{"id":6260,"date":"2019-02-19T09:45:46","date_gmt":"2019-02-19T15:45:46","guid":{"rendered":"https:\/\/www.poweradmin.com\/blog\/?p=6260"},"modified":"2019-02-19T14:55:04","modified_gmt":"2019-02-19T20:55:04","slug":"best-practices-for-configuring-linux-containers","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/best-practices-for-configuring-linux-containers\/","title":{"rendered":"Best Practices for Configuring Linux Containers"},"content":{"rendered":"

By Des Nnochiri<\/span><\/strong><\/span><\/p>\n

\u00a0<\/p>\n

Within a Linux network or development system, launching a limited set of applications or services (often known as microservices) in a self-sustaining container or sandboxed environment is sometimes necessary. A container enables administrators to decouple a specific set of software applications from the operating system and have them run within a clean, minimal, and isolated Linux environment of their own. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

All the files required to run a Linux container are sourced from a distinct image, so Linux containers remain portable and consistent as they move from development, through to testing, and ultimately to production. The contents of a container image can be thought of as an isolated installation of a Linux distribution\u2014complete with RPM packages, configuration files, libraries, dependencies, and so on. Maintaining this isolation is a critical part of preserving the integrity of each container. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/p>\n

(Image Source: Linux Journal<\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Ensuring Isolation<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

Processes running within a properly-configured container are prevented from monitoring or affecting processes running in another. If isolation is properly maintained, then containerized services should also not influence or disturb the host machine.\u00a0 <\/span><\/span><\/p>\n

\u00a0<\/span><\/p>\n

Control groups, or cgroups, are a Linux kernel feature that controls and limits the resource usage for a process or for groups of processes. The cgroups feature makes use of an initialization system known as systemd, which sets up the user space and manages the isolated processes.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Kernel namespaces allow a variety of identities to be virtualized within the Linux kernel, including process IDs, network names, and user namespaces\u2014which ensure that users and groups enjoying privileges for certain operations inside the container can be denied those rights outside the container.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Laying the Groundwork for Container Creation<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

Before configuring the Linux environment, you\u2019ll need to verify that the current user has both a uid and gid entry defined in \/etc\/subuid and \/etc\/subgid. Writing for Linux Journal<\/a>,<\/u> Petros Koutoupis<\/span><\/span> offers the following example (together with the screenshots and other syntax instances quoted in this article):<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ cat \/etc\/subuid<\/span><\/p>\n

petros:100000:65536<\/span><\/p>\n

$ cat \/etc\/subgid<\/span><\/p>\n

petros:100000:65536<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Configuring the Linux Environment for Containers<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

if it doesn\u2019t already exist, you\u2019ll need to create the ~\/.config\/lxc directory, then copy the configuration file \/etc\/lxc\/default.conf to ~\/.config\/lxc\/default.conf. The following:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

lxc.id_map = u 0 100000 65536<\/span><\/p>\n

lxc.id_map = g 0 100000 65536<\/span><\/p>\n

\u00a0<\/span><\/p>\n

should be added to the end of the file, which will be of the form:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ cat ~\/.config\/lxc\/default.conf<\/span><\/p>\n

lxc.network.type = veth<\/span><\/p>\n

lxc.network.link = lxcbr0<\/span><\/p>\n

lxc.network.flags = up<\/span><\/p>\n

lxc.network.hwaddr = 00:16:3e:xx:xx:xx<\/span><\/p>\n

lxc.id_map = u 0 100000 65536<\/span><\/p>\n

lxc.id_map = g 0 100000 65536<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Replace the first column of the \/etc\/lxc\/lxc-usernet file with your user name (e.g., petros veth lxcbr0 10). Then either reboot the node or log the user out and then back in.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

To verify that the veth networking driver is currently loaded, type the following:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ lsmod|grep veth<\/span><\/p>\n

veth\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>16384\u00a0 <\/span>0<\/span><\/p>\n

\u00a0<\/span><\/p>\n

If the driver has not been loaded yet, use:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo modprobe veth<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Managing Containers with the LXC Utilities <\/span><\/h2>\n

\u00a0<\/span><\/p>\n

The Linux Containers project (LXC) provides tools, templates, libraries, and language bindings to improve the user experience when downloading, running, and managing containers. The LXC utilities employ a simple command line, but in order to use them, you need to install them first.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Before the installation on Red Hat Linux or CentOS, you\u2019ll first have to install the EPEL repositories. Distributions like Ubuntu or Debian will complete the LXC installation simply through typing:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo apt-get install lxc<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Downloading a Container<\/span><\/h2>\n

\u00a0<\/span><\/span><\/p>\n

The following command may be used to download a container image named \u201cexample-container\u201d:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo lxc-create -t download -n example-container<\/span><\/p>\n

\u00a0<\/span><\/p>\n

The LXC utilities will display three prompts, inviting you to choose the container\u2019s Linux distribution, release, and architecture. For example:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Distribution: ubuntu<\/span><\/p>\n

Release: xenial<\/span><\/p>\n

Architecture: amd64<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Once you press Enter, the rootfs of the selected container will be downloaded locally and configured.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Starting a Container<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

To start the container, type:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo lxc-start -n example-container -d<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Using the -d option d\u00e6monizes the container and sets it to run in the background. The foreground option (where you can observer the container\u2019s boot process and be prompted to log in) may be denoted by the -F qualifier. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Troubleshooting Tips<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

