Curs 7 - Virtualizarea bazata pe containere · 2017-02-20 · I se bazeaz a pe Linux kernel cgroup...

Curs 7Virtualizarea bazata pe containere

Servicii avansate pentru ISP

10 aprilie 2016

SAISP Curs 7, Virtualizarea bazata pe containere 1/67

Outline

Virtualizare

OS-level virtualization

OpenVZ

LXC

Linux-VServer

API de virtualizare

libvirt

VIX API

Intrebari


Virtualizare

I abstractizarea resurselor unui sistem de calculI memorie virtualaI mas, ini virtualeI emulareI virtualizarea stocarii

I system virtual machine

I process virtual machine


De ce virtualizare?

I mediu ınchis, separat de mas, ina gazdaI securitateI sigurant, aI control

I cost redus

I utilizare eficienta a resurselor (server consolidation)

I snapshot – refacerea facila a starii unui sistem de operare


Tipuri de virtualizare

I virtualizare completa (full-virtualization)I virtualizare asistata hardware (hardware-assisted virtualization)

I paravirtualizare (paravirtualization)

I virtualizare la nivelul sistemului de operare (operating-systemlevel virtualization)

I Cu ce difera virtualizarea de emulare?I la virtualizare, cea mai mare parte a instruct, iunilor se executa

pe sistemul fizicI se poate emula o arhitectura diferita de arhitectura sistemului

fizic

I hypervisorI hosted virtualization (type 2 hypervisor)I bare metal virtualization (type 1 hypervisor)






I Cu ce difera virtualizarea de emulare?

I la virtualizare, cea mai mare parte a instruct, iunilor se executape sistemul fizic

I se poate emula o arhitectura diferita de arhitectura sistemuluifizic







I Cu ce difera virtualizarea de emulare?I la virtualizare, cea mai mare parte a instruct, iunilor se executa

pe sistemul fizicI se poate emula o arhitectura diferita de arhitectura sistemului

fizic



Outline

Virtualizare


OpenVZ

LXC

Linux-VServer

API de virtualizare

libvirt

VIX API

Intrebari



I multiple instant, e user-space izolate

I virtual environment, virtual private server, container

I nucleu partajat cu sistemul de baza

I hypervisor integrat ın nucleu

I chroot extins

I OpenVZ, Linux-VServer, FreeVPS, FreeBSD jail, lxc


OS-level virtualization (2)


Avantaje/dezavantaje OS-level virtualization

I viteza, overhead redus – hypervisor-ul este integrat rapid ınnucleu

I crearea rapida de containere (un sistem de fis, iere s, i un set deconfigurat, ii)

I interact, iunea facila din cadrul sistemului de baza

I erorile nucleului sunt comune; un crash la nivelul nucleului semanifesta la nivelul sistemului de baza s, i containerelor

I flexibilitate redusa din perspectiva rularii mai multor tipuri desisteme de operare

I dificultat, i ın alocarea resurselor per CT (CPU, memorie, disk)

I nu poate fi folosita pentru kernel development/kernel testing

I dificil de virtualizat networking


Outline

Virtualizare


OpenVZ

LXC

Linux-VServer

API de virtualizare

libvirt

VIX API

Intrebari


Descriere generala

I virtualizare la nivelul sistemului de operareI acelas, i kernel folosit atat pe sistemul host cat s, i de catre

containere

I kernel Linux modificat + utilitare de control pentru user-space

I http://wiki.openvz.org/Main_Page

I baza pentru Parallels Virtuozzo Containers


http://wiki.openvz.org/Main_Page

Arhitectura OpenVZ


Terminologie

I CT (container)

I VE (Virtual Environment)

I VPS (Virtual Private Server)

I CTID (container ID), VEID

I CT0 = VE0 = host system

I host system = hardware node = HW = HN

I OS template

I UBC (User Beancounters)


Containere OpenVZ

I componente containerI sistem de fis, iere (biblioteci, aplicat, ii, /proc virtualizat, /sys

virtualizat, lock-uri virtualizate)I utilizatori s, i grupuriI arbore de procese (PID-uri virtualizate; ın fiecare container init

are PID-ul 1)I ret, ea (interfat, a de ret, ea virtuala, reguli netfilter, tabela de

rutare)I dispozitive (oricare container poate avea acces direct la

hardware, daca se dores, te)

I limitari soft s, i hard pentru resurse (“limit” vs. “barrier”)

