Vmware 1 1

VmWare-LXD 1:1 #

In the Kata Containers technology it’s used an Hardware Virtualization to supply an additional isolation with a lightweight VM and individual kernels.

In a similar way the use case describe here try to use a single Linux VM over VmWare where install a standalone LXD instance and then through lxd-compose deploy one or more services using a Physical vNic that is managed by LXD and added from the VM to the Container deployed.

LXD Compose Vmware Stack

In this scenario to supply the classic HA services it’s needed follow exactly the steps that normally are follow on delivery HA service directly over VMs. This means deploy multiple VMs with the same services (for example two nodes for Nginx Server) and eventually using VIPs.

As visible in the image every VM is configured with two differents vNICs.

A management vNic/Iface that is only available over the Host/VM and it’s used to communicate with LXD HTTPS API (normally over the 8443 port) and/or for SSH access (VM packages upgrades, maintenance, etc.). It’s a good idea to reach this interface only over a private VPN.

A service vNic/iface that is used over the container to supply services configured in the container.

To ensure a more clean setup of the host a best practices is to rename the network’s interface with a name more oriented with the target infrastructure. In the example, it’s used the name srv0 defined in the LXD profile assigned to the container to deploy. The same could be done for the management interface with a name like man0.

To rename the network interfaces it’s needed create an udev rule based on the MAC addresses assigned from VmWare to the VM. For example, editing the file /etc/udev/rules.d/70-persistent-net.rules:

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="XX:XX:XX:XX:XX:XX", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="man0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="XX:XX:XX:XX:XX:YY", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="srv0"

and then without the needed of reboot the VM just to execute:

$> # Ensure that the selected interface are down
$> ip link set eth0 down
$> ip link set eth1 down
$> udevadm control -R && udevadm trigger --action=add -v -s net

When the VMs are all configured with LXD reachable over HTTPS the lxd-compose tool will reach every nodes through the different remotes. The file lxd-conf/config.yml will be configured in this way:

default-remote: local
    addr: https://images.linuxcontainers.org
    protocol: simplestreams
    public: true
    addr: https://macaronios.mirror.garr.it/images/lxd-images
    protocol: simplestreams
    public: true
    addr: https://mysimplestreams.server.local/lxd-images
    protocol: simplestreams
    public: true
    addr: unix://
    public: false
    addr: unix:///var/snap/lxd/common/lxd/unix.socket
    public: false
    addr: https://vm1.infra:8443
    auth_type: tls
    project: default
    protocol: lxd
    public: false
    addr: https://vm2.infra:8443
    auth_type: tls
    project: default
    protocol: lxd
    public: false
aliases: {}

The remote vm1 and vm2 are the remotes of the VMs where deploy the target services.

As described in the schema over the LXD instances is configured a LXD profile that map the VM vNIC srv0 of the VM to the container with the same name. The nictype is physical is the type implemented by LXD to support this feature.

Using native bridge or OpenVswitch bridge attached to a VmWare vNic is something that requires a specific setup over VmWare because the vSwitch uses MAC caching and MAC filter that often doesn’t permit to have something that work correctly. For this reason and because not always the people that implement and deploy the services are the same that control the VmWare the uses of the physical interface over the container is the best solution to follow because it’s transparent to VmWare. The MAC address assigned to the container is the same mapped over VmWare. An alternative is to use the port map between the LXD containers and the VM vNIC but it’s another use case describe later.

In the example, it’s been used only one network interface to supply services but there aren’t limitations on this. Could be configured multiple vNics at VmWare level that are assigned to the containers, for example to supply an SSH service through a management interface directly in the container.

For this solution it’s a good idea to prepare a VmWare VM Template that is used to create new VMs to attach to the service when it’s needed to scale or just upgrade the OS and reduce the offline time with an upgrade over a VM not attached to the running services.

Dynamic nodes with the LXD Compose render engine #

Before describe how could be possible using the render engine to define the lxd-compose specifications to manage the service setup I want remember to the reader that a specific connection with an LXD instance could be defined only at group level. It’s possible that multiple groups could be connected to the same LXD instance but it’s not true that the same group could be used to control multiple LXD instance at the same time (excludes the use case with LXD Cluster not covered by this scenario). Based on this concept a defined group is mapped to a specific VM and on using this scenario a solution that works pretty well it’s the use of the render engine to specify the list of the remotes (or LXD instance) to reach for a specific service following the pattern described hereinafter.

The render file will supply the list of the remotes assigned for a specific service, for example the NGinx servers that exposes the HTTP resources. The render file is defined directly over the .lxd-compose.yml or --render-values|--render-default options.

