On Wed, Dec 31, 2014 at 1:31 PM, Sid S <r030t1@×××××.com> wrote:
>
> Containers and such definitely sound interesting; I had been avoiding
> Linux VMs for the longest time due to the overhead. The alternatives
> sound rather light so I might reconsider.
>

There are a couple of ways to go with them. The heavy approach is
something like Docker which basically wraps it all up in config
management and such. The lighter way is to just create chroots and
then launch them with something like nspawn (I'm sure there are
non-systemd equivalents). Then you have two options inside the
container. One is to just directly spawn the process of interest (i.e.
have an init script that launches apache inside a container - not
unlike running a chrooted daemon) - this is VERY lightweight though
you do have the extra shared objects in memory since you're not using
system libs. The other is to run a service manager inside the
container (systemd definitely supports this, and I hear that openrc
works now as well though you'd have to check the details on that and
what versions work) - this is obviously going to be a bit heavier, but
it lets you do things like run sshd inside the container, multiple
daemons, cron, etc. If you're running under systemd you can also do
tricks like having systemd manage the network sockets and launch
non-priv'd daemons on demand (a la inetd) which get passed sockets but
don't have access to any network interfaces otherwise (so, no outgoing
connections).

Either way your container can be anything compatible with your kernel.
You could run a Gentoo host with a Debian container, and so on. The
idea would be to pick the distro most suited to your problem. Maybe
for one of your daemons you want to have a lot of control over
dependencies so you run Gentoo. Maybe for another the vendor
officially supports Debian and it gets rapid updates there, so you run
Debian.

The main thing you lose is some of the security of VMs, though if you
just run your daemon in a container and you run it non-root then
you're pretty darn secure (you'd need a very bad local priv escalation
to get out). It certainly is more secure than just running your
daemon on the host directly.

--
Rich
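An added example (not code from this thread) of the socket-activation pattern Rich describes: systemd binds the listening socket, hands it to the daemon via the LISTEN_PID/LISTEN_FDS convention, and the daemon can therefore run as an unprivileged user with PrivateNetwork=yes and still answer clients while being unable to open outbound connections. The unit-file fragment in the docstring, the port, the user name and the paths are assumptions constructed for the example.

```python
"""Echo daemon speaking systemd's socket-activation (fd-passing) protocol.
Hypothetical unit files (constructed for this example; names, port and paths
are assumptions) for a container in which systemd is the service manager:
  [Socket]                    # echo.socket
  ListenStream=0.0.0.0:7007   # systemd binds it; Accept=no, so the daemon gets the listener
  [Service]                   # echo.service
  ExecStart=/usr/bin/python3 /opt/echo/activated_echo.py
  User=echo                   # unprivileged: it never has to bind a port itself
  PrivateNetwork=yes          # fresh netns: the passed fd still serves, no outbound connections
"""
import os
import socket
SD_LISTEN_FDS_START = 3  # first inherited fd, per sd_listen_fds(3)


def listen_fds(environ=None, pid=None):
    """fds systemd handed to this process, or [] (LISTEN_PID must be our pid)."""
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    if environ.get("LISTEN_PID") != str(pid):
        return []  # fds were meant for a parent, or we were not activated at all
    try:
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def handle(conn):
    """Echo one chunk back to the client; returns the bytes echoed."""
    data = conn.recv(4096)
    conn.sendall(data)
    return data


def echo_roundtrip(payload):
    """Drive handle() over an in-process socketpair (offline self-check)."""
    server_end, client_end = socket.socketpair()
    with server_end, client_end:
        client_end.sendall(payload)
        handle(server_end)
        return client_end.recv(4096)


if __name__ == "__main__":
    fds = listen_fds()
    if not fds:
        raise SystemExit("not socket-activated: start this via echo.socket")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, fileno=fds[0])
    while True:  # serve on the listener systemd bound before dropping us to User=echo
        conn, _ = sock.accept()
        with conn:
            handle(conn)
```

Checking LISTEN_PID against our own pid matters because the environment is inherited by children, which would otherwise adopt fds that were never meant for them.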