Nested lxc

One of the core features of cgmanager is to easily, safely, and transparently support the cgroup requirements of container nesting. Processes can administer cgroups exactly the same way whether inside a container or not. This also makes nested lxc very easy.

To create a container in which you can use cgroups, first create a container as usual (note, do this on an Ubuntu 14.04 system, unless you have enabled all the pieces you need – which I am not covering here):

sudo lxc-create -t download -n t1 -- -d ubuntu -r trusty -a amd64

Now, to have lxc bind the cgmanager socket into the container, append the cgroup auto-mount setting to its config:

echo "lxc.mount.auto = cgroup" | sudo tee -a /var/lib/lxc/t1/config

If you also want to be able to start nested containers, then you need to use an apparmor profile which allows lxc mounting:

echo "lxc.aa_profile = lxc-container-default-with-nesting" | \
	sudo tee -a /var/lib/lxc/t1/config

Now, simply start the container:

sudo lxc-start -n t1
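The two config edits above are plain appends, which means running the setup twice leaves duplicate lines in /var/lib/lxc/t1/config. The script below is an added example (not code from the post or from lxc/cgmanager) that makes the same two edits only when they are not already present; the SUDO variable and the function names set_lxc_key, enable_cgroup_nesting and count_key are assumptions of this example, not anything lxc provides.

```shell
#!/bin/sh
# Added example (not from the original post): append the two config lines the
# post adds, but only once, so re-running the setup never duplicates them.
# SUDO is an assumed variable: set SUDO=sudo when editing /var/lib/lxc/<name>/config
# as an unprivileged user; leave it empty when already root (or in a test).
SUDO="${SUDO:-}"

# set_lxc_key CONFIG KEY VALUE
# Append "KEY = VALUE" to CONFIG unless that exact line is already there.
# The line is piped through tee -a instead of using ">>" so that, with SUDO=sudo,
# the privileged process is the one opening the file for append (a plain
# "sudo echo ... >> file" would have the unprivileged shell do the redirection).
set_lxc_key() {
    _config="$1"; _key="$2"; _value="$3"
    if grep -qxF "$_key = $_value" "$_config" 2>/dev/null; then
        return 0          # already configured; nothing to do
    fi
    printf '%s = %s\n' "$_key" "$_value" | $SUDO tee -a "$_config" >/dev/null
}

# enable_cgroup_nesting CONFIG [nesting]
# Always bind the cgmanager socket (lxc.mount.auto = cgroup); with the optional
# second argument "nesting", also switch to the apparmor profile that permits
# lxc mounting inside the container.
enable_cgroup_nesting() {
    set_lxc_key "$1" "lxc.mount.auto" "cgroup"
    if [ "${2:-}" = "nesting" ]; then
        set_lxc_key "$1" "lxc.aa_profile" "lxc-container-default-with-nesting"
    fi
}

# count_key CONFIG KEY
# Number of lines in CONFIG that set KEY; a quick check for duplicates.
count_key() {
    grep -c "^$2[[:space:]]*=" "$1" 2>/dev/null || true
}

# Typical use, as in the post (run from the host after lxc-create):
#   SUDO=sudo enable_cgroup_nesting /var/lib/lxc/t1/config nesting
```

Because the append goes through tee rather than a shell redirection, the same function works unchanged whether it is run as root or under sudo; with a bare `>>` the unprivileged shell would be the one trying to open the root-owned config file.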

Inside the container you can run the cgmanager test suite,

sudo apt-get -y install cgmanager-tests
cd /usr/share/cgmanager/tests
sudo ./runtests.sh

and use the cgm program to interact with cgmanager:

cgm ping
sudo cgm create all compile
sudo cgm chown all compile 1000 1000
cgm movepid all compile $$
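After the `cgm movepid all compile $$` step, the kernel's own record in /proc/self/cgroup is the place to confirm that the shell really landed in the compile cgroup for every controller. The functions below are an added example (not code from the post or from cgmanager) that parse that file and report any controller left behind; the sample dump is constructed, and the names cgroup_path, controllers_not_in and check_moved are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that "cgm movepid all
# compile $$" moved the shell into the "compile" cgroup for every controller,
# by reading the kernel's record in /proc/self/cgroup.
# Lines there look like "id:controller[,controller]:path".

# A constructed /proc/self/cgroup dump for the checks below: three controllers
# were moved, "devices" was not (assumed data, not captured from a real system).
SAMPLE_PROC_CGROUP='11:memory:/compile
10:cpu,cpuacct:/compile
9:devices:/
1:name=systemd:/compile'

# cgroup_path CONTROLLER  (reads a /proc/<pid>/cgroup dump on stdin)
# Prints the cgroup path recorded for CONTROLLER, or nothing if it is absent.
cgroup_path() {
    awk -F: -v c="$1" '
        { n = split($2, cs, ",")
          for (i = 1; i <= n; i++) if (cs[i] == c) { print $3; exit } }'
}

# controllers_not_in LEAF  (reads a /proc/<pid>/cgroup dump on stdin)
# Prints, one per line, every controller whose path does not end in /LEAF.
# Matching on the last path component matters inside a container: without
# cgroup namespaces the kernel shows the full host path (e.g. /lxc/t1/compile),
# while cgmanager lets the container address that same cgroup as just "compile".
# LEAF is used as a regular expression, so keep it to plain cgroup names.
controllers_not_in() {
    awk -F: -v leaf="$1" '
        $3 !~ ("/" leaf "$") {
            n = split($2, cs, ",")
            for (i = 1; i <= n; i++) print cs[i] }'
}

# check_moved LEAF : return 0 when every controller is in LEAF, 1 otherwise,
# listing the stragglers on stderr.
# Live use after the movepid:  check_moved compile < /proc/self/cgroup
check_moved() {
    missing=$(controllers_not_in "$1")
    if [ -n "$missing" ]; then
        printf 'not in %s: %s\n' "$1" "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}
```

A controller that is still at "/" after the move is worth noticing: the process is then unconfined by that controller even though the create and chown succeeded, which is exactly the kind of partial state the testsuite above is meant to catch.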

If you changed the aa_profile to permit nesting, then you can simply create and use containers inside the t1 container.

What I showed here is using privileged (root-owned) containers. In this case, the lxc-container-default-with-nesting profile is actually far less safe than the default profile. However, when using unprivileged containers (https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/) for at least the first layer, nesting works the exact same way, and the profile safety difference becomes moot.


4 Responses to Nested lxc

  1. Kevin Wilson says:

    Just a little query:
    Can there be a case where there is a difference between:
    echo "lxc.mount.auto = cgroup" | sudo tee -a /var/lib/lxc/t1/config
    and
    echo "lxc.mount.auto = cgroup" >> /var/lib/lxc/t1/config

  2. Kevin Wilson says:

    I didn't think about it....
    Now seriously:
    How about sudo echo "lxc.mount.auto = cgroup" >> /var/lib/lxc/t1/config
    Is there any difference between this command and the command you are using?

    • s3hh says:

      Yes. When you type 'sudo echo whatever >> somefile', the '>>' is interpreted by your unprivileged shell, not by sudo. Your unprivileged shell doesn't have the rights to append to /var/lib/lxc/t1/config.