$ cat .lxd-compose.yml
  lxd_confdir: ./lxd-conf

render_default_file: ./render/default.yaml
render_values_file:  ./render/prod.yaml

- ./envs/

in this case are defined both default render and the values render.

The prod.yaml file could be configured in this way:

release: "22.10"
  - connection: "vm1"
    name: "nginx1"
  - connection: "vm2"
    name: "nginx2"

And these could be the options defined in the default.yaml:

ephemeral: false
privileged_containers: false

The connections vm1 and vm2 are the remotes described before and defined in the config.yml file.

This could be an example of the LXD Compose specs where is defined the setup of the Nginx server.

# Description: Setup the Nginx Production Service

version: "1"
- common/storages/default.yml

- common/profiles/default.yml
- common/profiles/net-phy-srv.yml
- common/profiles/logs-disk.yml
- common/profiles/autostart.yml

  - name: "nginx-services"
    description: |
            Setup Nginx services.

      - myenv/vars/common.yml
# Include the variable file that contains
# the network configurations options.
{{ range $k, $v := .Values.nginx_nodes }}
      - myenv/vars/{{ $v.name }}-net.yml
{{ end }}

{{ $groups := .Values.nginx_nodes }}
{{ $ephemeral := .Values.ephemeral }}
{{ range $k, $v := .Values.nginx_nodes }}

      - name: "{{ $v.name }}-group"
        description: "Setup Nginx Frontend Node {{ $v.name }}"
        connection: "{{ $v.connection }}"
          - default
          - net-phy-srv
          - logs-disk
        {{- if $privileged_containers }}
          - privileged
        {{ end }}
          - autostart

        ephemeral: {{ $ephemeral }}

          - common/hooks/systemd-net-static.yml
          - common/hooks/systemd-dns.yml
          - common/hooks/hosts.yml

          - name: {{ $v.name }}
            image_source: "nginx/{{ $.Values.release }}"
            image_remote_server: "myserver"

              - event: post-node-sync
                  - config
                  - >-
                    systemctl daemon-reload &&
                    systemctl enable nginx &&
                    systemctl restart nginx                    

            # Generate the nginx configuration file based on template
            # and project variables.
              - source: nginx/templates/nginx.tmpl
                dst: /tmp/lxd-compose/myinfra/{{ $v.name }}/nginx.conf

              - source: /tmp/lxd-compose/myinfra/{{ $v.name }}/nginx.conf
                dst: /etc/nginx/
{{ end }}

Some helpful commands to analyze the specs are these:

$> lxd-compose project list
|     PROJECT NAME  |                               DESCRIPTION                               | # GROUPS |
| nginx-services    | Setup Nginx Services                                                    |        2 |

$> lxd-compose group list nginx-services
|   GROUP NAME   |             DESCRIPTION              | # NODES |
| nginx1-group   | Setup Nginx Frontend Node nginx1     |       1 |
| nginx2-group   | Setup Nginx Frontend Node nginx2     |       1 |

Deploy the service #

The first time the all containers are down it’s possible just deploy all nodes with the apply command:

$> lxd-compose apply nginx-services

When you want upgrade a production service it’s a good practice replace one node a time in this way:

$> # Destroy the node nginx1.
$> lxd-compose destroy nginx-services --enable-group nginx1-group

$> # Deploy the new container related to the new release 22.10.01.
$> # The variable release could be passed in input or updated directly on default.yaml
$> lxd-compose apply nginx-services --enable-group nginx1-group --render-env "release=22.10.01"

The same could be done in for the second node when the first is up and running.

If you have a slow bandwitdh between the LXD images server could be helpful download the images over the VMs before execute the upgrade with the fetch command:

$> lxd-compose fetch nginx-services

This command will download the LXD images over the configured LXD instances of the selected project without destroy and/or create containers.

In the example it’s used the image LXD with alias nginx/<release>. This image is created and exposed over HTTPS in a separated step. If this is not available it’s possible to use the images available over Macaroni Simplestreams Server or Canonical Server and just install packages in the post-node-creation phase to prepare the container with all needed software.

If it’s needed add a new node/VM you need just editing the file prod.yaml and the config.yml to add the new node.

$> cat lxd-conf/config.yml
    addr: https://vm3.infra:8443
    auth_type: tls
    project: default
    protocol: lxd
    public: false
$> cat render/prod.yml
release: "22.10"
  - connection: "vm1"
    name: "nginx1"
  - connection: "vm2"
    name: "nginx2"
  - connection: "vm3"
    name: "nginx3"

Again, if it’s needed update the configuration files of all Nginx servers this could be executed sequentially from lxd-compose with the same apply command.

