<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<chapter id="container-virtualization">
<title>Container Virtualization</title>
<section id="docker">
<title>Docker</title>
<para>Docker is an open-source project that automates the deployment of
applications inside software containers, by providing an additional layer
of abstraction and automation of operating-system-level virtualization on
Linux.</para>
<para>The software container mechanism uses resource isolation features
inside the Linux kernel, such as cgroups and kernel namespaces, to allow
multiple containers to run within a single Linux instance, avoiding the
overhead of starting and maintaining virtual machines.</para>
<para>Containers are lightweight and include everything needed to run
themselves: code, runtime, system tools, system libraries and settings.
The main advantage provided by containers is that the encapsulated
software is isolated from its surroundings. For example, differences
between development and staging environments can be kept separate in order
to reduce conflicts between teams running different software on the same
infrastructure.</para>
<para>For a better understanding of what Docker is and how it works, the
official documentation provided on the Docker website should be consulted:
<ulink
url="https://docs.docker.com/">https://docs.docker.com/</ulink>.</para>
<section id="launch-docker-container">
<title>Launching a Docker container</title>
<para>Docker provides a hello-world container which checks whether your
system is running the daemon correctly. This container can be launched
by simply running:</para>
<programlisting>docker run hello-world</programlisting>
<para>If your installation is working correctly, the following message
should be displayed:<programlisting>Hello from Docker!</programlisting></para>
</section>
<section id="run-enfv-guest-image">
<title>Run an Enea NFV Access Platform guest image</title>
<para>Enea NFV Access Platform guest images can run inside Docker like any
other container. Before starting an Enea NFV Access Platform guest
image, a root filesystem has to be imported into Docker:</para>
<programlisting>docker import enea-linux-virtualization-guest-qemux86-64.tar.gz el7guest</programlisting>
<para>To check that the Docker image has been imported successfully,
run:</para>
<programlisting>docker images</programlisting>
<para>Finally, start an Enea NFV Access Platform container with
<literal>bash</literal> running as the shell, by running:</para>
<programlisting>docker run -it el7guest /bin/bash</programlisting>
</section>
<section id="attach-ext-resources-docker-containers">
<title>Attach external resources to Docker containers</title>
<para>Any system resource present on the host machine can be attached or
accessed by a Docker container.</para>
<para>Typically, if a file or folder on the host machine needs to be
attached to a container, that container should be launched with the
<literal>-v</literal> parameter. For example, to attach the
<literal>root</literal> user's home folder to a container, the command line
for Docker should have the following format:</para>
<programlisting>docker run -it -v /home/root:/home/host_root/ el7guest /bin/bash</programlisting>
<para>To check that folders have been properly passed from the host to
the container, create a file in the source folder on the host root
filesystem and check for its existence inside the container's destination
location.</para>
<section id="attach-vhost-descriptors">
<title>Attach vhost file descriptors</title>
<para>If OVS is running on the host and vhost file descriptors need to
be passed to the container, this can be done by either mapping the
folder where all the file descriptors are located or mapping the file
descriptor itself:</para>
<itemizedlist>
<listitem>
<para>Mapping the folder can be done as exemplified above:</para>
<programlisting>docker run -it --rm -v /var/run/openvswitch/:/var/run/openvswitch/ el7guest /bin/bash</programlisting>
</listitem>
<listitem>
<para>Mapping a file descriptor is done in a similar way, but the
<literal>-v</literal> flag needs to point directly to it:</para>
<programlisting>docker run -it --rm -v /var/run/openvswitch/vhost-user1:/var/run/openvswitch/vhost-user1 el7guest /bin/bash</programlisting>
</listitem>
</itemizedlist>
</section>
<section id="attach-hugepages-mount-folders">
<title>Attach hugepages mount folders</title>
<para>Hugepages mount folders can also be accessed by a container
similarly to how a plain folder is mapped, as shown in 1.3.</para>
<para>For example, if the host system has hugepages mounted in the
<literal>/mnt/huge</literal> location, a container can also access
hugepages by being launched with:</para>
<programlisting>docker run -it -v /mnt/huge:/mnt/huge el7guest /bin/bash</programlisting>
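<para>The check described earlier (create a file on the host and look for it
in the container) does not work well for hugepages, so the following added
example, which is not part of the original guide, reads the container's
mount table instead to report what really backs a path passed with
<literal>-v</literal>. The function names and the sample mount table are
constructed for illustration.</para>

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Run inside the container to see
# what really backs a path that was passed with -v.

# Print "fstype root" for the mount containing PATH, read from a mountinfo
# file (default: /proc/self/mountinfo). The longest matching mount point wins.
# "root" is the path inside the source filesystem that was mounted.
# Simplification: mount points containing spaces (escaped as \040) are not handled.
mount_backing() {
    awk -v p="$1" '
        {
            i = 7                       # optional fields start here, "-" ends them
            while ($i != "-") { if (i >= NF) next; i++ }
            mp = $5
            if (p == mp || mp == "/" || index(p, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); fs = $(i + 1); root = $4 }
        }
        END { print fs, root }
    ' "${2:-/proc/self/mountinfo}"
}

# Succeed only if PATH is backed by hugetlbfs.
is_hugetlbfs() {
    case "$(mount_backing "$1" "$2")" in
        "hugetlbfs "*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Constructed mountinfo, as a container might see it (ids and devices invented).
write_sample_mountinfo() {
    printf '%s\n' \
        '100 90 0:50 / / rw,relatime - overlay overlay rw' \
        '101 100 0:40 / /mnt/huge rw,relatime - hugetlbfs hugetlbfs rw,pagesize=2M' \
        '102 100 8:1 /var/lib/docker/volumes/abc123/_data /mnt/anon rw master:1 - ext4 /dev/sda1 rw' \
        '103 100 8:1 /home/root /home/host_root rw,relatime - ext4 /dev/sda1 rw' > "$1"
}

sample=$(mktemp)
write_sample_mountinfo "$sample"
mount_backing /mnt/huge "$sample"               # host hugepage mount
mount_backing /mnt/anon "$sample"               # anonymous volume, not a host folder
mount_backing /home/host_root/probe "$sample"   # bind mount of a host folder
rm -f "$sample"
```

<para>Inside a running container, call <literal>mount_backing</literal> with
only the path so that it reads <literal>/proc/self/mountinfo</literal>.</para>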
</section>
<section id="access-pci-bus">
<title>Access the PCI bus</title>
<para>If the host machine has multiple SR-IOV instances created, a
container can access the instances by being given privileged access to
the host system. Note that this access is not limited to the PCI bus: a
privileged container receives all capabilities and can reach every device
on the host. Unlike folders, PCI devices do not have to be mounted
explicitly in order to be accessed and will be available to the
container if the <literal>--privileged</literal> flag is passed to the
command line:</para>
<programlisting>docker run --privileged -it el7guest /bin/bash</programlisting>
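<para>The following added example, which is not part of the original guide,
reviews what a <literal>docker run</literal> command line from this section
exposes to the container: it classifies each <literal>-v</literal> value the
way Docker interprets it and flags <literal>--privileged</literal>. The
function names are hypothetical, and only the option forms used in this
chapter are understood.</para>

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: review what a docker run
# command line from this chapter exposes to the container.

# Classify one -v/--volume value the way Docker interprets it.
classify_volume() {
    local spec="$1" src dst opts=rw
    case $spec in
        *:*) src=${spec%%:*}; dst=${spec#*:} ;;
        *)   echo "anonymous-volume $spec"; return ;;  # no host path involved
    esac
    case $dst in
        *:*) opts=${dst#*:}; dst=${dst%%:*} ;;         # trailing :ro, :rw, ...
    esac
    case $src in
        /*) ;;                                         # absolute path: bind mount
        *)  echo "named-volume $src -> $dst"; return ;;
    esac
    case ",$opts," in
        *,ro,*) echo "bind-ro $src -> $dst" ;;
        *)      echo "bind-rw $src -> $dst" ;;
    esac
}

# Print one finding per option of interest; parsing stops at the image name.
# Assumption: only the option forms used in this chapter are understood
# (-it, --rm, --privileged, -v/--volume with a separate value).
audit_docker_run() {
    local arg finding
    if [ "$1" = docker ]; then shift; fi
    if [ "$1" = run ]; then shift; fi
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            --privileged)
                echo "HIGH: --privileged grants all capabilities and all host devices" ;;
            -v|--volume)
                finding=$(classify_volume "$1"); shift
                case $finding in
                    bind-rw*)   echo "MEDIUM: host path writable from container: $finding" ;;
                    anonymous*) echo "CHECK: no host path is mapped: $finding" ;;
                    *)          echo "INFO: $finding" ;;
                esac ;;
            -*) ;;          # other flags are ignored
            *)  break ;;    # first non-option word is the image
        esac
    done
}

# Constructed sample invocation combining options shown in this chapter.
audit_docker_run docker run --privileged -it -v /home/root:/home/host_root/ el7guest /bin/bash
```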
</section>
</section>
</section>
</chapter>