Cgroups and Advanced Linux Container Technology Lab

LXC, Cgroups and Advanced Linux Container Technology Lab

Novell Training Services www.novell.com SUS15 ATT LIVE 2012 LAS VEGAS

Novell, Inc. Copyright 2012-ATT LIVE-1-HARDCOPY PERMITTED. NO OTHER PRINTING, COPYING, OR DISTRIBUTION ALLOWED. Proprietary Statement Disclaimer Copyright © 2012 Novell, Inc. All rights reserved. Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied Novell, Inc., has intellectual property rights relating to technology embodied in warranties of merchantability or fitness for any particular purpose. the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. Further, Novell, Inc., reserves the right to revise this publication and to make patents listed on the Novell Legal Patents Web page changes to its content, at any time, without obligation to notify any person or (http://www.novell.com/company/legal/patents/) and one or more entity of such revisions or changes. Further, Novell, Inc., makes no additional patents or pending patent applications in the U.S. and in other representations or warranties with respect to any software, and specifically countries. disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to No part of this publication may be reproduced, photocopied, stored on a retrieval any and all parts of Novell software, at any time, without any obligation to notify system, or transmitted without the express written consent of the publisher. any person or entity of such changes.

Novell, Inc. Any products or technical information provided under this Agreement may be 404 Wyman Street, Suite 500 subject to U.S. export controls and the trade laws of other countries. You agree to Waltham, MA 02451 comply with all export control regulations and to obtain any required licenses or U.S.A. classification to export, re-export or import deliverables. You agree not to export www.novell.com or re-export to entities on the current U.S. export exclusion lists or to any Novell Trademarks embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological For Novell trademarks, see the Novell Trademark and Service Mark list weaponry end uses. See the Novell International Trade Services Web (http://www.novell.com/company/legal/trademarks/tmlist.html). page (http://www.novell.com/info/exports/) for more information on Third-Party Materials exporting Novell software. Novell assumes no responsibility for your failure to All third-party trademarks are the property of their respective owners. obtain any necessary export approvals. Software Piracy Throughout the world, unauthorized duplication of software is subject to both This Novell Training Manual is published solely to instruct students in the use of criminal and civil penalties. Novell networking software. Although third-party application software packages are used in Novell training courses, this is for demonstration purposes only and If you know of illegal copying of software, contact your local Software shall not constitute an endorsement of any of these software applications. Antipiracy Hotline. For the Hotline number for your area, access Novell’s World Wide Web page (http://www.novell.com) and look for the piracy Further, Novell, Inc. does not represent itself as having any particular expertise page under “Programs.” in these application software packages and any use by students of the same shall Or, contact Novell’s anti-piracy headquarters in the U.S. at 800-PIRATES (747- be done at the student’s own risk. 2837) or 801-861-7101.

Version 1 Copying all or part of this manual, or distributing such copies, is strictly 3 prohibited. To report suspected copying, please call 1-800-PIRATES

4 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1 To report suspected copying, please call 1-800-PIRATES

Section 1 Introduction to Croup

In this section you install and begin using croup tools.

Version 1 Copying all or part of this manual, or distributing such copies, is strictly 5 prohibited. To report suspected copying, please call 1-800-PIRATES

1.1 Use Linux Control Groups In this exercise you install, enable, and use Linux control groups (cgroups).

Objectives: Task I: Install and Enable cgroups

Special Instructions and Notes: (none) Task I: Install and Enable cgroups 1. Log in as the root user 2. Enter the following command to install the cgroups package(s) rpm -q libcgroup1 || zypper in -y libcgroup1 3. Enter the following command to activate cgroups: /etc/init.d/boot.cgroup start 4. Enter the following commands to enable cgroups to start at boot time: chkconfig boot.cgroup on 5. Enter the following command to see that cgroups are enabled: mount You should see several entries with /sys/fs/cgroup/subsystem as the mountpoint.

