CloudServerNContainersFinetune

Summary

Make the use of containers for service segregation on par with KVM in terms of functionality and transparency.

Release Note

Container functionality has been greatly improved.

Rationale

User stories

Joe is a system administrator who wants to start a temporary image to run postfix. To save on resources he runs it using a container. He wants to be able to update the image without fear of updates undoing hacks needed for containers.

Jane is a system administrator who wants to be able to mix containers with KVM VMs through libvirt. She wants libvirt to auto-start containers, and virt-manager to cleanly shut down the containers.

Assumptions

Design

Implementation

Test/Demo Plan

Unresolved issues

BoF agenda and discussion

UDS Natty discussion

== Make LXC ready for production ==

Conclusions:
 * Some kernel patches (setns, ipvs, ns-cgroup-removal) are heading upstream
   * kernel team may backport those into natty
   * ns cgroup is being deprecated - should be turned off
     * MUST be associated with taking the clone-children control file patch to replace ns cgroup functionality
 * For more forward-looking and experimental lxc patches,
   * Create a kernel based on natty hosted on kernel.ubuntu.com
   * Create a ppa with both custom kernel and lxc package to exploit it
   * Examples of functionality:
     * user namespace
     * containerized syslog
     * tinyproc (see below)
 * Investigate solutions for /proc and /sys containerization
   * One attractive solution was to separate proc from container-safe tinyproc
     * could be a mount option
       * a CAP_HOST_PROC capability is required for mounting full proc
       * tinyproc does not provide /proc/sysrq-trigger, for instance
 * Networking:
   * We should let libvirt handle creation of bridge
   * Someone should investigate getting netcf working in debian+ubuntu
     * To play nice with NetworkManager
 * Container auto-start on boot
   * Let libvirt handle it
 * Meeting schedule for Friday to investigate a libvirt binding for liblxc
   * Summary from that meeting:
     * Action for natty to make a debootstrapped image work on host and in container
     * Action for Soren to look at libvirt-lxc console bug
       * (Serge to file a bug)
     * Action to create a new libvirt-container driver, based on openvz driver, which execs lxc.sf.net programs.
       * Ping libvirt community for reaction
       * Updating the existing driver to match lxc.sf.net functionality is too much duplicated work.
     * Long term, we would like to have the container driver call out to lxc.sf.net library - much more work
 * Upstart script for lxc
   * We should see if we can let libvirt handle it all
 * Action: find someone willing to work on a script on top of lxc for easing container creation
 * Action: find someone to push top/ps/netstat/etc containerization patches upstream
 * Action: pursue solutions to container reboot and poweroff
 * Action: Create trees based on Natty kernel tree, hosted on kernel.ubuntu.com, for more experimental container features to push upstream.
 * Action: Serge to follow up on user-namespace-over-dbus patch (sent to lkml in May)
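As an added illustration (not part of this spec and not a file shipped by libvirt or lxc) of what "let libvirt handle it" means for Jane's story and for the networking and auto-start conclusions above, here is a libvirt LXC domain definition in which libvirt, not an lxc-specific upstart job, owns the bridge attachment, the memory cap and the auto-start. The container name, the rootfs path /var/lib/lxc/postfix/rootfs and the bridge name br0 are assumed values.

```xml
<!-- Added example: libvirt LXC domain for Joe's temporary postfix container.
     Assumed: rootfs already debootstrapped at /var/lib/lxc/postfix/rootfs,
     host bridge br0 managed by libvirt. -->
<domain type='lxc'>
  <name>postfix</name>
  <!-- memory is in KiB here: 131072 KiB = 128 MiB, enforced via the memory cgroup -->
  <memory>131072</memory>
  <vcpu>1</vcpu>
  <os>
    <!-- 'exe' is the LXC driver's OS type; init is run as the container's PID 1 -->
    <type>exe</type>
    <init>/sbin/init</init>
  </os>
  <devices>
    <!-- bind the prepared root filesystem as / inside the container -->
    <filesystem type='mount'>
      <source dir='/var/lib/lxc/postfix/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <!-- libvirt creates the veth pair and attaches it to br0; no lxc.network.* needed -->
    <interface type='bridge'>
      <source bridge='br0'/>
    </interface>
    <!-- pty console so virt-manager / virsh console can reach the container -->
    <console type='pty'/>
  </devices>
</domain>
```

With this saved as postfix.xml, `virsh -c lxc:/// define postfix.xml` registers the container and `virsh -c lxc:/// autostart postfix` marks it to start with libvirtd, which is the auto-start path the conclusions propose instead of a separate upstart script.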


CategorySpec

CloudServerNContainersFinetune (last edited 2010-11-08 23:56:41 by serge-hallyn)