LibCT: one lib to rule them all -- Andrey Vagin
1 like1,043 views
LibCT is a C library that allows building containerized applications by configuring namespaces and cgroups to provide isolation. It aims to simplify the complex low-level container APIs and support different container types like Linux containers, OpenVZ, Solaris Zones, and BSD jails. LibCT hides low-level API changes and provides bindings for other languages. It also serves as an alternative to Libcontainer which is written in Go. The presentation covered the history of Linux containers, namespaces, cgroups, LibCT's API, examples of use, and future integration plans.
LibCT: one lib to rule them all -- Andrey Vagin
- 1. LibCT One Lib to Rule Them All LibCT One Lib to Rule Them All Andrey Vagin Odin, Software Engineer ContainerCon, 2015
- 2. AgendaAgenda • History • Namespaces and CGroups • LibCT • And Libcontainer • Current state and future plans 2
- 3. History of Linux ContainersHistory of Linux Containers • 2002 Virtuozzo • 2005 OpenVZ • Linux-VServer • 2006 Namespaces and Cgroups • 2008 LXC (Linux Containers) • 2010 Application Containers ... 3
- 4. History of Application ContainersHistory of Application Containers • Systemd-nspawn – Spawn a namespace container for debugging, testing and building • Docker – LXC – Libcontainer • Rocket – systemd-nspawn 4
- 5. NamespacesNamespaces ● Mount (2.4.19 2002) – Mount points ● Network – Network devices, stacks, ports, etc. ● PID – processes ● IPC – System V IPC, POSIX message queues ● UTS – Hostname and NIS domain name ● User (3.8 - 2013) – security-related identi<ers and attributes
- 6. Other features of namespacesOther features of namespaces ● User namespaces allow to use namespace for unprivileged users ● Namespaces can be created once and used many times ● Fast entering into existing namespaces ● Ability to isolate tasks in context of one user 6
- 7. Usage scenariosUsage scenarios ● Mount namespace – to construct a new root which contains only accessible paths (security) – Multitenancy ● Network namespace – to grant full access to network devices (Network Function Virtualization, Virtual Private Networks, etc) – to build complex network topology – to use iptables, tra>c shaping, etc ● PID namespaces – to isolate independent group of processes (security)
- 8. Control GroupsControl Groups ● Cpu,cpuset,cpuacct ● Memory, hugetlb ● Blkio ● Devices ● net_cls, net_prio ● Freezer ● perf_event
- 9. The LibCT libraryThe LibCT library ● Allows to build containerized applications – con<gure namespaces and cgroups – unprivileged containers ● In C and binding for other languages ● Cross-platform
- 10. Reasons for creating LibCTReasons for creating LibCT ● Complexity of low-level API ● Support of all kinds of containers – Linux Containers – OpenVZ – Solaris Zones – BSD jails ● Hide low-level API changes 10
- 11. Libcontainer and LibCTLibcontainer and LibCT ● In Go / In C ● Both support back-ends ● Only Go / binding for other languages ● Easy for developing / works faster ● No fork() / … Libcontainer → runc
- 12. LibCT APILibCT API 12 Session - create() - load() Container - namespaces - cgroups Process - kill(), wait() ProcessDesc - Uid, Git, Groups
- 13. ExampleExample s = libct_session_open_local(); /* configure container */ ct = libct_container_create(s, "test"); libct_container_set_nsmask(ct, CLONE_NEWPID | CLONE_NEWUSER | CLONE_NEWNS)); libct_userns_add_uid_map(ct, 0, getuid(), 1); libct_userns_add_gid_map(ct, 0, getgid(), 1); libct_fs_add_mount(ct, "tmpfs", "/tmp", 0, "tmpfs", NULL)) /* configure process descriptor */ p = libct_process_desc_create(s); libct_process_desc_set_caps(p, 0, CAPS_ALL); /* Executing process*/ pr = libct_container_spawn_cb(ct, p, set_ct_alive, ct_alive); libct_process_wait(pr, &status); libct_container_destroy(ct); libct_session_close(s); 13
- 14. Future plansFuture plans ● Integration with applications ● Noti<cations ● Task-less containers ● Checkpoint/Restore (CRIU)
- 15. Thank You! Andrey Vagin <avagin@openvz.org> https://github.com/avagin/libct Andrey Vagin <avagin@openvz.org> https://github.com/avagin/libct