pct: add info about container storage
[pve-docs.git] / pct.adoc
CommitLineData
0c6b782f
DM
1ifdef::manvolnum[]
2PVE({manvolnum})
3================
38fd0958 4include::attributes.txt[]
0c6b782f
DM
5
6NAME
7----
8
9pct - Tool to manage Linux Containers (LXC) on Proxmox VE
10
11
12SYNOPSYS
13--------
14
15include::pct.1-synopsis.adoc[]
16
17DESCRIPTION
18-----------
19endif::manvolnum[]
20
21ifndef::manvolnum[]
22Proxmox Container Toolkit
23=========================
38fd0958 24include::attributes.txt[]
0c6b782f
DM
25endif::manvolnum[]
26
4a2ae9ed
DM
27
28Containers are a lightweight alternative to fully virtualized
29VMs. Instead of emulating a complete Operating System (OS), containers
30simply use the OS of the host they run on. This implies that all
31containers use the same kernel, and that they can access resources
32from the host directly.
33
34This is great because containers do not waste CPU power nor memory due
35to kernel emulation. Container run-time costs are close to zero and
36usually negligible. But there are also some drawbacks you need to
37consider:
38
39* You can only run Linux based OS inside containers, i.e. it is not
40 possible to run Free BSD or MS Windows inside.
41
42* For security reasons, access to host resources need to be
43 restricted. This is done with AppArmor, SecComp filters and other
44 kernel feature. Be prepared that some syscalls are not allowed
45 inside containers.
46
47{pve} uses https://linuxcontainers.org/[LXC] as underlying container
48technology. We consider LXC as low-level library, which provides
49countless options. It would be to difficult to use those tools
50directly. Instead, we provide a small wrapper called `pct`, the
51"Proxmox Container Toolkit".
52
53The toolkit it tightly coupled with {pve}. That means that it is aware
54of the cluster setup, and it can use the same network and storage
55resources as fully virtualized VMs. You can even use the {pve}
56firewall, or manage containers using the HA framework.
57
58Our primary goal is to offer an environment as one would get from a
59VM, but without the additional overhead. We call this "System
60Containers".
61
70a42028
DM
62NOTE: If you want to run micro-containers (with docker, rct, ...), it
63is best to run them inside a VM.
4a2ae9ed
DM
64
65
66Security Considerations
67-----------------------
68
69Containers use the same kernel as the host, so there is a big attack
70surface for malicious users. You should consider this fact if you
71provide containers to totally untrusted people. In general, fully
72virtualized VM provides better isolation.
73
74The good news is that LXC uses many kernel security features like
75AppArmor, CGroups and PID and user namespaces, which makes containers
76usage quite secure. We distinguish two types of containers:
77
78Privileged containers
79~~~~~~~~~~~~~~~~~~~~~
80
81Security is done by dropping capabilities, using mandatory access
82control (AppArmor), SecComp filters and namespaces. The LXC team
83considers this kind of container as unsafe, and they will not consider
84new container escape exploits to be security issues worthy of a CVE
85and quick fix. So you should use this kind of containers only inside a
86trusted environment, or when no untrusted task is running as root in
87the container.
88
89Unprivileged containers
90~~~~~~~~~~~~~~~~~~~~~~~
91
92This kind of containers use a new kernel feature, called user
93namespaces. The root uid 0 inside the container is mapped to an
94unprivileged user outside the container. This means that most security
95issues (container escape, resource abuse, ...) in those containers
96will affect a random unprivileged user, and so would be a generic
97kernel security bug rather than a LXC issue. LXC people think
98unprivileged containers are safe by design.
99
70a42028
DM
100Container Storage
101-----------------
102
103Traditional containers use a very simple storage model, only allowing
104a single mount point, the root file system. This was further
105restricted to specific file system types like 'ext4' and 'nfs'.
106Additional mounts are often done by user provided scripts. This turend
107out to be complex and error prone, so we trie to avoid that now.
108
109Our new LXC based container model is more flexible regarding
110storage. First, you can have more than a single mount point. This
111allows you to choose a suitable storage for each application. For
112example, you can use a relatively slow (and thus cheap) storage for
113the container root file system. Then you can use a second mount point
114to mount a very fast, distributed storage for your database
115application.
116
117The second big improvement is that you can use any storage type
118supported by the {pve} storage library. That means that you can store
119your containers on local 'lvmthin' or 'zfs', shared 'iSCSI' storage,
120or even on distributed storage systems like 'ceph'. And it enables us
121to use advanced storage features like snapshots and clones. 'vzdump'
122can also use the snapshots feature to provide consistent container
123backups.
124
125Last but not least, you can also mount local devices directly, or
126mount local directories using bind mounts. That way you can access
127local storage inside containers with zero overhead. Such bind mounts
128also provides an easy way to share data between different containers.
129
4a2ae9ed
DM
130
131Managing Containers with 'pct'
132------------------------------
133
0c6b782f
DM
134'pct' is a tool to manages Linux Containers (LXC). You can create and
135destroy containers, and control execution
136(start/stop/suspend/resume). Besides that, you can use pct to set
137parameters in the associated config file, like network configuration
138or memory.
139
140CLI Usage Examples
141------------------
142
143Create a container based on a Debian template (provided you downloaded
144the template via the webgui before)
145
146 pct create 100 /var/lib/vz/template/cache/debian-8.0-standard_8.0-1_amd64.tar.gz
147
148Start container 100
149
150 pct start 100
151
152Start a login session via getty
153
154 pct console 100
155
156Enter the LXC namespace and run a shell as root user
157
158 pct enter 100
159
160Display the configuration
161
162 pct config 100
163
164Add a network interface called eth0, bridged to the host bridge vmbr0,
165set the address and gateway, while it's running
166
167 pct set 100 -net0 name=eth0,bridge=vmbr0,ip=192.168.15.147/24,gw=192.168.15.1
168
169Reduce the memory of the container to 512MB
170
171 pct set -memory 512 100
172
173Files
174------
175
176'/etc/pve/lxc/<vmid>.conf'::
177
178Configuration file for the container <vmid>
179
180
181Container Advantages
182--------------------
183
184- Simple, and fully integrated into {pve}. Setup looks similar to a normal
185 VM setup.
186
187 * Storage (ZFS, LVM, NFS, Ceph, ...)
188
189 * Network
190
191 * Authentification
192
193 * Cluster
194
195- Fast: minimal overhead, as fast as bare metal
196
197- High density (perfect for idle workloads)
198
199- REST API
200
201- Direct hardware access
202
203
204Technology Overview
205-------------------
206
207- Integrated into {pve} graphical user interface (GUI)
208
209- LXC (https://linuxcontainers.org/)
210
211- cgmanager for cgroup management
212
213- lxcfs to provive containerized /proc file system
214
215- apparmor
216
217- CRIU: for live migration (planned)
218
219- We use latest available kernels (4.2.X)
220
221- image based deployment (templates)
222
223- Container setup from host (Network, DNS, Storage, ...)
224
225
226ifdef::manvolnum[]
227include::pve-copyright.adoc[]
228endif::manvolnum[]
229
230
231
232
233
234
235