On Wed, Dec 31, 2014 at 1:31 PM, Sid S <r03...@gmail.com> wrote:
>
> Containers and such definitely sound interesting; I had been avoiding
> Linux VMs for the longest time due to the overhead. The alternatives
> sound rather light so I might reconsider.
>

There are a couple of ways to go with them.  The heavy approach is
something like Docker which basically wraps it all up in config
management and such.  The lighter way is to just create chroots and
then launch them with something like nspawn (I'm sure there are
non-systemd equivalents).  Then you have two options inside the
container.  One is to just directly spawn the process of interest (i.e.
have an init script that launches apache inside a container - not
unlike running a chrooted daemon) - this is VERY lightweight though
you do have the extra shared objects in memory since you're not using
system libs.  The other is to run a service manager inside the
container (systemd definitely supports this, and I hear that openrc
works now as well though you'd have to check the details on that and
what versions work) - this is obviously going to be a bit heavier, but
it lets you do things like run sshd inside the container, multiple
daemons, cron, etc.  If you're running under systemd you can also do
tricks like having systemd manage the network sockets and launch
non-priv'd daemons on demand (a la inetd) which get passed sockets but
don't have access to any network interfaces otherwise (so, no outgoing
connections).

Either way your container can be anything compatible with your kernel.
You could run a Gentoo host with a Debian container, and so on.  The
idea would be to pick the distro most suited to your problem.  Maybe
for one of your daemons you want to have a lot of control over
dependencies so you run Gentoo.  Maybe for another the vendor
officially supports Debian and it gets rapid updates there, so you run
Debian.

The main thing you lose is some of the security of VMs, though if you
just run your daemon in a container and you run it non-root then
you're pretty darn secure (you'd need a very bad local priv escalation
to get out).  It certainly is more secure than just running your
daemon on the host directly.

-- 
Rich
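
The socket-passing arrangement Rich describes above (systemd holds the listening socket and hands it to an unprivileged daemon that otherwise has no network access) as an added example, not code from this thread. It implements the daemon side of the sd_listen_fds(3) convention in Python; the unit names, port, paths and user in the comments are assumptions.

```python
import os
import socket

# Assumed host-side unit files (illustrative, not from the thread):
#   example.socket   ->  [Socket]  ListenStream=8080
#   example.service  ->  [Service] ExecStart=/usr/bin/python3 /srv/app/echo.py
#                                  User=nobody
#                                  PrivateNetwork=yes   # own netns, loopback only
# The service inherits the socket systemd opened in the host namespace, so it
# can accept connections even though it cannot open any of its own.

SD_LISTEN_FDS_START = 3  # first inherited fd; 0, 1, 2 are stdio


def listen_fds(environ=None, pid=None):
    """Return the fds systemd passed us, per the sd_listen_fds(3) convention.

    systemd sets LISTEN_PID to the daemon's pid and LISTEN_FDS to the number
    of sockets, inherited as fds 3, 4, ...  A LISTEN_PID that is not our own
    pid means the variables were meant for an ancestor (e.g. a shell wrapper)
    and must be ignored, otherwise an arbitrary fd would be treated as a socket.
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    if count < 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def serve_once(fd):
    """Accept one connection on an inherited listening socket and send a banner."""
    with socket.socket(fileno=fd) as listener:
        conn, _ = listener.accept()
        with conn:
            conn.sendall(b"hello from an unprivileged, network-less service\n")


if __name__ == "__main__":
    fds = listen_fds()
    if not fds:
        raise SystemExit("not socket-activated; start via example.socket")
    serve_once(fds[0])
```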
