[lxc-users] Crucial LXD, Bind Mounts & Gluster Question

Zach Lanich zach at zachlanich.com
Sun Aug 14 01:50:52 UTC 2016


Hey guys, I have a crucial decision I have to make about a platform I’m building, and I really need your help to make this decision with regard to security. Here’s what I’m trying to accomplish:

Platform: Highly Available Wordpress hosting using Galera, GlusterFS & LXD (don’t worry about the SQL part)
- One container per customer on a VM (or ded server)
- (preferably) One 3 node GlusterFS Cluster for the Wordpress files of all customers’ containers
- GlusterFS volume divided into subdirectories (one per customer), with ACLs to control permissions (see *)
- Gluster Volume subdirectories Bind Mounted into their respective containers (i.e. /data/gluster/user1 -> container:/data/gluster)
- LXC User/Group mappings to make the ACLs work

My concerns:
- (*) Although the containers are isolated (all but the shared kernel), and that in itself is probably secure enough to feel ok about it, introducing a shared Gluster volume into the mix and depending on ACLs makes me a bit nervous. I’d like your opinions on what the norm is in the world (the PaaSs, etc) and if you guys think this is a terrible idea. If you think this is not a good way of handling my needs, PLEASE help me find a better solution.

My hangups:
- I know PaaSs have found incredibly efficient ways to provide containerized apps with high availability, and I tend to highly doubt they’re throwing up 3+ GlusterFS VMs for every single app they deploy. This to me seems like an impossibly cost-ineffective approach. Correct me if I’m wrong. That being said, I’m not 100% sure how they’re doing it.

Odd thoughts & alternative solutions that have crossed my mind:
- To avoid using a shared single Gluster Volume and ACLs altogether, while also avoiding too much infrastructure cost, I’ve thought of possibly putting up a 3 VM Gluster cluster, each with matching LXD Containers on them with Gluster server daemons running in those containers. I could use those containers & networking to simulate having multiple 3 node Gluster Clusters, each being dedicated to a respective containerized app on the App Server. This to me seems like it would be an unnecessarily complex and annoying-to-maintain solution, so please help me here.

I hugely appreciate anyone's help. This is a huge passion project of mine and I’ve dedicated an absurd number of hours reading to try and figure this out.

Best Regards,

Zach Lanich
Business Owner, Entrepreneur, Creative
Owner/CTO
weCreate LLC
www.WeCreate.com
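The layout described in the post (one Gluster subdirectory per customer, bind-mounted into that customer's container, with LXD uid/gid mappings making host ACLs meaningful) can be expressed as a short provisioning script. The following is an added example and not code from the original post or from the LXD project. It assumes hypothetical names: the Gluster client mount lives at /data/gluster on the LXD host, containers are called cust-N with subdirectory /data/gluster/cust-N, the web server inside every container runs as uid/gid 33, each container gets its own isolated idmap of 65536 ids, and LXD records the allocated base in volatile.idmap.base (treat that key as an assumption and check it on your LXD version). The security point is that with isolated idmaps the same in-container uid 33 lands on a different host uid for every customer, so an ACL granting that one host uid on cust-N's directory grants nothing to any other container; the idmaps_disjoint check verifies the precondition that makes the ACLs meaningful.

```shell
#!/bin/sh
# Added example (not from the original post). Hypothetical layout:
#   host Gluster mount:  /data/gluster            (mounted with -o acl)
#   per customer:        container cust-N, dir /data/gluster/cust-N
#   in-container web uid/gid: 33 (www-data)
#   LXD: security.idmap.isolated=true, 65536 ids per container,
#        allocated base readable from volatile.idmap.base (assumed key)

GLUSTER_ROOT=/data/gluster
WEB_UID=33
IDMAP_SIZE=65536

# host_id BASE CONTAINER_ID
# Host uid/gid that a container uid/gid maps to under the plain idmap
# "both BASE 0 SIZE" that an isolated container receives.
host_id() {
    echo $(( $1 + $2 ))
}

# idmaps_disjoint "BASE SIZE" "BASE SIZE" ...
# Returns 0 when no two ranges overlap, 1 otherwise. If two customers'
# ranges overlapped, uid 33 in one container could alias an id in the
# other's range on the host and the per-directory ACLs would no longer
# separate them.
idmaps_disjoint() {
    i=0
    for a in "$@"; do
        i=$(( i + 1 ))
        j=0
        for b in "$@"; do
            j=$(( j + 1 ))
            if [ "$j" -le "$i" ]; then
                continue
            fi
            a_base=${a%% *}; a_size=${a##* }
            b_base=${b%% *}; b_size=${b##* }
            if [ "$a_base" -lt $(( b_base + b_size )) ] &&
               [ "$b_base" -lt $(( a_base + a_size )) ]; then
                return 1
            fi
        done
    done
    return 0
}

# provision_customer N
# Creates cust-N with an isolated idmap, gives only that container's
# mapped www-data id access to its own subdirectory, and bind-mounts
# just that subdirectory (never the whole volume) into the container.
# Must run as root on the LXD host; requires the lxc and setfacl tools.
provision_customer() {
    name="cust-$1"
    dir="$GLUSTER_ROOT/$name"

    lxc init ubuntu:16.04 "$name"
    lxc config set "$name" security.idmap.isolated true
    lxc config set "$name" security.idmap.size "$IDMAP_SIZE"
    lxc start "$name"

    # Assumption: LXD exposes the allocated range start under this key.
    base=$(lxc config get "$name" volatile.idmap.base)
    uid=$(host_id "$base" "$WEB_UID")

    # Host-side permissions: the directory is owned by the mapped id,
    # closed to everyone else, and carries an explicit ACL (plus a
    # default ACL so files created from inside inherit it).
    mkdir -p "$dir"
    chown "$uid:$uid" "$dir"
    chmod 0700 "$dir"
    setfacl -m "u:$uid:rwx" "$dir"
    setfacl -d -m "u:$uid:rwx" "$dir"

    # Verify the ACL actually took effect on the Gluster mount; a mount
    # without acl support silently drops it.
    getfacl -p "$dir" 2>/dev/null | grep -q "^user:$uid:rwx" || {
        echo "ACL not applied on $dir (is $GLUSTER_ROOT mounted with -o acl?)" >&2
        return 1
    }

    # Expose only this customer's subdirectory at /data/gluster inside.
    lxc config device add "$name" webroot disk source="$dir" path=/data/gluster
}

# Usage: ./provision.sh provision 1   (only runs where lxc is installed)
if [ "${1:-}" = "provision" ] && command -v lxc >/dev/null 2>&1; then
    provision_customer "$2"
fi
```

Two things to check on a real deployment: the Gluster FUSE client must be mounted with the acl option and the volume must support POSIX ACLs, or setfacl will appear to succeed while getfacl shows nothing, which is what the verification step above catches; and the bind mount should always point at the customer's subdirectory, not at /data/gluster itself, since a disk device source of the whole volume would expose every customer's files regardless of the ACLs.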