I resursele neutilizate pot fi folosite de alte containere


Avantaje OpenVZ

I VPS (root access)

I numar mare de mas, ini virtuale (overhead redus)

I gestiune facila a ıntregului sistem (update de kernel, vzctl)

I creare/gestiune facila a unui container


Instalare pe Debian

I Adaugare repo OpenVZhttp://openvz.org/Installation_on_Debian

I apt-get install linux-image-openvz-686

I apt-get install vzctl vzquota vzprocps vzdump


http://openvz.org/Installation_on_Debian

Templates

I template = arhiva .tar.gz cu root filesystem

I /var/lib/vz/template/cache/I exemplu: debian-4.1-amd64-minimal.tar.gz

I vzctl create $VEID

--ostemplate debian-4.1-amd64-minimal


Templates (cont.)

I apt-get install debootstrap

I debootstrap --arch i386 lenny

/var/lib/vz/private/100

I tar czf

/var/lib/vz/template/cache/debian-5.0.tar.gz

/var/lib/vz/private/100

I vzctl create ...


Configurare globala

I /etc/vz/vz.confI VE_ROOTI IPTABLESI TEMPLATE

I /etc/init.d/vz {start, stop, restart}


Configurare la nivelul container-ului

I parametriI startupI ret, eaI QoS (limitari resurse)

I vzctl set $VEID <param>=<value> --save


Comenzi utile

I vzlist

I vzctl start 100

I vzctl stop 100

I vzctl restart 100

I vzctl set <veid> [options]I vzctl set 100 --ipadd 10.10.1.2 --saveI vzctl set 100 --nameserver 10.10.1.2 --save

...

I vzctl create 100 [...]

I vzctl destroy 100


Ce nu pot, i sa faci ın OpenVZ?

I module de kernel

I kernel development

I traffic shaping

I unele caracteristici ale iptables


Tuning & limitations

I UBC (User Beancounters)I privvmpages – memorie pentru aplicat, ii

I barrier: 2048 MBI limit: 2096 MBI vzctl set 100 --privvmpages 2048m:2096m --save

I numtcpsock – numar de socket, i TCP

I tcpsndbuf, tcprcvbuf – buffer de transmisie/recept, ie


Interfet, e

I venet – layer 3 virtualized network interfaceI similara unei legaturi point-to-pointI vzctl set $VEID --ipadd 10.0.0.1 --saveI vzctl set $VEID --ipdel 10.0.0.1 --save

I veth – layer 2 virtualized network interfaceI vzctl set $VEID --netif_add eth0 --saveI vzctl set $VEID --netif_del eth0 --save


Bridge-uri

I AvantajeI acces direct la interfat, a de ret, eaI adrese IP unice accesibile din exterior (fara a folosi NAT)

I DezavantajeI configurare complexa

I bridge-utils: brctl


Utilizarea bridge-urilor


Bridge-uri (cont.)

I crearea unui bridge: brctl addbr br0

I adaugarea unei interfet, e ın bridgeI brctl addif br0 eth0I brctl addif br0 veth101.0 #eth0 din VE 101I ...

I status bridge: brctl show br0


Outline

Virtualizare


OpenVZ

LXC

Linux-VServer

API de virtualizare

libvirt

VIX API

Intrebari


LXC

I Linux containers

I integrat ın nucleul Linux de la versiunea 2.6.29

I http://lxc.sourceforge.net/

I se bazeaza pe Linux kernel cgroupI LXC Tools

I lxc-create, lxc-info, lxc-ps, lxc-start, lxc-executeI fis, ier de configurare

lxc.utsname = my_ssh_container

lxc.network.type = veth

lxc.network.flags = up

lxc.network.link = br0

lxc.network.ipv4 = 10.0.2.16/24


http://lxc.sourceforge.net/

cgroups

I Control Groups

I agregarea proceselor ın subsisteme (grupuri ierarhice)

I interfat, a pentru alte subsisteme – hook-uri pentru altesubsisteme (accounting, limiting, isolate resource usage)

I consecint, a a mai multor eforturi: cpusets, ResGroups,UserBeanCounters, virtual server namespaces

I mount -t cgroup cgroup /cgroup


Cum arata cgroups?