Task II: Administer cgroups Directly via the File System Note: The use of taskset simplifies the example as it binds the xterm calls to the first core. You could use the cpuset subsystem to achieve the same effect, but that would require additional commands. If you don't bind them to the same core, you don't see the effect in top, as they will probably run on different cores, using all the available cpu time. 1. Open a terminal window and su to the root user account. 2. Create two cgroups by creating directories in the /sys/fs/cgroup/cpu directory: cd /sys/fs/cgroup/cpu mkdir higherload lowerload 3. To view the files that were automatically created in the directories, enter

6 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1 To report suspected copying, please call 1-800-PIRATES

ls higherload 4. Set the values you want to use in the different groups: echo 6 > higherload/cpu.shares echo 4 > lowerload/cpu.shares 5. Start processes and assign them to one of the groups by entering taskset c 0 xterm bg orange & taskset c 0 xterm bg green & This will open two xterm windows with different background colors. 6. In the orange xterm, enter echo $$ > /sys/fs/cgroup/cpu/higherload/tasks This will add the shell running within the xterm to the tasks within the cpu/higherload cgroup. 7. In the green xterm, enter echo $$ > /sys/fs/cgroup/cpu/lowerload/tasks This will add the shell running within the xterm to the tasks within the cpu/lowerload cgroup. 8. In the the terminal window, enter top 9. In each of the xterms, enter md5sum /dev/urandom In the output of top, you should see one md5sum process with 60% CPU load, the other one with 40%. 10. View the content of one of the tasks files by entering cat /sys/fs/cgroup/cpu/higherload/tasks You should see two PIDs - the one that you added using the echo command, and that of the md5sum process that was added to the list automatically because child processes become part of the cgroup of their parent process. 11. In the green xterm window, put the md5sum process in the background and start another one by pressing Ctrl+z and then entering: bg md5sum /dev/urandom 12. Watch the output of top - the two md5sum processes in the lowerload cgroup should now each use 20% of the CPU load. 13. Close the green xterm window and watch the output of top - the remaining md5sum process should now use close to 100% of the CPU load. 14. Close the orange xterm window.

Version 1 Copying all or part of this manual, or distributing such copies, is strictly 7 prohibited. To report suspected copying, please call 1-800-PIRATES

15. Remove the cgroups by entering rmdir /sys/fs/cgroup/cpu/{higher,lower}load

Task III: Administer cgroups via cg* Commands In this task, you will use the cpuset subsystem to pin the processes to one CPU/core instead of the taskset command. 1. Open a terminal window and su to the root user account. 1. Create two cgroups, using the cgcreate command: cgcreate g cpu,cpuset:higherload cgcreate g cpu,cpuset:lowerload This will create subdirectories in the cpu and cpuset subsystem directories. 2. Set the values you want to use, using the the following cgset command: cgset r cpu.shares=6 r cpuset.cpus=0 higherload cgset r cpu.shares=4 r cpuset.cpus=0 lowerload 3. The following is required for cpusets.cpus to work properly (see man cpuset) cgset r cpuset.mems=0 higherload cgset r cpuset.mems=0 lowerload 4. Start processes and assign them to one of the groups, using the following cgexec commands: cgexec g cpu,cpuset:higherload xterm bg orange & cgexec g cpu,cpuset:lowerload xterm bg green & 5. In the the terminal window, enter top 6. In each of the xterms, enter md5sum /dev/urandom In the output of top, you should see one md5sum process with 60% CPU load, the other one with 40%. 7. Close the xterm windows. In the terminal window, enter cgclear to remove all cgroups. (End of Exercise)

8 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1 To report suspected copying, please call 1-800-PIRATES

1.2 Configure /etc/cgconfig.conf In this exercise you configure cgroups so specific groups get created when the system boots. Then you modify a start script so the daemon is assigned to a cgroup upon startup.

