[lxc-users] Am I misusing LXCs?

Serge E. Hallyn serge at hallyn.com
Fri Mar 31 00:40:27 UTC 2017


Personally I run each service/application in a separate container, in a
separate uid range, in a full distribution (various Ubuntu flavors).  All
automatically updated, as otherwise I'd certainly get in trouble.  With
iptables routing incoming ports.  So sounds like you're doing basically
the same thing I am.

In the past (years ago) I've just used separate uids, but that was when
disk was smaller, and it left more openings to privileged helpers of
applications taking over the system and other applications.

Quoting Scott Lopez (scottjl at gmail.com):
> Is it functioning for you? Yes? Then it isn't wrong. In *nix there are
> a dozen ways to skin a cat, and that's before you start scripting in
> your language of choice.
> 
> Is it the most efficient use? Maybe not. Running a single application
> in a LXC container? Maybe you'd be better off with Docker or Rkt. Have
> multiple containers to run? Look at CoreOS. Worried about security?
> Then maybe separate everything into completely different VMs. Set up
> firewalls, vlans and proxies.
> 
> So no, you're not misusing LXC. It may not be the best tool for your
> job, but your job is running. Be happy!
> 
> 
> On Thu, Mar 30, 2017 at 3:20 PM, John Lewis <oflameo2 at gmail.com> wrote:
> > It is traditional LXC because LXD wasn't out when I set it up
> > originally.  I won't build the packages for LXD if I am not even using
> > it properly.
> >
> > I direct incoming connections using iptables with both the host and
> > the virtual router.
> >
> > I am extremely confident about moving my installation. I will use
> > Ansible for the provisioning and the configuration. I will install all
> > of the packages I need on a simple VPS. I can still use cgroups to
> > control the resource usage of the processes. It will be moderately
> > easier for me to secure because it is easy to see where everything is
> > and what state everything is in.
> >
> > I backup the VPS with rsnapshot that is running on a host that I have
> > physical access to and I rotate the backup drive to another location.
> > The LXCs are disk images.
> >
> > Could you elaborate on separating data from services?
> >
> > On Thu, 2017-03-30 at 23:07 +0300, Simos Xenitellis wrote:
> >> Is that the traditional LXC or is it LXD/LXC containers?
> >> I have a similar set-up (the latter, with LXD/LXC) and there is also a
> >> vsftpd in the mix.
> >>
> >> I think your question is about best practices and whether your
> >> installation adheres to some best practices.
> >> How do you direct incoming connections to each container? Do you use
> >> iptables or something else?
> >> If you were to migrate your installation to another VPS, how
> >> confident would you be to do that?
> >> How do you get backups? Do you take snapshots as backups?
> >>
> >> I think that if you reach a point where you separate your data from
> >> the services, the management of the containers will become much
> >> easier and you will feel more confident with the installation.
> >>
> >> Simos
> >> _______________________________________________
> >> lxc-users mailing list
> >> lxc-users at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-users
> >
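The per-container uid ranges and iptables port routing that Serge describes, written out as an added example that is not part of the thread; the base uid, range size, host user name, container addresses and ports are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: one host uid range per container plus
# iptables port routing, as in the layout Serge describes. The base uid, range size,
# host user, container addresses and ports below are assumptions.

BASE=100000        # first host uid handed out to containers (assumed)
RANGE_SIZE=65536   # one full uid/gid range per container (assumed)

# Host uid range of the N-th container (0-based): first and last host uid.
range_start() { echo $((BASE + $1 * RANGE_SIZE)); }
range_end()   { echo $((BASE + $1 * RANGE_SIZE + RANGE_SIZE - 1)); }

# /etc/subuid entry allowing the given host user to use container N's range.
subuid_line() { printf '%s:%s:%s\n' "$1" "$(range_start "$2")" "$RANGE_SIZE"; }

# lxc.idmap lines for container N (LXC 2.1+ key; older releases spell it lxc.id_map).
idmap_lines() {
  s=$(range_start "$1")
  printf 'lxc.idmap = u 0 %s %s\nlxc.idmap = g 0 %s %s\n' "$s" "$RANGE_SIZE" "$s" "$RANGE_SIZE"
}

# Succeeds only if containers A and B share no host uid, i.e. root in one container
# maps to host uids that are unprivileged and unrelated in the other.
ranges_disjoint() {
  a0=$(range_start "$1"); a1=$(range_end "$1")
  b0=$(range_start "$2"); b1=$(range_end "$2")
  [ "$a1" -lt "$b0" ] || [ "$b1" -lt "$a0" ]
}

# iptables rules that send an incoming host port to a container's address.
# The rules are printed for review rather than applied.
forward_rules() { # host_port container_ip container_port
  printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$1" "$2" "$3"
  printf 'iptables -A FORWARD -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$2" "$3"
}

# Constructed layout: container 0 serves web on 10.0.3.10, container 1 mail on 10.0.3.11.
main() {
  subuid_line lxcadmin 0; subuid_line lxcadmin 1
  idmap_lines 0; idmap_lines 1
  ranges_disjoint 0 1 && echo "# ok: container uid ranges do not overlap"
  forward_rules 80 10.0.3.10 80
  forward_rules 25 10.0.3.11 25
}
main
```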
