[Libvir] A sample program to create a Linux Container

Attached is a simple program that uses the clone() function to create a container. This is not intended as a patch - just an example of what creating a Linux Container looks like. Something along these lines will be used by the Linux Container driver to start the domain. The code run within this container is really simple. It just mounts the /proc file system and then dumps the ps output to a file showing that the container is in separate process space.

To run this you will need to have PID namespaces support enabled. Turn on CONFIG_PID_NS when compiling the kernel. You must run the program as root or the clone() call will fail.

Any questions or comments are welcome. Thanks!

-- 
Best Regards,
Dave Leskovec
IBM Linux Technology Center
Open Virtualization

/*
 * Copyright IBM Corp. 2008
 *
 * lxc_exec.c: example on creating a linux container
 *
 * Authors:
 *  David L. Leskovec <dlesko at linux.vnet.ibm.com>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#define _GNU_SOURCE     /* clone() is a GNU extension declared in <sched.h> */

/* System includes */
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strerror() */
#include <sys/mount.h>
#include <sys/types.h>
#include <unistd.h>

/* Supporting includes */

/* Component includes */

/* Defines */
/* These will eventually be defined in clone.h */
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif
#ifndef CLONE_NEWNS
#define CLONE_NEWNS  0x00020000
#endif

/* Global Variables */

/* Types and structs */

/* Functions */

/* Child entry point; clone() requires the signature int (*fn)(void *) */
static int exec_child(void *arg)
{
    FILE *cdfp;
    int rc;

    (void)arg;      /* argv is passed through but not used here */

    cdfp = fopen("/tmp/child.log", "w");
    if (cdfp == NULL) {
        /* Log to syslog */
        exit(1);
    }

    /* mount /proc */
    rc = mount("lxcproc", "/proc", "proc", 0, NULL);
    if (0 != rc) {
        fprintf(cdfp, "mount failed with rc = %d and errno = %d\n", rc, errno);
        fflush(cdfp);
        exit(1);
    } else {
        fprintf(cdfp, "mount successful\n");
        fflush(cdfp);
    }

    /* ps inside the new PID namespace only sees the container's processes */
    system("ps -aef > /tmp/container_ps.out");

    /* sleep a bit just so we don't exit right away */
    sleep(10);

    fclose(cdfp);
    return 0;
}

int main(int argc, char *argv[])
{
    FILE *dfp;
    int cpid;
    char *childstack, *stack;   /* char * so the pointer arithmetic below is portable */
    int flags;
    int stacksize = getpagesize() * 4;

    (void)argc;

    dfp = fopen("/tmp/parent.log", "w");
    if (dfp == NULL) {
        perror("parent.log");
        exit(1);
    }

    /* allocate a stack for the container */
    stack = malloc(stacksize);
    if (!stack) {
        fprintf(dfp, "malloc() failed, %s\n", strerror(errno));
        fflush(dfp);
        exit(1);
    }

    /* point to "top" of stack */
    childstack = stack + stacksize;

    /* call clone to create the container */
    flags = CLONE_NEWPID | CLONE_NEWNS;
    fprintf(dfp, "Parent: Clone() flags %x, pagesize %d...\n", flags, getpagesize());
    fflush(dfp);

    cpid = clone(exec_child, childstack, flags, (void *)argv);
    printf("cpid: %d\n", cpid);
    if (cpid < 0) {
        fprintf(dfp, "Parent: clone() failed, %s\n", strerror(errno));
        fflush(dfp);
        exit(1);
    }

    fprintf(dfp, "Parent sleeping, 20 seconds\n");
    fflush(dfp);
    sleep(20);

    return 0;
}

On Thu, Jan 24, 2008 at 04:06:17PM -0800, Dave Leskovec wrote:
Attached is a simple program that uses the clone() function to create a container. This is not intended as a patch - just an example of what creating a Linux Container looks like. Something along these lines will be used by the Linux Container driver to start the domain. The code run within this container is really simple. It just mounts the /proc file system and then dumps the ps output to a file showing that the container is in separate process space.
To run this you will need to have PID namespaces support enabled. Turn on CONFIG_PID_NS when compiling the kernel. You must run the program as root or the clone() call will fail.
What upstream kernel version is required for this ? Is it in 2.6.24 ? Regards, Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

Daniel P. Berrange wrote:
On Thu, Jan 24, 2008 at 04:06:17PM -0800, Dave Leskovec wrote:
Attached is a simple program that uses the clone() function to create a container. This is not intended as a patch - just an example of what creating a Linux Container looks like. Something along these lines will be used by the Linux Container driver to start the domain. The code run within this container is really simple. It just mounts the /proc file system and then dumps the ps output to a file showing that the container is in separate process space.
To run this you will need to have PID namespaces support enabled. Turn on CONFIG_PID_NS when compiling the kernel. You must run the program as root or the clone() call will fail.
What upstream kernel version is required for this ? Is it in 2.6.24 ?
Regards, Dan.
2.6.24-rc1 -- Best Regards, Dave Leskovec IBM Linux Technology Center Open Virtualization

Dave Leskovec wrote:
Attached is a simple program that uses the clone() function to create a container. This is not intended as a patch - just an example of what creating a Linux Container looks like. Something along these lines will be used by the Linux Container driver to start the domain. The code run within this container is really simple. It just mounts the /proc file system and then dumps the ps output to a file showing that the container is in separate process space.
To run this you will need to have PID namespaces support enabled. Turn on CONFIG_PID_NS when compiling the kernel. You must run the program as root or the clone() call will fail.
Any questions or comments are welcome. Thanks!
You want to use at least CLONE_NEWIPC and CLONE_NEWUSER too. CLONE_NEWUTS is probably desired as well, so you can have different hostnames, and CLONE_NEWNET for networking (though that's probably not going to be usable until after 2.6.25, at least). -- Daniel Hokka Zakrisson
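The program in Dave's first message and the namespace flags suggested in the reply above, combined into one fuller example. This is an added illustration written for this page, not Dave's program and not libvirt's container driver code; all function names (container_clone_flags, classify_clone_errno, child_stack_top, container_init, run_container) and the container hostname "lxc-example" are choices made for the example. It assumes Linux with glibc. Beyond the original program it adds SIGCHLD to the clone flags so the parent can reap the child with waitpid() instead of sleeping, makes the child's mount tree private before mounting /proc so the mount cannot propagate back to the host, mounts /proc nosuid/nodev/noexec, and separates the two clone() failures this thread ran into: EPERM when not run as root and EINVAL when a requested namespace is not compiled into the kernel (CONFIG_PID_NS, CONFIG_USER_NS). Only run_container() needs root; the flag, errno and stack-alignment helpers run unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks (same values as the original post) in case <sched.h> was read
 * without _GNU_SOURCE in effect; the explicit clone() prototype is for the same case. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWIPC  0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#endif
extern int clone(int (*fn)(void *), void *child_stack, int flags, void *arg, ...);

/* Namespace set from the thread: PID + mount (original program) plus IPC and UTS,
 * user namespace on request.  SIGCHLD lets the parent reap the child with waitpid(). */
int container_clone_flags(int with_user_ns)
{
    int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD;
    return with_user_ns ? flags | CLONE_NEWUSER : flags;
}

/* Per clone(2): EPERM = no CAP_SYS_ADMIN (not root); EINVAL = a requested
 * namespace is not built into the kernel (CONFIG_PID_NS, CONFIG_USER_NS, ...). */
enum clone_failure { CLONE_OK, CLONE_NO_PRIVILEGE, CLONE_NS_UNSUPPORTED, CLONE_OTHER };

enum clone_failure classify_clone_errno(int err)
{
    if (err == 0)      return CLONE_OK;
    if (err == EPERM)  return CLONE_NO_PRIVILEGE;
    if (err == EINVAL) return CLONE_NS_UNSUPPORTED;
    return CLONE_OTHER;
}

/* clone() takes the *top* of the child stack; keep it 16-byte aligned. */
void *child_stack_top(void *base, size_t size)
{
    return (void *)(((uintptr_t)base + size) & ~(uintptr_t)15);
}

/* Runs as PID 1 of the new PID namespace. */
static int container_init(void *arg)
{
    const char *hostname = arg;   /* example-chosen name, set via CLONE_NEWUTS */

    /* Keep our mounts from propagating back to the host (root is shared under systemd). */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) {
        perror("make / private");
        return 1;
    }
    /* A /proc for the new PID namespace, with the usual hardening bits. */
    if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0) {
        perror("mount /proc");
        return 1;
    }
    if (sethostname(hostname, strlen(hostname)) < 0) {
        perror("sethostname");
        return 1;
    }
    printf("child: getpid() = %d (1 means a new PID namespace)\n", getpid());
    fflush(stdout);
    execlp("ps", "ps", "-ef", (char *)NULL);   /* lists only the container's processes */
    perror("execlp");
    return 1;
}

/* Starts the container and waits for it.  Returns the child's exit status,
 * or -1 if it could not be started.  This is the part that needs root. */
int run_container(const char *hostname)
{
    size_t stacksize = (size_t)getpagesize() * 4;
    char *stack = malloc(stacksize);
    int status, rc = -1;

    if (!stack) {
        perror("malloc");
        return -1;
    }
    pid_t cpid = clone(container_init, child_stack_top(stack, stacksize),
                       container_clone_flags(0), (void *)hostname);
    if (cpid < 0) {
        int err = errno;
        enum clone_failure why = classify_clone_errno(err);
        fprintf(stderr, "clone: %s%s\n", strerror(err),
                why == CLONE_NO_PRIVILEGE ? " (run as root)" :
                why == CLONE_NS_UNSUPPORTED ? " (namespace not enabled in kernel config)" : "");
    } else if (waitpid(cpid, &status, 0) < 0) {
        perror("waitpid");
    } else if (WIFEXITED(status)) {
        rc = WEXITSTATUS(status);
    }
    free(stack);
    return rc;
}

int main(void)
{
    return run_container("lxc-example") == 0 ? 0 : 1;
}
```

CLONE_NEWUSER is left off the default flag set, matching the thread, where adding it made clone() fail until the kernel was rebuilt with CONFIG_USER_NS=y; pass 1 to container_clone_flags() once that support is confirmed. The errno split is the check worth keeping in real driver code: EPERM and EINVAL from clone() point at two different fixes (privilege versus kernel configuration), and reporting them as one generic failure hides which one applies.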

Daniel Hokka Zakrisson wrote:
Dave Leskovec wrote:
Attached is a simple program that uses the clone() function to create a container. This is not intended as a patch - just an example of what creating a Linux Container looks like. Something along these lines will be used by the Linux Container driver to start the domain. The code run within this container is really simple. It just mounts the /proc file system and then dumps the ps output to a file showing that the container is in separate process space.
To run this you will need to have PID namespaces support enabled. Turn on CONFIG_PID_NS when compiling the kernel. You must run the program as root or the clone() call will fail.
Any questions or comments are welcome. Thanks!
You want to use at least CLONE_NEWIPC and CLONE_NEWUSER too. CLONE_NEWUTS is probably desired as well, so you can have different hostnames, and CLONE_NEWNET for networking (though that's probably not going to be usable until after 2.6.25, at least).
Thanks! I added CLONE_NEWIPC and CLONE_NEWUTS. Adding CLONE_NEWUSER caused clone() to fail. I'm looking into that. I'll post in the near future regarding CLONE_NEWNET, network support for containers, and the XML format. -- Best Regards, Dave Leskovec IBM Linux Technology Center Open Virtualization

On Fri, Jan 25, 2008 at 11:30:35AM -0800, Dave Leskovec wrote:
Daniel Hokka Zakrisson wrote:
Dave Leskovec wrote:
Attached is a simple program that uses the clone() function to create a container. This is not intended as a patch - just an example of what creating a Linux Container looks like. Something along these lines will be used by the Linux Container driver to start the domain. The code run within this container is really simple. It just mounts the /proc file system and then dumps the ps output to a file showing that the container is in separate process space.
To run this you will need to have PID namespaces support enabled. Turn on CONFIG_PID_NS when compiling the kernel. You must run the program as root or the clone() call will fail.
Any questions or comments are welcome. Thanks!
You want to use at least CLONE_NEWIPC and CLONE_NEWUSER too. CLONE_NEWUTS is probably desired as well, so you can have different hostnames, and CLONE_NEWNET for networking (though that's probably not going to be usable until after 2.6.25, at least).
Thanks! I added CLONE_NEWIPC and CLONE_NEWUTS. Adding CLONE_NEWUSER caused clone() to fail. I'm looking into that.
I'll post in the near future regarding CLONE_NEWNET, network support for containers, and the XML format.
BTW, I meant to say - don't let the XML format discussions delay writing of the actual driver code. From previous postings we've clearly got a good common understanding of the scope of the data needed in the XML, it is just agreeing on fine details of element names & attribute names. This can easily be tweaked during the course of development as things become clearer, since it's only changing XPath expressions really. Regards, Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

Dave Leskovec wrote:
Daniel Hokka Zakrisson wrote:
Dave Leskovec wrote:
Attached is a simple program that uses the clone() function to create a container. This is not intended as a patch - just an example of what creating a Linux Container looks like. Something along these lines will be used by the Linux Container driver to start the domain. The code run within this container is really simple. It just mounts the /proc file system and then dumps the ps output to a file showing that the container is in separate process space.
To run this you will need to have PID namespaces support enabled. Turn on CONFIG_PID_NS when compiling the kernel. You must run the program as root or the clone() call will fail.
Any questions or comments are welcome. Thanks!
You want to use at least CLONE_NEWIPC and CLONE_NEWUSER too. CLONE_NEWUTS is probably desired as well, so you can have different hostnames, and CLONE_NEWNET for networking (though that's probably not going to be usable until after 2.6.25, at least).
Thanks! I added CLONE_NEWIPC and CLONE_NEWUTS. Adding CLONE_NEWUSER caused clone() to fail. I'm looking into that.
Make sure you have CONFIG_USER_NS=y
I'll post in the near future regarding CLONE_NEWNET, network support for containers, and the XML format.
-- Daniel Hokka Zakrisson

Daniel Hokka Zakrisson wrote:
Dave Leskovec wrote:
Thanks! I added CLONE_NEWIPC and CLONE_NEWUTS. Adding CLONE_NEWUSER caused clone() to fail. I'm looking into that.
Make sure you have CONFIG_USER_NS=y
That was a little weird. I verified that I had that flag set. I did tweak a couple other things because my system was acting odd - stalling every so often when pdflush was running. Recompiled and installed and it seems to be working now. Thanks! -- Best Regards, Dave Leskovec IBM Linux Technology Center Open Virtualization