
#1 2020-05-31 22:18:45

Observer
Member
Registered: 2016-03-01
Posts: 16

Picking the right container solution

Hi,

I'm searching for a container solution for my home server, which currently uses KVM for some heavy or special cases (like pfsense, or seafile). My idea is to use a container solution for some lighter cases, and I tried docker because everybody talks about docker.

Yes, it worked, but I'm not completely happy with it. The dockerfiles are nice for some easy cases, but if I want a container with an application which only provides an interactive installer script with no way for an automatic install, I can't write the necessary dockerfile.

So I got the tip with systemd-nspawn and LXC and I did some research. Both sound nice. But as a complete newbie I can't estimate which solution better fits my needs for performance and security. I know the general "security problems" with containers (vs VMs), but I prefer a solution which is more secure by design.

My problem is that I found only some rare information about these topics. And if I found some, it was from 2017 or older. In my opinion, it does not make sense to base a decision on this old information. I could not find a direct comparison either. Often these are just simple feature comparisons, which are extremely superficial.

This is the reason why I try to get some help here. Maybe from people who tried both.

The main topics I'm interested in are:
- Performance
- Security
- NAT and bridge

From what I have seen so far, the two solutions seem to be equivalent in terms of their CLI. I could not cover topics such as security, stability or possible restrictions/limits in a meaningful way.

I am grateful for every contribution to this topic!


#2 2020-06-01 01:41:37

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Picking the right container solution

For FreeBSD VMs running OPNsense, NAS etc. I simply use virtual bridges; the security is done by a VM running Snort and the Sense after that, no special or extra security like MAC etc.

Containers are the OpenVZ type of container; they are all behind the above BSD VMs, so I could decide to run SELinux on them but haven't taken that route (yet, or maybe never!)

For simple tasks like running Python apps or building documentation (RST) I use systemd-nspawn, which does the job very well even on low-powered devices like Upboard (intel-z8350) and is definitely a very useful way to run some simple setups that don't need a container or even a complete VM.

If your setup is/is going to be a home lab in an already NATted situation you may need to set up a DMZ for services running for the outside, but otherwise I'd say don't worry too much about security, though it boils down to what exactly you try to accomplish. There is a lot of documentation about these topics on the net and a lot of it is based on personal preferences. Use common sense and you'll be fine mostly...

Performance is what you make of it: if your bare machine has a certain amount of 'power' (CPU, memory, SSD or NVMe etc....) then you shouldn't build above its specs, if that makes sense, because then you'll notice lag or sluggish behavior..

That's about it, have fun;)

edit: the reason I just tell you what I did is because it's difficult to tell you exactly what to do or what to choose.
From your question it's hard to tell; at least implement normal security measures for bare machines on your VMs, as extras you could implement selinux/apparmor and MAC (Mandatory Access Control) on BSD. For systemd-nspawn normal system security should be enough, again, common sense;) There are a lot of tools to help you get where you want to be.
You also asked about stability. I run VMs, CTs and chroots for many, many years on many different systems (BSD, Linux, Windows) and many types of virtualization like OpenVZ, VMWare, XEN, Qemu, Hyper etc. and almost never had problems with it, mostly just as rare as normal bare ware stability.

Last edited by qinohe (2020-06-01 16:00:40)

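The original poster asked specifically about security and about NAT versus bridge networking, and the reply above covers systemd-nspawn only in passing. As an added illustration (not from either poster) of what "normal system security" plus a bridge or NAT setup looks like for systemd-nspawn, here is a .nspawn settings file. The container name "web", the bridge name "br0" and the bind-mounted path are assumptions; the option names are the documented ones from systemd.nspawn(5).

```ini
# /etc/systemd/nspawn/web.nspawn  (container name "web" is an example)
# Read when the container is started with `machinectl start web` or
# `systemd-nspawn -M web`; the root tree is expected under /var/lib/machines/web.

[Exec]
Boot=yes
# Map the container's UIDs/GIDs onto an unused unprivileged range on the host,
# so "root" inside the container is an ordinary user from the host's view.
PrivateUsers=pick
# Block privilege gain through setuid binaries inside the container.
NoNewPrivileges=yes
# Remove capabilities from nspawn's default retained set that an ordinary
# service does not need (CAP_NET_ADMIN is kept: the container's own
# networking stack needs it to configure host0).
DropCapability=CAP_SYS_PTRACE CAP_MKNOD
# Deny syscall groups on top of nspawn's built-in filter ("~" = deny-list).
SystemCallFilter=~@cpu-emulation @debug

[Files]
# Adjust file ownership in the tree to the picked UID range.
PrivateUsersChown=yes
# Host data exposed read-only into the container (example path).
BindReadOnly=/srv/web-data:/data

[Network]
# Bridge mode: a veth pair is created, the container's end appears as
# "host0", and the host's end is attached to the existing bridge "br0",
# so the container gets its own address on the LAN, like a VM on a
# virtual bridge.
VirtualEthernet=yes
Bridge=br0

# NAT alternative: replace the [Network] section with the two lines below.
# The host's end of the veth pair is then named "ve-web"; when
# systemd-networkd runs on the host, the 80-container-ve.network file
# shipped with systemd applies IP masquerading and a DHCP server to it,
# so the container reaches the LAN through the host's address.
# Port= forwards a host port to the container in that mode (example port).
#
# [Network]
# VirtualEthernet=yes
# Port=tcp:8080:80
```

Two caveats a practitioner would check: PrivateUsers=pick only helps if the whole tree is chowned into the picked range (hence PrivateUsersChown=), and every capability or syscall group dropped should be tested against a full boot of the container, since `Boot=yes` means systemd inside still has to mount its own tmpfs instances and bring up host0.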