Objectives: Task I: Create the /etc/cgconfig.conf File Task II: Modify the /etc/init.d/apache2 File

Special Instructions and Notes: (none) Task I: Create the /etc/cgconfig.conf File 1. Log in as the root user and open a terminal window. 2. Copy the /usr/share/doc/packages/libcgroup1/cgconfig.conf file to /etc: cp /usr/share/doc/packages/libcgroup1/cgconfig.conf /etc 3. Open the /etc/cgconfig.conf file in an editor of your choice, remove the comment characters in front of the group section, and change the GIDs so the content of the file looks similar to the following: group daemons/www { perm { task { uid = root; gid = www; } admin { uid = root; gid = root; } } cpu { cpu.shares = 1000; } }

group daemons/ftp { perm { task { uid = root; gid = ftp;

Version 1 Copying all or part of this manual, or distributing such copies, is strictly 9 prohibited. To report suspected copying, please call 1-800-PIRATES

} admin { uid = root; gid = root; } } cpu { cpu.shares = 500; } } # #mount { # cpu = /mnt/cgroups/cpu; # cpuacct = /mnt/cgroups/cpuacct; #}

4. Start the /etc/init.d/cgconfig script and make sure it is executed when the system boots: /etc/init.d/cgconfig start chkconfig cgconfig on 5. View the entries in /sys/fs/cgroups/cpu/ that were created based on the above configuration, using ls and cat.

Task II: Modify the /etc/init.d/apache2 File In this task, you modify the /etc/init.d/apache2 file so that the Apache processes are automatically assigned to the daemons/www cgroup that you created in Task I. 1. Log in as the root user and open a terminal window. 2. Modify the Apache2 start script to assign the Apache process to the daemons/www cgroup you created in Task I: Search for the line within the start section of the case statement that contains the startproc command and add cgexec g cpu:daemons/www to the line so it looks like the following (in one line): eval cgexec -g cpu:daemons/www startproc -f -t $ {APACHE_START_TIMEOUT:-2} $cmdline

Save the file and close the editor. 3. Start Apache by entering rcapache2 start 4. Check if processes were added to the respective task file, using the following command: cat /sys/fs/cgroup/cpu/daemons/www/tasks

10 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1 To report suspected copying, please call 1-800-PIRATES

You should see a list of PIDs 5. Enter the following command to view the PIDs of the Apache processes ps aux | grep apache Compare the PIDs in the output of ps with those in the tasks file. They should be the same. (End of Exercise)

Version 1 Copying all or part of this manual, or distributing such copies, is strictly 11 prohibited. To report suspected copying, please call 1-800-PIRATES

Section 2 Introduction to LXC

In this section you being using LXC.

12 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1 To report suspected copying, please call 1-800-PIRATES

2.1 Create a Simple LXC Container In this exercise you create a simple LXC container using a template.

Objectives: Task I: Install LXC Task II: Create a Basic Configuration File for the Container Task III: Create the LXC Container Task IV: Enable root Logins to the New Container Task V: Test the New Container

Special Instructions and Notes: A network bridge name br0 must exist before performing this exercise Task I: Install LXC 1. As the root user, use zypper to search for the "lxc" package to install: zypper se lxc You should see the "lxc" package available. 2. Assuming it is not installed, use zypper to install the "lxc" package: zypper in lxc

Task II: Create a Basic Configuration File for the Container To create an LXC container you must have a basic configuration file that defines the network configuration for the container. 1. As the root user, in the text editor of your choice, create and open the /root/basic- sles.conf file to be edited 2. Add the following lines to the file: lxc.network.type=veth lxc.network.link=br0 lxc.network.flags=up 3. Save the file and close the text editor

Task III: Create the LXC Container Before starting a container the container must be created. This can be done by running the lxc-create command and referencing a template. the template will create everything required for the container: config file, rootfs, etc.

