Why I like LXC

(This post was mainly written as feedback to Jupiter Broadcasting's show UserError.)

I will not go into depth about containers. Simply put, they are small, self-contained apps or Linux distributions running on top of your existing kernel. In short, this means you have little to no performance loss compared with virtualisation.

You can read more about containers and how they work here:
https://linuxcontainers.org/

So what use-cases do we have for containers?

A container is something you can bring with you to “any” Linux distro. Maybe your system is less stable than you’d like, maybe you distro-hop a lot, or maybe you just want something persistent. Everything I want to be “stable” and “consistent” I put in a container. Let me give you an example: a media server. You don’t want your wife to get angry because you accidentally broke something on your system and now she can’t watch her series or movies. If the media server runs in a container it stays isolated from your system and, unless you break your kernel or network, keeps working as before. I also have a separate media server container for the kids. Other examples are Nextcloud, OpenVPN, LAMP stacks with different configurations, etc. The list of good reasons to containerise your “servers” is long, but perhaps the best is quick backup and restore: a container can easily be backed up and just as easily restored, and its small size makes it a perfect candidate for servers.

You can also test configurations and clone containers, so if you need a LAMP stack, it’s seconds away.

Which container system should I use?

It depends on your use case! I would say that if you want to isolate a single app you should look at Docker/Snap/AppImage etc. If you want to “containerise” your business you should look at LXD. But if you want to start experimenting and use containers privately, and start now, LXC is the easiest way to start. I say that because LXC has an easy configuration and toolkit. LXD can be a bit intimidating and, in my opinion, is moving very fast at the moment. Let’s just say it has a steep learning curve which you don’t really need for private use. I also like the fact that I have a whole system at my disposal, and if I miss something I don’t need yet another Docker container etc.

Get started:

LXC Crash Course

Here is an example of a media server set-up.

The media server runs inside an LXC container (about 1 GB). I won’t go through the individual services/daemons and their functions in this post, but I’m sure Google will provide the answers.

For my containers to access and store data I use NFS mounts from the NAS on my home network.

/etc/fstab (host):

 10.0.1.100:/Backup /media/Backup                nfs auto 0 0
 10.0.1.100:/Multimedia /media/Multimedia        nfs auto 0 0
 10.0.1.100:/RawVideo /media/RawVideo            nfs auto 0 0
 10.0.1.100:/Nextcloud /media/Nextcloud          nfs auto 0 0

A container config example:

# Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)
#
# Note: this file uses the LXC 1.x/2.x key names. LXC 3 renamed lxc.network.*
# to lxc.net.0.*, lxc.utsname to lxc.uts.name and lxc.rootfs to lxc.rootfs.path
# (lxc-update-config converts an old file).

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Common configuration
lxc.include = /usr/share/lxc/config/archlinux.common.conf

# Container specific configuration
lxc.start.auto = 1

# Limiting RAM (the value is in bytes; use a byte converter if you are unsure).
# 512 MiB = 536870912 bytes:
#lxc.cgroup.memory.limit_in_bytes = 536870912

# Limiting CPU usage: CPUs are numbered 0-7 on an 8-core machine, comma separated.
#lxc.cgroup.cpuset.cpus = 4,5,6,7
lxc.rootfs = /var/lib/lxc/mediaserver/rootfs
lxc.rootfs.backend = dir
lxc.utsname = mediaserver
lxc.arch = amd64

# Network configuration
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
# ('6z' is not valid hex: put your own address here, or write 'x' in place of
#  a digit and LXC will substitute a random hex digit for it)
lxc.network.hwaddr = 00:16:32:98:6z:17

# Adding mounts

# This first one is to avoid unnecessary writes to my SSD, so I "move" the download/processing dir to a HDD
lxc.mount.entry = /media/1TB/media-processing/downloads /var/lib/lxc/mediaserver/rootfs/home/ubuntu/downloads none bind 0 0
lxc.mount.entry = /media/Multimedia /var/lib/lxc/mediaserver/rootfs/media/Multimedia none bind 0 0
lxc.mount.entry = /media/1TB /var/lib/lxc/mediaserver/rootfs/media/1TB none bind 0 0

I created this container 2 years ago when I was using Ubuntu, and it lives on in Antergos (Arch). I have also made a bridge on my host allowing my guests (containers) to be on the same subnet as my host (and NAS). This way other devices like my phone, TV etc. have access to the media.

For further info:

Network Bridge crash course

I have a simple bash script that takes backups of all my LXC containers through cron (or systemd, your choice) and pushes them back to my NAS. I have restored my backups many times on different host systems, so I have no problem recommending this setup.

Finally, the simple backup script:

#!/bin/bash
# Stop each container, archive its directory (keeping numeric uid/gid so the
# ownership survives a restore on another host), write the archive straight to
# the NAS mount, then start the container again.
DEST=/media/Backup/lxc-backup
TIME=$(date +%d-%m-%Y)
for name in mediaserver container2 container3 container4; do
    lxc-stop -n "${name}"
    cd "/var/lib/lxc/${name}/" || { echo "no such container: ${name}" >&2; continue; }
    tar --numeric-owner -czvf "${DEST}/${TIME}-${name}-backup.tar.gz" ./*
    lxc-start -n "${name}"
done

Restore (from an archive made by the script above):

cd /var/lib/lxc
mkdir containername
cd containername
tar --numeric-owner -xzvf /media/Backup/lxc-backup/<date>-containername-backup.tar.gz
lxc-start -n containername
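A restore that checks the archive before it unpacks anything, as an added example (not the post's own script): it assumes the layout the backup script above produces (./config and ./rootfs/ at the top level of a gzip tar) and the default /var/lib/lxc container path. The archives built in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: a restore helper for the backup archives produced by the
# post's script. Refuses archives that do not look like an LXC container
# directory and never overwrites an existing container.
LXC_PATH="${LXC_PATH:-/var/lib/lxc}"   # assumption: default LXC path

# Succeeds only if the archive lists a config file and a rootfs directory at
# its top level (entries look like "./config" and "./rootfs/" when the backup
# was made with "tar ... ./*", or "config" and "rootfs/" without the "./").
archive_looks_like_lxc_backup() {
    listing=$(tar -tzf "$1" 2>/dev/null) || return 1
    printf '%s\n' "$listing" | grep -qE '^(\./)?config$' &&
    printf '%s\n' "$listing" | grep -qE '^(\./)?rootfs/'
}

# restore_container NAME ARCHIVE: unpack into a fresh $LXC_PATH/NAME and start
# it. A half-overwritten rootfs is worse than no restore, so an existing
# directory is an error rather than something to merge into.
restore_container() {
    name=$1; archive=$2
    target="${LXC_PATH}/${name}"
    archive_looks_like_lxc_backup "$archive" ||
        { echo "not an LXC backup archive: $archive" >&2; return 1; }
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing container dir $target" >&2
        return 1
    fi
    mkdir "$target" &&
    tar --numeric-owner -xzf "$archive" -C "$target" &&
    lxc-start -n "$name"
}
```

Run it as root on the host, e.g. `restore_container mediaserver /media/Backup/lxc-backup/<date>-mediaserver-backup.tar.gz`.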

Is there a security risk?

YES! There are two kinds of LXC containers: privileged and unprivileged. The difference is that an unprivileged container is started by a user on your host, and if the container is compromised the hacker will not have more access than the host user who runs the container. A privileged container runs as root, and if it is compromised your hacker will have root permissions on the container host. But an unprivileged container has a lot of restrictions, which you can read more about at https://linuxcontainers.org/. All I can say is: treat your container, security wise, as if it were your host system. Then again, if you are at home, safe and sound behind a router/firewall…
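One concrete way to verify which kind you are actually running, added here and not part of the post: read the uid_map of the container's init process (its PID is printed by `lxc-info -n NAME -pH`) and see whether container uid 0 maps to host uid 0 (privileged) or to a subuid range such as 100000 (unprivileged, as configured with lxc.idmap, or lxc.id_map in the 2.x key syntax the post's config uses). The two sample maps are constructed.

```shell
#!/bin/sh
# Added example: decide from a uid_map whether container root is really
# mapped away from host root. Lines in /proc/<pid>/uid_map read
#   <uid inside the namespace> <uid outside it> <count>
# so the line whose first field is 0 tells us what container root is on the
# host: 0 means privileged, anything else means an unprivileged mapping.

# uid_map_is_unprivileged MAP_TEXT: success only if inside uid 0 is mapped to a
# non-zero host uid. No mapping for uid 0 at all counts as "not verified".
uid_map_is_unprivileged() {
    printf '%s\n' "$1" | awk '
        $1 == 0 { found = 1; status = ($2 == 0) ? 1 : 0 }
        END     { exit (found ? status : 1) }'
}

# container_is_unprivileged PID: same check against a live process, e.g.
#   container_is_unprivileged "$(lxc-info -n mediaserver -pH)"
container_is_unprivileged() {
    uid_map_is_unprivileged "$(cat "/proc/$1/uid_map")"
}

# describe_map MAP_TEXT: prints "unprivileged" or "privileged".
describe_map() {
    if uid_map_is_unprivileged "$1"; then echo unprivileged; else echo privileged; fi
}

# Constructed samples: what a container started by a user with the subuid
# range 100000-165535 shows, and what a root-started privileged one shows.
UNPRIV_MAP='         0     100000      65536'
PRIV_MAP='         0          0 4294967295'
```

The same check applies to the bind mounts in the config above: in an unprivileged container, files owned by host root appear as nobody/nogroup inside, so host-side ownership of /media/Multimedia has to match the mapped range.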
