Please Contain Me: Practical LXC on the Desktop

Captions
Welcome everyone to another tutorial at LCA, the Linux conference Australia, Sydney 2018. We are here today with Florian Haas. Florian is an expert in distributed storage, high availability, performance and the open source cloud area. In the conference Florian also gave a talk on Open edX, which is a platform; you can check that out. He's also founder of... what is the company?

Thank you. Well, the company I founded is called hastexo, and that has been acquired as of last October, so I'm now part of City Network.

Yeah, using OpenStack, Open edX, Ceph, yeah, LXC, everything. And today we're here to hear all about LXC. Thank you.

Okay, thank you for that. On this day specifically I would like to offer my individual acknowledgement of the Gadigal of the Eora nation, who are the traditional custodians of this land, and offer my respects to the elders both past and present. I would also like to acknowledge Linux Australia, the custodians of LCA if you will, and pay my respects to all the conference organizers and volunteers past and present who year after year manage to put together a truly one-of-a-kind conference that I and many others love coming back to. You're all a part of that community, and I would like to thank you for that privilege as well.

I'm Florian, I work for City Network, as my shirt implies. We love OpenStack; we run a public OpenStack cloud that spans eight global regions, we run a bunch of private and managed clouds, and that's what I mostly talk about at conferences, including my talk from earlier this week at the Open Education Miniconf, which also touched upon OpenStack. As it happens we use LXC, the topic of this talk, quite a lot in our OpenStack deployments, but what I'm talking about here in this tutorial is a completely different use case, and that is containers on the desktop. It basically dovetails really nicely with the keynote from Jessie earlier this morning, all the things that she said about, you know, this is crazy to
do, running Skype containerized on the desktop. That's not crazy at all; I do that all the time, I think that's perfect. So those are some of the things that we're going to cover here. A question for the AV folks: are we okay with the feedback here, because there's a little bit of noise? You're working it out, okay, cool.

All right, so with that said, I do want to point out something straight off the bat, which is that nothing that I talk about here in this tutorial is the only way. There are several ways to run a containerized desktop. You will notice that the method that I present here, for example, is wildly different from the one that Jessie just described in the keynote this morning. I just found the one that I am describing here to be useful for me, and I hope it's useful for you as well. I've been using the setup that I'm describing here on a daily basis for something like, I don't know, a year and a half or two years now. In fact, these slides that you're looking at come out of a containerized web server that's running on my laptop right now. So this is just presented to you, and I hope that it's useful to you, but with absolutely no angle of "this is the only way that you can do this", and I encourage you to do your own experimentation and perhaps come up with a way that suits you better.

So with that said, what's a container? For those of you who sat in the keynote this morning this should actually be no news to you. From the perspective of the Linux kernel, right, in terms of kernel objects, what is a container? In the context of being a kernel object, anyone want to have a go? What's that? Well, hang on, from the kernel standpoint, what's a container? To answer the question: from the kernel standpoint a container doesn't exist, right. From the kernel standpoint there is no such thing as a kernel-level object that we could call a container. Containers are purely a user space concept that make use of, and make it easy to use,
a bunch of native Linux kernel features. So the thing that we call a container, to the Linux kernel, is really nothing but a process: a process using one or more namespaces and making use of cgroups, and optionally it could also use a Linux security module like SELinux or AppArmor or any other. But from the perspective of the kernel a container is really nothing special, it's just a process that happens to be using a handful of advanced kernel features. And because those kernel features are relatively advanced and a little bit arcane, it's really nice to be able to have what we call a container runtime, which is basically a management facility that makes using all of these kernel-level interfaces a little easier. As you've heard in the keynote this morning, there are multiple such container runtimes available. I'm going to be talking about LXC; there is another one, Docker; there's rkt; there's a few others, right. And just so you know, no, I'm not going to revisit the container wars at all. I am going to explain to you why I chose LXC for what I'm doing here, and I'm suggesting that you might want to consider that as well, but it's definitely not the only container runtime that is out there.

As far as namespaces are concerned, that's a concept that isn't really novel in the kernel anymore, although we keep adding namespaces all the time. So while the concept of namespaces is not exactly new anymore, I think it's about ten-ish years old at this point, we occasionally keep adding namespace concepts to the kernel. The first one was the mount namespace, so that's basically, you know, chroot on steroids. We subsequently added a user namespace, so that something that runs in this namespace can have its own set of UIDs and GIDs. We added an IPC namespace, so that we can isolate how individual processes talk to each other over inter-process communication like shm. We have a netw... whoops, you just killed me here. Yeah, yeah, no, that's fine,
that's all right. This is the nice thing about having a tutorial: we're not quite as pressed on time, not as badly as in a regular talk. Can you hear me? Yeah, good, perfect. A network namespace is pretty important; that's basically a means of giving an individual process its own IP addresses, but also its own firewall rules, connection tracking table and NAT rules and so on. We have a handful of other namespaces, and then we can use cgroups in order to give processes, in this case containers, specific, shall we say, restrictions on resource usage, right. But like I said, what's important to understand, what's important to take away here, is that from the perspective of the Linux kernel a container as such doesn't really exist; it's just a process that uses a handful of pretty handy kernel features.

Now with that said, we have to make a very important distinction, and that is along the lines of what kind of process it is that the container runtime actually launches, and based on that we distinguish between system versus application containers. Raise your hand if you've heard of this distinction before, system and application containers. Okay, cool. The difference between those is really what the process is that the container runtime starts for us. If that process is something that would normally be considered an init process, so conventionally that's systemd, but it could also be Upstart, it could be System V init, it could be OpenRC, whichever, if that's what the container runtime starts for us, then we're talking about a system container. So basically this thing works just like, you know, your regular server or workstation or desktop or laptop, in that you have a process that manages all other processes and sets up things like, for example, network connectivity by spawning a DHCP client, and a handful of other things. So basically the moment that your container runtime starts an init, we're
talking about a system container. The moment your container runtime starts something completely different, such as, for example, your Docker runtime starting an Apache binary, that's when we talk about an application container. In an application container, obviously, it is a requirement that everything that the application needs in order to, for example, be able to access disks and talk over the network, etc., etc., all of that has to be set up by the container runtime. With a system container the container runtime doesn't need to care about that that much, because there's an init that does this; in an application container the container runtime needs to do that. LXC is an example of a container runtime that is primarily built for system containers, and that is how we're going to use it. It is primarily built for system containers, which means that, yes, you still can run application containers in it, it's just not something that people do very often. For other container runtimes like Docker and rkt the opposite is true: those are primarily built for application containers, and if you bend over backwards a little bit you can also use those for system containers. But basically, normally, if you are selecting your container runtime based on what you're trying to do with it, then if you wanted to use system containers you would typically select LXC; if you wanted to build application containers you would use another container runtime like Docker or rkt.

By the way, I neglected to mention something very important when I first started this talk: this is a tutorial, so please feel invited to shoot out your questions any time, right, just go ahead. Oh, what is LSM? LSMs are Linux security modules, and this is basically the security enforcement framework that the kernel provides and that user space applications can then use. Examples for these, the two most popular ones, are SELinux, that's quite popular sort of on the Red Hat and CentOS and Fedora side of the universe, and
the other one, which is very, very popular, is AppArmor. What those do is they constrain certain processes such that they're only allowed to access specific resources, such as specific files or specific device nodes and so forth in a file system. That's primarily what they do; they do a bunch of other things as well, but that's sort of the primary use case. So that's what an LSM is, a Linux security module.

Okay, back to the distinction of various container types. So we've had system vs. application containers, and a few of you had heard about that distinction before. Raise your hand if you've heard of the distinction between privileged and unprivileged containers. Okay, that's a few more, great, because that was mentioned in the keynote this morning. So what's privileged versus unprivileged containers? A privileged container is a container, so recall that's just a process that runs in a few namespaces, that happens to run in the context of root in the host, okay. So we've got something that actually runs as root in the host, with all the security implications that come with that. Unprivileged containers run as a regular non-root user in the host, including just your regular old user account. Now that is a little bit more complex; it's also more secure, because what an unprivileged container does is what we call UID and GID mapping. The way that works is you have a certain UID on your host system, in my case that's 1000, and the container, the LXC container that I spin up as my user, or under the context of my user, even though it is completely unprivileged in the host, pretends to be root within the container, okay. The way that works is that basically we are mapping UIDs and GIDs from within the container to those in the host, and the way that is conventionally done is by basically shifting the UIDs and GIDs by a hundred thousand, okay. So we're allowing the user to create a bunch of subuids and subgids, as they're called, and they start with 100,000. That maps to root in the container, so UID 0 in the container, and then for everything else we just add a hundred thousand to get to the real UID or the real GID. So far so simple: privileged containers run as root and use no user mapping; unprivileged containers run as non-root and do use user mapping.

Here's where it gets complicated. You may see something about unprivileged containers running as privileged users. Does that sound confusing? It confuses the hell out of me. It is terminology that the LXD developers like. LXD is basically a hypervisor, not a hypervisor, a manager, a management facility on top of LXC, and they came up with this grand idea of, okay, the only thing that we're going to allow henceforth is that every container runs as root, but some of them still use UID and GID mapping. Okay, that's confusing. I just want to point it out and acknowledge that it's confusing. We're not going to care about it any further for the rest of this tutorial, because number one, we're not going to be using LXD, and number two, all of the containers that I'm going to show you how to run, or that I'm going to be demoing here, are all unprivileged, and they do use UID and GID mapping as you would generally expect.

Do we have another... well, the laptop has... what do you mean, the mic? Yeah, I can totally mute the mic. Yeah, okay, let me know if that's better. Okay, are we roughly on the same page about what's a container in the first place, what's a system container, what's an application container, what's a privileged container, what's an unprivileged container? Does that roughly make sense? Perfect.

Okay, so then we're coming to the very important question of why would you want to do this, like why would you want to run a containerized desktop, or why would you be running things in containers on your desktop, and I'll give you my reasons for why I'm doing this.
Reason number one: I want to keep my root filesystem lean. I'd like to have as few packages installed in my root filesystem as I possibly can. Now, granted, that is still quite a few. This laptop as it stands here right now is an Ubuntu 16.04 system which literally only contains, in packages, the stuff that I use on a daily basis; that still amounts to about 2,000 Debian packages that are installed there. You know, there's a bunch of library packages in there and so forth, but it's still a fairly substantial number, but it would be far more if I weren't using containers. All of those packages of course need to be updated and patched, which I tend to do quite religiously, and the fewer there are, the faster my daily updates get, simple. Also, what is not installed can't launch a background service, and so that is a potential, you know, vulnerability or issue that I'm not opening myself up to. And also a service that doesn't run doesn't consume cycles and use power, and there's a bunch of interesting advantages of that. So that's one thing: I'd like to keep my root filesystem lean.

I want to run multiple parallel versions of a lot of packages. I frequently need to install multiple packaged versions of some software on my laptop, and my personal prime example is, I tend to work a lot with OpenStack, so OpenStack client libraries. It's relatively routine for me to use two to three sets of OpenStack clients for different OpenStack versions in parallel for testing. One would, for example, be the Ubuntu packages for the latest release, and one with the packages for the release prior, and then maybe one with the packages that ship in the default install of the distro, and maybe even one where I install Python packages with pip install or something like that. But the important thing is that I want to be able to run and simulate multiple different versions of packaged software that I want to be able to install in parallel on my system.

Thirdly, I want to spin up and throw away things
easily. I'd like to be able to, when I've stuffed something up in, for example, my OpenStack client environment, just throw all of that away and actually know that, yes, none of it is left, and I would then like to respin it relatively quickly. You know, obviously, if we're only talking about stuff like Debian packages, getting rid of something you've installed is relatively reliable with apt remove --purge, but there's a bunch of other stuff, you know, there are things like Python packages installed from PyPI, or npm modules, or what have you, right. I just like to be able to put that in a can, and when I no longer need it I'd like to throw it away and get a new can, essentially.

Fourthly, and this is something that Jessie mentioned in the keynote this morning as well, I'd like to keep my root filesystem clean of anything that is not free and open-source software, which on the one hand I inherently don't trust, and number two, they usually have relatively crappy packaging policies, right. So things like Skype: running Skype in a container is something I completely do not consider outrageous, that is something I do as well. My company tends to prefer Zoom for video conferencing, and that's another non-free client, and I'd like to have that in a container as well. I go so far as to not allow non-free fonts on my file system but only in a container, so if someone actually wants me to use, like, Arial, which is something that Ubuntu can install via the MS TTF core fonts installer or whatever it's called, I actually create a separate container with those fonts in it and LibreOffice, and then I run the LibreOffice that needs those fonts from within the container.

Hooking in with the proprietary-licensed software like Skype or Zoom or whatever, which like I said I inherently trust less than open-source software, I also want to be able to do selective device pass-through. So I'd like to be able to
decide which one of my webcam devices Skype or Zoom should actually see, right. I want to selectively put that in, and with containers I can do that relatively nicely. Another thing that was mentioned in the keynote today: a container basically gets a fake /proc and /dev and /sys tree, so they don't see that information from the host unless I explicitly enable that, and then I can pass in, for example, just one of my webcam devices and make only that available to a specific container. Just as a disclaimer, I am certainly not saying that that solves all of that software's security problems, right. It just strikes me as a better idea to have this compartmentalization than not to have it, that's all; it just contributes to that.

And then finally, on the why question: why am I doing this with LXC, and why am I not doing it with a different container runtime or management facility? Why am I not doing it with LXD, why am I not doing it with Docker, why am I not using virtualization like KVM, etc.? Just to point those out: LXD, like I said, to the best of my knowledge doesn't expose the option of having the container process run as non-root in the host, and I'd like to have that. Docker is really not built for system containers and is skewed toward serving the application container category. I of course could run applications dockerized, and that is something that application developers tend to like a lot, but that's frequently not what my testing scenario is. I'm not an application developer, I'm a system integrator, so I need to know how an application behaves within a specific environment, and if that specific environment happens to be, shall we say, CentOS or Ubuntu or whatever, what I really want to test this application in is an Ubuntu or CentOS or whatever container. KVM is simply too heavyweight for what I need to do, right. I don't need full hardware emulation, and I want sharing parts of my host's file system to be relatively simple and easy, and also none of the
work that I do is typically kernel related, so the fact that a container only gives me one kernel to work with, and not a choice of kernels, is immaterial to me. So that's why I really don't need something like a VM, and when I do have that testing need, well, we happen to run a public OpenStack cloud, and I can just make basically an OpenStack API call and boom, I have a VM. So that's why I don't need that on my laptop.

Okay, so that much for the theory and the motivation and what have you. Now, for those of you who want to follow along with the next steps that I'm going through, all of the information that is contained in this tutorial is on GitHub. If you go to github.com/fghaas there is a repository called lca2018-lxc, and there is a README in there that is more or less a sort of command cheat sheet, and everything else, all the other resources that are mentioned in here, are there as well. As you could glean from the talk or tutorial description in the schedule, the assumption here is that you do have LXC installed on your system, and the examples that I'm showing you do assume that you're running on Ubuntu. On everything else the general concepts that I'm explaining to you should also work, but your mileage may vary. Later on we're also going to get to some slightly more advanced use where we are using Ansible, so if you want to follow along for the whole thing then you might want to install, on Ubuntu, the lxc package, which installs a bunch of dependencies, and the ansible package, and ideally you should make sure that you're installing Ansible 2.4, which is the latest Ansible release, and that is available from the Ansible PPA, so apt repository ppa:ansible/ansible. Right, like I said, this was in the description, so if you already have that, great; if you do not, it should take no more than a couple of minutes to set that stuff up, and I will now give you about
two minutes or so for those of you who do want to clone this to do that, before I continue with my first example. Yes? Power? Oh, I do not know, does power work over there? It works. Do you want to move over here maybe, these work, there's also one more seat left down there, whatever, wherever you feel most comfortable. Give me a thumbs up if you're good to go. All right, yes please. Okay, so the question was for those of you who opened up the QR code earlier and are following the slides. By the way, sorry, I should have mentioned that: I do that routinely for people with vision issues, for people who more easily follow along on their own laptop or on a tablet or anything. So if you open the URL that I gave earlier to follow my slides along, those will advance in sync with how I advance my slides here, and that is a feature, it's called multiplex, of reveal.js. If you're interested in how that works, I have a repo on GitHub, in my repository it's just called presentation template, and that is sort of a showcase of all of the stuff that I use and what have you. And that's apparently relatively simple and easy to use, because if you were in Tim Serong's talk yesterday, he used that too, and he got going with it in a couple of days, so apparently that's reasonably useful. If you have any other questions on that please see me after, I'll be more than happy to geek out about that, and reveal.js is generally fantastic; I find it an absolutely wonderful way to author presentations and do slides and present from them.

Okay, has everyone who wanted to copied down the URL? I think so, right, no one's screaming. Good. Okay, we're going to start out with a really, really simple example. I mentioned earlier one of the things that I'd like to do is I'd like to keep my root filesystem relatively uncluttered of various libraries and runtimes and so forth, and one such example that I really don't need in my host is a full Ruby runtime. I don't do any development in Ruby, I
don't use any tools, basically, that use Ruby, and really the only Ruby application that I use a lot is Sass, right, because that's how I write my style sheets. So what I do is I keep Ruby, Sass and the entire Ruby runtime constrained to a container, and I only spin it up when I need it, and that's when I update things and what have you, and otherwise it's just not there. So what I want to do is I want to create a container, and that container should include just enough for me running Ruby Sass, that's all, okay. So let's cut to the chase, let's see what we do here. Is that reasonably visible for everyone sitting at the various tables? Okay, cool. So the information basically on how to do the next steps, that is all here in the README, right, in the README of that directory, I'm sorry, of that repository, and we're going to get started with this.

Obviously this has already been done on my system, but for you that will still be important: you're going to have to do two things, basically, after you've installed your LXC, to make these unprivileged containers work. One, you have to tell LXC that a specific user is allowed to create container network interfaces, and two, you have to tell your host, your kernel specifically, that a specific user is allowed to use UID and GID mapping, right. All right, so let's see, so here's my README. So the first thing that you want to do is you want your /etc/lxc/lxc-usernet to look like this, okay. So the syntax for that is username, white space, type, white space, a bridge name, and the number of interfaces that you're allowed to spin up, okay. My user name is florian, the type should be veth, the bridge is called lxcbr0 on a standard, this is an Ubuntu 16.04 system, but that should also be the case on a 17.04 box or even a 17.10 box as well, and I'm just allowing myself a hundred, a hundred interfaces. There's a little script in here in the README for you if you want to do that, so that looks
like this, right: you do a sudo tee -a /etc/lxc/lxc-usernet, and then enter your user name, veth, lxcbr0, 100, and then that's that, okay.

By the way, I do understand it is the last day and the last afternoon of the conference, I know many of you are probably quite tired. It is perfectly okay if you just want to listen, you can totally do that, you don't have to follow along with every exercise either. All of the information is available on GitHub, everything that is related to this tutorial is up on GitHub, and it is all CC BY-SA licensed, and it will be available, well, until whenever I actually shut my GitHub account down, okay, so for all intents and purposes that's pretty much a definite, at least during my lifetime, okay. The same thing is true if you happen to get stuck here at some point: just, if I can make a recommendation, just kick back, relax, listen, and come back to it when you're back at home or in the office or anything like that, okay.

First thing, lxc-usernet, and the next thing is we want to... well, actually, no, we don't need to do that yet, we'll get to that in a second. Well, actually, let's do it now, it's probably better to do it right now. I'm just going to vi this; it's always good to do presentations from vi. All right, let's see, this one right here, right. Your subuid and subgid mapping: there is a file in your file system that's called... two files, actually, they're called /etc/subuid and /etc/subgid, and there you define what subuid and what subgid range you allow for specific users. What that syntax means is: for your username, create 65535 possible UID and GID mappings that are all shifted by 100,000. So that means that, for example, UID 3200 in your container becomes 103200 in your host; that's just how that goes, and that is considered a subgid and subuid. Before, sorry, yeah, so the syntax: the syntax username, a hundred thousand, 65535 means that the user is allowed to map a total of
65,535 UIDs and GIDs that are all shifted by one hundred thousand from the container to the host, and there is also a nice little script for that, if you want to do that, like this: sudo... whoops, sorry, not that. Wait, we've got a problem with the screen here a little bit, hang on. Do that README again, or were we right here? See if this works: for f in /etc/subuid /etc/subgid, do sudo tee -a, and then... Yes please, let me see that really quickly. So the question was, what do you do if a user is already in there when you got here, what if another user is already in there that uses the same range? Well, then either you use a different range, and then you basically just, like, when I get to the next steps, or you temporarily change it, right. It's basically up to you, you know, two users can't occupy the same range. There we go, okay.

Now, the first thing we're going to do, and I'm going to get back into my README here, the first thing we're going to do is we are going to create, and you're going to see this here in this line, and I do encourage you to look in your own environment rather than follow me along here on the projected screen, because that tends to get cut off, we're going to create our first container, and we're going to call that xenial-sass, because it's going to be based on Ubuntu Xenial, Ubuntu 16.04. The lxc-create command, lo and behold, creates a new LXC container. We have to give it a name, that is xenial-sass. We have to set a template, that's what the -t stands for. If you're curious, there is a directory that's called /usr/share/lxc/templates, if I remember correctly, where all these templates are. They're basically just scripts that pull down either an image, or bootstrap a container for you from packages. In this case we're using the ubuntu-cloud template, so that is basically a tarball that we're pulling down from cloud-images.ubuntu.com, and we have to provide a
couple of command line arguments for the template itself, and that's why you have, after the lxc-create -n xenial-sass -t ubuntu-cloud, you have the --, because then what follows are the arguments that you pass to the template script, right. And the template script, the ubuntu-cloud template script, we have to tell we want to install from the release xenial, and we want to install from the tarball at cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg etcetera, etcetera, okay. So thankfully we're behind really, really fat pipes here, so downloading this image shouldn't take forever for you; for me it's going to be even faster, because on my system it's already been downloaded before and so it's been cached, right. lxc-create is smart enough, when it pulls down a template like that, it puts it in a local cache, and if you want to spin up another container from that same template then off you go with the cached copy. So what I'm going to do now is I'm just going to take the stuff that is right in there, the lxc-create command, and we're going to fire that off. Oops, that was the wrong one, come on, do that again. So that's that, like that's super quick because it's already cached, right. So it does the wget normally and then pulls that down and then extracts the container filesystem and that's it, right, here's our container.

Yes please? Tell me what kind of error you have and then I can tell you if I can fix it right now or later on; I will be more than happy to look into that later, if that's okay with you. Okay, all right, so that happens when you... so what you saw there is actually a missing package, and let me look the name up for you, so hang on one second, I'll go to something else here. I think it's libpam-cgfs, but let me look it up real quick, getting ahead of myself here, but that is okay. Okay, check if you have the lxc, uidmap and libpam-cgfs packages installed, and if any of
those are not installed then you're gonna have to install them and log out and log back in hello they're right there they're right on the screen right now Lexi you wit map and lip Pam see GFS taken packages that's that's okay so you you just have a list here of those over those packages in that llamo what you want to do is you want to do an apt install of Lexi that should already be there but you also you also do an apt get install a view it map lip MC GFS and squash avails squash investools so if you just installed those packages you do need to log off once and then log back in because otherwise Pam doesn't pick up those settings so let's do this so if all else fails for you then if even if the unprivileged containers don't work for you the privileged one still should okay in which case you're and I'll be happy to accommodate that in the rest of the tutorial in which case your config files will go somewhere else then with the unprivileged ones but I'll be happy to mention that right so if the thing that gets you going for now the fastest is actually just pre fixing everything with sudo and actually run privileged containers then we can totally do that right that is and and we can we can get back to to the unprivileged ones later on and essentially it's entirely up to you whether you want to go through the the whether you want to jump through the hoops in order to make unprivileged containers work or whether you just want to do things for now does that work for you by the way if you su do it and run it okay cool I mean I can give you this for I can give you a little bit of a comparison here like what this does differently okay so for those of you who are now contemplating am I going to be running this unprivileged or privileged the difference is that follows I'm sorry is as follows if you run if you create an unprivileged container so one that runs as your own user then this kind of stuff is going to live in dot local in your home directory / share / like C okay 
and that's where your unprivileged containers go as you can see I run a few on my desktop right if you are running privileged containers so containers that run as root those will go to Varley blixxy which is not readable by a regular user and as you can see I have a couple of privileged containers running in my environment as well those are the two default paths if you're running a priviledge container those live in Varley Blake see if you are running an unprivileged container those live in your home directory under a dash a dot local share Lexy and if you create a container name xenial SAS that where you where you prefix the Lexy create with sudo what you would see is a is a path VAR lip like C / xenial SAS and that's that right and in my case that does happen to be in local share Lexy and here is a xenial SAS like this oops sorry not LS but CD here we go and that that contains a file name configure that's your container configuration and it contains the root of s so basically that is your container root and what you find in there if you CD into that you're gonna see just a regular old ubuntu installation and wherever you've spun up your your Lexy container whether you've spun it up as root in bar lib Lexi or whether you've spun it up in local share like see you can take a look at your config file I actually should show you one of my own privileged ones because I have a few default configurations here oops hang on a second you have to install that's cloud IMG - utils right okay all right so for those of you running into that weird little error on whatever the Ubuntu version is that you're running cloud image cloud image utils is the package that you installed to make work perfect okay cool cloud image utils fair enough all right here we go okay so as you can see the the thing that has been created here you get a root of s you get it you get a network configuration etc etc I'm not going to go into too many of the details of of these things here right now there are 
For now we can simply start the container, right, xenial-sass, like that. We can attach to it. This is an unprivileged container, this is now running as my own user, but if I drop into it, if I do lxc-attach, whoops, I'm root, and then I can do anything that I want in that thing. Just to demonstrate what the container separation does for us, I could for example do a ps, oops, ps, like that, right, and you see there's only a handful of processes that are actually running there. Probably pipe that through less so you can see it more easily on the screens here, where things do get cut off a little bit. So that is, overall, a handful, like 23 total processes that are running in this container, and obviously the host is running way more. So that's just your demonstration there of the PID namespace. You also see, if you look into this thing, that we have a... let's do this here really quickly, right, we do have a PID 1 there, it's right at the very top, so that's what makes it a system container: we have a regular /sbin/init as our PID 1, and that happens to be systemd, and then everything else, those are children of our system management daemon, and as you can see there is a cron running there, an rsyslog and atd and sshd and so on.

Yes please? I'm sorry, say again. Oh, like, what do you pull down? The question was, is there something like Docker Hub? Well, what you pull down from Docker is an image for an entire application. The equivalent to that is basically your lxc-create command, where you specify what template we're running from, and then with your command line options for the template script you tell it what actual image it is that you want to download. Is there a repository for templates? Yes, well, it's actually part of the distro, it's part of the LXC distribution, it ships with a bunch of templates: it ships with a template for Ubuntu, there'd be a template for Debian, openSUSE, Fedora, et cetera, et cetera. So yeah, definitely, that does exist, and of course you can write your own template script, right, you can write your own download script. Okay.

I want to move on here a little bit, and like I said, everything that is in here is available online. So let's do a few interesting things with this container of ours. For example, one of the things that I might want to do is share my host's home directory, or any other filesystem paths, with the container. So maybe what I'd like to have is a filesystem mount, and in my case, like I said, frequently what I want to do is I actually want to share my home directory. What that helps me do, obviously, is I can then, once that is in place, drop into a container, be myself, so be my own user, and then access my files in my home directory as if I were outside a container, except that I have all these other binaries available that are only in this container, such as for example Sass from Ruby. Now if I want to be able to do that, then there's a few conditions that I need to meet besides the sass binary being available in the container, and I don't have an interactive lab of sorts for this, but I'll be more than happy to show you what that looks like. What we need to do then is we need to make sure that my username, my personal username that happens to be florian, must map to a user that is available in the container; in other words, we have to be able to start a process under my own UID and GID. My home directory must be available inside the container, and not only must it be available, but it must actually be writable in that container. Okay, so let's see how we can do that.

I'm going to drop out of the container here and we're going to have a quick look at some details in the configuration. How do I do this, right? And there are two things that are reasonably important here. So one is the id_map, and this is a neat little trick that you can play on LXC. This is, interestingly, relatively under-documented; there's basically one obscure blog post that you can find that explains this, and the syntax here is a little bit arcane. Let me explain what these id_map entries mean. So it's not great, but I guess you can see where the pointer is, or where the cursor is; you see an id_map entry in here, and it has the relatively cryptic syntax of `u 0 100000 1000`. What that means is that for user IDs, and that's what the u stands for, starting from 0, map a total of 1000 UIDs such that they are shifted by 100,000, right? Let me say that again, because it sounds weird and it's complicated: starting with user ID 0, that is root, map 1000 user IDs, that is to say UIDs 0 to 999, shifting them by 100,000. So that means that what is UID 0, that is root, in the guest becomes UID 100,000 on the host, okay, and allow that for a total of 1,000 UIDs. Also allow the same thing for the same number of GIDs, that's the next one, right, that's this thing. And then create a UID mapping of the UID 1000, that happens to be my user florian, and map it to the user 1000 in the guest, I'm sorry, in the container, right? In other words, map everything but pass through user ID and GID 1000, right? So everything else should be mapped, but my own user ID should be the same. And then there's one other thing that I need to do, which is I have to say I want to also add a mount, I want to create a mount entry, I use lxc.mount.entry for that, and I want to mount home to home; there's no leading slash in here, that's intentional, and I want to add two more options to that, like this, okay: `lxc.mount.entry`, home, home, and rbind. I'm sorry? Yeah, what? Yeah, it's the fs type, it basically is standard fstab syntax, with dump and pass, right? So okay.

So now if I have these id_maps that you see at the top and I have this mount entry, I can quickly stop that container. Actually, let me keep that up for you for a little bit. All right, for that mount entry, by the way, if you were using sudo earlier, just forget the id_maps and just create the mount entry, because unprivileged, sorry, privileged containers don't do any ID mapping. The last two id_map rows: so in the first two we tell it to map everything from 0 to 999 and shift, then we say map 1000 but only one item, and then shift everything else beyond that, so 1001 and following get shifted again, right? So okay. So now that I've included that lxc.mount.entry, that's also in the readme, I can do an lxc-stop of my xenial-sass and then it can be started. There we go. And if I now were to do an lxc-attach to this thing, xenial-sass, and now within this thing I go to /home, then there's a bunch of directories in there that actually come from my home on the host, so the user florian then actually finds a /home/florian directory that's in there. The other stuff that you see there, by the way, is eCryptfs, and you totally should be using eCryptfs for your home directory. Okay, cool, so that allows us to do that sort of thing.

Now I want to show you a few other things that are possible with LXC configuration like this, and I'm going to just show them to you, because really you shouldn't be doing these things manually, and I have a better way of doing things to show you afterward, but I'm going to still show you these configuration options. So one of the things that you might want to do is... oh well, I should maybe prove to you that here within this thing I can now do an apt
install ruby-sass, and the other thing is called ruby-inotify, I think, ruby-notify is what it's called, hang on. Have you started the LXC user-net daemon? That would start on system boot, but if you've just installed LXC then that wouldn't have been started yet. Oops, here we go. So that's a bunch of stuff, right. I only want to install ruby-sass and ruby-notify, but there is a whole load of stuff that comes with it, and that's the primary reason why I really want to run this thing in a container rather than installing it and then, when I no longer need it, throw all of these things away and then hope that apt-get autoremove does the right thing for me, right. I'd much rather just be able to toss the container and start over. But if I do this, this thing all gets installed, right, and that's literally just to compile Sass into CSS, all right, that's just so I can do `sass --watch`, that's all, right. So those are a bunch of things that come in there, right, and no, I do not know why for ruby-sass I actually need to install Wayland; I'd prefer not to. No, it's... then once this is done it does what it's supposed to do, and that's that. Okay, so I'm not gonna watch this complete here, but I can show you later on that yes, in fact, we can totally then start sass and we're happy. But now let's start thinking about a few more interesting things, because ultimately, you know, ruby-sass, that's just a command-line application, that's not very interesting, what we're doing. Yes? If I said, well, if I spin up another machine and I install packages in it, then yes, of course, that's gonna take the time of installing the packages, and yes, you can do something smart, which I do here on my laptop routinely, which is I run an apt-cacher-ng on the host and then all of my containers are configured to use that as their apt proxy, and so the package installs are a lot quicker that way. However, we can do something that speeds up the creation of fully installed containers even further, but let me get to that in a second.

So the next thing that I want to talk about is X applications, right. We'd like to turn it up at least sort of a small notch; we'd like to run an X application in a container now. So that's not that difficult at all with X.org, which is what I use here, this is Ubuntu 16.04. This approach works for Wayland as well, as long as Wayland runs the X compatibility server that's called XWayland; as for native Wayland, I'm sure there is a way to make this work too, I just haven't looked into it yet. If there's a Wayland developer that happens to be here and would like to read me into that, I'll be more than happy to listen. Now of course we could make an X application available in a container by simply running an SSH server inside the container and then `ssh -X` into it, right, and then do X forwarding, but that's kind of boring, and I also prefer a slightly more direct method of doing that. So let me show you an example of a pre-installed system that I already have. By the way, here's our, oops, there's our sass, right, so let's do a `sass --help`, right, so okay, we can finally do Sass compilation, great. So let me show you another example, and that is my xenial-firefox-java thing, right, this is just on my local box here, and I want to show you how relatively easy it is to make an X application run inside a container. So we do config, and you will see that the relevant entries are just these two, the ones at the very bottom, right: you simply bind-mount /tmp/.X11-unix and /dev/dri into this thing. One thing that LXC allows us to do is to, quote-unquote, mount individual files into the container, so you don't only get to bind-mount directories, but you can pass individual files directly into there, and we do that with /dev/dri and we do that with the /tmp/.X11-unix directory. And when I do that, those are literally the only changes that I need to make in order to run an X application.

And let's see, if I now start this thing here, there's my xenial-firefox-java, and now I'm gonna do lxc-attach firefox-java. By the way, the reason why I'm doing this, I think, is relatively obvious: a Java runtime is another one of those runtimes that I don't necessarily need nor want in my host filesystem, right, so that's one thing, I don't really want a whole JRE and all the libraries that it comes with in my host filesystem. And there is another reason, which is I really want to constrain access to my devices, because there are things that commonly run as, like, a Java Web Start application that you then fire up with the IcedTea plugin or javaws or whatever, that for example, you know, connect to the management console of a server, and they are able to manage virtual media and they have access to my USB, and that sort of thing freaks me out if it's a completely closed-source thing that I can't look into. So I'd rather have this thing in a container where I can keep tabs on it. So I've just attached to this thing, I'm gonna become florian here really quickly, like that, and then I'm gonna start Firefox, and nope, that's the wrong one, where is it, there it is. All right, so there's my Firefox that's running right there, and that is now running within a container, but it has access to my host's X server, right, so that's why I can simply run it in a window here, in a separate window here. And I want to open up, hang on, I want to open up a specific page here, well, we got that here, there we go. Okay, so I wanted to open a specific website in here, all right. This runs in my Firefox in a container, and that brings me to the next thing that I now want to try, right: I want to be able to get sound out of my application that runs in LXC in here, because when I do this here now, you're probably not hearing anything, right, it just pops up, it says "to play audio you might need to load those PulseAudio libraries", right, and it just doesn't work, right. So let's see what we can do about actually making audio happen. Oh, and let's kill that for a second, this backup. [Music]

So the next thing we really want to do is we want to add some sound to this, right. So sometimes I do want sound coming out of my container, like, for example, the example with the sound page here is maybe a little bit contrived, but I do need it for, you know, running Skype and other things. And there are a couple of ways to do that. With PulseAudio, which I'm running here, I could for example have PulseAudio put its listening socket in a non-standard location and then share that with the container via bind mount. I say non-standard location because this doesn't work with /run/user/UID, which is where PulseAudio normally puts that, because if I have systemd running in the container, then that creates its own version of that and mounts over it. But what I can do is I can just start a PulseAudio TCP socket on my host and then have my applications in the container connect to that instead, right. Let me show you that. So I'm gonna, there we go, I'm going out of this thing here, I don't need to restart it at this point, I'm just going to do this: I'm gonna do a `pactl load-module module-native-protocol-tcp`, which loads the TCP protocol socket into my PulseAudio configuration, and then I reattach to this thing and I become florian again, and here I simply do an `export PULSE_SERVER=10.0.3.1`, which is the IP of my host as the container sees it, like this. And then what I want to do is I want to go right back to the page where I just was. Sorry, it was a Google search for this thing, didn't mean to do that. So there is that thing, and now I need to come out of full-screen mode here again, sorry, this is all a little bit complicated, doing a demo with two different browsers and no confidence monitor. Here we go, so there is that
thing, right, we're back, and now let's see.

[Audio clip plays:] "This is an Opus audio file. More specifically, this is an Ogg file containing audio encoded with the new Opus audio codec. The standard for the Opus audio codec was recently formally finalized and approved by the Internet Engineering Task Force." Very soothing, I think. "The Opus codec has been developed from a combination of Skype's SILK codec, which it has used for voice over IP at low to moderate bit rates, and Xiph's high-quality CELT codec. Both are designed for low latency, meaning computers can convert raw audio input to encoded audio for transmission very quickly and then decode it at the other end very quickly as well. This is important for real-time voice chat and other interactive audio, since even 300 milliseconds of latency can make holding a normal conversation almost impossible. Opus combines both human-voice-optimized SILK-style encoding from Skype and CELT-mode encoding for music and other audio on the fly in a way that seems to give very..." I think that's enough. But so now we learned something about the Opus audio codec as well.

Like I said, what that enables you to do is, with this combination of using the TCP socket from the Pulse server and just passing in your X server, you can run a fully X- and audio-capable application from within a container, which I find reasonably useful, because it then enables me to do one other thing. Oh, come on, there we go. Because it then enables me to do one other thing, which is I can then also do a selective pass-through of USB devices, notably my camera, my webcam, right. And what I use that for, like I said, my company tends to prefer a proprietary video conferencing system, namely Zoom, and what I then like to do is I like to run my Zoom in a container. It uses the same X settings that I just demonstrated for Firefox and the same sound settings that I demonstrated for Firefox, and now the final thing that I need to do is I need to get my webcam into the container. And the way I do that is this thing again, there we go, and there's my xenial-zoom container, like this, and there is a config in here, and here, down here, is another mount entry, right. And I have two webcams on my laptop: the one that's on board, that's /dev/video0, and one that I plug in via USB, that's the only one that I want to actually be able to use with Zoom. So I do this selective mount entry, where I mount /dev/video1 into my container, and that's that, and that's the only thing that the container sees out of the host /dev tree, and then I can be absolutely certain that the only thing that Zoom sees is the webcam that I want it to see. And then of course it also uses standard PulseAudio client libraries, so what I just described for the audio output also works for the audio input, so this thing sees my microphone and I can just use that, and it works really dandy. And when I'm done, I don't need to worry about some background process running in a Zoom system tray icon or any crap like that; I just kill the container and I know there's absolutely nothing from Zoom that's running on my machine anymore.

Now, the question that came up from over here earlier is, well, if I have to keep installing all these packages all the time, isn't there a better way of doing things? Like, can't I have my own little sort of baseline image and then go from there? Well, we totally can, and this is built into the LXC user-space binaries, sorry, but we can really, really cleverly use Btrfs for this. We call this cloning, so cloning or copying a container basically means creating a container not from a template but by duplicating the root filesystem and the configuration of an existing container, then just making a few changes to the configuration and then going from there. So for example, what you might have is a local image, a local container, that runs Ubuntu Xenial that is configured to your liking, and by configured to your liking I mean you might do some things like uninstall snapd, LXD and open-iscsi, because those are installed by default in Ubuntu 16.04, maybe you don't want that, you kick that out, right, or maybe you want to drop, say for example, your apt proxy configuration into there, or something like that, right. And that's really cool. The way that we can do that is lxc-create and lxc-copy have an option, -B, capital B, for backing store, and if we set that to btrfs, then this thing actually becomes a Btrfs subvolume, and when we then clone this thing it actually becomes a Btrfs snapshot. So let me demonstrate that for you really briefly here as well. My containers do run on Btrfs; my /var/lib/lxc runs on Btrfs and my ~/.local/share/lxc runs on Btrfs, those are symlinks into one Btrfs filesystem. So just to illustrate how that works, or how quickly that works, I can do this: so I'm timing, I'm creating a container named xenial-test on a Btrfs subvolume and I'm creating it from the template. Now recall that this actually already has a pre-populated cache, so I don't need to download the image from anywhere anymore, and so setting up the entire container takes ten seconds. Now this is created from a template, and now I want to clone this thing: I use lxc-copy, and I'm doing a time, what, let me get that to you here, there we go, right. I do a `time lxc-copy`, it also uses -B btrfs, lowercase -n means the source that I'm cloning from, so I'm cloning from xenial-test to a name xenial-clone, right. Creating everything from template without downloading anything from the internet on these machines took ten seconds; cloning that thing takes 0.3. Okay, so we have a fully functional container that contains all of what was previously installed into a container named xenial-test, and it took three tenths of a second to create it, which is really, really nice for when you just need to spin stuff up quickly and then throw it away.

Okay, so the question was, why do we specifically need Btrfs? Because Btrfs is the only true, you know, free and open source filesystem at this time that fully supports subvolumes and snapshots. The other option that you can use on Ubuntu 16.04 is, depending on how you're wired, ZFS or ZFS; I'm not very fond of that for a variety of reasons. If you went to Dave Chinner's "teaching an old dog new tricks" talk earlier in the conference, it is actually plausible that within, shall we say, one to two years we might have subvolume and clone capability in XFS as well, so at that point it will no longer be tied to specifically Btrfs. There are two more ways that you can do snapshots and fast clones with LXC: one is thin-provisioned LVM snapshots, and the other one is Ceph RBD, if you're running your LXC containers off of Ceph clusters. Yes please? So the question was, how does that work without root privileges? You are absolutely correct: for Btrfs you don't need them to create a subvolume; you do normally need root privileges to remove a subvolume, but there is a mount option in Btrfs that allows regular users to remove their own subvolumes, and in an LXC environment you would typically mount your Btrfs with that, right. But yes, you're right, for example if you're dealing with LVM, then you need root, and if you are dealing with Ceph RBD, then you need a user that is able to read the authentication credentials that are needed to connect to the Ceph cluster. Let me answer... so the question was, am I running a Btrfs root on my laptop? No, I do not, I run an ext4, I'm sorry, on this machine I run an ext4 root on my laptop, and then everything else is either ext4 or Btrfs. If we do this, you'll see that I have a thing that I call /srv/lxc, and from there I have symlinks from /var/lib/lxc and from my local home directory, right. So I just
use one Btrfs filesystem and I use it only for LXC purposes, and yeah, so that's it, you know, there's plenty of people who do use Btrfs on their machines. Okay.

And now, finally, because I'm almost out of time here: I did mention earlier that, well, we really don't want to do all of this stuff, you know, managing these containers and so forth, all manually, and I don't manage my containers manually. I do this from a set of Ansible playbooks. Those Ansible playbooks are also up on GitHub; if you look into my repository on GitHub there's a thing that's simply called ansible-laptop, an Ansible laptop config example, and you're absolutely welcome to look at that, and I'll be more than happy to... you know, about feedback and patches and what-have-you. But for now let me just show you what that does. So let's go here, and here is my ansible-laptop, and we just created a xenial-sass and we worked with the old firefox-java, right, so I'm gonna throw that away, knowing full well that I want it back very, very soon, right. But let's suppose I just stuffed something up in these containers and I really don't want to mess with that anymore. So how do I bring them back? I use this Ansible playbook for that purpose, with an appropriate configuration; like I said, it's all up on GitHub. Let me show you what that does. Let me just do this, then actually, let's see if we can do that. So I run an ansible-playbook, I use it with an inventory file from a different directory, laptop-config/inventory, no, I call that hosts, and what I wanna do, I only want to run that on my own machine, I call that eagle, and oops, that was the wrong one, sorry, let me start over. So `ansible-playbook -i`, not that, ansible-laptop-config, oh, I want to limit it to my host named eagle, and I have a tag that's named lxc, and the playbook name is local.yml. For those of you not familiar with Ansible playbook syntax, that means that I'm reading my inventory, that is to say my definition of which hosts I want to run on, from a separate directory, where it would also find its host_vars and group_vars, the variables that actually configure this thing; I limit it to my local host, which happens to go by the hostname of eagle, and `-t lxc` means run only the tasks in this playbook that are tagged lxc. And what that does is make sure that all my packages that are needed are installed, that the UID and GID maps are correct, that the usernet thing is there, and then it creates containers for me, and it creates those containers from a basic clone. That clone, or the clone source, is simply called xenial; that's my basic Ubuntu installation, and then we create two clones from that, namely xenial-sass and xenial-firefox-java, which I previously just destroyed, right. And if I now do an lxc-info, I'll see that, lo and behold, it's back. And now what I want to do is I want to configure those, right, I actually want to configure those, and that I can do with Ansible. This may be relatively new to some of you: there is a thing... who's familiar with Ansible dynamic inventories? Right, okay, so a dynamic inventory is basically a script that produces a list of hosts that Ansible can talk to, and can also define what is the connection method that we're using to talk to this thing, and there is a thing called lxc-inventory.py, which, I'm ashamed to say, is the only thing in this entire presentation that I actually wrote in terms of code; everything else is just configuration that I wrote. But here's this thing called lxc-inventory.py, ping all, there we go, tells us that a bunch of our... I didn't have to tell it what the LXC containers on the system are, it just talks to the local LXC configuration, and then those... oh cool, these are the various LXC containers that are defined here. If I start them now, what was that, xenial-sass, xenial-firefox-java, there we go, I can do that ping again and there's two that come back with a pong.

All right, so two machines that are now running, and now I can use the very same playbook that I just used. So I want to do an ansible-playbook, oops, ansible-laptop-config, lxc-inventory.py, and now I want to... I don't want to limit it to... inventory.py, there we go, and I don't want to limit it to anything, I just want to go local.yml. Whoop, so it knows all these other containers don't run, but those two do run, and then we do a complete Ansible configuration of this thing based on those individual host configurations. As you can see, we toss in, you know, D-Bus and Ruby and what-have-you. This is gonna take a little while. Yes please? Yes, of course, it's just called ansible-laptop-config-example. It's also... huh, really? Let me check on that short link, I'll do that straight away, maybe I forgot to flip a switch there, because that's the only thing that I literally just uploaded. Yes please? No. Okay, oh cool, I'll look into that, awesome, thank you, perfect, self-plugs are good. There we go, there's a Firefox, a few fonts that we need there, and then that's the end of that. All right, so thank you for the pointer about configuring... we'll throw that up shortly. And I am unfortunately out of time, but I will say this: all of this material is available to you under a Creative Commons Attribution-ShareAlike license, CC BY-SA 4.0; you are perfectly free to share, reuse and modify this presentation as you see fit. Anything that is useful to you, please go and use it. And I have a final QR code again for you, which is all of the stuff that I presented here and the readme and so forth, that is all on GitHub and you are absolutely welcome to use that. Let me fix that one other thing with that other GitHub repo promptly, and with that, I thank you very much for your time. Do enjoy the conference closing, everybody get home safely, happy Australia Day, and hope to see you again at LCA as soon as possible. Thank you very much for coming, have a great afternoon. [Applause]
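Added example (not code from the talk, its readme or the speaker's Ansible repository): the pieces the tutorial sets by hand in the container config, collected into a few POSIX sh functions, plus the check for the subordinate-ID range collision raised in the Q&A. `subid_conflicts` reads a file in /etc/subuid or /etc/subgid format and reports any other user's range that overlaps the one you intend to use. `lxc_idmap_lines` emits the id_map block with the desktop user's UID/GID passed through unchanged, so files in the bind-mounted home keep their owner, and everything else shifted into the subordinate range. `lxc_desktop_config` adds the bind mounts for the home directory, the X11 socket directory, /dev/dri and any device nodes you name (the webcam in the talk). The range base 100000, count 65536, the address 10.0.3.1 and the container name xenial-zoom are assumptions matching the defaults the talk shows; the key is spelled `lxc.id_map` as in LXC 2.0 on Ubuntu 16.04, LXC 2.1 and later call it `lxc.idmap`.

```shell
#!/bin/sh
# Added example, not from the talk: LXC config generation for an unprivileged
# desktop container, and a subuid/subgid range collision check.  Assumes the
# LXC 2.0 key spelling (lxc.id_map); LXC >= 2.1 renamed it to lxc.idmap.

# subid_conflicts FILE USER START COUNT
# FILE is in /etc/subuid (or /etc/subgid) format: user:start:count.  Print
# every entry owned by someone other than USER whose range overlaps
# [START, START+COUNT) and return 1; return 0 when the range is free.
subid_conflicts() {
    sc_file=$1 sc_me=$2 sc_start=$3 sc_count=$4
    sc_end=$((sc_start + sc_count))
    sc_rc=0
    while IFS=: read -r sc_user sc_s sc_c; do
        [ -z "$sc_user" ] && continue
        [ "$sc_user" = "$sc_me" ] && continue
        sc_e=$((sc_s + sc_c))
        # two half-open intervals overlap iff each starts before the other ends
        if [ "$sc_s" -lt "$sc_end" ] && [ "$sc_start" -lt "$sc_e" ]; then
            echo "$sc_user:$sc_s:$sc_c"
            sc_rc=1
        fi
    done < "$sc_file"
    return $sc_rc
}

# lxc_idmap_lines UID BASE COUNT
# The id_map block from the talk, generalised: container IDs below and above
# UID are shifted into the subordinate range [BASE, BASE+COUNT) that
# /etc/subuid and /etc/subgid grant the desktop user; UID itself maps to the
# same host ID (a user may always map their own ID, so it need not lie inside
# the subordinate range).
lxc_idmap_lines() {
    im_uid=$1 im_base=$2 im_count=$3
    for im_kind in u g; do
        echo "lxc.id_map = $im_kind 0 $im_base $im_uid"
        echo "lxc.id_map = $im_kind $im_uid $im_uid 1"
        echo "lxc.id_map = $im_kind $((im_uid + 1)) $((im_base + im_uid + 1)) $((im_count - im_uid - 1))"
    done
}

# lxc_desktop_config UID HOME [DEVICE...]
# Config fragment for an unprivileged desktop container: the ID map above,
# the user's own home directory (the talk mounts all of /home; this mounts
# only HOME), the X11 socket directory and /dev/dri, plus each DEVICE node
# named (e.g. /dev/video1) as a single-file bind mount.  Mount targets have
# no leading slash: LXC resolves them relative to the container rootfs.
lxc_desktop_config() {
    dc_uid=$1 dc_home=$2
    shift 2
    lxc_idmap_lines "$dc_uid" 100000 65536
    echo "lxc.mount.entry = $dc_home ${dc_home#/} none rbind,create=dir 0 0"
    echo "lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir 0 0"
    echo "lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir 0 0"
    for dc_dev in "$@"; do
        echo "lxc.mount.entry = $dc_dev ${dc_dev#/} none bind,optional,create=file 0 0"
    done
}

# Usage (assumed paths; appends to an existing unprivileged container):
#   subid_conflicts /etc/subuid "$USER" 100000 65536 || echo "range already taken"
#   lxc_desktop_config "$(id -u)" "$HOME" /dev/video1 >> ~/.local/share/lxc/xenial-zoom/config
```

Two caveats a practitioner should keep in mind. Bind-mounting /tmp/.X11-unix gives every client in the container the same access to the X session as any other X client (input, screen contents), so this setup confines the filesystem and device view, not the display; the X server still authenticates via the cookie in ~/.Xauthority, which the bind-mounted home provides. For sound, `pactl load-module module-native-protocol-tcp` with no arguments listens on all interfaces; restricting it to the bridge, e.g. `listen=10.0.3.1 auth-ip-acl=10.0.3.0/24`, keeps the socket off any other network the laptop is attached to. In a privileged container the device cgroup also has to allow the nodes you bind-mount (`lxc.cgroup.devices.allow = c 81:* rwm` for video4linux, `c 226:* rwm` for DRI); unprivileged containers are not subject to that filter, which is why the talk needs only the mount entries.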
Info
Channel: LinuxConfAu 2018 - Sydney, Australia
Views: 2,612
Rating: 4.6129031 out of 5
Keywords: lca, lca2018, #linux.conf.au#linux#foss#opensource, FlorianHaas
Id: 3nUbMREnnns
Length: 95min 35sec (5735 seconds)
Published: Wed Jan 31 2018