[Lxc-users] Zombie container

Brian K. White brian at aljex.com
Tue Feb 15 20:47:26 UTC 2011


On 2/14/2011 6:50 PM, Trent W. Buck wrote:
> Daniel Lezcano<daniel.lezcano at free.fr>  writes:
>
>> As a quick fix, I suggest you look what application created the new
>> namespace. Launch your container and then look at
>> /cgroup/blackbird/1234/tasks and look for the command line associated
>> with the pid in this file. I suspect vsftpd could be the culprit. If
>> this is the case, there is an option to disable the namespace
>> creation.
>
> Or, of course, pick a different application :-)
>
> If it is vsftpd, I *strongly* recommend switching to SFTP (part of SSH)
> for writes, and HTTP for reads.  http://mywiki.wooledge.org/FtpMustDie

Well, of course, but what's that got to do with LXC or the namespace 
trick that vsftpd happens to use?

Your observations, which everyone already knows, show that the ftp 
protocol is problematic. Granted, but so what?

The discussion here is how to get all commonly used tools working within 
containers, using lxc, that are currently used outside of containers, 
not what tools to use.

3 things:

1) The vsftpd problem is not a problem with the ftp protocol. Apache or 
any other service or app that meets your religious or aesthetic approval 
might have the same or similar problem at any time. Here we are only 
interested in containerizing anything that currently is done on 
traditional servers. For better or for worse, FTP is widely used on 
traditional servers, and specifically vsftpd is. And so the discussion 
is about how to use vsftpd within a container, not whether to use ftp.

2) As if everyone has any choice in the matter anyway, since most use of 
any communication protocol, such as ftp, involves two different parties, 
not yourself at both ends. Even if you were so gauche as to try to 
dictate internal IT policies and procedures and technologies to your own 
customers and vendors, you still don't get to dictate to 2nd or more 
removed customers and vendors of your own customers and vendors. So when 
_big honking global bank/manufacturer/retailer/shipper/etc_ says they 
will ftp to you or you to them, you just *&^*7 do it.

Oh you can offer the alternatives, and occasionally you get lucky, but 
that doesn't remove the need to make ftp work. Same goes for every other 
commonly used technology that you don't happen to personally like.

3) What makes http so special only for reading and sftp so special only 
for writing? Depending on my security needs and other factors I 
routinely use http for writing and/or sftp for reading. I also use rsync 
(native, not via ssh or rsh) for both reading and writing in many 
situations where most people use ftp or sftp or http. Conversely I never 
use nfs and only use samba extremely rarely, but I'm sure these 
technologies are perfectly justifiable and required for other people in 
other situations. Choice of tool is completely dependent on the job at 
hand and it's utterly silly to try to say what should and should not be 
used except within the context of a specific job, and then the answer 
only applies to that one specific job in that one specific context.

-- 
bkw
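
The check Daniel Lezcano suggests in the quoted text (read the container's cgroup tasks file and look up the command line for each pid), written out as an added example that is not part of the original thread. It goes one step further and compares each task's namespace link with the container init's, which assumes a kernel that exposes /proc/<pid>/ns/ and enough privilege on the host to read it; the function names and the PROC_ROOT parameter are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths are parameters so the
# functions work on the real /proc or on a constructed fixture directory.

# task_cmdlines TASKS_FILE [PROC_ROOT]
# One line per task in the cgroup: "<pid> <command line>".
task_cmdlines() {
    tasks=$1 proc=${2:-/proc}
    [ -r "$tasks" ] || { echo "cannot read $tasks" >&2; return 1; }
    while read -r pid; do
        case $pid in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        if [ -r "$proc/$pid/cmdline" ]; then
            # cmdline is NUL-separated; join the arguments with spaces
            cmd=$(tr '\0' ' ' < "$proc/$pid/cmdline")
            cmd=${cmd% }
            [ -n "$cmd" ] || cmd="[no cmdline]"       # kernel thread or zombie
        else
            cmd="(exited)"                             # gone since the listing
        fi
        printf '%s %s\n' "$pid" "$cmd"
    done < "$tasks"
}

# ns_outliers TASKS_FILE INIT_PID [PROC_ROOT] [NS_TYPE]
# Tasks whose NS_TYPE namespace (default: pid) differs from INIT_PID's,
# i.e. candidates for the application that created the new namespace.
ns_outliers() {
    tasks=$1 init=$2 proc=${3:-/proc} type=${4:-pid}
    ref=$(readlink "$proc/$init/ns/$type") ||
        { echo "no namespace info for pid $init" >&2; return 1; }
    task_cmdlines "$tasks" "$proc" | while read -r pid cmd; do
        ns=$(readlink "$proc/$pid/ns/$type" 2>/dev/null) || continue
        [ "$ns" = "$ref" ] || printf '%s %s %s\n' "$pid" "$ns" "$cmd"
    done
}

# Usage on the host, with the cgroup path from the quoted message:
#   task_cmdlines /cgroup/blackbird/1234/tasks
#   ns_outliers   /cgroup/blackbird/1234/tasks <container-init-pid>
```

Passing `net` as the fourth argument to `ns_outliers` runs the same comparison on the network namespace.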



