| 1 |
On Wed, Dec 31, 2014 at 1:31 PM, Sid S <r030t1@×××××.com> wrote: |
| 2 |
> |
| 3 |
> Containers and such definitely sound interesting; I had been avoiding |
| 4 |
> Linux VMs for the longest time due to the overhead. The alternatives |
| 5 |
> sound rather light so I might reconsider. |
| 6 |
> |
| 7 |
|
| 8 |
There are a couple of ways to go with them. The heavy approach is |
| 9 |
something like Docker which basically wraps it all up in config |
| 10 |
management and such. The lighter way is to just create chroots and |
| 11 |
the launch them with something like nspawn (I'm sure there are |
| 12 |
non-systemd equivalents). Then you have two options inside the |
| 13 |
container. One is to just directly spawn the process of interest (ie |
| 14 |
have a init script that launches apache inside a container - not |
| 15 |
unlike running a chrooted daemon) - this is VERY lightweight though |
| 16 |
you do have the extra shared objects in memory since you're not using |
| 17 |
system libs. The other is to run a service manager inside the |
| 18 |
container (systemd definitely supports this, and I hear that openrc |
| 19 |
works now as well though you'd have to check the details on that and |
| 20 |
what versions work) - this is obviously going to be a bit heavier, but |
| 21 |
it lets you do things like run sshd inside the container, multiple |
| 22 |
daemons, cron, etc. If you're running under systemd you can also do |
| 23 |
tricks like having systemd manage the network sockets and launch |
| 24 |
non-priv'd daemons on demand (a la inetd) which get passed sockets but |
| 25 |
don't have access to any network interfaces otherwise (so, no outgoing |
| 26 |
connections). |
| 27 |
|
| 28 |
Either way your container can be anything compatible with your kernel. |
| 29 |
You could run a Gentoo host with a Debian container, and so on. The |
| 30 |
idea would be to pick the distro most suited to your problem. Maybe |
| 31 |
for one of your daemons you want to have a lot of control over |
| 32 |
dependencies so you run Gentoo. Maybe for another the vendor |
| 33 |
officially supports Debian and it gets rapid updates there, so you run |
| 34 |
Debian. |
| 35 |
|
| 36 |
The main thing you lose is some of the security of VMs, though if you |
| 37 |
just run your daemon in a container and you run it non-root then |
| 38 |
you're pretty darn secure (you'd need a very bad local priv escalation |
| 39 |
to get out). It certainly is more secure than just running your |
| 40 |
daemon on the host directly. |
| 41 |
|
| 42 |
-- |
| 43 |
Rich |
Archives