[Lxc-users] Startup scripts [Was: Re: security question]
Gordon Henderson
gordon at drogon.net
Sun Aug 21 17:01:02 UTC 2011
On Sat, 20 Aug 2011, John wrote:

> Hi, very interested in this. I've been using LXC for a while but only to
> segregate functions on my own servers. I am well aware of how delicate
> the LXC setup is when considering security. For example, unless I
> customise the init scripts a container can bring down the host.

FWIW:

I've been using the file-rc boot script mechanisms rather than the sysv-rc
system for LXC containers. That might seem like a step backwards, but
actually, it's fine and gives you much finer (& easier IMO) control over
what gets started and stopped when a container is booted. You still get
the usual /etc/init.d with scripts in it, but rather than a lot of
/etc/rc.X directories, just one file; /etc/runlevel.conf with hooks into
the scripts and what runlevels to execute them in.

It doesn't address any issues though, but when you know what's getting
started and in what order, it makes management easier... For me, anyway.

E.g. I was being plagued recently with really weird keyboard issues when a
Debian Squeeze container was starting - it was the
/etc/init.d/keyboard-setup script running - stopped that, and all was
fine.

And really - all I need to run when booting a container is syslog, sshd,
apache, maybe cron and one or 2 others. Unless I'm doing anything fancy
with networking. No point running other stuff that the host needs to do
like ntp, urandom, checkroot, the various mounts and so on.

Gordon
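
An added example, not part of the post above and not file-rc's own code: a small Python audit that reads a container's /etc/runlevel.conf and lists every script started in the chosen runlevels that is not on a per-container allowlist. It assumes the file-rc line layout `<sort> <off-levels> <on-levels> <command>`; the sample file, the allowlist and the function names are constructed for illustration.

```python
# Assumed file-rc layout per line: <sort> <off-levels> <on-levels> <command>
# Levels are comma-separated; "-" means "no runlevel".
ALLOWED = {"rsyslog", "ssh", "apache2", "cron"}  # hypothetical container allowlist

# Constructed sample of a container's /etc/runlevel.conf (not from the post).
SAMPLE = """\
# <sort> <off-> <on-levels> <command>
05	-	S	/etc/init.d/keyboard-setup
10	-	S	/etc/init.d/checkroot.sh
10	0,1,6	2,3,4,5	/etc/init.d/rsyslog
16	0,1,6	2,3,4,5	/etc/init.d/ssh
23	0,1,6	2,3,4,5	/etc/init.d/ntp
89	0,1,6	2,3,4,5	/etc/init.d/cron
91	0,1,6	2,3,4,5	/etc/init.d/apache2
this line is malformed
"""

def _levels(field):
    """Turn a level field such as '2,3,4,5' or '-' into a set of runlevels."""
    return set() if field == "-" else set(field.split(","))

def parse_runlevel_conf(text):
    """Return (entries, bad_lines); an entry is (sort, off, on, script_name)."""
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            bad.append(lineno)                # report it, never guess at intent
            continue
        sort, off, on, cmd = fields
        entries.append((int(sort), _levels(off), _levels(on), cmd.rsplit("/", 1)[-1]))
    return entries, bad

def audit(text, runlevels=("S", "2"), allowed=ALLOWED):
    """Scripts started in `runlevels` that are not allowlisted, by sort number."""
    entries, bad = parse_runlevel_conf(text)
    wanted = set(runlevels)
    extra = [(sort, name) for sort, _, on, name in sorted(entries, key=lambda e: e[0])
             if on & wanted and name not in allowed]
    return extra, bad

if __name__ == "__main__":
    extra, bad = audit(SAMPLE)
    for sort, name in extra:
        print(f"not on allowlist: {sort:02d} {name}")
    print("unparseable lines:", bad)
```
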