
LXC in Ubuntu 12.04 LTS by Stéphane Graber

2013-08-08 14:04
Quite a few people have been asking about the status of LXC in Ubuntu 12.04 LTS. This post is an overview of the work we did over the past 6 months, with links to more detailed posts about the new features.


What is LXC?


LXC is a userspace tool that creates system or application containers by driving the kernel's namespace and control group (cgroup) features.

Basically, LXC:

feels like something between a chroot and a virtual machine

runs a full Linux system using the host's kernel

leaves the processes running in the container visible from the outside

doesn't need any special hardware and works on all supported architectures

A libvirt driver for LXC exists (libvirt-lxc); however, it doesn't use the "lxc" userspace tool, even though it relies on the same kernel features.


Making LXC easier

One of the main tasks for 12.04 LTS was to make LXC dead easy to use. To get there, we fixed known bugs on one hand and improved LXC's default configuration on the other.

The following commands are now all it takes to create and start a basic container on Ubuntu 12.04 LTS:
sudo apt-get install lxc
sudo lxc-create -t ubuntu -n my-container
sudo lxc-start -n my-container


By default LXC uses the same release and architecture as your host; the template's extra options can be listed with --help. The default login/password is ubuntu/ubuntu.

Another step towards making LXC easier was reducing the extra work (hacks) needed to turn a regular system into a container to zero.

Starting with 12.04, a standard Ubuntu system runs in a container without any modification, and you can now even run VM images directly in a container.

The ubuntu-cloud template also lets you get one of our EC2/cloud images and have it start as a container instead of a cloud instance:
sudo apt-get install lxc cloud-utils
sudo lxc-create -t ubuntu-cloud -n my-cloud-container
sudo lxc-start -n my-cloud-container


And finally, if you want to test the new cool stuff, you can also use juju with LXC:
[ ! -f ~/.ssh/id_rsa.pub ] && ssh-keygen -t rsa
sudo apt-get install juju apt-cacher-ng zookeeper lxc libvirt-bin --no-install-recommends
sudo adduser $USER libvirtd
juju bootstrap
sed -i "s/ec2/local/" ~/.juju/environments.yaml
echo " data-dir: /tmp/juju" >> ~/.juju/environments.yaml
juju bootstrap
juju deploy mysql
juju deploy wordpress
juju add-relation wordpress mysql
juju expose wordpress

# To tail the logs
juju debug-log

# To get the IPs and status
juju status


Making LXC more secure

Another major goal for LXC in Ubuntu 12.04 was to make it more secure.

John Johansen did amazing work extending apparmor so that we could implement per-container apparmor profiles and prevent most known dangerous behaviours from happening inside a container.

Note: we won't call LXC root-safe until user namespaces are in the kernel, but the default apparmor profile that ships with Ubuntu 12.04 blocks every security issue we know of.

In practice this means that write access to /proc and /sys is heavily restricted, that mounting filesystems is restricted so that only known-safe filesystems can be mounted by default, and that capabilities are restricted in the default LXC profile to prevent a container from loading kernel modules or controlling apparmor.
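The restrictions above can be checked from inside a running container rather than taken on trust. The script below is an added example, not code from the original post or from LXC itself: it reads the capability bounding set (CapBnd in /proc/self/status) and the AppArmor label (/proc/self/attr/current) and checks that the capabilities for loading modules and controlling apparmor are gone and that an lxc-container-* profile is being enforced. Capability numbers come from linux/capability.h; the exact list of dropped capabilities (sys_module, mac_admin, mac_override) is an assumption based on the 12.04-era ubuntu template, so adjust it if your template differs. The sample CapBnd values are constructed, not captured from a real system.

```bash
#!/bin/bash
# Added example (not from the original post or from LXC): verify, from inside a
# container, that the capability bounding set and AppArmor label match the
# Ubuntu 12.04 defaults described above. The set of dropped capabilities is an
# assumption (12.04 ubuntu template: lxc.cap.drop = sys_module mac_admin mac_override).

CAP_SYS_MODULE=16     # load/unload kernel modules
CAP_MAC_OVERRIDE=32   # bypass MAC (apparmor) policy
CAP_MAC_ADMIN=33      # change MAC policy, e.g. load apparmor profiles

# cap_dropped HEXMASK BIT: succeeds if BIT is clear in the CapBnd mask.
cap_dropped() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 0 ]
}

# capbnd_from_status STATUS_TEXT: prints the CapBnd value found in the
# contents of /proc/<pid>/status.
capbnd_from_status() {
    printf '%s\n' "$1" | sed -n 's/^CapBnd:[[:space:]]*//p'
}

# confinement_ok CAPBND_HEX AA_LABEL: succeeds only if the three capabilities
# above are dropped and an lxc-container-* profile is in enforce mode.
# Every failed check is reported on stderr.
confinement_ok() {
    capbnd=$1 label=$2 ok=0
    for cap in $CAP_SYS_MODULE $CAP_MAC_OVERRIDE $CAP_MAC_ADMIN; do
        if ! cap_dropped "$capbnd" "$cap"; then
            echo "capability $cap still in bounding set $capbnd" >&2
            ok=1
        fi
    done
    case $label in
        lxc-container-*" (enforce)") ;;
        *) echo "apparmor label is '$label', expected an enforced lxc-container-* profile" >&2
           ok=1 ;;
    esac
    return $ok
}

# Constructed sample input (not captured from a real system): the CapBnd a
# 12.04 container would show with bits 16, 32 and 33 cleared from the full
# 37-capability mask 0x1fffffffff, next to the host's unrestricted mask.
# (/proc uses a tab after "CapBnd:"; [[:space:]] above matches either.)
CONTAINER_STATUS='Name: init
CapBnd: 0000001cfffeffff'
HOST_STATUS='Name: init
CapBnd: 0000001fffffffff'

# Live check when run on Linux. Inside the container this is the real test;
# on the host it is expected to fail, since the host keeps all capabilities.
if [ -r /proc/self/status ] && [ -r /proc/self/attr/current ]; then
    if confinement_ok "$(capbnd_from_status "$(cat /proc/self/status)")" \
                      "$(cat /proc/self/attr/current)"; then
        echo "confinement matches the 12.04 container defaults"
    else
        echo "confinement differs from the 12.04 container defaults"
    fi
fi
```

Run it with sudo lxc-start -n my-container and then inside the container; a profile in complain mode, an unconfined label, or a CapBnd that still carries bit 16 or 33 all make confinement_ok fail, which is exactly the state in which the "root-safe" caveat above applies in full.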

More details here:

Serge's blog post on LXC in 12.04 and apparmor

Wiki page on security and LXC


Other cool new stuff


Emulated architecture containers

It's now possible to use qemu-user-static with LXC to run containers of non-native architectures, for example:
sudo apt-get install lxc qemu-user-static
sudo lxc-create -n my-armhf-container -t ubuntu -- -a armhf
sudo lxc-start -n my-armhf-container


Ephemeral containers

Quite a bit of work also went into lxc-start-ephemeral, the tool that lets you start a copy of an existing container on an overlay filesystem, discarding any change you make on shutdown:
sudo apt-get install lxc
sudo lxc-create -n my-container -t ubuntu
sudo lxc-start-ephemeral -o my-container


Nested containers

You can now run a container inside a container!

For that to work, you first need to create a new apparmor profile, as the default one doesn't allow this for security reasons.

I already did that for you, so the few commands below will download it and install it in /etc/apparmor.d/lxc/lxc-with-nesting. This profile (or something close to it) will ship in Ubuntu 12.10 as an example of an alternate apparmor profile for containers.
sudo apt-get install lxc
sudo lxc-create -t ubuntu -n my-host-container
sudo wget https://www.stgraber.org/download/lxc-with-nesting -O /etc/apparmor.d/lxc/lxc-with-nesting
sudo /etc/init.d/apparmor reload
sudo sed -i "s/#lxc.aa_profile = unconfined/lxc.aa_profile = lxc-container-with-nesting/" /var/lib/lxc/my-host-container/config
sudo lxc-start -n my-host-container
(in my-host-container) sudo apt-get install lxc
(in my-host-container) sudo stop lxc
(in my-host-container) sudo sed -i "s/10.0.3/10.0.4/g" /etc/default/lxc
(in my-host-container) sudo start lxc
(in my-host-container) sudo lxc-create -n my-sub-container -t ubuntu
(in my-host-container) sudo lxc-start -n my-sub-container
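One caveat with the sed in the recipe above: it only rewrites the exact line "#lxc.aa_profile = unconfined". If the container's config already carries an uncommented lxc.aa_profile line, or no such line at all, the sed silently changes nothing, the container starts under the default profile, and the nested lxc-start is refused. The helpers below are an added example, not code from the original post or from LXC; they set the key whatever form it is currently in and read back the active value so the change can be verified before starting the container. The sample config lines in the usage are constructed.

```bash
#!/bin/bash
# Added example (not from the original post or from LXC): set and read
# lxc.aa_profile in a container config regardless of whether the key is
# commented out, already set, or absent.

# set_aa_profile CONFIG PROFILE: replace every existing lxc.aa_profile line
# (commented out or not) with "lxc.aa_profile = PROFILE"; append it if absent.
# The file is rewritten in place through a temp file so its inode and
# permissions are kept.
set_aa_profile() {
    config=$1 profile=$2
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*#*[[:space:]]*lxc\.aa_profile[[:space:]]*=' "$config"; then
        sed "s|^[[:space:]]*#*[[:space:]]*lxc\.aa_profile[[:space:]]*=.*|lxc.aa_profile = $profile|" \
            "$config" > "$tmp"
    else
        { cat "$config"; printf 'lxc.aa_profile = %s\n' "$profile"; } > "$tmp"
    fi
    cat "$tmp" > "$config"
    rm -f "$tmp"
}

# get_aa_profile CONFIG: print the active (uncommented) profile name, the last
# one if the key appears more than once; print nothing if it is absent or
# only present as a comment.
get_aa_profile() {
    sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Usage on a constructed config (the real one lives in
# /var/lib/lxc/<name>/config and needs sudo):
demo_config=$(mktemp)
printf '%s\n' 'lxc.utsname = my-host-container' \
              '#lxc.aa_profile = unconfined' \
              'lxc.cap.drop = sys_module mac_admin mac_override' > "$demo_config"
set_aa_profile "$demo_config" lxc-container-with-nesting
echo "active profile: $(get_aa_profile "$demo_config")"
rm -f "$demo_config"
```

After editing /var/lib/lxc/my-host-container/config this way, get_aa_profile should print lxc-container-with-nesting; if it prints nothing or lxc-container-default, the nested container will fail to start even though the profile was loaded into apparmor.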


Documentation

Outside of the existing manpages and blog posts I mentioned throughout this post, Serge Hallyn did a very good job at creating a whole section dedicated to LXC in the Ubuntu Server Guide.

You can read it here: https://help.ubuntu.com/12.04/serverguide/lxc.html


Next steps

Next week we have the Ubuntu Developer Summit in Oakland, CA. There we'll be working on the plans for LXC in Ubuntu 12.10. We currently have two sessions scheduled:

LXC containers introduction, demo and Q&A

LXC work for Q

If you want to make sure the changes you want will be in Ubuntu 12.10, please make sure to join these two sessions. It's possible to participate remotely in the Ubuntu Developer Summit, through IRC and audio streaming.

My personal hope for LXC in Ubuntu 12.10 is to have a clean liblxc library that can be used to create bindings for languages like Python. Working towards that goal should make it easier to do automated testing of LXC and to clean up our current tools.

I hope this post made you want to try LXC or, for existing users, made you discover some of the new features that appeared in Ubuntu 12.04. We're actively working on improving LXC both upstream and in Ubuntu, so do not hesitate to report bugs (preferably with "ubuntu-bug lxc").