Containerize your life! How to live with always not enough resources Joachim von Thadden EMEA Senior Specialist Solution Architect OpenStack Thu 24 ! 2"#$, #&!"pm - (:2"pm OpenStack Summit 2018 - Vancouver Demo 2)44 OpenStack Summit 2018 - Vancouver AGENDA The Promise +irst Steps with ,-. How to /irtuali0e without And now the heavy stu223 /irtuali0ation1 The culprits o2 misusing a 4ontainer +irst Steps with libvirt ,et’s get our 7ngers dirty. OpenStack: 8nstall *ackstack ()44 OpenStack Summit 2018 - Vancouver Disclaimer 4)44 OpenStack Summit 2018 - Vancouver Warning 9 this is not a traditional la53 This ,a5 di22ers from others3 It is not meant to be a guided tour through a technology3 See it more as an e:perimental session to fgure out the 5orders o2 technology9 So e:pect failures% ;uestions and <agile customi0ation=3 And: >ou must not copy?paste 5lindly as you will have to adapt commands to your environment3 !)44 OpenStack Summit 2018 - Vancouver Instead of an USB Stick... 4ontent AB, The slides can be found under the following URL: https://gith b.com/jthadden/#penStack_S mmit_2&'($)ancou*er/doc ma+!e also via my ,aptop: http://'&.193.25'.235/p ! http://'&.193.25'.235/repos http://'&.193.25'.235/isos @)44 OpenStack Summit 2018 - Vancouver 0he Promise C)44 OpenStack Summit 2018 - Vancouver 2ou can 3mis45 se a Container as a full !lo7n Virtual Machine! E*en !etter: 2ou can virtuali:e 7itho t nesting9 $)44 OpenStack Summit 2018 - Vancouver 0he 6 lprit of Virtualization The reason why we don6t like it i2 we are not an enterprise3 ● Besources ● Besourcessss ● Besourcessssssss D)44 OpenStack Summit 2018 - Vancouver #penStack 9 is a Ehale3 A 2ull 5lown OpenStack consists o2 at least ● # 8nstaller (Director or other) (1@HB BAM% 44*As% #""HI .iskG ● ( 4ontrollers FJ#2HB BAM% J4 4*As% 1""HI .iskG ● J2 Computes (>4GI BAM% J4 C*As% 1""HI .iskG ● Some Storage (e g. for live migration) FJ4HB RAM% 2 4*As% >#""HB .iskG At least 60GB RAM, 30 CPUs, 700GB Disk. 8 can do it with 24HI BAM% 2 4*As + HT% #""HB Disk &'G #")44 OpenStack Summit 2018 - Vancouver ;o7 to )irtuali:e without )irtualization? ##)44 OpenStack Summit 2018 - Vancouver ;o7 to Virtualize 7ithout Virtualization< Some type o2 4ontainer is your friend3 ● chroot ● 4ontainer ● Other 8deas1 #2)44 OpenStack Summit 2018 - Vancouver Useful 6ontainer Technologies... and why we can't or don't want to use them Fand I tried them all3G 8 tried them all& ● 4hroot ○ lacking o2 namespace separation and no own networking stack F5ecause o2 the formerG ● .ocker ○ working 5ut pro5lems with (needed) privileged actions ● ,egacy Open/Z (v0ctlG ○ does the Mo5% but you might need to use the upstream package ○ not supported very well ● ,:c ○ does the Mo5% but horri5le to confgure and use ● Systemd'nspawn ○ nested virtuali0ation is a pro5lem #()44 OpenStack Summit 2018 - Vancouver 0he !est wa+ toda+ - and why we have to cry LXD the LXC Daemon ● 8t6s actually a daemon 2or ,-4 ● 4oming from Canonical ' so will pro5a5ly die when Shuttleworth dies ○ IAT it's OpenSource3 So who cares3 ● ,-. is 5ased on ,-4 and that's running out o2 support o2 Bed Hat (and might 5e removed in the 2utureG ○ Never mind% we will use +edora9 "# $ou don%t like the LXD a&&'ao(! ● you can do it as well with Legacy Open/L (install v0ctl-coreG #4)44 OpenStack Summit 2018 - Vancouver The c lprits of misusing a Container #!)44 OpenStack Summit 2018 - Vancouver 6ontainers ha*e se*eral restrictions ● no nested selinux ● restricted systemd ● no auditd ● no sysctl ● no module loading ● pro5lems with subscri5ing ● error with iscsi ○ open 5ug since >EABS now with missing namespacing in scsi'modules ● *ro5a5ly more you will 2ace3 And man$ o# them (an not e)en *een (i'(um)ented *$ 'unnin+ the (ontaine' &'i)ile+ed, #@)44 OpenStack Summit 2018 - Vancouver BU0: so many things are working like a charm ● Booting :'G ● DD% networking ● 7rewalling ● namespaces ● virtuali0ation ● DD D% feeling o2 real machine #C)44 OpenStack Summit 2018 - Vancouver Let’s get o r fngers dirt+... #$)44 OpenStack Summit 2018 - Vancouver Need a )8< There is a /M'8mage o2 an already installed and confgured Fedora-2@ /M (qcow2G& http&))P8*J)isos)+edora-2@'BHTE.;cow2 ● make one with at least 8HI% 24*A% 8"HB HD. based on Fedora 2@% copy 4*A con7g ● start the /M and install Fedora 2@ ➔ on other distros see& https&))linuxcontainers org/l:d)getting-started'cli) ● install needed So2tware dnf -y upgrade dnf -y groupinstall cloud-management dnf -y install libguestfs-tools #D)44 OpenStack Summit 2018 - Vancouver Ena!ling LXD dnf -y copr enable ganto/lxd # don't use ganto/lxc3 for Fedora28 at the moment, instead edit # /etc/yum.repos.d/_copr_ganto-lxd.repo and change $releasever to 27 dnf -y install lxd lxd-client lxd-tools getent group lxd > /dev/null || groupadd -f -r lxd echo "root:1000000:65536" >> /etc/subuid echo "root:1000000:65536" >> /etc/subgid setenforce 0 systemctl start lxd.service usermod --append --groups lxd rhte To make it permanent (e g. in a special /MG& sed -i -e "s/SELINUX=enforcing/SELINUX=permissive/" /etc/selinux/config systemctl enable lxd.service 2")44 OpenStack Summit 2018 - Vancouver ,?D can !e used as a Ser*er daemon E.g. i2 you have some stronger machine in the cellar Add the 2ollowing: lxc config set core.https_address "[::]" lxc config set core.trust_password <your PW> firewall-cmd --add-port=8443/tcp --permanent firewall-cmd --reload 2#)44 OpenStack Summit 2018 - Vancouver Add some storage There are numerous storage options like ● L+S ● Btr2s ● ,/M ● *lain Filesystem <- we will use that Be'login as normal user rhte and e:ecute& lxc storage create default dir lxc profile device add default root disk path=/ pool=default 22)44 OpenStack Summit 2018 - Vancouver @irst Steps 7ith ,?D 2()44 OpenStack Summit 2018 - Vancouver Start your frst light7eight )8 All l:c commands should be issued as user rhte3 lxc image list images:|grep -i centos # remote repository images lxc image list # local available images lxc launch images:centos/7 my-centos7-container lxc exec my-centos7-container /bin/bash lxc list [regexp] # to list containers with state 24)44 OpenStack Summit 2018 - Vancouver Some more 6ommands lxc info my-centos7-container # getting Info lxc {network|profile|config|storage} list lxc {network|profile|config|storage} show lxc config show compute0 --expanded # getting all configs # (like image, storage, security" ps aux | grep "containers compute0" # find the monitoring process of a # container (e.g. if hanging) lxc list security.privileged=true # list all privileged containers lxc start|stop|restart|pause lxc file pull|push|edit <container>/<path> [-] # - means stdout lxc config device add mycontainer vartest disk source=/var/www path=/var/test # attach a dir to a container 2!)44 OpenStack Summit 2018 - Vancouver Prepare a 6ent#S image for our special sage 7ith ,?D ● learn here the easy way ○ to do the things which are not working in an L-.'4ontainer ● we need ○ a pro7le ○ the CentOS image in l:c (you know how to get itG ○ a rc local 7le& https&))raw githubusercontent com)Mthadden/OpenStackQSummitQ2"#$Q/anco uver)master)roles)layer2Q5ootstrap_container)7les)rc.local-container 2@)44 OpenStack Summit 2018 - Vancouver 6reate a ne7 Profle Bemem5er& user is always rhte3 lxc profile create rhosp lxc network attach-profile virbr0 rhosp eth0 lxc profile device add rhosp root disk path=/ pool=default lxc profile set rhosp security.privileged true OpenStack Summit 2018 - Vancouver 2C)44 rc.local → let us go through it, to understand what to do ← on the git repo go to: roles/layer2_bootstrap_container/files/rc.local-container 2$)44 OpenStack Summit 2018 - Vancouver Prepare your 6ent#S with the rc.local lxc image list lxc launch -p rhosp images:centos/7 my-centos7-container lxc exec my-centos7-container /bin/bash # install and start sshd yum -y install openssh-server file systemctl enable sshd && systemctl start sshd passwd root # and try to sshd into it lxc list ssh root@<IP> # get rc.local and execute curl <...> -o /etc/rc.local chmod 755 /etc/rc.local systemctl enable rc-local reboot # look into logfile for execution of rc.local 2D)44 OpenStack Summit 2018 - Vancouver Let’s tr+ some real work! (") OpenStack Summit 2018 - Vancouver 44 Install an I1A (#)44 OpenStack Summit 2018 - Vancouver Prepare the Container Set hostname% ena5le repos and install 7rewalld # ssh into the container hostnamectl set-hostname `hostname`.rhte.internal yum repolist yum install firewalld systemctl enable firewalld && systemctl start firewalld (2)44 OpenStack Summit 2018 - Vancouver Install and Confg re I1A yum -y install ipa-server ipa-server-dns ipa-server-install --setup-dns --forwarder=8.8.8.8 -r \ `dnsdomainname|tr a-z A-Z` -p "changeme" -a "changeme" -U 2>&1 | \ tee ipa-install.out--setup-dns # open the firewall accordingly firewall-cmd --permanent \ --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/ udp,464/udp,53/udp,123/udp} firewall-cmd --reload (()44 OpenStack Summit 2018 - Vancouver 0est I1A kinit admin klist ipa user-find admin # i2 you want to see the we5inter2ace% use on your host something like sshuttle -r root@<yourVMsIP> <yourContainersIP> 2 add the host to your /etc)hosts echo "<IPofContainer> my-centos7-container.rhte.internal" >> /etc/hosts ( Browse to your 8*A https://my-centos7-container.rhte.internal (4)44 OpenStack Summit 2018 - Vancouver No7 try out )8s in 6ontainers9 (!)44 OpenStack Summit 2018 - Vancouver Install lib*irt yum -y install libvirt libvirt-daemon-kvm systemctl enable libvirtd systemctl start libvirtd (@)44 OpenStack Summit 2018