Version 1 Copying all or part of this manual, or distributing such copies, is strictly 13 prohibited. To report suspected copying, please call 1-800-PIRATES

1. As the root user, enter the following command to create the LXC container: lxc-create -n basic-sles -f /root/basic-sles.conf -t sles When the command is finished running you should have a new container named basic-sles in /var/lib/lxc/ 2. Enter the following command to see that the container was created: lxc-ls The command should show a list of the existing container which in this case is only basic-sles 3. Enter the following command to see the current state of the new container: lxc-info basic-sles The command should show that the container is state is STOPPED

Task IV: Enable root Logins to the New Container The basic SLES container needs to have the root password set and the console added to the securetty file so that the root user can log in to the container. 1. To set the root password in the new container, enter the following commands: chroot /var/lib/lxc/basic-sles/rootfs passwd root (enter password: linux) exit 2. To allow the root user to log into the new container, In the text editor of your choice, open the /var/lib/lxc/basic-sles/rootfs/etc/securetty file to be edited 3. Add the following line to the end of the file: console Save the file and close the text editor

Task V: Test the New Container 1. Enter the following commands to ensure that the network bridge named br0 is up and running: brctl show ip link show dev br0 You should see that the br0 bridge is created and up Note: If br0 doesn't exist, enter the following commands to create it and bring it up: brctl addbr br0

14 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1 To report suspected copying, please call 1-800-PIRATES

ip link set up dev br0 Re-run the brctl show and ip link show commands to verify it worked

2. Enter the following command to start the new container: lxc-start -n basic-sles You should see the boot messages while the container starts and then be placed at a login prompt 3. Log into the container with the following credentials: Username: root Password: linux You should be at shell prompt as root in the new container 4. In another terminal window, enter the following command to see the current state of the new container: lxc-info -n basic-sles You should see that the container's state is RUNNING 5. Close the terminal window that you launched and are currently logged into the container in 6. Enter the followng to view the current state of the container: lxc-info -n basic-sles You should see that the container is still running even though you close the terminal that launched it 7. Open another terminal window and enter the following command to connect to the console of the running container: lxc-console -n basic-sles You should be at a login prompt of the container 8. In another terminal window, enter the following command to shutdown the container: lxc-stop -n basic-sles 9. Enter the following command to see the current state of the container: lxc-info -n basic-sles You should see that the current state of the container is now STOPPED

(End of Exercise)

Version 1 Copying all or part of this manual, or distributing such copies, is strictly 15 prohibited. To report suspected copying, please call 1-800-PIRATES

2.2 Mirror a System in LXC In this exercise you using the lxc-jailbird.sh script to mirror an existing systrem into and LXC conainter.

Objectives: Task I: Title Task II: Title Task III: Title

Special Instructrisions and Notes: You will need to obain the lxc-jailbird.sh script from the instructor. The script may already have been added to your virtual machine environment: check /root/bin to see if is there. Task I: Prepare the lxc-jailbird.sh Script In this task you prepare the script for execution. 1. After you have located the lxc-jailbird.sh script, copy it to /root/bin. 2. Make its permissions executable.

Task II: Prepare an LXC Container using the lxc-jailbird.sh script

1. Using a name of your own chosing, create a container with lxc-jailbird.sh: cd /var/lib/lxc lxc-jailbird.sh YOURNAMEHERE

• field1: value

• field2: value 2. Start the script using the methods you learned from previous labs and explore the container you created. 3. Stop your container and sync the elements necessary for a full system. 4. This will likely take some trial and error but the instructor has additional tools to do this if you would like some help.

16 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1 To report suspected copying, please call 1-800-PIRATES

After completion of this exercise you will have created, stopped, started,and explored LXC containers.

(End of Exercise)

Version 1 Copying all or part of this manual, or distributing such copies, is strictly 17 prohibited. To report suspected copying, please call 1-800-PIRATES

18 Copying all or part of this manual, or distributing such copies, is strictly prohibited. Version 1 To report suspected copying, please call 1-800-PIRATES