I fis, iere ce cont, in informat, ii despre grup

I grupate pe categorii (cpuset.xxx, memory.xxx)

I un nou subgrup/subsistem are un subdirector, cont, inandaceleas, i fis, iere

I de exemplu, fis, ierul tasks cont, ine procesele din subsistem


Comenzi utile

I lxc-create

I lxc-start

I lxc-stop

I lxc-console

I lxc-cgroup

I lxc-ps

I lxc-list


Cum se ıntampla pe Debian

I apt-get install lxc

I mkdir /cgroup

I mount -t cgroup cgroup /cgroup -o

cpuacct,memory,devices,cpu,freezer,blkio

I lxc-create -n mycontainer -t debian – TUI

I configurare networking

I lxc-start -n mycontainer

I lxc-console -n mycontainer


Configurare networking

I bridged networking

I se poate configura accesul la Internet pe container prineditarea directa (din sistemul host) a fis, ierul/etc/network/interfaces aferent

1 auto br0

2 iface br0 inet dhcp

3 bridge ports eth0

4 bridge fd 0

5 bridge maxwait 0


Configurare LXC

I ın /var/lib/lxc/$container/config

I lxc-cgroup pentru configurare dinamica

I sistemul de fis, iere ın /var/lib/lxc/$container/rootfs

I se poate folosi chroot pentru accesarea acestuia


Outline

Virtualizare


OpenVZ

LXC

Linux-VServer

API de virtualizare

libvirt

VIX API

Intrebari


Linux-VServer

I nu este legat de LVS – Linux Virtual ServerI patch peste nucleul Linux

I aptitude install linux-image-vserver-686

util-vserver vserver-debiantools

I “partit, ie” (resurse alocate) – security context

I sistemul virtualizat – virtual private server (kick-start init)

I newserver, vserver, /etc/vservers/


Outline

Virtualizare


OpenVZ

LXC

Linux-VServer

API de virtualizare

libvirt

VIX API

Intrebari


Interfet, e de gestiune a solut, iilor de virtualizare

I graficeI integrate ın cadrul aplicat, iei (VMware, VirtualBox)I Virtual Machine Manager (libvirt, Python)I Proxmox Virtual Environment

I CLII qemuI vzctlI virsh (libvirt)I vmware-cmd


API de virtualizare

I automation API

I VMware VIX API

I VirtualBox API

I Xen API

I libvirt


Operat, ii cu API de virtualizare

I conectare la hypervisor

I listare mas, ini virtuale

I pornire mas, ina virtuala

I autentificare la mas, ina virtuala

I rulare proces pe mas, ina virtuala

I copiere pe/de pe mas, ina virtuala

I oprire mas, ina virtuala

I deconectare de la hypervisor


Outline

Virtualizare


OpenVZ

LXC

Linux-VServer

API de virtualizare

libvirt

VIX API

Intrebari


libvirt

I interact, iune cu solut, ii de virtualizare (ın principal Linux)

I C API, binding-uri ın alte limbaje

I suport init, ial/principal pentru Xen, Qemu, KVM

I suport pentru LXC, OpenVZ, VMware ESX/GSX, VirtualBox(drivere)

I daemon de control (libvirtd) acolo unde este cazul – nuexista hypervisor (Qemu, KVM)


Instalare

I # apt-get install libvirt0 libvirt-bin

libvirt-dev libvirt-doc virtinst

I libvirt-bin – daemon libvirt(/etc/default/libvirt-bin)

I virtinst – comenzi pentru creare/clonare de mas, ini virtuale


Connection URI

I identificarea driverului s, i, eventual, a sistemului de la distant, a

I test:///default – test

I xen:/// – Xen

I qemu:///system, qemu:///session – Qemu, KVM

I openvz:///system – OpenVZ

I openvz://example.com/system – remote connection


Drivers

I delegarea implementarii unui driver specific unei solut, ii devirtualizare

I selectat pe baza URI-ului

I Xen, QEMU, LXC, test, OpenVZ, VirtualBox, VMware ESX


virsh

I interfat, a de comanda a mas, inilor virtuale

I construita peste libvirt

I virsh <command> <domain-id>

I $ sudo virsh -c openvz:///system list

I $ sudo virsh -c openvz:///system

Welcome to virsh, the virtualization interactive

terminal.

...

