
Create an OpenVZ container

OpenVZ is an OS-level virtualization system that allows you to virtualize Linux-on-Linux, but OpenVZ works on the principle of containers, not virtual machines. Vincent Danen explains how to create an OpenVZ container.

In a previous tip, we looked at installing OpenVZ on CentOS. OpenVZ is an OS-level virtualization system that allows you to virtualize Linux-on-Linux, which makes it essentially a glorified chroot system. You cannot run full virtual machines, as you can with VMware or KVM, but you can run other Linux distributions on top of a main OpenVZ-enabled Linux distribution, such as CentOS. This allows you to "partition" systems in a secure manner without the overhead of virtualizing hardware, and it is a great way of isolating public-facing services such as HTTP or DNS without exposing the full server.

OpenVZ works on the principle of containers, not virtual machines. Each container is a full Linux system, capable of running services, handling logins, and so on. To make use of OpenVZ, you need a container to run.

You can create your own container, or OS template from scratch, but a number of pre-built containers exist and are available for download. On the OpenVZ download site, you will find templates for CentOS, Debian, Fedora, SUSE, and Ubuntu. On this download page there is a contrib/ directory which contains more templates such as Gentoo, AltLinux, and Slackware.

To get started quickly, download one of these pre-created templates, which is the operating system contained in a compressed tar file.

Once you have downloaded the template, be sure that you are booted into an OpenVZ-capable kernel and the vz service is started. Then you can create your first container using the following commands. In this example, I'm using a CentOS 5.3 container; replace the container name as appropriate.

# mkdir /vz/template/cache
# cd /vz/template/cache
# mv ~/centos-5-x86_64-minimal-5.3-20090330.tar.gz .
# vzctl create 101 --ostemplate centos-5-x86_64-minimal-5.3-20090330
Creating container private area (centos-5-x86_64-minimal-5.3-20090330)
Performing postcreate actions
Container private area was created
# vzctl set 101 --ipadd --save
Saved parameters for CT 101
# vzctl set 101 --nameserver --save
Saved parameters for CT 101
# vzctl set 101 --hostname --save
Set hostname:
Saved parameters for CT 101
# vzctl start 101
Starting container ...
Container is mounted
Adding IP address(es):
Setting CPU units: 1000
Configure meminfo: 65536
File resolv.conf was modified
Container start in progress...
# vzctl exec 101 ps ax
    1 ?        Ss     0:00 init [3]
18298 ?        S<s    0:00 /sbin/udevd -d
19556 ?        Ss     0:00 syslogd -m 0
19579 ?        Ss     0:00 /usr/sbin/sshd
19596 ?        Ss     0:00 sendmail: accepting connections
19603 ?        Ss     0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
19614 ?        Ss     0:00 crond
19706 ?        Rs     0:00 ps ax
# vzctl enter 101
entered into CT 101

When all the steps above are completed, your OpenVZ container will be running. Above, I created a container based on the CentOS 5.3 template and assigned it a container ID (CTID) of 101 (OpenVZ itself currently uses only CTID 0, but recommends reserving CTIDs 0-100 and not assigning them to your own containers). I then set the container's IP address, gave it a nameserver address and a hostname, and finally started the container.
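The command sequence above, wrapped in a small provisioning function that is added here and is not from the article: it refuses the reserved CTIDs 0-100, checks that the template tarball is actually in the cache before calling vzctl, and then runs the same create/set/start sequence. The VZ_TEMPLATE_CACHE and DRY_RUN variables are assumptions of this script, not vzctl options; DRY_RUN=1 prints the commands instead of running them so the logic can be exercised on a host without OpenVZ.

```shell
#!/bin/sh
# create_ct: validate inputs, then run the vzctl sequence from the article.
# Assumed here: template tarballs live in $VZ_TEMPLATE_CACHE
# (default /vz/template/cache); DRY_RUN=1 prints commands instead of running them.
VZ_TEMPLATE_CACHE="${VZ_TEMPLATE_CACHE:-/vz/template/cache}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# usage: create_ct CTID TEMPLATE IPV4 NAMESERVER HOSTNAME
create_ct() {
    ctid="$1"; tmpl="$2"; ip="$3"; ns="$4"; host="$5"

    # CTIDs 0-100 are reserved by OpenVZ: refuse them and anything non-numeric.
    case "$ctid" in
        ''|*[!0-9]*) echo "create_ct: CTID must be numeric" >&2; return 1 ;;
    esac
    if [ "$ctid" -le 100 ]; then
        echo "create_ct: CTID $ctid is in the reserved range 0-100" >&2; return 1
    fi

    # --ostemplate takes the tarball name without its .tar.gz suffix.
    if [ ! -f "$VZ_TEMPLATE_CACHE/$tmpl.tar.gz" ]; then
        echo "create_ct: template $tmpl not found in $VZ_TEMPLATE_CACHE" >&2; return 1
    fi

    # Crude sanity check: address and nameserver must be dotted-decimal IPv4.
    for a in "$ip" "$ns"; do
        case "$a" in
            ''|*[!0-9.]*) echo "create_ct: bad IPv4 address '$a'" >&2; return 1 ;;
        esac
    done
    [ -n "$host" ] || { echo "create_ct: hostname is required" >&2; return 1; }

    run vzctl create "$ctid" --ostemplate "$tmpl" || return 1
    run vzctl set "$ctid" --ipadd "$ip" --save || return 1
    run vzctl set "$ctid" --nameserver "$ns" --save || return 1
    run vzctl set "$ctid" --hostname "$host" --save || return 1
    run vzctl start "$ctid"
}
```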

Once the container was running, I examined it from the host with vzctl's exec command, which ran ps ax inside the container and returned its output. Inside the container, init has a process ID (PID) of 1, but seen from the host its PID is different:

# ps ax|grep init|grep -v grep
    1 ?        Ss     0:01 init [3]
17152 ?        Ss     0:00 init [3]

Likewise, the PIDs of threads as seen from the host differ from those seen inside the container. As a result, the process table looks slightly different from the host than from within the container, something to keep in mind when correlating processes between the two.

And, finally, you can log into the container by using ssh to connect to its IP address, or you can use the host "backdoor" to enter the container without a password using the vzctl enter [CTID] command. With this, you can give other people root in their own container without it affecting your host system, and without needing to know their root password: you can always get into the container through the host-level backdoor.

OpenVZ is extremely cool and extremely easy to work with. Installation is easy on the host, and installation of containers is easy as well. Next week, we will look at setting resource limits for the containers.


Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.