SCIENTIFIC-LINUX-USERS Archives

November 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Vladimir Mosgalin <[log in to unmask]>
Date: Sun, 9 Nov 2014 01:58:46 +0300
Hi ToddAndMargo!

 On 2014.11.08 at 11:06:00 -0800, ToddAndMargo wrote next:

> Hi Vladimir,
> 
> Do you have a good reference you like that I could
> learn this container stuff?

Containers are a pretty basic concept. Were the links I provided (as well as
the systemd-nspawn page) not enough?

Basically it's chroot on steroids: it allows a program (or lots of programs,
up to "all the programs in a typical operating system, starting from
init") to execute in lightweight isolation - filesystem isolation, socket
isolation, process space isolation and limits (memory, CPU, IO etc.) for the
whole container. (chroot offers only low-quality filesystem isolation.)

There are various ways of doing this isolation; on Linux the most popular
one used in production would be OpenVZ (used for many years). A more
modern way is LXC (available in EL since EL7 out of the box). It is a
much newer technology, but we already use it in production on new systems
instead of OpenVZ and it works.

Applications in containers run at full speed, but the environments you can
run are limited, because the host kernel version is the same.
E.g. under SL7 you can perfectly run SL6 or F20 containers or any other
Linux distribution compatible with the 3.10 kernel, but it's not
guaranteed that you'll be able to run, say, an EL3 (kernel 2.4 based)
container or future distributions which require features from newer
kernels.


Since containers themselves are a very simple concept and there aren't as
many complex technologies and pitfalls involved as with virtualization,
there isn't much to read about containers themselves. You can get familiar
with a certain isolation (container) technology: just google for some
documentation on its basic usage and that's it. In many aspects
containers are way, way simpler than virtualization, so there just isn't
much you need to know to use them.

I already explained basics, so I don't know what to add about it. If
you want me to repeat it:

OpenVZ - works great, production-ready, not supported out of the box on
any popular Linux distribution (requires a special kernel and tools).
Unless you need to work with an existing installation, don't bother.

LXC (native tools) - new, semi-production-ready, works on EL7 out
of the box, except for a few pitfalls which might be fixed in the future
(we were affected by selinux problems - the kernel hung/crashed (!) with
selinux enabled, so we had to disable it; we were also affected by bug
https://bugzilla.redhat.com/show_bug.cgi?id=1004724 when running
PostgreSQL in a container; there is a workaround).

LXC under libvirt - very new, not production-ready, but this is the way
RedHat wants you to use containers. There is documentation available at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Resource_Management_and_Linux_Containers_Guide/index.html
From our experience, it doesn't work well enough yet to be used in
production: very immature tools and various problems. But it will play
nice with selinux once it works better.

Note that the documentation from the link above might still be useful to you,
even if you won't use LXC under libvirt.

Docker - a way to run a single application in any kind of container. Very
new, very hot technology, lots of interest in it (RedHat recently had a
webinar about Docker, for example). Very easy to use, but its usage is
limited compared to container technology as a whole, and it's still
immature/not production-ready.
There is some documentation at the link above.
When this technology matures, it *will* be the best solution for your
task ("run Fedora 20 wine under SL7") and similar ones.

systemd-nspawn - think of it as a very primitive alternative to
Docker. Very limited and primitive and not for production usage (and
likely never will be), but easy to use and excellent for simple use on
desktop systems right now.
The documentation would be its manpage and resources on the internet.
http://maci0.wordpress.com/2014/05/02/run-any-applications-on-rhel7-containerized-with-3d-acceleration-and-pulseaudio-steam-pidgin-vlc/
is a good link (the command line with lots of bind mount arguments shows
how to let application use high-performance interface to X11 and even
run 3D applications without speed loss), as well as
http://www.alapshin.com/posts/systemd-chroot/ (in Russian).


-- 

Vladimir
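The post describes container isolation as namespaces (filesystem, socket, process space) plus cgroup limits, and contrasts it with a plain chroot. The following script is an added example written for this archive page, not code from the post or from any of the projects it names. It reads the kernel's own view of those boundaries from /proc and cgroupfs so an administrator can verify, from the host, whether a given pid is really in a container, merely chrooted, or running unconfined. All function names are my own, the `SAMPLE_CGROUP_*` strings are constructed sample data, and it assumes a Linux /proc layout with the six namespace kinds a 3.10-era (EL7) kernel exposes; `report()` needs to be run as root on the host.

```python
"""Inspect the isolation boundaries between the host (pid 1) and a process.
Added example; pure helpers take text/dicts so they work on constructed data.
Usage (as root on the host):  python3 inspect_isolation.py <pid>
"""
import os
import sys

# Namespace kinds exposed under /proc/<pid>/ns by a 3.10-era (EL7) kernel.
NS_KINDS = ("mnt", "pid", "net", "ipc", "uts", "user")

# Constructed sample of /proc/<pid>/cgroup content (cgroup v1, LXC-style path).
SAMPLE_CGROUP_V1 = "5:memory:/lxc/web\n4:cpu,cpuacct:/lxc/web\n1:name=systemd:/lxc/web\n"
# Constructed sample for a unified (cgroup v2) hierarchy.
SAMPLE_CGROUP_V2 = "0::/machine.slice/machine-web.scope\n"


def namespace_ids(pid="self"):
    """Return {kind: inode-id} read from the /proc/<pid>/ns/<kind> symlinks.

    Each link reads like 'mnt:[4026531840]'. Equal ids mean the two processes
    share that namespace; a different id is an isolation boundary between them.
    Kinds the kernel lacks (or that we may not read) are omitted.
    """
    ids = {}
    for kind in NS_KINDS:
        try:
            target = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            continue
        ids[kind] = target.split(":", 1)[1].strip("[]")
    return ids


def isolated_from(a, b):
    """Sorted list of namespace kinds in which two {kind: id} maps differ."""
    return sorted(k for k in a if k in b and a[k] != b[k])


def classify(host_ns, proc_ns, host_root, proc_root):
    """Label a process relative to the host: 'host', 'chroot' or 'container'.

    A plain chroot only changes the root directory (/proc/<pid>/root, as seen
    from the host) while sharing every namespace; that is the 'low-quality
    filesystem isolation' the post mentions. A container has at least its own
    mount namespace, and usually pid/net/ipc/uts as well.
    """
    if isolated_from(host_ns, proc_ns):
        return "container"
    return "chroot" if proc_root != host_root else "host"


def cgroup_path(cgroup_text, controller="memory"):
    """Cgroup path for a controller from /proc/<pid>/cgroup text.

    Lines look like 'hierarchy-id:controllers:path' (v1) or '0::path' (v2);
    the unified v2 path is returned when no v1 line names the controller.
    """
    unified = None
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        hid, controllers, path = parts
        if controller in controllers.split(","):
            return path
        if hid == "0" and controllers == "":
            unified = path
    return unified


def parse_memory_limit(text):
    """memory.limit_in_bytes (v1) or memory.max (v2) -> bytes, None = unlimited.

    cgroup v1 reports 'no limit' as a huge page-aligned number near 2**63
    rather than a keyword, so anything that large is treated as unlimited.
    """
    text = text.strip()
    if text in ("", "max"):
        return None
    value = int(text)
    return None if value >= 2 ** 62 else value


def memory_limit_for(pid):
    """Read the effective memory limit of a pid's cgroup (v1 or v2 layout)."""
    with open(f"/proc/{pid}/cgroup") as f:
        path = cgroup_path(f.read())
    if path is None:
        return None
    for candidate in (f"/sys/fs/cgroup/memory{path}/memory.limit_in_bytes",
                      f"/sys/fs/cgroup{path}/memory.max"):
        try:
            with open(candidate) as f:
                return parse_memory_limit(f.read())
        except OSError:
            continue
    return None


def report(pid):
    """Host-side summary: which boundaries separate <pid> from pid 1."""
    host_ns, proc_ns = namespace_ids(1), namespace_ids(pid)
    host_root, proc_root = os.readlink("/proc/1/root"), os.readlink(f"/proc/{pid}/root")
    return {
        "kind": classify(host_ns, proc_ns, host_root, proc_root),
        "boundaries": isolated_from(host_ns, proc_ns),
        "memory_limit": memory_limit_for(pid),
    }


if __name__ == "__main__":
    print(report(sys.argv[1] if len(sys.argv) > 1 else "self"))
```

Run against a process inside an LXC or systemd-nspawn container, the report lists `mnt`, `pid`, `net`, `ipc` and `uts` as boundaries; run against a process started with plain `chroot`, it lists none and is classified as `chroot`, which is the practical difference the post is pointing at.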
