[Lxc-users] LXC a feature complete replacement of OpenVZ?

Daniel Lezcano daniel.lezcano at free.fr
Thu May 13 21:22:50 UTC 2010


On 05/13/2010 06:17 PM, Christian Haintz wrote:
> Hi,
>
> At first LXC seems to be a great work from what we have read already.
>
> There are still a few open questions for us (we are currently running
> dozens of OpenVZ Hardwarenodes).
>
> 1) OpenVZ in the long-term seems to be a dead end. Will LXC be a
> feature complete replacement for OpenVZ in the 1.0 Version?

Theoretically speaking, LXC is not planned to be a replacement for OpenVZ.
When a specific functionality is missing, it is added. Sometimes that
needs kernel development, implying an attempt at mainline inclusion.

When the users of LXC want a new functionality, they send a patchset or
ask if it is possible to implement it. Often, the modifications need a
kernel modification and that takes some time to reach the upstream kernel
(e.g. sysfs per namespace).

Practically speaking, LXC evolves following the needs (e.g. entering a
container) of the users and that may lead to a replacement of OpenVZ.

Version 1.0 is planned to be a stable version, with documentation
and a frozen API.

> As of the current version
> 2) is there IPTable support, any sort of control like the OpenVZ
> IPTable config.

The iptables support in the container depends on the kernel version
you are using. AFAICS, iptables per namespace is implemented now.

> 3) Is there support for tun/tap device

The drivers are ready to be used in the container but not sysfs, and that
unfortunately prevents creating a tun/tap in a container.

sysfs per namespace is on the way to be merged upstream.

> 4) is there support for correct memory info and disk space info (are
> df and top showing the container resources or the resources of
> the hardwarenode)

No and that will not be supported by the kernel but it is possible to do 
that with fuse. I did a prototype here:

http://lxc.sourceforge.net/download/procfs/procfs.tar.gz

But I gave up on it because I have too many things to do with lxc and
not enough free time. Anyone is welcome to improve it ;)

> 5) is there something compared to the fine-grained control about
> memory resources like vmguarpages/privmpages/oomguarpages in LXC?

I don't know these controls you are talking about but LXC is plugged
into the cgroups. One of the subsystems of the cgroup is the memory
controller, which allows assigning an amount of physical memory and swap
space to the container. There are some mechanisms for notification as
well. There are some other resource controllers like io (new), freezer,
cpuset, net_cls and device whitelist (googling one of these names + lwn
may help).

> 6) is LXC production ready?

yes and no :)

If you plan to run several webservers (not a full system) or non-root
applications, then yes IMHO it is ready for production.

If you plan to run a full system and you have very aggressive users
inside with root privileges then it may not be ready yet. If you set up a
full system and you plan to have only the administrator of the host to
be the administrator of the containers, and the users inside the
container are never root, then IMHO it is ready if you accept for example
to have the iptables logs go to the host system.

Really, it depends on what you want to do ...

I don't know OpenVZ very well, but AFAIK it is focused on system
containers while LXC can set up different levels of isolation, allowing you
to run an application sharing a filesystem or a network for example, as
well as running a full system. But this flexibility is a drawback too
because the administrator of the container needs a bit of knowledge of
system administration and the container technology.

> Thanks in Advance, and we are looking forward to switch to Linux
> Containers when all Questions are answered with yes :-)

Hope that helped.

Thanks
   -- Daniel
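
Added example, not part of the original message and not the code of the procfs prototype linked in it: a sketch of the idea behind questions 4 and 5, deriving the MemTotal/MemFree a container should see from its cgroup memory controller values instead of the host's /proc/meminfo. It assumes the cgroup v1 files memory.limit_in_bytes and memory.usage_in_bytes as the source of the two byte counts; the function names and all sample values are constructed for illustration.

```python
# Added illustration: container-scoped view of /proc/meminfo computed from
# cgroup (v1) memory controller values. All sample values are constructed.

# Constructed host /proc/meminfo excerpt (what "top" shows inside a
# container when nothing virtualizes procfs).
HOST_MEMINFO = """\
MemTotal:       16384000 kB
MemFree:         8192000 kB
Buffers:          204800 kB
Cached:          4096000 kB
"""


def parse_meminfo(text):
    """Parse /proc/meminfo text into {field: value_in_kB}."""
    fields = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        parts = rest.split()
        if sep and parts and parts[0].isdigit():
            fields[name.strip()] = int(parts[0])
    return fields


def container_meminfo(host_text, limit_bytes, usage_bytes):
    """Return MemTotal/MemFree (kB) bounded by the container's cgroup.

    limit_bytes: content of memory.limit_in_bytes (assumed source)
    usage_bytes: content of memory.usage_in_bytes (assumed source)
    """
    host_total = parse_meminfo(host_text)["MemTotal"]
    # With no limit configured the controller reports a huge number,
    # so the host total is the effective ceiling.
    total = min(host_total, limit_bytes // 1024)
    # Usage can briefly exceed the limit; never report negative free memory.
    used = min(usage_bytes // 1024, total)
    return {"MemTotal": total, "MemFree": total - used}


def render(view):
    """Format the view in the /proc/meminfo column layout."""
    return "".join(
        (key + ":").ljust(16) + str(value).rjust(8) + " kB\n"
        for key, value in view.items()
    )


if __name__ == "__main__":
    # Constructed case: 512 MiB limit, 128 MiB currently charged.
    print(render(container_meminfo(HOST_MEMINFO, 512 * 2**20, 128 * 2**20)), end="")
```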