I comenzi utile: start, shutdown, reboot, create, setmem,setvcpus, console


virsh cu LXC

1 <domain type=’lxc’>2 <name>vm1</name>3 <memory>32768</memory>4 <os>5 <type>exe</type>6 <init>/init</init>7 </os>8 <vcpu>1</vcpu>9 <clock offset=’utc’/>10 <on poweroff>destroy</on poweroff>11 <on reboot>restart</on reboot>12 <on crash>destroy</on crash>13 <devices>14 <emulator>/usr/libexec/libvirt lxc</emulator>15 <filesystem type=’mount’>16 <source dir=’/var/lib/lxc/mycontainer/rootfs’/>17 <target dir=’/’/>18 </filesystem>19 <interface type=’network’>20 <source network=’default’/>21 </interface>22 <console type=’pty’ />23 </devices>24 </domain>


virsh cu LXC (2)

I virsh --connect lxc:/// define mycontainer.xml

I virsh --connect lxc:/// start mycontainer

I virsh --connect lxc:/// console mycontainer


Basic API

I virConnectPtr – structura de date pentru conexiuni

I virDomainPtr – structura de date pentru domenii

I virErrorPtr – pentru lucrul cu errori

I import libvirt – Python

I #include <libvirt/libvirt.h>, #include<libvirt/virterror.h> – C


Python example

1 import libvirt

2 import sys

3

4 # check /usr/share/pyshared/libvirt.py5

6 if name ==’ main ’:

7 conn=libvirt.open(’openvz:///system’)

8 print ’Listing running domains’

9 for id in conn.listDomainsID():

10 dom = conn.lookupByID(id)

11 print "id: ", id, "name: ", dom.name()

12

13 dom = conn.lookupByID(100)

14

15 print "stopping domain 100 ... ",

16 sys.stdout.flush()

17 dom.shutdown()

18 print "done"

19

20 print "starting domain 100 ... ",

21 sys.stdout.flush()

22 dom.create()

23 print "done"SAISP Curs 7, Virtualizarea bazata pe containere 51/67

C example

I Demo din code/

I http://elf.cs.pub.ro/saisp/res/cursuri/curs-07/

libvirt-C-example.zip


http://elf.cs.pub.ro/saisp/res/cursuri/curs-07/libvirt-C-example.zip

http://elf.cs.pub.ro/saisp/res/cursuri/curs-07/libvirt-C-example.zip

C example Makefile

1 CFLAGS = -Wall -g

2 LDLIBS = -lvirt

3

4 all: openvz-list-start-stop

5

6 openvz-list-start-stop: openvz-list-start-stop.o

7

8 openvz-list-start-stop.o: openvz-list-start-stop.c

9

10 clean:11 -rm -f openvz-list-start-stop

openvz-list-start-stop.o *∼


Outline

Virtualizare


OpenVZ

LXC

Linux-VServer

API de virtualizare

libvirt

VIX API

Intrebari


vmxfile

I fis, ier de configurare a unei mas, ini virtuale

I ın general executabil (#!/usr/bin/vmware)

I este transmis ca identificator comenzilor de automatizare dincadrul VMware


VIX API

I http://www.vmware.com/support/developer/vix-api/

I VMware Virtualization API

I automatizare, gestiune s, i interact, iune cu mas, inile virtuale

I VMware ESX/GSX, Workstation, Player, vCenter

I C, Perl, COM (Visual Basic, C#)

I Linux & Windows

I versiunea 1.8, 1.10 beta


http://www.vmware.com/support/developer/vix-api/

Instalare

I descarcare de pe site-ul VIX API (trebuie sa va ınregistrat, i)

I sudo bash VMware-VIX-1.8.1-207905.x86_64.bundle

I pentru dezinstalare: vmware-installer -u vmware-vix

I pentru operat, ii de interact, iune este nevoie de VMware Toolspe sistemul guest

I instalat ın /usr/lib/vmware-vix/

I documentat, ie s, i exemple ın /usr/share/doc/vmware-vix/

I acces local la documentat, ie:file:///usr/share/doc/vmware-vix/index.html


Interfat, a CLI

I similara virsh – permite gestiunea mas, inilor virtualeI vmware-cmd

I pentru versiuni serverI doar pentru gestiune (pornire, oprire, adaugare de discuri)I nu ofera comenzi de interact, iune cu sistemul guest

I vmrunI construita peste VIX APII gestiunea completa s, i interact, iunea cu mas, inile virtuale


Funct, ionalitat, i VIX API

I identificarea mas, inii virtuale se realizeaza prin caleacompleta catre fis, ierul .vmx

I listare mas, ini virtuale porniteI vmrun -T ws list

I pornirea mas, inii virtualeI vmrun -T ws start /path/to/vmx

I oprirea mas, inii virtualeI vmrun -T ws stop /path/to/vmx

I snapshotI vmrun -T ws snapshot /path/to/vmx snapshotName

I listarea proceselor dintr-o mas, ina virtualaI vmrun -T ws -gu username -gp password

listProcessesInGuest /path/to/vmx


VIX API – Not, iuni de baza

I object-based, se folosesc handle-uri (VixHandle)

