[Lxc-users] Container size minimalisation

Derek Simkowiak derek at simkowiak.net
Mon Dec 12 22:52:39 UTC 2011


 > I'm trying to compose a system, where lxc containers behave like 
 > virtual hosts for a web server.

     It is possible to use shared, read-only mounts between the host and 
containers.  However, you will need to carefully consider your security 
requirements and maintenance procedures.

     If you are using shared mounts, then upgrading software on one 
container will update files in the other containers.  That could be a 
problem, because software updates usually include a post-install script 
that is executed at the end of an upgrade (like a postinst file in the 
.deb package).  These scripts may restart a service, update a 
configuration file in /etc/, or even prompt the user for some input.

     So what will happen when you update the LAMP files on your shared 
mount, but your LXC containers don't do a corresponding server restart, 
or config migration?  Things will probably break at some point.

     Also, there are several security risks to consider.  A shared 
/home/ directory would also (implicitly) share everyone's 
.ssh/authorized_keys files (which will grant OpenSSH access to all your 
containers).  You would also need to be sure that all SSL and SSH host 
certs are independently managed.  Using a single certificate for many 
hosts is not secure.  Apache and OpenSSH keep their certs under /etc/, 
but Tomcat does not iirc.

     Also, UIDs and GIDs are shared on the filesystem, so a root user in 
any container would be able to alter any file in any other container 
(unless it's a read-only mount from an external fstab file, and the 
"sys_admin" capability is dropped in your lxc.conf).  What's worse, if 
you have different /etc/passwd or /etc/group files in the containers, 
then group id "121" might be the group "admin" in one container, but 
something else entirely in another container.  The shared filesystem 
only stores the integer group ID, not the actual group membership or 
resulting sudo permissions.

     Because of these complications, I have decided to give each LXC 
container its own, full filesystem.  Unfortunately that "wastes" a few 
hundred megs of disk space for each container, because the files are 
mostly redundant in /usr/, /var/, etc.  However, disk space is very 
cheap, and the value of having a standalone container is more than worth 
it to me.


 > Has anyone any experience with this technique?

     I include a sample configuration for a shared filesystem with my 
container creation script.  It is disabled by default, but you can read 
through the configuration to get an idea.  You can download it from here:

http://derek.simkowiak.net/lxc-ubuntu-x/


Thanks,
Derek Simkowiak
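The GID-collision problem described above (the same integer GID meaning "admin" in one container and something else in another), as an added audit example that is not part of the original post: it parses /etc/group from several container root filesystems and reports every GID whose group name differs between containers. The sample group files and the container names are constructed; `load_from_rootfs` assumes each container's rootfs directory contains a standard etc/group.

```python
import os
from collections import defaultdict

# Constructed sample /etc/group contents for three containers that share one
# filesystem. GID 121 is "admin" in web1/web3 but "www-data" in web2, so a file
# owned by group 121 is writable by entirely different people in each container.
SAMPLE_GROUP_FILES = {
    "web1": "root:x:0:\nadmin:x:121:alice\nwww-data:x:33:\n",
    "web2": "root:x:0:\nwww-data:x:121:\nlpadmin:x:122:bob\n",
    "web3": "root:x:0:\nadmin:x:121:carol\nwww-data:x:33:\n",
}


def parse_group_file(text):
    """Return {gid: name} from /etc/group-style text (name:pw:gid:members).

    The same parser works for /etc/passwd, whose third field is the UID.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed lines rather than guessing
        mapping[int(fields[2])] = fields[0]
    return mapping


def find_gid_conflicts(group_files):
    """Return {gid: {container: name}} for GIDs whose name differs across containers."""
    by_gid = defaultdict(dict)
    for container, text in group_files.items():
        for gid, name in parse_group_file(text).items():
            by_gid[gid][container] = name
    return {gid: owners for gid, owners in by_gid.items()
            if len(set(owners.values())) > 1}


def load_from_rootfs(rootfs_dirs):
    """Read <rootfs>/etc/group for each real container rootfs (assumed layout)."""
    files = {}
    for name, path in rootfs_dirs.items():
        with open(os.path.join(path, "etc", "group"), encoding="utf-8") as fh:
            files[name] = fh.read()
    return files


if __name__ == "__main__":
    for gid, owners in sorted(find_gid_conflicts(SAMPLE_GROUP_FILES).items()):
        print(f"GID {gid}: " + ", ".join(f"{c}={n}" for c, n in sorted(owners.items())))
```

Run it against real containers by passing `load_from_rootfs({"web1": "/var/lib/lxc/web1/rootfs", ...})` to `find_gid_conflicts`; an empty result means every shared GID names the same group everywhere.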

On 12/12/2011 09:47 AM, István Király - LaKing wrote:
> Hi folks.
>
> I'm trying to compose a system, where lxc containers behave like virtual hosts for a web server.
>
> As next step I would like to minimize container size. My question is, what is the best, most elegant and fail-proof technique for that?
>
> At this moment I'm thinking of a "master container" and "slave containers" where the /usr folder for example in the slave containers is a mount from the master container. That gives a significant size drop already, from 400 to 40 megabytes.
>
> I would like to keep the containers really minimal. 4 megabyte should be small enough.
>
> Let's say only some important files in /etc ....
>
> Has anyone any experience with this technique?
>   
> Thank you for sharing.
>
> greetings,
> István Király
>
>
> LaKing at D250.hu
>
> D250 Laboratories
> www.D250.hu
>
> _______________________________________________
> Lxc-users mailing list
> Lxc-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-users
