Type-C Hypervisors. @DustinKirkland Ubuntu Product & Strategy Canonical Ltd.

Type-C Hypervisors @DustinKirkland Ubuntu Product & Strategy Canonical Ltd.

Canonical is the company behind Ubuntu

2004 600+ FOUNDATION EMPLOYEES 30+ COUNTRIES London Beijing Boston Shanghai Taipei

What is a Type-C Hypervisor?

Let s go back to 1973-1974 Fourth ACM Symposium on Operating Systems Principles IBM Thomas J. Watson Research Center October 15-17, 1973 [published July 1974]

"IBM 360-67 At U Mich with Mike Alexander" by Dave Mills - Licensed under Public Domain via Commons

The Hypervisor Picture since 1974 This image is made available under the Creative Commons CC0 1.0 Universal Public Domain Dedication.

Modern Type-1 and Type-2 Hypervisors 1 2

Ubuntu introduces a Type-C Hypervisor LXD

Efficiency, Resource Control, & Equivalence

Recursion

Except containers do not trap and execute! x

Indeed, these principles do still apply!

Back to our 1974 diagram...

Let s update for containers OS OS OS HYPER VISOR OS HARD WARE TYPE C contained Each container OS shares the same kernel as the host OS

LXD is... Simple Clean command line interface, simple REST API and clear terminology Fast Containers, not virtualization, so as fast as bare metal Secure Safe by default, combines all available kernel security features Scalable From a single container on a developer s laptop to thousands of containers per host in a datacenter

LXD is not... Full virtualization LXD tries to offer as similar a user experience as that of a virtual machine but it doesn t itself virtualize anything, you always get access to the real hardware and the real native performance A fork of LXC LXD uses LXC s API to manage the containers behind the scene Another application container manager LXD only cares about full system containers and doesn t care about what runs inside the container

A Hypervisor for Containers nova-compute-lxd lxc (command line tool) your own client/script? LXD REST API LXC LXC LXC LXC LXC LXD LXD LXD LXD LXD Linux kernel Linux kernel Linux kernel Linux kernel Linux kernel Host A Host B Host C Host D Host...

The Container Lighter-visor Users and developers Prototype locally, quickly, and on the cheap DevOps Prepare a workload as a system container in staging and then move it to production --- as a container, virtual machine, or bare metal Clouds Manage containers in the same way you manage virtual machines

The Security Story User namespaces LXD defaults to running containers in a separate user namespace. Mandatory Access Control LXD integrates with AppArmor, SELinux and Seccomp to prevent containers from interacting with each other and the host. Resource restrictions LXD makes it easy to restrict the use of physical resources like CPU, memory and storage devices through the use of Control Cgroups. Secure network operations Using only modern TLS with safe ciphers.

The RESTful API containers snapshots images aliases profiles certificates 1.0 events utility/internal collections operations networks volumes read-only collections

Demo

# Let's create a system container lxc image list lxc launch ubuntu summit lxc list lxc info summit lxc config show summit

# Let s interact with the container s filesystem lxc file push ~/src/y-cruncher.out summit/ lxc file pull summit/var/log/syslog /tmp

# Let s test the efficiency property lxc exec summit -- chmod +x /y-cruncher.out lxc exec summit -- /y-cruncher.out

# Let s test the equivalency property lxc exec summit -- apt-get update lxc exec summit -- apt-get install -y sysbench lxc exec summit -- sysbench --test=cpu \ --cpu-max-prime=20000 run

# Let s test the resource control property lxc exec summit -- grep processor /proc/cpuinfo lxc exec summit -- free lxc config set summit limits.cpus 2 lxc config set summit limits.memory 1024000000 lxc stop summit && lxc start summit lxc exec summit -- grep processor /proc/cpuinfo lxc exec summit -- free

# Let s test the recursive property lxc config set alpha security.nesting true sudo service lxd restart lxc exec alpha -- bash echo deb http://ppa.launchpad.net/ubuntu-lxc/lxd-gitmaster/ubuntu trusty main >> /etc/apt/sources.list apt-get update && apt-get install -y --force-yes lxd vi /etc/subuid /etc/subgid service lxd restart lxd-images import ubuntu --alias ubuntu lxc launch ubuntu beta lxc config set beta security.nesting true service lxc restart lxc exec beta -- bash

# Let s update and snapshot it lxc exec summit -- apt-get update lxc exec summit -- apt-get dist-upgrade -y lxc snapshot summit upgraded # Let s cause some trouble lxc exec summit -- rm -rf /usr lxc exec summit bash # Let s repair the damage lxc restore summit upgraded

# What else can I do with lxc today? lxc --help Usage: lxc [subcommand] [options] Available commands: config - Manage configuration. copy - Copy containers within or in between lxd instances. delete - Delete containers or container snapshots. exec - Execute the specified command in a container. file - Manage files on a container. help - Presents details on how to use LXD. image - Manipulate container images info - List information on containers. launch - Launch a container from a particular image. list - Lists the available resources. move - Move containers within or in between lxd instances. profile - Manage configuration profiles. publish - Publish containers as images. remote - Manage remote LXD servers. restart - Changes one or more containers state to restart. restore - Reset the state of a resource back to a snapshot. snapshot - Create a read-only snapshot of a container. start - Changes one or more containers state to start. stop - Changes one or more containers state to stop. version - Prints the version number of LXD.

linuxcontainers.org/lxd github.com/lxc/lxd @DustinKirkland