The screenshot below illustrates the kind of syntax you can use to deploy the LXC utilities troubleshooting tools, if any glitches are encountered; for example, if a container fails to initiate properly:<\/span><\/p>\n

\u00a0<\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/span><\/p>\n

(Image Source: Linux Journal<\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

There\u2019s a diagnostic facility which allows you to check the current status of a given container:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/p>\n

(Image Source: Linux Journal<\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/span><\/p>\n

You can also do this from the command line by typing the following, which lists all of the installed containers:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo lxc-ls -f<\/span><\/p>\n

NAME\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>STATE\u00a0\u00a0 <\/span>AUTOSTART GROUPS IPV4\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>IPV6<\/span><\/p>\n

example-container RUNNING 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>\u2013\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>10.0.3.28 \u2013<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Assigning Access Rights<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

The password command enables administrators to attach directly to the currently running container, create a list of authorized users, and assign or change their relevant passwords.<\/span><\/p>\n

\u00a0<\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/span><\/p>\n

(Image Source: Linux Journal<\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Oversight for administrators is also available on the host system (rather than from within a container itself), via the following syntax which may be used to observe which LXC processes have been initiated and are running after a container has been launched:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/p>\n

(Image Source: Linux Journal<\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Stopping a Container<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

From the host machine, type:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo lxc-stop -n example-container<\/span><\/p>\n

\u00a0<\/span><\/p>\n

You can then verify the status of the stopped container, using:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo lxc-ls -f<\/span><\/p>\n

NAME\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>STATE\u00a0\u00a0 <\/span>AUTOSTART GROUPS IPV4 IPV6<\/span><\/p>\n

example-container STOPPED 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>\u2013\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>\u2013\u00a0\u00a0\u00a0 <\/span>\u2013<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo lxc-info -n example-container<\/span><\/p>\n

Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>example-container<\/span><\/p>\n

State:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>STOPPED<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Destroying a Container<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

Like any virtual environment, a container may be discarded once it has served its purpose. From the host system, type:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo lxc-destroy -n example-container<\/span><\/p>\n

(The confirmation dialog will read: Destroyed container example-container)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

The following command will verify that the selected container has actually been destroyed:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo lxc-info -n example-container<\/span><\/p>\n

(example-container doesn\u2019t exist)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Note that a container has to be stopped before it can be destroyed.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Advanced Configuration Options<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

The LXC utilities enable an administrator to modify a container\u2019s configuration file (located in \/var\/lib\/lxc), if it\u2019s necessary to configure one or more containers to take on a number of different tasks. This syntax will give access to the relevant configuration file:<\/span><\/p>\n

\u00a0<\/span><\/p>\n

$ sudo su<\/span><\/p>\n

# cd \/var\/lib\/lxc<\/span><\/p>\n

# ls<\/span><\/p>\n

example-container <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Balancing Privileged and Unprivileged Containers<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

Unprivileged containers run with a mapping of the container\u2019s root UID to a non-root UID on the host system. This adds a layer of security which makes it harder for an attacker to compromise the container and gain root privileges to the underlying host machine.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Privileged containers don\u2019t provide this level of segregation from the host and can potentially leave a system vulnerable. So it\u2019s a good idea to minimize their use as much as possible.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Choosing Between LXC and Docker<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

We\u2019ve spoken a lot about the LXC utilities, which are the \u201cnative\u201d Linux solution for container management<\/a><\/span>. But a proprietary management system known as Docker also exists, which has been licensed by Apache as an open-source containerization solution for automating the tasks of creating and deploying micro-services inside containers. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Docker uses the kernel cgroup subsystem and takes an image-based approach in treating containers like extremely lightweight and modular virtual machines. Portability and rapid deployment are its main strengths, enhanced by the ability to easily roll back an image layer to its previous version.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

However, Docker restricts containers to run as a single process and doesn\u2019t support persistent storage. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Ultimately, the choice of which container management option (or combination of tools) to use will be determined by the operational and administrative demands of your Linux environment.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

By Des Nnochiri \u00a0 Within a Linux network or development system, launching a limited set of applications or services (often known as microservices) in a self-sustaining container or sandboxed environment is sometimes necessary. A container enables administrators to decouple a specific set of software applications from the operating system and have them run within a […]<\/p>\n","protected":false},"author":15,"featured_media":6295,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5,447,9],"tags":[192,464,291,465,458,450,456,457,463,468,455,398,421,451,448,454,459,420,461,449,188,466,452,453,460,64,462,467],"class_list":["post-6260","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-it","category-how-to","category-linux","category-technical","tag-access","tag-access-rights","tag-authorization","tag-authorized-users","tag-cgroups","tag-container","tag-container-isolation","tag-control-groups","tag-debian","tag-docker","tag-isolation","tag-linux","tag-linux-configuration","tag-linux-containers","tag-linux-development-system","tag-linux-isolation","tag-linux-kernel","tag-linux-network","tag-lxc","tag-microservice","tag-network","tag-privileged-containers","tag-rpm","tag-rpm-package","tag-systemd","tag-troubleshooting","tag-ubuntu","tag-unprivileged-containers"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/6260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=6260"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/6260\/revisions"}],"predecessor-version":[{"id":6279,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/6260\/revisions\/6279"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/6295"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=6260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=6260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=6260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}