ContainerKit

About

ContainerKit is a console frontend to LXC tools (the lightweight virtualization system in the Linux kernel). It provides a full-stack container management system on top of the low-level lxc-tools.
Currently we support Ubuntu 10.04 LTS as host (it should also work on Debian Squeeze) and Debian Squeeze as guest.

Features

  • Proper multithreaded start/stop/restart of containers.
  • Container creation.
  • Container destruction.
  • Container tagging.
  • Selectors.
  • IP-filtering.
  • Connecting to container console.
  • Container archive and restore.

Installation

Add repository:

wget http://archive.linux-containers.ru/key.asc -O - | apt-key add -
echo 'deb http://archive.linux-containers.ru/ubuntu lucid main' >> /etc/apt/sources.list

Refresh packages and install "containerkit":

apt-get update
apt-get install containerkit

Download and unpack template:

cd /var/containers/.templates
wget http://download.trueoffice.org/templates/debian-minimal.tar.gz
tar xf debian-minimal.tar.gz

Setup

Network

We need a bridge for our virtual network. In /etc/network/interfaces:

auto br0
iface br0 inet static
	address 192.168.2.1
	netmask 255.255.255.0
	network 192.168.2.0

	pre-up brctl addbr br0
	post-down brctl delbr br0

Restart network:

/etc/init.d/networking restart

Also we need SNAT-rule for iptables:

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to-source <ext_ip>

If we plan to give external IP addresses to containers we shouldn't touch iptables — just add the host's eth0 to the bridge.

Cgroup

We need to mount cgroup filesystem. Create dir:

mkdir /cgroup

Put stuff in fstab:

echo "none /cgroup cgroup defaults 0 0" >> /etc/fstab

Apply mount configuration:

mount -a

ContainerKit

In /etc/containerkit/config.yml the "network" and "general" sections contain parameters that are individual for each host. Key names are self-explanatory.
Usually there is no need to modify the "roots" and "executables" sections.

Autostart

Containers with the "autostart" tag will start at system boot. Add the init script to autostart for this:

update-rc.d containerkit defaults

Control

ContainerKit is invoked by the "ck" command.
There are two modes - common and command-line.
Command-line mode has autocompletion for commands and container names.

Enter command-line mode:

ck -s

Show available commands:

ck cmd-list

(Or press enter in command-line mode without arguments.)

Creating containers

New containers are created with the following command:

ck create

You will be asked interactively for the name, IP and container template.

We can also add a tag:

ck create --tag test

You can also pass the name, IP and template with the --name, --ip and --template arguments.

Selectors

A selector is either a container name or a tag that belongs to containers.
A selector with a tag looks like ":tagname"; a selector with a container name is just "containername".

Selector-driven commands

  • start
  • stop
  • restart
  • destroy
  • list
  • tag-add
  • tag-remove
  • tag-list
  • archive
  • restore

Reserved selectors

:all — selects all containers. We don't need to add this tag manually; all containers are assumed to have it.
:autostart — to start a container at system boot, add the "autostart" tag to it.

Examples

Launch all containers with "test" tag:

ck start :test

Destroy container named "c1":

ck destroy c1

Add "autostart" tag to container "c2":

ck tag-add c2 autostart

Add "test" tag to containers with "autostart" tag:

ck tag-add :autostart test

Network internals

Although LXC supports a variety of network configurations, ContainerKit uses only the veth network type, because it needs to filter the IP addresses of guests.
A veth is a virtual network device pair: one end moves into the container's network namespace and the other joins the software bridge br0. In effect, the scheme emulates a patch cord and a switch.
Inside the container the device is named eth0; on the host side it is veth_<container_name> (for example, veth_test).
Traffic filtering is implemented with ebtables and drops all traffic whose source IP is not the one allowed for the container. The same filtering is applied to ARP requests.
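
As an added illustration (not ContainerKit's own code), the following POSIX shell function builds the per-container ebtables rule set that the scheme above describes: frames arriving on the host-side veth_<container_name> port are dropped unless their IPv4 source, or ARP sender IP, is the address assigned to that container. It assumes the veth_ naming from this section and the host-side FORWARD and INPUT chains, and it prints the commands instead of running them.

```shell
#!/bin/sh
# Generate ebtables anti-spoofing rules for one container.
# Usage: antispoof_rules <container_name> <allowed_ipv4>
# The function only prints the commands; pipe them into sh as root to apply.

# Validate a dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

antispoof_rules() {
    name=$1
    ip=$2
    # The container name becomes part of an interface name (veth_<name>),
    # so restrict it to a safe character set and keep "veth_" + name
    # within the kernel's 15-character interface name limit.
    case "$name" in
        *[!A-Za-z0-9_-]* | "") echo "bad container name: $name" >&2; return 1 ;;
    esac
    [ ${#name} -le 10 ] || { echo "name too long for veth_ prefix: $name" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    dev="veth_$name"
    # Frames bridged to other ports (FORWARD) and frames addressed to the
    # host itself (INPUT) both need the check.
    for chain in FORWARD INPUT; do
        # IPv4: drop anything whose source is not the container's own address.
        echo "ebtables -A $chain -i $dev -p IPv4 ! --ip-src $ip -j DROP"
        # ARP: drop requests/replies claiming a different sender IP.
        echo "ebtables -A $chain -i $dev -p ARP ! --arp-ip-src $ip -j DROP"
    done
}
```

Run `antispoof_rules test 192.168.2.10` to inspect the four rules for container "test"; `antispoof_rules test 192.168.2.10 | sh` applies them on the host.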

Source code

You can check out the ContainerKit repo on GitHub: http://github.com/KernelMadness/ContainerKit
There is also an svn mirror: http://www.trueoffice.org/svn/solutions/containerkit/