I VixHost_abcd – operat, ii pe host

I VixVM_abcd – operat, ii pe guest

I operat, ii asincrone – folosire VixJob_Wait pentru

I VixError, VixJob_GetError, Vix_GetErrorText as, teptare


Elemente VIX API

I succesiunea obis, nuita a operat, iilorI VixHost_RegisterVMI VixHost_ConnectI VixVM_PowerOnI VixVM_LoginInGuestI work, workI VixVM_LogoutFromGuestI VixVM_PoweroffI Vix_ReleaseHandleI VixHost_UnregisterVM


Makefile pe Linux

1 CFLAGS = -Wall -g

2 CPPFLAGS = -I/usr/include/vmware-vix

3 LDLIBS = -lvixAllProducts -ldl

4

5 all: powerOn

6

7 powerOn: powerOn.c

8

9 clean:10 -rm -f powerOn powerOn.o *∼


Exemplu C

I Demo din code/

I http://elf.cs.pub.ro/saisp/res/cursuri/curs-07/

vix-C-example.zip


http://elf.cs.pub.ro/saisp/res/cursuri/curs-07/vix-C-example.zip

http://elf.cs.pub.ro/saisp/res/cursuri/curs-07/vix-C-example.zip

Cuvinte cheie

I virtualizare

I interfet, e de gestiune a MV

I API de virtualizare

I OS-level virtualization

I Virtual Private Servers(VPS)

I LXC

I OpenVZ

I template

I container

I cgroups

I rootfs

I bridging

I lxc-start, lxc-create,lxc-stop

I lxc-list, lxc-ps,lxc-cgroup

I lxc-console

I brctl

I virsh

I connection URI

I virsh

I libvirtd

I virConnectPtr,virDomainPtr

I VIX API

I vmware-cmd


Resurse utile

I http://lxc.sourceforge.net/

I http://wiki.debian.org/LXC

I https://help.ubuntu.com/community/LXC

I https://wiki.archlinux.org/index.php/Linux_Containers

I http://en.gentoo-wiki.com/wiki/LXC

I http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt

I http://www.ibm.com/developerworks/linux/library/l-lxc-containers/


http://lxc.sourceforge.net/

http://wiki.debian.org/LXC

https://help.ubuntu.com/community/LXC

https://wiki.archlinux.org/index.php/Linux_Containers

http://en.gentoo-wiki.com/wiki/LXC

http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt

http://www.ibm.com/developerworks/linux/library/l-lxc-containers/

Resurse utile (2)

I http://libvirt.org/

I http://www.ibm.com/developerworks/linux/library/l-libvirt/

I http://www.vmware.com/support/esx21/doc/vmware-cmd.html

I http://www.vmware.com/pdf/vix180_vmrun_command.pdf

I http://www.vmware.com/support/developer/vix-api/

I http://www.vmware.com/support/developer/vix-api/vix18_reference/

I http://www.centos.org/docs/5/html/5.2/Virtualization/

chap-Virtualization-Managing_guests_with_virsh.html

I M. Bolte et al. – Non-intrusive virtualization management using libvirt

I University of Victoria – Creating and Controlling KVM Guests using libvirt


http://libvirt.org/

http://www.ibm.com/developerworks/linux/library/l-libvirt/

http://www.vmware.com/support/esx21/doc/vmware-cmd.html

http://www.vmware.com/pdf/vix180_vmrun_command.pdf

http://www.vmware.com/support/developer/vix-api/

http://www.vmware.com/support/developer/vix-api/vix18_reference/

http://www.centos.org/docs/5/html/5.2/Virtualization/chap-Virtualization-Managing_guests_with_virsh.html

http://www.centos.org/docs/5/html/5.2/Virtualization/chap-Virtualization-Managing_guests_with_virsh.html

Outline

Virtualizare


OpenVZ

LXC

Linux-VServer

API de virtualizare

libvirt

VIX API

Intrebari


Curs 7 - Virtualizarea bazata pe containere · 2017-02-20 · I se bazeaz a pe Linux kernel cgroup...

Documents

Transcript of Curs 7 - Virtualizarea bazata pe containere · 2017-02-20 · I se bazeaz a pe Linux kernel cgroup...