Centos – Linux containers (LXC) on Red Hat/CentOS EL6 – lxc-create versus libvirt

centoscontainerslibvirtlxcredhat

It's tricky trying to stay within the good graces of Red Hat and still plan for system longevity…

I've been a proponent of Linux Containers (LXC) for over a year. My initial installations were based on information gleaned from online tutorials, like this one and this one. This centered around the lxc-create, lxc-start|stop and lxc-destroy commands and modifying existing OpenVZ templates.

This works well and is happily running in production. However, I am bringing up some additional systems and decided to check Red Hat's current documentation regarding containers in EL6. I was surprised to see their official stance on this.

In Does RHEL 6 provide LXC tools needed to use Linux Containers?, Red Hat describes LXC as a Technology Preview and suggests using libvirt to manage create and manage containers.

Yet Oracle advocates a totally different containerization technique in its Unbreakable Linux.

There appears to be some missing functionality in the libvirt method, but my initial approach with lxc-* commands was a bit of a manual process… I can't quite tell what's right or the "accepted" means of managing containers on EL6.

What's the conventional wisdom regarding LXC and RHEL-like systems today?
How are you implementing them in your organization?
Are there any advantages to one approach versus the other(s)?
Can these coexist?

Best Answer

What's the conventional wisdom regarding LXC and RHEL-like systems today?

Personally, I find the current setup somewhat lacking. LXC seems more at the forefront -- certainly more maintained.

How are you implementing them?

In terms of offering it as a virtualization option I am not. I find the current technological setup lacking.

No username namespace.
Certain mountpoints are not namespace aware (cgroups, selinux)
Values in /proc are misleading system globals that dont account for the resource partitioning in namespaces.
Breaks audit.

I do find it really nice tool for application level containment however. We use namespaces and cgroups directly to contain network and IPC resources for certain user-ran web applications. We provide our own interface to control it. In RHEL7 I'm considering moving this functionality to libvirt-lxc as the newer revisions of libvirt support the concept of user ACLs.

For virtualization in terms of a fully initialized system I'm waiting to wee what is offered in RHEL7, but in all honesty, I feel we might only see a good enough solution once we're on a later minor release of RHEL7 and then perhaps only on a technology preview state.

Keep your eye out on systemd-nspawn something tells me in the next 18 months or so it might take its place is the best tool to do fully linux contained virtualization, be it that the systemd authors make it clear its not secure right now! I wouldnt be surprised if libvirt drops libvirt-lxc eventually and just offers a wrapper around systemd-nspawn with systemd slices defined.

Also, be wary theres been a lot of talk over the last 6 months in regards to re-implementing cgroups as a kernel programmer interface rather than a filesystem interface (perhaps using netlink or something, haven't checked) so systemd should be very hot on the tail of getting that right very quickly.

Are there any advantages to one approach versus the other?

I think the LXC option (not libvirt-lxc) is better maintained. Having read the libvirt-lxc sourcecode, it feels rushed. Traditional LXC certainly has newer features whicih have been better tested. Both require a degree of compatibility by the init system being ran in them, but I suspect that you'll find LXC slightly more "turn-key" than the libvirt-lxc option particularly in regards getting distros to work in them.

Can these coexist?

Sure, remember that for all intents and purposes, both are doing the same thing. Organizing namespaces, cgroups and mount points. All the primitives are dealt with by the kernel itself. Both lxc implementations just offer a mechanism for interfacing with the kernel options available.

Related Solutions

Centos – The real differences between Red Hat Enterprise Linux (RHEL) and CentOS

Short of doing installations of both and running a fancy diff between the two and manually picking through the output, there's no real way to prove to most people that they're the same. Yes, they use the same compiler, and the same linker, and the same libraries, all with the same options, but many people don't see induction as proof.

Linux – Why are the XFS filesystems suddenly consuming more space and full of sparse files

I traced this issue back to a discussion about a commit to the XFS source tree from December 2010. The patch was introduced in Kernel 2.6.38 (and obviously, later backported into some popular Linux distribution kernels).

The observed fluctuations in disk usage are a result of a new feature; XFS Dynamic Speculative EOF Preallocation.

This is a move to reduce file fragmentation during streaming writes by speculatively allocating space as file sizes increase. The amount of space preallocated per file is dynamic and is primarily a function of the free space available on the filesystem (to preclude running out of space entirely).

It follows this schedule:

freespace       max prealloc size
  >5%             full extent (8GB)
  4-5%             2GB (8GB >> 2)
  3-4%             1GB (8GB >> 3)
  2-3%           512MB (8GB >> 4)
  1-2%           256MB (8GB >> 5)
  <1%            128MB (8GB >> 6)

This is an interesting addition to the filesystem as it may help with some of the massively fragmented files I deal with.

The additional space can be reclaimed temporarily by freeing the pagecache, dentries and inodes with:

sync; echo 3 > /proc/sys/vm/drop_caches

The feature can be disabled entirely by defining an allocsize value during the filesystem mount. The default for XFS is allocsize=64k.

The impact of this change will probably be felt by monitoring/thresholding systems (which is how I caught it), but has also affected database systems and could cause unpredictable or undesired results for thin-provisioned virtual machines and storage arrays (they'll use more space than you expect).

All in all, it caught me off-guard because there was no clear announcement of the filesystem change at the distribution level or even in monitoring the XFS mailing list.

Edit:
Performance on XFS volumes with this feature is drastically improved. I'm seeing consistent < 1% fragmentation on volumes that previously displayed up to 50% fragmentation. Write performance is up globally!

Stats from the same dataset, comparing legacy XFS to the version in EL6.3.

Old:

# xfs_db -r -c frag /dev/cciss/c0d0p9
actual 1874760, ideal 1256876, fragmentation factor 32.96%

New:

# xfs_db -r -c frag /dev/sdb1
actual 1201423, ideal 1190967, fragmentation factor 0.87%

Best Answer

Related Solutions

Centos – The real differences between Red Hat Enterprise Linux (RHEL) and CentOS

Linux – Why are the XFS filesystems suddenly consuming more space and full of sparse files

Related Topic