LXC without chroot

Problem description

Is there any way to use LXC for resource management using process groups without creating containers? I am working on a service that runs arbitrary code inside a sandbox, for which I am only interested in hardware resource management. I don't want any chrooting; I just want these process groups to have access to the main file system.

I was told that lxc is lightweight, but all the examples that I see create a new container (i.e. a dir with a full OS) for every lxc process. I don't really see how this is much lighter than any other VM solution.

So is there any way that LXC can be used to control and manage multiple process groups, without creating separate containers for each and every one of them?

Recommended answer

LXC isn't a monolithic system. It's a collection of kernel features that can be used to isolate processes in various different ways, and a userspace tool to use all of these features together to create full-fledged containers. But the individual features are still usable on their own, without LXC. Furthermore, LXC does not require a chroot, and even when you give it a chroot, you can bind-mount directories from the host system into the container, sharing those particular directory trees between the host and the container.

For instance, cgroups are used by LXC to set resource limits on containers. But they can be used to set resource limits on groups of processes without using the LXC tools at all. You can manipulate /sys/fs/cgroup/memory or /sys/fs/cgroup/cpuacct directly, to put processes into cgroups that limit the amount of memory or CPU they are allowed to use. Or if you're on a system using systemd, you can control the memory limits for a group of processes using MemoryLimit=200M or the like in the .service file for a given service.

If you want to use LXC to do lightweight resource management, you can do that with or without a chroot. When starting an LXC container, you can choose which resources you want to isolate; so you could create a container with only a virtualized network, and nothing else; or a container with only memory limits, but sharing everything else with the host. The only things that will be isolated are those specified in the configuration file for your container. For example, lxc ships with several example container definitions that only isolate the network; they share a root partition and almost everything else with the host. Here's how to run a container identical to the host system except it has no network interface:

 sudo lxc-execute -n foo -f /usr/share/doc/lxc/examples/lxc-no-netns.conf /bin/bash

If you want some files to be shared with the host, but not others, you have two choices; you could use a shared root directory, and mount over the files that you want to be different in the container; or you could use a chroot, but mount the files that you do want to share in the container.

For example, here's the configuration for a container that shares everything with the host except for /home; it instead bind-mounts /home/me/fake-home over /home within the container:

lxc.mount.entry = /home/me/fake-home /home none rw,bind 0 0

Or if you want to have a completely different root, but still share some directories like /usr, you can bind mount a few directories into a directory, and use that as the root of the filesystem.

So you have lots of options, and can choose to isolate just one component, more than one, or as many as LXC supports, depending on your needs.
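An added example, not part of the answer above and not LXC's own code: the direct cgroup manipulation the answer describes, written in POSIX sh. It assumes a cgroup v1 host with the memory controller mounted at /sys/fs/cgroup/memory (CGROUP_ROOT, which can be pointed at a scratch directory for a dry run); the group name and the command in the usage comment are placeholders.

```shell
#!/bin/sh
# Resource management with cgroups alone, no LXC and no chroot: create a
# group under the v1 memory controller, cap its memory, move a process in,
# and read back the peak usage for accounting.
# CGROUP_ROOT is assumed to be the v1 memory controller mount; override it
# (e.g. with a scratch directory) to dry-run as an unprivileged user.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup/memory}"

# create_memory_cgroup NAME BYTES: make the group and set its hard limit.
# (On cgroup v2 the equivalent files are memory.max and cgroup.procs.)
create_memory_cgroup() {
    dir="$CGROUP_ROOT/$1"
    mkdir -p "$dir" || return 1
    echo "$2" > "$dir/memory.limit_in_bytes"
}

# attach_pid NAME PID: move PID into the group; its future children follow.
attach_pid() {
    echo "$2" > "$CGROUP_ROOT/$1/tasks"
}

# peak_usage NAME: highest memory footprint the group has reached, in bytes.
peak_usage() {
    cat "$CGROUP_ROOT/$1/memory.max_usage_in_bytes"
}

# run_limited NAME BYTES CMD...: run CMD inside the group. The child shell
# writes its own pid ($$) into tasks before exec'ing CMD, so CMD and every
# process it spawns are accounted to, and capped by, the group.
run_limited() {
    name="$1"; bytes="$2"; shift 2
    create_memory_cgroup "$name" "$bytes" || return 1
    sh -c 'echo "$$" > "$1/tasks" && shift && exec "$@"' sh "$CGROUP_ROOT/$name" "$@"
}

# Usage (needs root on a real cgroup v1 host; the program path is a placeholder):
#   run_limited sandbox 209715200 /path/to/sandboxed-program --input data
#   peak_usage sandbox
```

The cap only bounds memory consumption: the command still sees the host's whole filesystem, which is exactly the trade-off the answer describes.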