FT2000+/64 LXC 容器虚拟化系统解决方案 （V1.0） 天津飞腾信息技术有限公司 二零一九年八月 更新记录 版本号 发布部门 作者 发布日期 备注 1.0 飞腾软件技术方案部 2 谢明 2019-08-12 初稿 版权所有© 天津飞腾信息技术有限公司 2019。保留一切权利。 注意 天津飞腾信息技术有限公司对其发行的或与合作公司共同发行的包括但不限于产品的全部内容及材料所 拥有版权等知识产权，受法律保护。非经本公司书面许可，任何单位及个人不得擅自摘抄、复制本文档 内容的部分或全部，并不得以任何形式传播。 免责声明 我们仅仅提供技术上的咨询，对利用文档搭建环境所从事的研发活动没有技术支持责任，对相关研发成 果没有连带责任。 目 录 1 编写目的 ........................................................................................................................................ 2 2 LXC 容器 ........................................................................................................................................ 2 3 LXC 容器的搭建 ........................................................................................................................... 2 3.1 内核编译选项 ......................................................................................................................... 2 3.2 联网安装 lxc ............................................................................................................................ 7 3.3 创建 lxc 容器 ........................................................................................................................... 9 3.4 启动容器 ............................................................................................................................... 10 3.5 停止容器 ............................................................................................................................... 10 3.6 lxc 常用命令 ........................................................................................................................... 10 1 1 编写目的 本文主要记录了 lxc 容器相关概念的介绍，lxc 容器的搭建，lxc 容器所需要的内核选项，相关的配置 等。下面所有验证和实验都是在飞腾 2000+/64 平台上完成的，后续更新的版本中我们会继续完善相关的 功能和测试。 2 LXC 容器 LXC 为 Linux Container 的简写。可以提供轻量级的虚拟化，以便隔离进程和资源，而且不需要提供指令解释机 制以及全虚拟化的其他复杂性。容器有效地将由单个操作系统管理的资源划分到孤立的组中，以更好地在孤立的组 之间平衡有冲突的资源使用需求。下图是 KVM 虚拟机和容器之间的区别： KVM Container APP Guest OS Hypervisor APP Host OS Host OS 可以看出来，容器中的的程序是直接运行在 Host OS 上，省去了 Guest OS 和 hypervisor 层，所以效 率大大提高。与传统虚拟化技术相比，它的优势在于： 1）与宿主机使用同一个内核，性能损耗小； 2）不需要指令级模拟； 3）不需要即时(Just-in-time)编译； 4）容器可以在 CPU 核心的本地运行指令，不需要任何专门的解释机制； 5）避免了准虚拟化和系统调用替换中的复杂性； 6）轻量级隔离，在隔离的同时还提供共享机制，以实现容器与宿主机的资源共享。 3 LXC 容器的搭建 3.1 内核编译选项 内核版本 v4.19.1，为了使系统支持 LXC，内核必须选上如下选项。 General setup ---> <*> Kernel .config support [*] Enable access to .config through /proc/config.gz Kernel Performance Events And Counters ─> [*] Kernel performance events and counters [*] Control Group support ---> [*] Memory controller 2 [*] IO controller [*] CPU controller ---> [*] PIDs controller [*] RDMA controller [*] Freezer controller [*] Cpuset controller [*] Include legacy /proc/<pid>/cpuset file [*] Device controller [*] Simple CPU accounting controller [*] Perf controller [*] Namespaces support ---> [*] UTS namespace [*] IPC namespace [*] User namespace [*] PID Namespaces [*] Network namespace [*] Checkpoint/restore support [*] Networking support ---> --- Networking support Networking options ---> <M> Packet socket <M> Packet: sockets monitoring interface <M> Unix domain sockets <M> UNIX: socket monitoring interface <M> Transformation user configuration interface <M> PF_KEY sockets [*] TCP/IP networking [*] IP: kernel level autoconfiguration [*] IP: DHCP support [*] IP: BOOTP support [*] IP: RARP support -*- IP: TCP syncookie support <M> Virtual (secure) IP: tunneling <M> IP: IPsec transport mode <M> IP: IPsec tunnel mode <M> IP: IPsec BEET mode <M> INET: socket monitoring interface <M> UDP: socket monitoring interface [*] TCP: advanced congestion control ---> <M> Binary Increase Congestion (BIC) control <*> CUBIC TCP <M> TCP Westwood+ <M> H-TCP <M> The IPv6 protocol ---> 3 <M> IPv6: IPsec transport mode <M> IPv6: IPsec tunnel mode <M> IPv6: IPsec BEET mode <M> IPv6: IPv6-in-IPv4 tunnel (SIT driver) [*] Network packet filtering framework (Netfilter) ---> [*] Advanced netfilter configuration <M> Bridged IP/ARP packets filtering Core Netfilter Configuration ---> [*] Netfilter ingress support {M} Netfilter NFACCT over NFNETLINK interface {M} Netfilter NFQUEUE over NFNETLINK interface {M} Netfilter LOG over NFNETLINK interface {M} Netfilter OSF over NFNETLINK interface <M> Netfilter connection tracking support -*- Connection mark tracking support [*] Connection tracking zones [*] Supply CT list in procfs (OBSOLETE) [*] Connection tracking events [*] Connection tracking timeout [*] Connection tracking timestamping -*- Connection tracking labels [*] DCCP protocol connection tracking support [*] SCTP protocol connection tracking support [*] UDP-Lite protocol connection tracking support <M> Amanda backup protocol support <M> FTP protocol support <M> H.323 protocol support <M> IRC protocol support <M> NetBIOS name service protocol support <M> SNMP service protocol support <M> PPtP protocol support <M> SANE protocol support <M> SIP protocol support <M> TFTP protocol support <M> Connection tracking netlink interface <M> Connection tracking timeout tuning via Netlink <M> Connection tracking helpers in user-space via Netlink [*] NFQUEUE and NFLOG integration with Connection Tracking <M> Netfilter nf_tables support <M> Netfilter nf_tables set infrastructure [*] Netfilter nf_tables mixed IPv4/IPv6 tables support [*] Netfilter nf_tables netdev tables support <M> Netfilter nf_tables number generator module <M> Netfilter nf_tables conntrack module 4 <M> Netfilter nf_tables counter module <M> Netfilter nf_tables connlimit module <M> Netfilter nf_tables log module <M> Netfilter nf_tables limit module <M> Netfilter nf_tables masquerade support <M> Netfilter nf_tables redirect support <M> Netfilter nf_tables nat module <M> Netfilter nf_tables tunnel module <M> Netfilter nf_tables stateful object reference module <M> Netfilter nf_tables queue module <M> Netfilter nf_tables quota module <M> Netfilter nf_tables reject support <M> Netfilter nf_tables hash module <M> Netfilter nf_tables socket match support <M> Netfilter nf_tables passive OS fingerprint support <M> Netfilter nf_tables tproxy support -M- Netfilter packet duplication support <M> Netfilter nf_tables netdev packet duplication support <M> Netfilter flow table mixed IPv4/IPv6 module <M> Netfilter flow table module {M} Netfilter Xtables support (required for ip_tables) *** Xtables combined modules *** -M- nfmark target and match support -M- ctmark target and match support <M> set target and match support *** Xtables targets *** <M> AUDIT target support <M> CHECKSUM target support <M> "CLASSIFY" target support <M> "CONNMARK" target support <M> "DSCP" and "TOS" target support -M- "HL" hoplimit target support <M> "HMARK" target support <M> IDLETIMER target support <M> LOG target support <M> "MARK" target support -M- "SNAT and DNAT" targets support -M- "NETMAP" target support <M> "NFLOG" target support <M> "NFQUEUE" target Support -M- "RATEEST" target support -M- REDIRECT target support <M> "TEE" - packet cloning to alternate destination <M> "TPROXY" target transparent proxying support 5 <M> "TCPMSS" target support <M> "TCPOPTSTRIP" target support *** Xtables matches *** <M> "addrtype" address type match support <M> "bpf" match support <M> "control group" match support <M> "cluster" match support <M> "comment" match support <M> "connbytes" per-connection counter match support <M> "connlabel" match support <M> "connlimit" match support <M> "connmark" connection mark match support <M> "conntrack" connection tracking match support <M> "cpu" match support <M> "dccp" protocol match support <M> "devgroup" match support <M> "dscp" and "tos" match support -M- "ecn" match support <M> "esp" match support <M> "hashlimit" match support <M> "helper" match support -M- "hl" hoplimit/TTL match support <M> "ipcomp" match support <M> "iprange" address range match support <M> "ipvs" match support <M> "l2tp" match support <M> "length" match support <M> "limit" match support <M> "mac" address match support <M> "mark" match support <M> "multiport" Multiple port match support <M> "nfacct" match support <M> "osf" Passive OS fingerprint match <M> "owner" match support <M> IPsec "policy" match support <M> "physdev" match support <M> "pkttype" packet type match support <M> "quota" match support <M> "rateest" match support <M> "realm" match support <M> "recent" match support <M> "sctp" protocol match support <M> "socket" match support <M> "state" match support 6 <M> "statistic" match support <M> "string" match support <M> "tcpmss" match support <M> "time" match support <M> "u32" match support <M> IP set support --->全选 <M> IP virtual server support --->全选 IP: Netfilter Configuration --->全选 IPv6: Netfilter Configuration --->全选 [*] Ethernet Bridge nf_tables support ---> <M> Netfilter nf_tables bridge reject support <M> Ethernet Bridge tables (ebtables) support --->全选 <M> 802.1d Ethernet Bridging <M> 802.1Q/802.1ad VLAN Support <M> NETLINK: socket monitoring interface [*] Network priority cgroup -*- Network classid cgroup Device Drivers ---> [*] Network device support ---> <M> MAC-VLAN support <M> Virtual ethernet pair device File systems ---> <M> FUSE (Filesystem in Userspace) support 3.2 联网安装 lxc apt-get install lxc apt-get install python3-lxc apt-get install lxc-templates apt-get install librbd1 安装完以上软件后，执行命令 ifconfig -a，能够看到 lxcbr0 网卡信息，如下所示： lxcbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 inet 10.0.3.1 netmask 255.255.255.0 broadcast 0.0.0.0 inet6 fe80::216:3eff:fe00:0 prefixlen 64 scopeid 0x20<link> ether 00:16:3e:00:00:00 txqueuelen 1000 (Ethernet) RX packets 31 bytes 3305 (3.3 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 26 bytes 3254 (3.2 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0