[lxc-devel] LXC as an alternative to linux-vserver

Daniel Lezcano daniel.lezcano at free.fr
Sun Nov 4 22:03:19 UTC 2012 

On 11/03/2012 10:10 PM, Patrick LeBoutillier wrote:
> Hi all,

Hi Patrick,

>
> We have been using linux-vserver for years (we actually created the
> project before eventually passing on maintainership), but after years
> of kernel patching and unending API and syscall changes, we are looking
> to move towards a more mainstream approach, ideally fully integrated into
> the stock linux kernel.
>
> Some research has lead me to LXC as perhaps a viable replacement
> solution, but before going further I would like to get a better
> grasp on some of key aspects of the project.
>
> Here goes:
>
>
> - One of the things we use a lot with linux-vserver is an "enter"
>   functionality: from a shell in the host, use the "enter" command
>   to get a shell inside a container. This is a variant of the "exec"
>   feature, which allows the execution of an arbitrary command inside
>   a container from a shell on the host.
>
>   A lot of our internal processes are based on this feature. The vast
>   majority of our containers do not run SSH servers and are accessed
>   interactively (or not) from the host.
>
>   Is this functionality (or something equivalent) supported by LXC?

The feature is partially in the kernel for sure. The equivalent syscall,
'setns' is already merged upstream.
I don't know how works linux-vserver but with LXC relies on the
namespaces for the subsystem.

The 'attach' is partially merged, we can make a process to access some
resources of the container but the mount and the pid namespaces are
missing right now leading to a partial 'enter' command which does not
makes sense.

The patches are for these are a out-dated but available at
git.kernel.org and in the download section of lxc.sourceforge.net.

What is missing is spare time to refresh and merge them upstream.

>
> - As far as networking is concerned, we simply use IP aliases (eth0:1)
>   to allocate IP addresses for the containers. This offers very basic
>   network isolation (the container is limited to using specific aliases)
>   but it suits our needs.
>
>   With LXC, is this simple technique usable or does one have to
>   necessarily setup bridges and/or tunnels?

The network isolation acts at the layer 2. But hopefully there are a lot
of configuration options and combinations making possible to have a
simple approach like linux-vserver without extra overhead which is
probably one of your concern.

One example is the 'macvlan' option without loss of network offloading
capabilities.

Hope that helps

  -- Daniel

More information about the lxc-devel mailing list