[Lxc-users] Startup scripts [Was: Re: security question]

Gordon Henderson gordon at drogon.net
Sun Aug 21 17:01:02 UTC 2011


On Sat, 20 Aug 2011, John wrote:

> Hi, very interested in this. I've been using LXC for a while but only to
> segregate functions on my own servers. I am well aware of how delicate
> the LXC setup is when considering security. For example, unless I
> customise the init scripts a container can bring down the host.

FWIW:

I've been using the file-rc boot script mechanisms rather than the sysv-rc 
system for LXC containers. That might seem like a step backwards, but 
actually, it's fine and gives you much finer (& easier IMO) control over 
what gets started and stopped when a container is booted. You still get 
the usual /etc/init.d with scripts in it, but rather than a lot of 
/etc/rc.X directories, just one file; /etc/runlevel.conf with hooks into 
the scripts and what runlevels to execute them in.

It doesn't address any issues though, but when you know what's getting 
started and in what order, it makes management easier... For me, anyway. 
E.g. I was being plagued recently with really weird keyboard issues when a 
Debian Squeeze container was starting - it was the 
/etc/init.d/keyboard-setup script running - stopped that, and all was 
fine.

And really - all I need to run when booting a container is syslog, sshd, 
apache, maybe cron and one or 2 others. Unless I'm doing anything fancy 
with networking. No point running other stuff that the host needs to do 
like ntp, urandom, checkroot, the various mounts and so on.

Gordon
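
An added example, not part of Gordon's message: a small audit that reads a file-rc `/etc/runlevel.conf` and lists every script that starts in some runlevel but is not on a container allowlist. It assumes file-rc's four-field line format (`<sort> <off-levels> <on-levels> <command>`, with `-` meaning no runlevels); the init script names in the allowlist and the sample file are constructed for illustration.

```python
import os

# Assumed file-rc line format: <sort> <off-levels> <on-levels> <command>
# Levels are comma-separated; "-" means "no runlevels".
# Services the post says a container needs; init script names are assumptions.
ALLOWED = {"rsyslog", "ssh", "apache2", "cron"}

# Constructed sample of a container's /etc/runlevel.conf (not from the post).
SAMPLE = """\
# <sort> <off-> <on-levels> <command>
05 -     S       /etc/init.d/keyboard-setup
10 -     S       /etc/init.d/checkroot.sh
10 0,1,6 2,3,4,5 /etc/init.d/rsyslog
16 0,1,6 2,3,4,5 /etc/init.d/ssh
23 0,1,6 2,3,4,5 /etc/init.d/ntp
30 0,6   S       /etc/init.d/urandom
89 0,1,6 2,3,4,5 /etc/init.d/cron
90 0     -       /etc/init.d/halt
91 0,1,6 2,3,4,5 /etc/init.d/apache2
"""


def parse_runlevel_conf(text):
    """Return a list of (sort, off_levels, on_levels, script_name) tuples."""
    def levels(field):
        return set() if field == "-" else set(field.split(","))
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 3)
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {raw!r}")
        sort, off, on, command = fields
        name = os.path.basename(command.split()[0])
        entries.append((sort, levels(off), levels(on), name))
    return entries


def unexpected_starts(text, allowed=ALLOWED):
    """Scripts started in any runlevel that are not on the allowlist."""
    return sorted({name for _, _, on, name in parse_runlevel_conf(text)
                   if on and name not in allowed})


if __name__ == "__main__":
    for name in unexpected_starts(SAMPLE):
        print("not on container allowlist:", name)
```

Entries with `-` in the on-levels column (such as the constructed `halt` line) never start anything, so they are not reported.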
