtualized VMs. You can even use the {pve}
	56	firewall, or manage containers using the HA framework.
	57
	58	Our primary goal is to offer an environment as one would get from a
	59	VM, but without the additional overhead. We call this "System
	60	Containers".
	61
70a42028 DM	62	NOTE: If you want to run micro-containers (with docker, rct, ...), it
70a42028 DM	63	is best to run them inside a VM.
4a2ae9ed DM	64
	65
	66	Security Considerations
	67	-----------------------
	68
	69	Containers use the same kernel as the host, so there is a big attack
	70	surface for malicious users. You should consider this fact if you
	71	provide containers to totally untrusted people. In general, fully
	72	virtualized VM provides better isolation.
	73
	74	The good news is that LXC uses many kernel security features like
	75	AppArmor, CGroups and PID and user namespaces, which makes containers
	76	usage quite secure. We distinguish two types of containers:
	77
	78	Privileged containers
	79	~~~~~~~~~~~~~~~~~~~~~
	80
	81	Security is done by dropping capabilities, using mandatory access
	82	control (AppArmor), SecComp filters and namespaces. The LXC team
	83	considers this kind of container as unsafe, and they will not consider
	84	new container escape exploits to be security issues worthy of a CVE
	85	and quick fix. So you should use this kind of containers only inside a
	86	trusted environment, or when no untrusted task is running as root in
	87	the container.
	88
	89	Unprivileged containers
	90	~~~~~~~~~~~~~~~~~~~~~~~
	91
	92	This kind of containers use a new kernel feature, called user
	93	namespaces. The root uid 0 inside the container is mapped to an
	94	unprivileged user outside the container. This means that most security
	95	issues (container escape, resource abuse, ...) in those containers
	96	will affect a random unprivileged user, and so would be a generic
	97	kernel security bug rather than a LXC issue. LXC people think
	98	unprivileged containers are safe by design.
	99
7fc230db DM	100
	101	Configuration
	102	-------------
	103
	104	The '/etc/pve/lxc/<CTID>.conf' files stores container configuration,
	105	where '<CTID>' is the numeric ID of the given container. Note that
	106	CTIDs < 100 are reserved for internal purposes. CTIDs need to be
	107	unique - cluster wide. Files are stored inside '/etc/pve/', so they get
	108	automatically replicated to all other cluster nodes.
	109
	110	Those configuration files are simple text files, and you can edit them
55fb2a21 DM	111	using a normal text editor ('vi', 'nano', ...). This is sometimes
	112	useful to do small corrections, but keep in mind that you need to
	113	restart the container to apply such changes.
	114
	115	For that reason, it is usually better to use the 'pct' command to
	116	generate and modify those files, or do the whole thing using the GUI.
	117	Our toolkit is smart enough to instantaneously apply most changes to
	118	running containers (hot plug).
7fc230db DM	119
	120
	121	File Format
	122	~~~~~~~~~~~
	123
	124	Container configuration files use a simple colon separated key/value
	125	format. Each line has the following format:
	126
	127	# this is a comment
	128	OPTION: value
	129
	130	Blank lines in those files are ignored, and lines starting with a '#'
	131	character are treated as comments and are also ignored.
	132
	133	It is possible to add low-level, LXC style configuration directly, for
	134	example:
	135
	136	lxc.init_cmd: /sbin/my_own_init
	137
	138	or
	139
	140	lxc.init_cmd = /sbin/my_own_init
	141
	142	Those settings are directly passed to the LXC low-level tools.
	143
	144
70a42028 DM	145	Container Storage
	146	-----------------
	147
	148	Traditional containers use a very simple storage model, only allowing
	149	a single mount point, the root file system. This was further
	150	restricted to specific file system types like 'ext4' and 'nfs'.
	151	Additional mounts are often done by user provided scripts. This turend
	152	out to be complex and error prone, so we trie to avoid that now.
	153
	154	Our new LXC based container model is more flexible regarding
	155	storage. First, you can have more than a single mount point. This
	156	allows you to choose a suitable storage for each application. For
	157	example, you can use a relatively slow (and thus cheap) storage for
	158	the container root file system. Then you can use a second mount point
	159	to mount a very fast, distributed storage for your database
	160	application.
	161
	162	The second big improvement is that you can use any storage type
	163	supported by the {pve} storage library. That means that you can store
	164	your containers on local 'lvmthin' or 'zfs', shared 'iSCSI' storage,
	165	or even on distributed storage systems like 'ceph'. And it enables us
	166	to use advanced storage features like snapshots and clones. 'vzdump'
	167	can also use the snapshots feature to provide consistent container
	168	backups.
	169
	170	Last but not least, you can also mount local devices directly, or
	171	mount local directories using bind mounts. That way you can access
	172	local storage inside containers with zero overhead. Such bind mounts
	173	also provides an easy way to share data between different containers.
	174
4a2ae9ed DM	175
	176	Managing Containers with 'pct'
	177	------------------------------
	178
9dfe82f1 DM	179	'pct' is the tool to manage Linux Containers on {pve}. You can create
	180	and destroy containers, and control execution (start, stop, migrate,
	181	...). You can use pct to set parameters in the associated config file,
	182	like network configuration or memory.
0c6b782f DM	183
	184	CLI Usage Examples
	185	------------------
	186
	187	Create a container based on a Debian template (provided you downloaded
	188	the template via the webgui before)
	189
	190	pct create 100 /var/lib/vz/template/cache/debian-8.0-standard_8.0-1_amd64.tar.gz
	191
	192	Start container 100
	193
	194	pct start 100
	195
	196	Start a login session via getty
	197
	198	pct console 100
	199
	200	Enter the LXC namespace and run a shell as root user
	201
	202	pct enter 100
	203
	204	Display the configuration
	205
	206	pct config 100
	207
	208	Add a network interface called eth0, bridged to the host bridge vmbr0,
	209	set the address and gateway, while it's running
	210
	211	pct set 100 -net0 name=eth0,bridge=vmbr0,ip=192.168.15.147/24,gw=192.168.15.1
	212
	213	Reduce the memory of the container to 512MB
	214
	215	pct set -memory 512 100
	216
	217	Files
	218	------
	219
9dfe82f1	220	'/etc/pve/lxc/<CTID>.conf'::
0c6b782f	221
9dfe82f1	222	Configuration file for the container '<CTID>'.
0c6b782f DM	223
	224
	225	Container Advantages
	226	--------------------
	227
	228	- Simple, and fully integrated into {pve}. Setup looks similar to a normal
	229	VM setup.
	230
	231	* Storage (ZFS, LVM, NFS, Ceph, ...)
	232
	233	* Network
	234
	235	* Authentification
	236
	237	* Cluster
	238
	239	- Fast: minimal overhead, as fast as bare metal
	240
	241	- High density (perfect for idle workloads)
	242
	243	- REST API
	244
	245	- Direct hardware access
	246
	247
	248	Technology Overview
	249	-------------------
	250
	251	- Integrated into {pve} graphical user interface (GUI)
	252
	253	- LXC (https://linuxcontainers.org/)
	254
	255	- cgmanager for cgroup management
	256
	257	- lxcfs to provive containerized /proc file system
	258
	259	- apparmor
	260
	261	- CRIU: for live migration (planned)
	262
	263	- We use latest available kernels (4.2.X)
	264
	265	- image based deployment (templates)
	266
	267	- Container setup from host (Network, DNS, Storage, ...)
	268
	269
	270	ifdef::manvolnum[]
	271	include::pve-copyright.adoc[]
	272	endif::manvolnum[]
	273
	274
	275
	276
	277
	278
	279