Difference between revisions of "LXC"
Jump to navigation
Jump to search
(crtools -> criu) |
|||
| Line 59: | Line 59: | ||
=== Preparations === | === Preparations === | ||
| − | You not only need to [[Installation | install]] the | + | You not only need to [[Installation | install]] the criu, but also check that the iproute2 utility (<code>ip</code>) is v3.6.0 or higher. |
| − | You can clone the [http://git.kernel.org/?p=linux/kernel/git/shemminger/iproute2.git;a=summary git repo] or download the [http://kernel.org/pub/linux/utils/net/iproute2/ tarball] to compile it manually. In order to tell to | + | You can clone the [http://git.kernel.org/?p=linux/kernel/git/shemminger/iproute2.git;a=summary git repo] or download the [http://kernel.org/pub/linux/utils/net/iproute2/ tarball] to compile it manually. In order to tell to criu where the proper ip tool is set the <code>CR_IP_TOOL</code> environment variable. |
=== Dump and restore === | === Dump and restore === | ||
Dumping and restoring an LXC contianer means -- dumping a subtree of processes starting from container init plus all kinds of namespaces. | Dumping and restoring an LXC contianer means -- dumping a subtree of processes starting from container init plus all kinds of namespaces. | ||
| − | Restoring is symmetrical. The way LXC container works imposes some more requirements on | + | Restoring is symmetrical. The way LXC container works imposes some more requirements on criu usage. |
* In order to properly isolate container from unwanted networking communication during checkpoint/restore you should provide a script for locking/unlocking the container network (see below) | * In order to properly isolate container from unwanted networking communication during checkpoint/restore you should provide a script for locking/unlocking the container network (see below) | ||
| Line 73: | Line 73: | ||
Typically a container dump command will look like | Typically a container dump command will look like | ||
<pre> | <pre> | ||
| − | + | criu dump | |
--tcp-established # allow for TCP connections dump | --tcp-established # allow for TCP connections dump | ||
-n net -n mnt -n ipc -n pid # dump all the namespaces container uses | -n net -n mnt -n ipc -n pid # dump all the namespaces container uses | ||
| Line 82: | Line 82: | ||
and restore command like | and restore command like | ||
<pre> | <pre> | ||
| − | + | criu restore | |
--tcp-established | --tcp-established | ||
-n net -n mnt -n ipc -n pid | -n net -n mnt -n ipc -n pid | ||
| Line 92: | Line 92: | ||
</pre> | </pre> | ||
| − | We also find it useful to use the <code>--restore-detached</code> option for restore to make contianer reparent to init rather than hanging on a | + | We also find it useful to use the <code>--restore-detached</code> option for restore to make contianer reparent to init rather than hanging on a criu process launched from shell. Another useful option is the <code>--pidfile</code> one -- you will be able to find out the host-side pid of a container init after restore. |
Also note, that there's a BUG in how LXC prepares the /dev filesystem for a container which sometimes makes it impossible to dump and container. The <code>--evasive-devices</code> option can help. | Also note, that there's a BUG in how LXC prepares the /dev filesystem for a container which sometimes makes it impossible to dump and container. The <code>--evasive-devices</code> option can help. | ||
| Line 99: | Line 99: | ||
=== Example === | === Example === | ||
| − | We have [http://git.criu.org/?p=crtools.git;a=tree;f=test/app-emu/lxc;hb=HEAD an application test] for dumping/restoring an LXC Container. You may look at it for better understanding how to dump and restore your container with | + | We have [http://git.criu.org/?p=crtools.git;a=tree;f=test/app-emu/lxc;hb=HEAD an application test] for dumping/restoring an LXC Container. You may look at it for better understanding how to dump and restore your container with criu. |
This test contains two scripts: | This test contains two scripts: | ||
;[http://git.criu.org/?p=crtools.git;a=blob;f=test/app-emu/lxc/run.sh;hb=HEAD run.sh] | ;[http://git.criu.org/?p=crtools.git;a=blob;f=test/app-emu/lxc/run.sh;hb=HEAD run.sh] | ||
| − | :This is the main script, which executes '' | + | :This is the main script, which executes ''criu'' two times for dumping and restoring CT. It contains a working commands for dumping and restoring a container. |
;[http://git.criu.org/?p=crtools.git;a=blob;f=test/app-emu/lxc/network-script.sh;hb=HEAD network-script.sh] | ;[http://git.criu.org/?p=crtools.git;a=blob;f=test/app-emu/lxc/network-script.sh;hb=HEAD network-script.sh] | ||
Revision as of 16:50, 30 April 2013
This article describes how to perform checkpoint-restore for an LXC container.
