[lxc-users] Am I misusing LXCs?

Simos Xenitellis simos.lists at googlemail.com
Thu Mar 30 21:09:19 UTC 2017


On Thu, Mar 30, 2017 at 11:20 PM, John Lewis <oflameo2 at gmail.com> wrote:
> It is traditional LXC because LXD wasn't out when I set it up
> originally.  I won't build the packages for LXD if I am not even using
> it properly.
>
> I direct incoming connections using iptables with both the host and
> the virtual router.
>

An alternative that I use is to have a reverse proxy like HAProxy,
to direct the connections to the correct containers.
HAProxy can be installed either on the server, or in a container itself.
In the first case there are no iptables rules, in the second there is
a single iptables rule.
An added benefit is that you can get HAProxy to work as a TLS termination proxy,
and get SSL/TLS (using Let's Encrypt) with no additional configuration
in the Web servers.

> I am extremely confident about moving my installation. I will use
> Ansible for the provisioning and the configuration. I will install all
> of the packages I need on a simple VPS. I can still use cgroups to
> control the resource usage of the processes. It will be moderately
> easier for me to secure because it is easy to see where everything is
> and what state everything is in.
>
> I backup the VPS with rsnapshot that is running on a host that I have
> physical access to and I rotate the backup drive to another location.
> The LXCs are disk images.
>
> Could you elaborate on separating data from services?
>

If you were to backup from your Web server container, you would
really need to backup some files from /etc/nginx/,
maybe some files from /etc/php/ and the directory /var/www/.
It's probably more about separating your data from the "whole container image".

Some of the tasks that you are doing, could be simplified with LXD.
If you just read https://stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/
it should get you up to speed in no time.

I do not see much of a reason for you not to use containers.
It gets your job done, you are on top of it,
and you can use a single VPS instead of several.

Simos
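As an added illustration of the layout described above (HAProxy on the host, routing by hostname to the web containers and terminating TLS in front of them), here is an example configuration that is not from the original post or from the HAProxy project. It assumes two containers at 10.0.3.10 and 10.0.3.11 on the default lxcbr0 subnet, the hostnames example.com and blog.example.com, and a combined certificate+key PEM under /etc/haproxy/certs/ (for example one produced by certbot).

```haproxy
# Added example (not from the original thread): HAProxy on the LXC host as a
# reverse proxy and TLS termination point in front of two web containers.
# Assumed values: container addresses 10.0.3.10 / 10.0.3.11 (default lxcbr0
# subnet), hostnames example.com / blog.example.com, certs in /etc/haproxy/certs/.

global
    log /dev/log local0
    # Refuse legacy protocol versions; tighten ciphers to match the clients you must support.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

defaults
    mode http
    log global
    option httplog
    option forwardfor          # pass the real client address to the containers
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Plain HTTP: answer Let's Encrypt http-01 challenges locally, redirect everything else.
frontend http-in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme if is_acme
    http-request redirect scheme https code 301 unless is_acme

# TLS is terminated here; traffic from HAProxy to the containers is plaintext on lxcbr0.
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security max-age=31536000
    acl host_www  req.hdr(host) -i example.com www.example.com
    acl host_blog req.hdr(host) -i blog.example.com
    use_backend www  if host_www
    use_backend blog if host_blog
    default_backend www

# Assumed: a standalone ACME client listening on 127.0.0.1:8888 answers the challenges,
# so the web containers need no Let's Encrypt configuration at all.
backend acme
    server certbot 127.0.0.1:8888

backend www
    server web1 10.0.3.10:80 check

backend blog
    server blog1 10.0.3.11:80 check
```

If HAProxy itself runs inside a container instead of on the host, the host additionally needs one DNAT rule forwarding ports 80 and 443 to that container, which is the single iptables rule mentioned above.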

> On Thu, 2017-03-30 at 23:07 +0300, Simos Xenitellis wrote:
>> Is that the traditional LXC or is it LXD/LXC containers?
>> I have a similar set-up (the latter, with LXD/LXC) and there is also a
>> vsftpd in the mix.
>>
>> I think your question is about best practices and whether your
>> installation adheres
>> to some best practices.
>> How do you direct incoming connections to each container? Do you use
>> iptables or something else?
>> If you were to migrate your installation to another VPS, how
>> confident would you be to do that?
>> How do you get backups? Do you take snapshots as backups?
>>
>> I think that if you reach a point where you separate your data from
>> the services, the management of the containers
>> will become much easier and you will feel more confident with the installation.
>>
>> Simos
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users

