|  | ================================ | 
|  | All-In-One Single LXC Container | 
|  | ================================ | 
|  |  | 
|  | This guide walks you through the process of deploying OpenStack using devstack | 
|  | in an LXC container instead of a VM. | 
|  |  | 
|  | The primary benefits of running devstack inside a container instead of a VM are | 
|  | faster performance and lower memory overhead while still providing a suitable | 
|  | level of isolation. This can be particularly useful when you want to simulate | 
|  | running OpenStack on multiple nodes. | 
|  |  | 
|  | .. Warning:: Containers do not provide the same level of isolation as a virtual | 
|  | machine. | 
|  |  | 
|  | .. Note:: Not all OpenStack features support running inside of a container. See the | 
|  | `Limitations`_ section below for details. :doc:`OpenStack in a VM <single-vm>` | 
|  | is recommended for beginners. | 
|  |  | 
|  | Prerequisites | 
|  | ============== | 
|  |  | 
|  | This guide is written for Ubuntu 14.04 but should be adaptable for any modern | 
|  | Linux distribution. | 
|  |  | 
|  | Install the LXC package:: | 
|  |  | 
|  | sudo apt-get install lxc | 
|  |  | 
|  | You can verify support for containerization features in your currently running | 
|  | kernel using the ``lxc-checkconfig`` command. | 
|  |  | 
|  | Container Setup | 
|  | =============== | 
|  |  | 
|  | Configuration | 
|  | --------------- | 
|  |  | 
|  | For a successful run of ``stack.sh`` and to permit use of KVM to run the VMs you | 
|  | launch inside your container, we need to use the following additional | 
|  | configuration options. Place the following in a file called | 
|  | ``devstack-lxc.conf``:: | 
|  |  | 
|  | # Permit access to /dev/loop* | 
|  | lxc.cgroup.devices.allow = b 7:* rwm | 
|  |  | 
|  | # Setup access to /dev/net/tun and /dev/kvm | 
|  | lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0 | 
|  | lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0 | 
|  |  | 
|  | # Networking | 
|  | lxc.network.type = veth | 
|  | lxc.network.flags = up | 
|  | lxc.network.link = lxcbr0 | 
|  |  | 
|  |  | 
|  | Create Container | 
|  | ------------------- | 
|  |  | 
|  | The configuration and rootfs for LXC containers are created using the | 
|  | ``lxc-create`` command. | 
|  |  | 
|  | We will name our container ``devstack`` and use the ``ubuntu`` template which | 
|  | will use ``debootstrap`` to build an Ubuntu rootfs. It will default to the same | 
|  | release and architecture as the host system. We also install the additional | 
|  | packages ``bsdmainutils`` and ``git`` as we'll need them to run devstack:: | 
|  |  | 
|  | sudo lxc-create -n devstack -t ubuntu -f devstack-lxc.conf -- --packages=bsdmainutils,git | 
|  |  | 
|  | The first build of the rootfs will take a few minutes to download, unpack, | 
|  | and configure all the necessary packages for a minimal installation of Ubuntu. | 
|  | LXC will cache this and subsequent containers will only take seconds to create. | 
|  |  | 
|  | .. Note:: To speed up the initial rootfs creation, you can specify a mirror to | 
|  | download the Ubuntu packages from by appending ``--mirror=`` and then the URL | 
|  | of an Ubuntu mirror. To see the other template options, you can run | 
|  | ``lxc-create -t ubuntu -h``. | 
|  |  | 
|  | Start Container | 
|  | ---------------- | 
|  |  | 
|  | To start the container, run:: | 
|  |  | 
|  | sudo lxc-start -n devstack | 
|  |  | 
|  | A moment later you should be presented with the login prompt for your container. | 
|  | You can log in using the username ``ubuntu`` and password ``ubuntu``. | 
|  |  | 
|  | You can also ssh into your container. On your host, run | 
|  | ``sudo lxc-info -n devstack`` to get the IP address (e.g. | 
|  | ``ssh ubuntu@$(sudo lxc-info -n devstack | awk '/IP/ { print $2 }')``). | 
|  |  | 
|  | Run Devstack | 
|  | ------------- | 
|  |  | 
|  | You should now be logged into your container and almost ready to run devstack. | 
|  | The commands in this section should all be run inside your container. | 
|  |  | 
|  | .. Tip:: You can greatly reduce the runtime of your initial devstack setup by | 
|  | ensuring you have your apt sources.list configured to use a fast mirror. | 
|  | Check and update ``/etc/apt/sources.list`` if necessary and then run | 
|  | ``apt-get update``. | 
|  |  | 
|  | #. Download DevStack | 
|  |  | 
|  | :: | 
|  |  | 
|  | git clone https://git.openstack.org/openstack-dev/devstack | 
|  |  | 
|  | #. Configure | 
|  |  | 
|  | Refer to :ref:`minimal-configuration` if you wish to configure the behaviour | 
|  | of devstack. | 
|  |  | 
|  | #. Start the install | 
|  |  | 
|  | :: | 
|  |  | 
|  | cd devstack | 
|  | ./stack.sh | 
|  |  | 
|  | Cleanup | 
|  | ------- | 
|  |  | 
|  | To stop the container:: | 
|  |  | 
|  | sudo lxc-stop -n devstack | 
|  |  | 
|  | To delete the container:: | 
|  |  | 
|  | sudo lxc-destroy -n devstack | 
|  |  | 
|  | Limitations | 
|  | ============ | 
|  |  | 
|  | Not all OpenStack features may function correctly or at all when run from within | 
|  | a container. | 
|  |  | 
|  | Cinder | 
|  | ------- | 
|  |  | 
|  | Unable to create LVM backed volume | 
|  | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | 
|  |  | 
|  | In our configuration, we have not whitelisted access to device-mapper or LVM | 
|  | devices. Doing so will give your container access to and control of LVM | 
|  | on the host system. To enable, add the following to your | 
|  | ``devstack-lxc.conf`` before running ``lxc-create``:: | 
|  |  | 
|  | lxc.cgroup.devices.allow = c 10:236 rwm | 
|  | lxc.cgroup.devices.allow = b 252:* rwm | 
|  |  | 
|  | Additionally you'll need to set ``udev_rules = 0`` in the ``activation`` | 
|  | section of ``/etc/lvm/lvm.conf`` unless you mount devtmpfs in your container. | 
|  |  | 
|  | Unable to attach volume to instance | 
|  | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | 
|  |  | 
|  | It is not possible to attach cinder volumes to nova instances due to parts of | 
|  | the Linux iSCSI implementation not being network namespace aware. This can be | 
|  | worked around by using network pass-through instead of a separate network | 
|  | namespace but such a setup significantly reduces the isolation of the | 
|  | container (e.g. a ``halt`` command issued in the container will cause the host | 
|  | system to shut down). | 
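
As an added example (not part of the devstack guide or of LXC itself), the script below reports which lines of an LXC config such as ``devstack-lxc.conf`` expose host devices or the host network namespace. It covers the device and mount entries from `Configuration`_, the LVM lines under Cinder, and network pass-through. It assumes pass-through means ``lxc.network.type = none``; the function names and severity labels are this example's own.

```shell
#!/bin/sh
# Added example: list LXC 1.x config settings that widen a container's reach into the host.
audit_lxc_conf() {  # audit_lxc_conf [FILE]   (reads stdin when FILE is omitted)
    awk -F'=' '
    /^[ \t]*#/ || NF < 2 { next }
    {
        key = $1; val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    key == "lxc.cgroup.devices.allow" {
        split(val, f, " "); split(f[2], mm, ":")
        sev = "INFO"; why = "single device node"
        if (mm[2] == "*") { sev = "WARN"; why = "every minor of major " mm[1] }
        if (f[1] == "b" && mm[1] == "7") why = why " (loop devices)"
        if (f[1] == "c" && f[2] == "10:236") { sev = "HIGH"; why = "device-mapper control node" }
        # 252 is the major used in this guide; it is assigned dynamically, check /proc/devices.
        if (f[1] == "b" && mm[1] == "252") { sev = "HIGH"; why = why " (device-mapper/LVM)" }
        print sev "\tdevice\t" val "\t" why
    }
    key == "lxc.mount.entry" {
        split(val, f, " ")
        if (f[1] ~ /^\/dev\//) print "WARN\tmount\t" f[1] "\thost device node bound into container"
    }
    # Assumption: "network pass-through" means lxc.network.type = none.
    key == "lxc.network.type" && val == "none" {
        print "HIGH\tnetwork\t" val "\tshares the host network namespace"
    }
    ' "$@"
}

count_sev() {  # count_sev SEVERITY < findings
    awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

sample_conf() {  # constructed sample: the config from this guide plus its LVM lines
    cat <<'EOF'
# Permit access to /dev/loop*
lxc.cgroup.devices.allow = b 7:* rwm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0
lxc.network.type = veth
lxc.cgroup.devices.allow = c 10:236 rwm
lxc.cgroup.devices.allow = b 252:* rwm
EOF
}

sample_conf | audit_lxc_conf
```

Run ``audit_lxc_conf devstack-lxc.conf`` before ``lxc-create`` to review what the container will be granted; each output line is tab-separated as severity, category, value and reason.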