Network and Filesystem Isolation with LXC and virtenv

For my memory comparison of light Linux desktops I needed a tool that would allow me to install on my computer about 20 window managers/desktop environments. After looking at several common virtualization packages, I ended up using Linux containers and virtenv for the job.

LXC and virtenv

Probably the best way to describe virtenv is as a graphical interface to the Linux container utilities developed and distributed by the LXC project. Linux containers are a virtualization technology built into the Linux kernel, available in any kernel after 2.6.32.

The virtual machines (VMs) are driven, without any overhead, by the kernel already running on the computer. You don't need to run a different kernel in the virtual machine; you run only the processes you need, without even going through the regular SysV or Linux init. All this means that memory is used very conservatively. For example, on a computer with 1GB of RAM you can easily run 10 SSH/DHCP servers, or 10 different xorg/X11 servers with LXDE window managers on top.

The virtenv program is built with Qt4 and is very simple to use. Download it as source code and compile it, or download a .deb file for Ubuntu and install it as follows:

$ sudo apt-get install xserver-xephyr bridge-utils lxc jwm
$ sudo dpkg -i virtrenv_0.8_1.deb

Once installed, start it from the command line as virtenv, or from the System Tools menu.

Filesystem isolation

virtenv mounts the filesystem installed on the host computer copy-on-write. By default the /home directory is not imported into the container. Any modification to the filesystem in the container stays in the container; the host filesystem remains untouched.

This feature is useful for isolating potentially malicious processes from the host system, for installing (apt-get) and trying out new software packages, for chroot-like systems running servers, etc.

Network isolation

In my memory comparison exercise, virtenv provided me with filesystem and xorg/X11 server isolation. All of this was based on LXC facilities in the existing Linux kernel. LXC also supports isolation of the networking stack. In the rest of the article I describe a setup with one virtual machine connected by an isolated network (br0) to the host computer.

First things first, we need to create and configure the br0 bridge device:

$ sudo brctl addbr br0
$ sudo ifconfig br0 10.0.0.1/24
$ ifconfig br0
br0       Link encap:Ethernet  HWaddr fa:cc:c0:01:44:a2  
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f8cc:c0ff:fe01:44a2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:238 (238.0 B)

Then, I start virtenv and create a new virtual machine, vm1.

Creating a new virtual machine

I configure it with no graphical X server support and bridged networking, and I assign it the IP address 10.0.0.10/24.

Configuring the virtual machine

Once configured, the virtual machine is started automatically by virtenv. The VM has its own xterm acting as a console. From this virtual machine I can now ping the host interface at 10.0.0.1.

Virtual machine console

That is all there is to it, nothing more! This kind of network isolation is very useful for software development, testing, trying out new software, etc. You can even stream YouTube videos in such a virtual machine with X server support enabled.
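What virtenv sets up behind the "bridged networking" choice is a plain LXC container configuration. The following shell script is an added example, not virtenv's or the article's own code: it writes such a config for vm1 on br0 with 10.0.0.10/24, repeats the bridge setup with the ip tool, and checks the file; the config file name, the rootfs path and the MAC address are assumptions.

```shell
#!/bin/sh
# Added example (not virtenv's or the article's own code): the plain LXC
# configuration behind a "bridged networking, 10.0.0.10/24" vm1, using the
# LXC 0.7-era lxc.network.* keys. File paths and the MAC address are assumptions.

# Write the container configuration for vm1 to the file named in $1.
write_vm1_config() {
cat > "$1" <<'EOF'
lxc.utsname = vm1
# A veth pair: eth0 inside the container, the other end enslaved to br0 on the host.
lxc.network.type = veth
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.flags = up
lxc.network.ipv4 = 10.0.0.10/24
lxc.network.ipv4.gateway = 10.0.0.1
# A fixed MAC keeps the bridge forwarding table stable across restarts (assumed value).
lxc.network.hwaddr = 00:16:3e:00:00:10
# Root filesystem of the container (assumed location of the copy-on-write tree).
lxc.rootfs = /var/lib/lxc/vm1/rootfs
EOF
}

# Host side: the same bridge setup as in the article. No physical interface is
# enslaved to br0, so vm1 can reach only the host at 10.0.0.1 unless the host
# routes or NATs for it; that is what makes the network isolated. Run as root.
bridge_up() {
    brctl addbr br0
    ip addr add 10.0.0.1/24 dev br0
    ip link set br0 up
}

# Check that a config really attaches the container to br0 with an address
# inside the 10.0.0.0/24 bridge network; returns non-zero otherwise.
check_vm1_config() {
    grep -q '^lxc\.network\.link = br0$' "$1" &&
    grep -q '^lxc\.network\.ipv4 = 10\.0\.0\.[0-9][0-9]*/24$' "$1"
}

# Start the container from the config with a shell as its only process:
#   lxc-execute -n vm1 -f vm1.conf -- /bin/sh
```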

Conclusion

I find it funny how cloud providers price virtual machines by VM RAM size. For them, more memory means more money. Such a virtual machine has its own kernel, a full Linux support system (cron, logger, etc.) and all the necessary init routines. 512MB or 1024MB is usual for a VM.

LXC approaches the same problem from a different angle. There is only one kernel, running both the host and the virtual machines. You can build really small virtual machines this way. Some people also call them application containers:

Virtual machine                                  RAM memory
ISC DHCP server, OpenSSH server, rsyslogd         20MB
Apache2 server, OpenSSH server, rsyslogd          22MB
xserver, LXDE window manager                      44MB
xserver, KDE Plasma desktop environment          209MB