[lxc-users] Advice for running LXC on a Debian host

Fajar A. Nugraha list at fajar.net
Sat Mar 14 05:55:53 UTC 2015


On Fri, Mar 13, 2015 at 8:34 PM, Rory Campbell-Lange
<rory at campbell-lange.net> wrote:
> Dear LXC List
>
> I'm looking for advice on running LXC on Debian.
>
> I did quite a lot of work on trialling lxc about two years ago but then
> left it there because of a lack of time and some troublesome issues with
> Debian stable at the time.

Short suggestion: don't.

It's MUCH easier to use ubuntu LTS + lxc (either from bundled version,
or from daily ppa to get latest lxc version) as the host. You'd likely
get problems with debian's bundled version, as reported on this list
recently (search the archives). And building your own lxc version (or
rebuilding ubuntu's source) might not be as straightforward as it
seems.

You could then run whatever you want on the containers, including debian.

>
> We are considering using LXC again for a spare server to take over a
> couple of small production server images where the hardware is reaching
> end-of-life. Also we wish to be able to quickly setup clones/variants of
> our web application stack (postgresql + php/python + apache) for testing
> purposes.
>
> The machine we have available has 6GB of RAM, a system (hw raid 1) 200G
> drive and a storage drive (hw raid 5) of 1TB. The board is a TYAN
> Tempest with 8 x Intel E5420 @ 2.50GHz. We have been trialling btrfs for
> some years now and are happy to take the risks of running the storage
> drive on btrfs.
>

I'd suggest zfs, but if you're comfortable with btrfs, then lxc has
support for it as well (e.g. container snapshot/clone)


> Presently the Debian LXC wiki page at https://wiki.debian.org/LXC states
> "LXC may not provide sufficient isolation at this time".

Part of the lxc isolation/security in ubuntu is provided through
apparmor, which AFAIK is not enabled by default on debian.

The other part is through the use of unprivileged containers (where
container's root uid is just another non-root uid in the host).

>
> I would be grateful for comments about whether a version of Debian is
> suitable for these intended uses, what Debian distro version is
> recommended (if any), what kernel version to run and recommendations
> about using btrfs.


I'd go with ubuntu 14.04, lxc-1.1 from daily ppa, and add zfsonlinux.

If you still want to use debian anyway, then probably debian stable
plus lxc-1.1 built manually from source.
Use whatever kernel version that you've tested to work well with for
btrfs (I lost track of which versions, but there were some newer
kernels which caused btrfs regression).
Then, if you care about security, find out how you can enable apparmor
and integrate it with your lxc build.

-- 
Fajar
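The uid mapping that makes a container's root "just another non-root uid in the host", as an added example that is not from this thread or the lxc project: it parses lxc 1.x `lxc.id_map` lines and an `/etc/subuid` entry (both constructed samples), translates container ids to host ids, and checks that the map stays inside the delegated range and never reaches host uid 0. The user name `lxcuser` and the ranges are assumptions.

```python
# Added example (not from the mailing-list thread): translate an unprivileged
# container's uid/gid through its lxc 1.x `lxc.id_map` entries and check that
# the map fits the range delegated in /etc/subuid and never covers host uid 0.

# Constructed sample config fragment (lxc 1.x syntax; lxc 3.x uses lxc.idmap).
SAMPLE_CONFIG = """\
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""
# Constructed /etc/subuid line: user "lxcuser" owns host uids 100000-165535.
SAMPLE_SUBUID = "lxcuser:100000:65536\n"

def parse_id_map(config):
    """Return (kind, container_start, host_start, count) per lxc.id_map line."""
    entries = []
    for line in config.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "lxc.id_map":
            kind, c_start, h_start, count = value.split()
            entries.append((kind, int(c_start), int(h_start), int(count)))
    return entries

def to_host_id(entries, kind, cid):
    """Map a container uid ('u') or gid ('g') to its host id; None if unmapped."""
    for k, c_start, h_start, count in entries:
        if k == kind and c_start <= cid < c_start + count:
            return h_start + (cid - c_start)
    return None

def parse_subid(text, user):
    """Return (start, count) ranges delegated to `user` in /etc/subuid or subgid."""
    ranges = []
    for line in text.splitlines():
        if line.strip():
            name, start, count = line.split(":")
            if name == user:
                ranges.append((int(start), int(count)))
    return ranges

def map_is_safe(entries, kind, delegated):
    """True if every map of `kind` avoids host id 0 and fits a delegated range."""
    for k, _, h_start, count in entries:
        if k != kind:
            continue
        inside = any(s <= h_start and h_start + count <= s + n for s, n in delegated)
        if h_start == 0 or not inside:
            return False
    return True
```

Container uid 0 lands on host uid 100000 with the sample map, and an id outside the mapped range (for example 70000) has no host identity at all.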