Isolating an applications using LXC – Linux Containers
Download as DOCX, PDF0 likes525 views
configuring and running an application inside the container. Dockers are built on top of LXC. In Dockers case, its advantage is that its open-source engine can be used to pack, ship, and run any application as a lightweight, portable, self-sufficient LXC container that runs virtually anywhere. It’s a packaging system for applications.
Ad
More Related Content
What's hot (20)
Similar to Isolating an applications using LXC – Linux Containers (20)
Ad
Recently uploaded (20)
Ad
Isolating an applications using LXC – Linux Containers
- 1. Isolating an applications using LXC – Linux Containers Linux Containers have got huge attention lately due to high demand and business shifting towards cloud computing and virtualization. Linux Containers are the process level based virtualization which uses the same operating system kernel. The main advantage of LXC is the lightweight when compared to the traditional Hardware based virtualization (KVM) and Xen. The Idea of containers was implemented by Solaris Zones as well as BSD jails quite a few years ago. However, they required custom kernels, which was often a major setback. LXC uses these kernel features: Kernel namespaces (ipc, uts, mount, pid, network, and user) AppArmor and SELinux profiles Seccomp policies Chroots (using pivot_root) Kernel capabilities Control groups (cgroups). Namespaces: Namespaces provide the first, and most straightforward, form of isolation: processes running within a container cannot see, and even less affect, processes running in another container, or in the host system. Control Groups: cgroups are the key components in the Linux Containers. They take care of resource allocation of memory, CPU, disk I/O. LXC shares the equal amount of memory or CPU resources across multiple containers. This plays a major role where Nesting of Linux Containers are implemented. Installing containers: Containers can be installed as other applications. The table below specifies the way of installing, configuring and running application in containers. ~>Installing Container apt-get install lxc Create an "Ubuntu" based container named cn-01. This will download set of files form internet for the first time. There are some predefined container templateto create as Alpine Linux, Alt Linux, Arch Linux, busybox, CentOS, Cirros, Debian, Fedora, OpenMandriva, OpenSUSE, Oracle, Plamo, sshd, Ubuntu Cloud and Ubuntu. lxc-create -t ubuntu -n cn-01 ~>check the contaibers config as: lxc-checkconfig
- 2. Isolating an applications using LXC – Linux Containers ~> Start the container (in the background) lxc-start -n cn-01 -d ~>Check the container status as below to get the status and IP address of the container: lxc-ls --fancy ~>Enter the container in one of those ways## Attach to the container's console (ctrl-a + q to detach) lxc-console -n p1 ~>SSH into it ssh ubuntu@<ip from lxc-info> ~>Stop the container in one of those ways poweroff ~>Stop it cleanly from the outside lxc-stop -n cn-01 ~>Kill it from the outside lxc-stop -n cn-01 -k Installing application inside Container -1: As an example we shall install apache2 web server inside the container which can be accessed in the host machine. sudo apt-get install apache2 Checking LXC configs
- 3. Isolating an applications using LXC – Linux Containers Getting into LXC console: sdf sdf ffsdfsdf SSH login into container: Installing Apache in the container:
- 4. Isolating an applications using LXC – Linux Containers Once the Apache has been configured and up and running it can be viewable via host browser as below
- 5. Isolating an applications using LXC – Linux Containers The container info can be retrieved using the below command as such. Container Configuration: Services such as Network, resource allocation (memory, CPU etc) can be configured in “/var/lib/lxc/<container-name>config” Hooks: Hooks are the useful and convenient way to run custom scripts inside the containers. There are different types of hooks which can be invoked. lxc.hook.pre-start (calledbefore any initialization is done) lxc.hook.pre-mount (calledafter creating the mount namespace but before mounting anything) lxc.hook.mount (called after the mounts but before pivot_root) lxc.hook.autodev (identical to mount but only called if using autodev)
- 6. Isolating an applications using LXC – Linux Containers lxc.hook.start (called in the container right before /sbin/init) lxc.hook.post-stop (run after the container has been shutdown) lxc.hook.clone (calledwhen cloning a container into a new one) Additionally each network section may also define two additional hooks: lxc.network.script.up (calledin the network namespace after the interface was created) lxc.network.script.down (called in the network namespace before destroying the interface) Example for creating a pre-start hook script. lxc.hook.pre-start = /var/lib/lxc/<container-name>/pre-start.sh The container can be deleted or destroyed once the container purpose has solved. lxc-shutdown -n cn-01 Once the container gets shutdown and it is ready to be destroyed once the necessary data has been backed up, lxc-destory -n cn-01. Installing application inside Container -2: As an example, we can install Kali Linux and Metasploit inside a container and we can use kali Linux via web browser using OpenBox and NoVNC. I have tried this example via kali Linux. Please find the steps involved in this to install and configure Docker under kali Linux. apt-get update apt-get -y install docker.io ln -sf /usr/bin/docker.io /usr/local/bin/docker Finally, and optionally, let’s configure Docker to start when the server boots: update-rc.d docker.io defaults service docker start Once the docker service is up and running, we can use pull docker meta images (smaller footprint) as below. docker pull kalilinux/kali-linux-docker Once the initial set up of the kali Linux within Docker gets completed, we can start installing
- 7. Isolating an applications using LXC – Linux Containers Metasploit inside the docker. docker run -t -i -p 6080:6080 kalilinux/kali-linux-docker /bin/bash You will be welcomed within kali linux inside the docker with a command prompt. You can further start installing Metasploit package as below. apt-get install metasploit Building Your Own Kali Linux Docker Image If you want to build your own Kali images rather than use our pre-made ones, we’ve made it easy with the following script hosted on Kali Linux Docker on Github. These images are best built on a Linux system or any other OS that can debootstrap. #!/bin/bash # Install dependencies (debbootstrap) sudo apt-get install debootstrap # Fetch the latest Kali debootstrap script from git curl "http://git.kali.org/gitweb/?p=packages/debootstrap.git;a=blob_plain;f=scripts/kali;hb=HEA D" > kali-debootstrap && sudo debootstrap kali ./kali-root http://http.kali.org/kali ./kali-debootstrap && # Import the Kali image into Docker sudo tar -C kali-root -c . | sudo docker import - kalilinux/kali && sudo rm -rf ./kali-root && # Test the Kali Docker Image docker run -t -i kalilinux/kali cat /etc/debian_version && echo "Build OK" || echo "Build failed!" Configuring Openbox and noVNC: Openbox and noVNC can be downloaded from below paths and configure accordingly. noVNC: https://github.com/kanaka/noVNC Openbox: http://openbox.org/wiki/Main_Page Conclusion: We have covered the basics of the Container concepts from installing, configuring and running an application inside the container. Dockers are built on top of LXC. In Dockers case, its advantage is that its open-source engine can be used to pack, ship, and run any application as a lightweight, portable, self-sufficient LXC container that runs virtually anywhere. It’s a packaging system for applications.