[lxc-users] LXC Stability Question

Ranjib Dey dey.ranjib at gmail.com
Sun Jul 13 18:27:27 UTC 2014


LXC is already stable and tested. But since most lxc features require a
modern kernel, till recently it was hard to set up newer lxc.

I have run zones and openvz in the past, and I'm using LXC in staging/testing
environments (this is more due to the fact that we are on an older kernel in
production). Heroku, one of the most popular PaaS providers, runs lxc to
power ruby on rails and a lot of other stuff. PaaS and any CI services (like
travis) that execute arbitrary code are perfectly suitable for containers.
But securing them was a bit difficult, and generally tackled on the
app/tooling side (like run ruby with safe level, or don't expose containers
as VMs etc). With 3.11+ kernel you can run lxc as normal users, which will
further the tooling required. Also with ubuntu 14.04, getting new lxc is
as simple as any other package.
Theoretically you can kill a host with a rogue container (like if a
container is running in privileged mode, or without proper cgroup settings),
but that risk is exactly the same as running any other process and your
mitigation strategy should be the same. If you are exposing a container as a vm
where end users will be given root access, you have to do the highest
amount of work, while if all you are doing is putting known software
(like your own app code) inside a container and exposing the service
(haproxy, nginx, even raw iptables) it should be relatively easy.

Hope this helps,
ranjib



On Sun, Jul 13, 2014 at 8:37 AM, Martín Cigorraga <martincigorraga at gmail.com> wrote:

> Good day,
>
> Oracle... when not!
> I'm a newbie to LxC too, I've been running it at my home and office for
> about 4 months now and I can only say it rocks.
> Of course one important thing - and maybe the most important of all [0] -
> is that the kernels you run inside the containers SUPPORT cgroups and the
> other technologies required by LxC.
> Said that, for the sake of usability I just switched to Docker+LxC a few
> days ago and I love it, for me Docker acts as the perfect front-end to the
> excellent LxC.
>
> Cheers!
>
> [0] Knowledgeable people please step in to clarify this point!
>
>
> On Sat, Jul 12, 2014 at 2:41 PM, AT <unixlist-lxc at yahoo.com> wrote:
>
>> Hi everyone,
>>
>> I am VERY new to the LXC tools, though not to similar technologies such
>> as Solaris Zones, or FreeBSD jails.
>>
>> Being new to LXC, I have been reading up on various posts around the web:
>> some time back I read an Oracle blog stating that combining different
>> versions of Linux distributions, in different containers, can crash the
>> kernel, if one of the containers experiences a crash.  Linux-Containers
>> — Part 1: Overview (OTN Garage)
>> <https://blogs.oracle.com/OTNGarage/entry/linux_containers_part_1_overview>
>>
>> This posting is from 2013, but can anyone talk about stability of LXC in
>> general? I by no means want to start a war etc., but technologies such as
>> FreeBSD Jails or Solaris Zones are pretty well-understood, and have been in
>> use for many years in real production settings.  Generally, it is agreed
>> (at least in theory and I've never heard cases stating otherwise) that any
>> Jail or Zone which crashes will not bring down the host-OS.
>>
>>  Apologies in advance if I just need to be pointed to previous mailing
>> list discussions, any info appreciated.  I just joined the list a few days
>> ago, and this is my first post.
>>
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>>
>
>
>
> --
> -Martin
>
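
The two weaknesses named in the reply at the top of this message (a container running in privileged mode, or without cgroup settings) can be checked in a container's config file. The following is an added example, not part of the original thread: the sample configs are constructed, and the function names are hypothetical. It accepts the LXC 1.0-era keys `lxc.id_map` and `lxc.cgroup.*` as well as the later `lxc.idmap` and cgroup v2 `lxc.cgroup2.*` forms.

```python
# Constructed sample configs (not from the thread), in LXC 1.0-era key names.
PRIVILEGED_CONF = """\
lxc.utsname = web1
lxc.network.type = veth
"""
CONFINED_CONF = """\
lxc.utsname = web2
# fields: type, first container id, first host id, range
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.cgroup.memory.limit_in_bytes = 512M
lxc.cgroup.cpu.shares = 256
"""

def parse(text):
    """Return (key, value) pairs; LXC config keys may repeat, so no dict."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def root_is_remapped(pairs, kind):
    """True if container id 0 of this kind ('u' or 'g') maps to a non-zero host id."""
    for key, value in pairs:
        f = value.split()
        if key in ("lxc.id_map", "lxc.idmap") and len(f) == 4 and f[0] == kind:
            if f[1] == "0" and f[2] != "0" and f[3].isdigit() and int(f[3]) > 0:
                return True
    return False

def audit(text):
    """List the weaknesses the post names: privileged mode, missing cgroup limits."""
    pairs = parse(text)
    keys = [k for k, _ in pairs]
    findings = []
    if not (root_is_remapped(pairs, "u") and root_is_remapped(pairs, "g")):
        findings.append("privileged: container root is not mapped to an unprivileged host id")
    if not any(k in ("lxc.cgroup.memory.limit_in_bytes", "lxc.cgroup2.memory.max") for k in keys):
        findings.append("no memory cgroup limit")
    if not any(k.startswith(("lxc.cgroup.cpu", "lxc.cgroup2.cpu")) for k in keys):
        findings.append("no cpu cgroup setting")
    return findings

if __name__ == "__main__":
    for name, conf in (("web1", PRIVILEGED_CONF), ("web2", CONFINED_CONF)):
        print(name, audit(conf) or "ok")
```
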