Anyone running lxd in a VMWare VM? Tell me about it.
I am considering largely-replacing a slew of VMWare VMs with (probably) just one, running an equivalent number of 'lxc' containers under Ubuntu and 'lxd'.
Is anyone out there doing that? Any thoughts? War stories? Experiences?
Just a question: why put the containers in a VM instead of on bare metal? Do you think that you will get a better isolation that way?
These will run in a cloud environment which basically offers two alternatives: VMWare, or OpenStack (using Linux's own virtual machine monitor on the inside). "Bare metal" is not an option that is available to this project.
There should be no practical difference when you run LXD in a VMWare VM, assuming you are running a stock Ubuntu kernel which has all the necessary configuration that LXD needs.
Obviously make sure you use ZFS on a big fast device (like SSD), not on a loop file.
The bandwidth between two VMs inside Azure, even with a 40 gigabit network adapter on each VM, is only around 4Gbps; but with Azure's FPGA accelerated networking, that goes up to 25Gbps with 5 to 10x less latency (depending on your application). Containers are more efficient than whole-system virtualization, which is why companies are adopting them (it also attracts young talent as they like to work with the bleeding edge). The cost of this new approach however is that admins need to learn new security and management skills and tools.
Last edited by justmy2cents; 06-09-2017 at 04:12 PM.
The last one is particularly important as Linus brought it up himself in one of his recent talks..
Code:
* Containers enable companies to package up and isolate applications with all the necessary files for each to run. This makes it easy to move containerized apps to different environments while retaining their full functionality. Containers are nothing more than Linux processes with a restricted view of the machine they're running on. With containers a single kernel runs multiple separate, walled-off userlands (ring 3 stuff). There's no emulation, no separate memory spaces, or virtual disks. A single kernel just juggles multiple processes in one memory space, as it was designed to do. To the kernel they're just ordinary programs. This is all good, however there's only one kernel so you can only run Linux containers on Linux, and if an app in a container needs an OS update, then everyone gets it, as there's only one OS to perform that update (and the whole machine must be rebooted).
* You can write a barebones container with just a few lines of Go.
* Lxd offers most of the functionality of Xen or KVM-style Linux-on-Linux virtualization but with greater efficiency.
* Lxds share nothing but the kernel so they can contain different LINUX distros than that of the host; with the caveat that those distros must work with the kernel of the host's version of Ubuntu. It uses btrfs or zfs to provide snapshotting and copy-on-write. Block devices on the host such as disk drives, network connections, almost anything can be dedicated to particular containers. You can limit the allotted resources and even dynamically change them as needed (i.e. CPU cores, RAM, etc). You can also pin containers to particular cores.
* Software Containers differ from sandboxes in that they assume everything within them is considered dangerous. Many containers today are built around an app and isolate attacks from spreading to other parts of the OS. There are also container-based configurations such as chroot jails.
* The host's /proc holds information about all the containerized processes. This includes environment variables, which are also stored in the /proc pseudo-filesystem, meaning that your host machine has access to the environment for all your running containers. This potentially has security consequences if you're passing secrets like certificates or database passwords into your containers through environment variables. Also containers have no mechanism for detecting the need for updates, or for automatically updating, and can, therefore, be a source of vulnerabilities in themselves. But universal packages (such as Flatpak or Snap) can add another level of security by installing in containers that isolate them from the rest of the system.
* Containers are more efficient than whole-system virtualization, which is why companies are adopting them. The cost of this new approach is that admins need to learn new security and management skills and tools.
* Some serious threats of containers can include DDOS at the application level, and use of insecure apps to flood the network and affect other containers.
* "LXD is a pure container system that looks as much as possible like a full hypervisor, without actually being one"
* Containers by themselves are not secure, which is why namespaces should also be used.
Last edited by justmy2cents; 06-12-2017 at 10:28 AM.
This is simply a quotation of readily-available information. I'm looking for experiences.
Incidentally, the fact that /proc includes environment variables for anyone has always been seen as a security issue in Linux. Environment variables are too often used in, for example, PHP store-software packages, to communicate things which ought not be communicated, specifically passwords. (Which are often GRANT ALL PRIVILEGES passwords set up by lazy programmers.)
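The /proc point raised in the quoted list and in the reply above can be turned into a host-side audit: walk /proc/<pid>/environ for every process the host can read (containerized ones included) and report variable names that look like secrets, without ever printing the values. This is an added example, not code from either poster or from LXD; the function names and the PROC_ROOT argument (so the scan can be pointed at a constructed tree instead of the live /proc) are my own assumptions.

```shell
#!/bin/sh
# Audit /proc/<pid>/environ on the host for secret-looking variable names.
# Assumed helper names: scan_environ, count_secret_vars (not part of LXD).
# Run as root to see every process; unreadable environ files are skipped.

# Variable names that commonly carry credentials (extended regex, case-insensitive).
SECRET_NAME_RE='^[A-Z0-9_]*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)[A-Z0-9_]*='

# scan_environ [PROC_ROOT]
# Prints one "pid NAME" line per secret-looking variable. Only the name is
# printed: the audit must not copy the secret value into logs or a terminal.
scan_environ() {
    root=${1:-/proc}
    for envfile in "$root"/[0-9]*/environ; do
        [ -r "$envfile" ] || continue          # kernel threads, other uids, zombies
        pid=$(basename "$(dirname "$envfile")")
        # environ is NUL-separated; turn it into one KEY=VALUE entry per line,
        # keep only suspicious keys, then drop everything after the '='.
        tr '\000' '\n' < "$envfile" 2>/dev/null \
            | grep -iE "$SECRET_NAME_RE" \
            | cut -d= -f1 \
            | while read -r name; do
                  printf '%s %s\n' "$pid" "$name"
              done
    done
}

# count_secret_vars [PROC_ROOT]
# Number of secret-looking variables found across all readable processes.
count_secret_vars() {
    scan_environ "$1" | wc -l | tr -d ' '
}

# Stand-alone use: audit the live host and report the total.
if [ "${SCAN_ENVIRON_AUDIT:-0}" = "1" ]; then
    scan_environ /proc
    printf 'secret-looking variables found: %s\n' "$(count_secret_vars /proc)"
fi
```

Run with SCAN_ENVIRON_AUDIT=1 as root on the LXD host; a non-empty report means a secret is visible to anyone on the host who can read that process's /proc entry, and is a candidate for moving to a file with restricted permissions or a secrets mount instead of the environment.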