Preparing a Linux Container
Requirements
- A console should be disabled (
lxc.console = none) - udev should not run inside containers (
mv /sbin/udevd{,.bcp})
Preparing a host environment
- Mount cgroupfs
$ mount -t cgroup c /cgroup
- Create a network bridge
# cat /etc/sysconfig/network-scripts/ifcfg-br0 DEVICE=br0 TYPE=Bridge BOOTPROTO=dhcp ONBOOT=yes DELAY=5 NM_CONTROLLED=n $ cat /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE="eth0" NM_CONTROLLED="no" ONBOOT="yes" BRIDGE=br0
Create and start a container
- Download an OpenVZ template and extract it.
curl http://download.openvz.org/template/precreated/centos-6-x86_64.tar.gz | tar -xz -C test-lxc
- Create config files
$ cat ~/test-lxc.conf lxc.console=none lxc.utsname = test-lxc lxc.network.type = veth lxc.network.flags = up lxc.network.link = br0 lxc.network.name = eth0 lxc.mount = /root/test-lxc/etc/fstab lxc.rootfs = /root/test-lxc-root/
$ cat /root/test-lxc/etc/fstab none /root/test-lxc-root/dev/pts devpts defaults 0 0 none /root/test-lxc-root/proc proc defaults 0 0 none /root/test-lxc-root/sys sysfs defaults 0 0 none /root/test-lxc-root/dev/shm tmpfs defaults 0 0
- Register the container
$ lxc-create -n test-lxc -f test-lxc.conf
- Start the container
$ mount --bind test-lxc test-lxc-root/ $ lxc-start -n test-lxc
Checkpoint and restore an LXC Container
Preparations
You not only need to install the criu, but also check that the iproute2 utility (ip) is v3.6.0 or higher.
You can clone the git repo or download the tarball to compile it manually. In order to tell to criu where the proper ip tool is set the CR_IP_TOOL environment variable.
Dump and restore
Dumping and restoring an LXC contianer means -- dumping a subtree of processes starting from container init plus all kinds of namespaces. Restoring is symmetrical. The way LXC container works imposes some more requirements on criu usage.
- In order to properly isolate container from unwanted networking communication during checkpoint/restore you should provide a script for locking/unlocking the container network (see below)
- When restoring a container with veth device you may specify a name for the host-side veth device
- In order to checkpoint and restore alive TCP connections you should use the
--tcp-establishedoption
Typically a container dump command will look like
criu dump
--tcp-established # allow for TCP connections dump
-n net -n mnt -n ipc -n pid # dump all the namespaces container uses
--action-script "net-script.sh" # use net-script.sh to lock/unlock networking
-D dump/ -o dump.log # set images dir to dump/ and put logs into dump.log file
-t ${init-pid} # start dumping from task ${init-pid}. It should be container's init
and restore command like
criu restore
--tcp-established
-n net -n mnt -n ipc -n pid
--action-script "net-script.sh"
--veth-pair eth0=${veth-name} # when restoring a veth link use ${veth-name} for host-side device end
--root ${path} # path to container root. It should be a root of a (bind)mount
-D data/ -o restore.log
-t ${init-pid}
We also find it useful to use the --restore-detached option for restore to make contianer reparent to init rather than hanging on a criu process launched from shell. Another useful option is the --pidfile one -- you will be able to find out the host-side pid of a container init after restore.
Also note, that there's a BUG in how LXC prepares the /dev filesystem for a container which sometimes makes it impossible to dump and container. The --evasive-devices option can help.
More details on the option mentioned can be found in Usage and Advanced usage pages.
Example
We have an application test for dumping/restoring an LXC Container. You may look at it for better understanding how to dump and restore your container with criu.
This test contains two scripts:
- run.sh
- This is the main script, which executes criu two times for dumping and restoring CT. It contains a working commands for dumping and restoring a container.
- network-script.sh
- This one is used to lock and unlock CT's network as described above.