#1 2020-02-22 16:25:38

Cilyan
Member
From: Toulouse (FR)
Registered: 2006-08-27
Posts: 97
Nginx: chroot or systemd-nspawn?

Hello Archers,

I just installed a NUC8i3BEH (small form factor i3 quad-thread PC) to replace my old Cubietruck (ARM SoC), whose main purpose is to host a personal web server.

In my old setup, I followed the wiki to install nginx in a chroot and that worked well for the most part. I've also heard about systemd-nspawn in the meantime and I was wondering if it was worth testing that technology. I understand that chroot and the like to secure a personal server might be a bit overkill, but to me it's also about keeping my knowledge at best practice, while getting something that is useful. (Trade-off between a bare unprotected nginx and an OpenStack behind haproxy and a firewall... ;) )

This is what I have in my head, onto which I would love to get your point of view.

  • CPU overhead: I'm not sure of the overhead difference between chroot and nspawn. Will I need a complete system in the container, or will a lightweight system like the one built in the wiki example be enough? I'm not too concerned about memory and disk space; I boosted the system way above requirements this time...

  • Updating: One thing that was complicated in the chroot was keeping nginx up to date. My process was to install nginx using pacman on the host, use the Perl script to move it to the chroot, make manual adjustments to make it work and not erase all configuration, restart the chroot and delete nginx from the host. Will it be easier in a container?

  • Pacman on chroot: But maybe, instead of copying the files to the chroot, I could direct pacman to install inside the chroot? That way, container or chroot, it will be easy to maintain.

  • Security: Is it easier to escape a chroot or a container?

  • Let's Encrypt: This was also painful, because it would not produce the files in the right place and so needed a manual copy to the chroot. Will it be easier in the container?

  • PHP/Python/MySQL: I now understand well how that works for a chroot, even when keeping uWSGI, MySQL and php-fpm outside of the chroot, and possibly in their own chroots, using Unix sockets. Will it also be easy to set up a connection between the nginx container and other services outside of the container, possibly in their own containers?

  • Btrfs snapshots: instead of my previous Ext4. nspawn seems to be able to take advantage of this, especially spawning on an ephemeral subvolume, but I guess I can do pretty much the same with chroot, just not as automatically.

Well... I'm thinking about all that and more. If you can tell me your point of view on the pros and cons of both techniques, that would be nice and help me make up my mind.

Cheers

Last edited by Cilyan (2020-02-23 15:09:47)
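One way to set up what the post asks about (pacman managing the container tree directly, and sharing the host's Unix sockets and Let's Encrypt certificates with an nginx nspawn container), as an added example that is not part of the original post; it assumes the container root, socket and certificate paths named in the comments:

```shell
#!/bin/sh
# Added example, not from the forum post. Assumed paths: container root
# /var/lib/machines/nginx (the default location systemd-nspawn@.service uses),
# php-fpm sockets in /run/php-fpm, MariaDB sockets in /run/mysqld and
# certbot output in /etc/letsencrypt.
set -eu

MACHINE=nginx
ROOT=/var/lib/machines/$MACHINE

# Render the .nspawn unit. php-fpm, MariaDB and certbot stay on the host; the
# container only sees their socket directories and the certificates, read-only,
# so a compromised nginx cannot tamper with them (the same separation the post
# describes with sockets across chroots). Socket file modes must still grant
# the container's nginx user write access on the socket inode.
nspawn_unit() {
    cat <<EOF
[Exec]
Boot=yes

[Network]
Private=no

[Files]
BindReadOnly=/etc/letsencrypt
BindReadOnly=/run/php-fpm
BindReadOnly=/run/mysqld
EOF
}

# Creating and updating the tree with the host's package manager instead of
# copying files: pacstrap -c reuses the host package cache, pacman -r/--root
# operates on the container tree. Printed rather than run unless DO_INSTALL=1.
bootstrap_cmd() { printf 'pacstrap -c %s base nginx\n' "$ROOT"; }
update_cmd()    { printf 'pacman -r %s -Syu\n' "$ROOT"; }

write_unit() {                      # $1 = destination .nspawn file
    nspawn_unit > "$1"
}

if [ "${DO_INSTALL:-0}" = 1 ]; then
    eval "$(bootstrap_cmd)"
    mkdir -p /etc/systemd/nspawn
    write_unit "/etc/systemd/nspawn/$MACHINE.nspawn"
    systemctl enable --now "systemd-nspawn@$MACHINE.service"
else
    bootstrap_cmd; update_cmd; nspawn_unit
fi
```

Updates then become a single `pacman -r` run on the host followed by `machinectl reboot nginx`, with no copying step.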