In the reported example for every container is assigned a static IP address that is defined in one vars file following this pattern that display the file nginx1-net.yml:

    - file: dns.conf
      content: |

    # - ip: <ip>
    #   domain: <domain1>,<domain2>
    - ip: ""
      domain: nginx-backend01
    - ip: ""
      domain: nginx-backend02

    - file: 01-srv0.network
      content: |
        # Disable binding of port ::58

The hooks used for the configuration are systemd-net-static.yml, systemd-dns.yml and hosts.yml.

Upgrade the OS of the VM #

Hereinafter a short description about what are the possibile steps to follow in Production to replace the VM and move an active container over a new VM where is been upgraded the OS.

Obviously, it’s possible upgrade the OS and the LXD instance without replacing the VM but we will try to share a way that could be used for rollback if something goes wrong.

So, the first step is to clone the existing VM or just create a new VM from a template. If the choice is cloning, just disable service network from VmWare before boostrap of the VM.

LXD Compose Vmware VM Upgrade S1

The new VM with a specific management interface could be upgraded meantime the service is up and running. Until the network interface srv0 is not assigned to the container is visible in the VM.

When the new VM is ready the steps to follow are describe in the image hereinafter:

LXD Compose Vmware VM Upgrade S2

In short, through the lxd-compose tool it’s needed destroy the existing container. Eventually, you can just create a backup of the container with the normal lxc tool or copy it before run the destroy command.

$> # Create the backup of the container for the rollback.
$> lxc copy vm1:nginx1 vm1:nginx-bkp1
$> # Or just stop the existing container.
$> lxc stop vm1:nginx1

If the container is stopped with lxc command the destroy command is not needed.

When the container is stopped or destroyed, the service IP address of the example will be reused in the deploy of the new container over the new VM. To maintain the same name of the container it’s only needed modify the prod.yml file to have vm1-new (or any other name choiced) that is the name of the remote of the new VM.

So, in the prod.yml the content become:

release: "22.10"
  - connection: "vm1-new"
    name: "nginx1"
  - connection: "vm2"
    name: "nginx2"
  - connection: "vm3"
    name: "nginx3"

After this change it’s only needed to execute the apply command that deploy the new container:

$> lxd-compose apply --enable-group nginx1-group

If something goes wrong and the user want rollback the previous container it’s needed: shutdown the new VM; if the container is been stopped and not destroyed, just rerun the apply command with the connection reconfigured to vm1.

If the container is been destroyed and it’s been used a production-ready LXD image the user could just redeploy the new container with the previous release.

Best Practices for Production environments #

As all know, today all Linux distribution are Rolling Release for different reasons: the world go ahead very fast, CVE and security issues that are identified every day requires fast updates, etc. This means that what is deployed at time T0 at the 99% is not installable ad the same way at time T1. So, for production services it’s better to prepare LXD images that will be used on delivery without execute OS upgraded on container creation.

The upgrades of the container OS must be apply in a testing environment where it’s possible verify that there aren’t regression with a new LXD images that when the QA are passed could be used to upgrade production environment.

The Simplestreams Builder could be used to prepare an HTTPS endpoint where expose LXD images used in the installation over the Simplestreams Protocol. The alternative is to use directly another LXD Instance as LXD images supplier.

For my experience it works well to try using an environment specification with a single project to define a group of VMs that supply a specific service. This will simplify the upgrade process with the use of one group for every LXD instance as described in the previous chapter. Users are free to find their correct way. Having multiple projects defined in the same environment file it works too like to have a static definition of the groups without using render engine.

Using the physical nictype doesn’t permit to see the network interfaces from the VM OS, so it’s important to supply on the created LXD images the right tools for throubleshooting and analyses (tcpdump, ethtool, etc.).

Using a VmWare VM already supply a good isolation but to improve the security levels using the unprivileged containers is the best choice.

In a production environment often it’s important to maintain the logs files of exposed services for subsequent analyzes. This could be handled through the mount of the VM path inside the container that is persistent between the upgrade of one container with another but not if the VM is replaced. But there are different ways to resolve this efficiently for example through an Rsyslog remote server or over Vmware using a secondary disk that is detached and attached to the new VM after the upgrade. In the presented example the profile used for this mission is logs-disk.

The use of additional API to setup and create a VM through the VmWare API it’s out of scope of this guide. This doesn’t mean that is not possible. lxd-compose permits to define hooks pre-project related to the node host that means the local shell where lxd-compose is executed. Inside that hook it’s possible execute a bash script or other that prepare the VmWare VM before execute the delivery of the container.