lxc linux image flavour

hello,

the plan as decided in Portland was to go forward with openvz
if upstream provides us with a patch in time. as currently this
looks quite bad (latest available patch is for 2.6.27, there is
no sign of a patch for 2.6.32, nor any schedule like it happened
to be for Lenny).

I thus propose to enable an lxc (linux containers) [1] flavour:
* Containers are sets of processes with private namespaces, which
  can look like separate boxes
* lxc is merged in linux-2.6 and continuously improved
  (the maintenance of it should be thus much lower then
   it was for openvz)
* lxc is fast and bench mark tested [2]
* the lxc userland is in sid and available for many archs
* libvirt support
* the 2.6.32 feature/fixes patch is tiny [3]
* RESOURCE_COUNTERS and CGROUP_MEM_RES_CTLR enabled
  (has overhead that is not acceptable, for general purpose images)

On the negative side it doesn't have yet checkpointing support
and not all net/ has netns support yet.


I'll wait until 1st of February and until contrary notice
would add an lxc flavour to 2.6.32.

kind regards
maks

[1] http://www.ibm.com/developerworks/linux/library/l-lxc-containers/
    http://lwn.net/Articles/219794/
[2] http://lwn.net/Articles/179345/
[3] http://lxc.sourceforge.net/patches/2.6.32/2.6.32-rc6/share-af-unix-socket-sysctl.patch
    https://lists.linux-foundation.org/pipermail/containers/2010-January/022529.html
    https://lists.linux-foundation.org/pipermail/containers/2010-January/022600.html

On Jan 24, maximilian attems <max@...> wrote:

> the plan as decided in Portland was to go forward with openvz
> if upstream provides us with a patch in time. as currently this
> looks quite bad (latest available patch is for 2.6.27, there is
> no sign of a patch for 2.6.32, nor any schedule like it happened
> to be for Lenny).
I expect that it will be released after the first beta of RHEL 6.

> On the negative side it doesn't have yet checkpointing support
> and not all net/ has netns support yet.
It's not just that, AFAIK there is no match for many of the
user_beancounters features (especially the accounting part) and e.g.
lack of the equivalent of "vzctl enter" is a critical issue for my
applications.
While I am happy to see better support for lxc in Debian, it does not
look like an openvz replacement yet.

--
ciao,
Marco

On Sun, Jan 24, 2010 at 01:37:26PM +0100, maximilian attems wrote:
> I thus propose to enable an lxc (linux containers) [1] flavour:

Please describe the _kernel_ improvements over the normal images. Most
of it is already enabled in the default images and does not warrant for
an extra image.

> * lxc is merged in linux-2.6 and continuously improved
>   (the maintenance of it should be thus much lower then
>    it was for openvz)

lxc is the userspace part.

> * RESOURCE_COUNTERS and CGROUP_MEM_RES_CTLR enabled
>   (has overhead that is not acceptable, for general purpose images)

The description reads like it is possible to enable/disable the overhead
on boot time. Please elaborate.

Bastian

--
The sight of death frightens them [Earthers].
                -- Kras the Klingon, "Friday's Child", stardate 3497.2


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Note that I am a big OpenVZ. I also like Linux-VServer a lot and use
both for years now. Both projects have contributed to LXC a lot and I
want to hereby thank all folks involved in the process of pushing that
stuff into mainline!

However, I, as many other companies/folks, have a problem since there
are
 - no recent patches for OpenVZ available (thus no kernels in Debian)
 - no official announcements on future directions from the OpenVZ folks
   made

I am therefore looking for a sustainable and long-term predictable
lightweight virtualization/isolation solution to replace OpenVZ. LXC, we
think, is the way to go forward. Stuff in mainline is stuff in mainline
is stuff in mainline ... no argument possible against that.


 Marco> I expect that it will be released after the first beta of RHEL
 Marco> 6

Yes, I have been told that too by OpenVZ's main developer, Kir
Kolyshkin. However, it is fact that (as of now) RHEL6 is scheduled for
the first half of 2010. A year ago, it was scheduled for summer 2009 and
so on. Nobody really knows when it will be released and thus when
Parallels will release another OpenVZ patch for some recent kernel.

It just happens that Debian can not go forward with any plans with
regards to OpenVZ in squeeze since they do not know themselves. LXC is
available right now and in mainline, so that is another story
altogether.



 Marco> It's not just that, AFAIK there is no match for many of the
 Marco> user_beancounters features (especially the accounting part)

True that, here is why I think that is not critical at this point:
 - most folks run Linux-VServer, OpenVZ, LXC etc. on boxes they own plus
   they control themselves so that is not really an issue
 - those environments in need for limits/beancounters (disk quota etc.)
   may probably have to wait another six months or so until it will be
   available in LXC. Till then it is quite possible to run on 2.6.26
   with OpenVZ and then migrate things to LXC. We have excellent
   migration scripts already [0]



 Marco> Lack of the equivalent of "vzctl enter" is a critical issue for
 Marco> my applications.

I do not remember the exact command now but from what I remember
hearing/reading last week, that feature will be available shortly.




[0] http://sysadmin-cookbook.rot13.org/#lxc


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

 Bastian> Please describe the _kernel_ improvements over the normal
 Bastian> images. Most of it is already enabled in the default images
 Bastian> and does not warrant for an extra image.

As you can see from http://sunoano.pastebin.com/m4b5380dc , line 29,
Cgroup memory controller is not. This setting is mandatory if you want
to control the available memory per containers and the like. IMO most
folks would want that, if just to make sure their local sandbox does not
go wild for some reason, thus eating up all memory.



