On Wed, Dec 31, 2014 at 1:31 PM, Sid S <r03...@gmail.com> wrote:
>
> Containers and such definitely sound interesting; I had been avoiding
> Linux VMs for the longest time due to the overhead. The alternatives
> sound rather light so I might reconsider.
>
There are a couple of ways to go with them. The heavy approach is something like Docker, which basically wraps it all up in config management and such. The lighter way is to just create chroots and then launch them with something like nspawn (I'm sure there are non-systemd equivalents).

Then you have two options inside the container. One is to just directly spawn the process of interest (i.e. have an init script that launches apache inside a container - not unlike running a chrooted daemon) - this is VERY lightweight, though you do have the extra shared objects in memory since you're not using system libs. The other is to run a service manager inside the container (systemd definitely supports this, and I hear that openrc works now as well, though you'd have to check the details on that and what versions work) - this is obviously going to be a bit heavier, but it lets you do things like run sshd inside the container, multiple daemons, cron, etc. If you're running under systemd you can also do tricks like having systemd manage the network sockets and launch non-priv'd daemons on demand (a la inetd) which get passed sockets but don't have access to any network interfaces otherwise (so, no outgoing connections).

Either way your container can be anything compatible with your kernel. You could run a Gentoo host with a Debian container, and so on. The idea would be to pick the distro most suited to your problem. Maybe for one of your daemons you want to have a lot of control over dependencies, so you run Gentoo. Maybe for another the vendor officially supports Debian and it gets rapid updates there, so you run Debian.

The main thing you lose is some of the security of VMs, though if you just run your daemon in a container and you run it non-root then you're pretty darn secure (you'd need a very bad local priv escalation to get out). It certainly is more secure than just running your daemon on the host directly.

--
Rich
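The two systemd setups Rich describes, written out as unit files, as an added example that is not part of the thread and not anyone's production config: the first unit launches a single daemon directly inside a chroot with systemd-nspawn (the lightweight "no service manager inside" option), the second pair socket-activates an unprivileged inetd-style daemon that is handed its connection but has no network of its own because of PrivateNetwork=. The directory /var/lib/machines/web, the binaries /usr/local/bin/webd and /usr/local/bin/echod, the user names, and port 7777 are assumptions; the systemd directives and nspawn options themselves are real.

```ini
# Added example, not from the thread. Paths, binaries, users and the
# port number are assumptions; replace them with your own.

# --- /etc/systemd/system/web-container.service -------------------------
# Option 1 from the mail: no init inside the container, just spawn the
# one daemon in a chroot via systemd-nspawn. --user= drops to an
# unprivileged user inside the container, --private-network gives the
# container only its own loopback (so the daemon cannot reach out), and
# the daemon must be told to stay in the foreground (assumed flag).
[Unit]
Description=Web daemon in a lightweight nspawn container
After=network.target

[Service]
ExecStart=/usr/bin/systemd-nspawn --quiet --directory=/var/lib/machines/web --private-network --user=www /usr/local/bin/webd --foreground
# nspawn recommends mixed: SIGTERM to nspawn itself, SIGKILL to the rest
KillMode=mixed
Restart=on-failure

[Install]
WantedBy=multi-user.target

# --- /etc/systemd/system/echod.socket ----------------------------------
# Option 2 from the mail: systemd owns the listening socket and starts the
# daemon on demand, a la inetd. Accept=yes means one service instance per
# accepted connection, which is what classic inetd-style daemons expect.
[Unit]
Description=Listening socket for the on-demand echo daemon

[Socket]
ListenStream=0.0.0.0:7777
Accept=yes

[Install]
WantedBy=sockets.target

# --- /etc/systemd/system/echod@.service --------------------------------
# Template instantiated once per connection by echod.socket (the "@" is
# what ties the template to an Accept=yes socket). The accepted
# connection arrives on stdin/stdout. PrivateNetwork=yes puts the
# process in a network namespace with only loopback; the already-
# accepted socket was created on the host, so it keeps working, but the
# daemon cannot open any outgoing connection or see host interfaces.
[Unit]
Description=Echo daemon instance (socket-activated, unprivileged)

[Service]
ExecStart=/usr/local/bin/echod
StandardInput=socket
StandardOutput=socket
User=echod
Group=echod
PrivateNetwork=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
```

Enable the socket rather than the template (`systemctl enable --now echod.socket`); nothing runs until the first connection arrives. A quick check that the isolation actually took effect is `systemd-run`-free: connect once, then inspect `/proc/<pid>/net/dev` of the spawned echod instance, which should list only `lo`. If the daemon speaks the sd_listen_fds() protocol instead of inetd-style stdin/stdout, drop Accept=yes and StandardInput/StandardOutput and use a plain `echod.service`; the PrivateNetwork= property behaves the same way.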