 Bastian> Lxc is the userspace part.

You are right but then I think maximilian certainly referred to the
kernelspace part of LXC here. At least that is my reading ... context
matters :)




 Bastian> The description reads like it is possible to enable/disable
 Bastian> the overhead on boot time. Please elaborate.

Nope, it has to be enabled at build-time. http://lxc.teegra.net




--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

On Sun, 2010-01-24 at 15:17 +0100, Marco d'Itri wrote:
> On Jan 24, maximilian attems <max@...> wrote:
>
> > the plan as decided in Portland was to go forward with openvz
> > if upstream provides us with a patch in time. as currently this
> > looks quite bad (latest available patch is for 2.6.27, there is
> > no sign of a patch for 2.6.32, nor any schedule like it happened
> > to be for Lenny).
> I expect that it will be released after the first beta of RHEL 6.
[...]

I believe there already has been a beta, just not a public one.  RH
seems to be very secretive about this release.

Ben.

--
Ben Hutchings
Any smoothly functioning technology is indistinguishable from a rigged demo.

On Sun, Jan 24, 2010 at 03:17:14PM +0100, Marco d'Itri wrote:
> lack of the equivalent of "vzctl enter" is a critical issue for my
> applications.

looks feasable thanks to libvirt:
virsh --connect lxc:/// console v1
http://libvirt.org/drvlxc.html


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

On Sun, Jan 24, 2010 at 03:17:14PM +0100, Marco d'Itri wrote:
> On Jan 24, maximilian attems <max@...> wrote:
>
> > the plan as decided in Portland was to go forward with openvz
> > if upstream provides us with a patch in time. as currently this
> > looks quite bad (latest available patch is for 2.6.27, there is
> > no sign of a patch for 2.6.32, nor any schedule like it happened
> > to be for Lenny).
> I expect that it will be released after the first beta of RHEL 6.

point to an official statement of an openvz dev.
currently it looks like they are waiting too long to be in the squeeze
boat also kernel version should match.


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Marco d'Itri wrote:
> On Jan 24, maximilian attems <max@...> wrote:
[]
>> On the negative side it doesn't have yet checkpointing support
>> and not all net/ has netns support yet.
> It's not just that, AFAIK there is no match for many of the
> user_beancounters features (especially the accounting part) and e.g.
> lack of the equivalent of "vzctl enter" is a critical issue for my
> applications.

Accounting is done in cgroups.  Not as flexible as in openvz, but it
works.

As of `vzctl enter', there's something very similar, but it requires
to have getty (or similar) running on ttyN in guest.  Probably not
what you want.

> While I am happy to see better support for lxc in Debian, it does not
> look like an openvz replacement yet.

It doesn't, indeed.  Both has their own bad and good sides.  The
main "good" about lxc is that it's in the standard kernel, and
kernel components are ready (maybe modulo some features like
freezing/migration).  Openvz, linux-vserver, other things - all
require quite intrusive patches, which complicating support tasks
alot.

/mjt


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

On Sun, 24 Jan 2010, Suno Ano wrote:

>  Bastian> Please describe the _kernel_ improvements over the normal
>  Bastian> images. Most of it is already enabled in the default images
>  Bastian> and does not warrant for an extra image.
>
> As you can see from http://sunoano.pastebin.com/m4b5380dc , line 29,
> Cgroup memory controller is not. This setting is mandatory if you want
> to control the available memory per containers and the like. IMO most
> folks would want that, if just to make sure their local sandbox does not
> go wild for some reason, thus eating up all memory.

if we want to ennable it for the default image, we need a benchmark
test of obvious stuff like fork()/exit to check that it didn't degrade.

if results are in the noise of the relevant benchmark we can shipp
it indeed in linux-2.6 without the need of a special featureset.


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

On Sun, Jan 24, 2010 at 06:19:02PM +0100, Suno Ano wrote:
> As you can see from http://sunoano.pastebin.com/m4b5380dc , line 29,
> Cgroup memory controller is not. This setting is mandatory if you want
> to control the available memory per containers and the like.

It is not mandantory for the system.

>  Bastian> The description reads like it is possible to enable/disable
>  Bastian> the overhead on boot time. Please elaborate.
> Nope, it has to be enabled at build-time. http://lxc.teegra.net

Please show this on the source.

Bastian

--
Yes, it is written.  Good shall always destroy evil.
                -- Sirah the Yang, "The Omega Glory", stardate unknown


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Hi all

I can now announce an "half official" statement from Kir
(who is the project manager of openvz) that they are now
dedicated to make a openvz. This is what he states:

-------------
Hi Ola, guys,

Thanks for the info. We have discussed this at length and
the resolution is we are all for it. This means we will try
hard to do a rebase as soon as possible, and I hope we
will succeed.

If (or whenever you will) know the exact deadline date
(or any close approximation), please let us know, this is
important.

Also, can you please point us to the location of the git
repository of what will become the linux kernel for the
next debian release? I checked git.debian.org but
where there are too many kernels to look at.
If it is not in git then when it is?

Regards,
  Kir.
--------------

So it looks like we are going to have openvz available in squeeze.

Best regards,

// Ola

On Mon, Jan 25, 2010 at 12:46:42AM +0100, maximilian attems wrote:
--
 --------------------- Ola Lundqvist ---------------------------
/  opal@...                     Annebergsslingan 37      \
|  ola@...                      654 65 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...