Rich Freeman on 10 Nov 2014 19:20:43 -0800


Re: [PLUG] Restructuring home network and building a storage server

On Mon, Nov 10, 2014 at 9:22 PM, Eugene Smiley <> wrote:
> "Containers" using what software? I know I've read something recently, but
> it's not coming to mind.

Well, containers are just a fancy name for Linux processes running in
a separate process and mount namespace (and in the case of VPNs you'll
probably want a separate network namespace as well).  Usually they're
chrooted as well.

Think of it like a chroot on steroids.  If you set up a separate
namespace and run ps, you won't see other processes, and your initial
process will be PID 1.  If you mount something, it won't be visible
from outside the namespace (so go ahead and run a backup on your
container from the host and you don't have to worry about backing up
/proc in the container).

There are a number of software packages that manage namespaces.
Docker is probably the biggest name out there right now.  My needs are
considerably lower so I just use systemd-nspawn which is more
lightweight as long as you're running systemd.  LXC is also an option,
but I'm not sure it really has any advantages these days beyond being
the first implementation (as far as I'm aware).

Basically all I do is set up a chroot as you normally would (don't
bother with a kernel - the host kernel is used).  Then I launch the
namespace and it boots up just like a VM would.  Or you can just run
one process (like bash) inside if you don't want a full-blown init
running inside.  If you use a network namespace then your container
can just run DHCP and get an address like any VM, or you can just run
on the host interface but you won't be able to use any ports already
in use on the host, and it won't have its own iptables/etc.

Namespaces are more secure than chroot, but aren't really intended for
security, and root in a namespace will almost certainly be able to get
out if it is determined to do so.  Non-root inside a namespace is
going to be much more secure than non-root outside of one.

You can play around with namespaces from the command line fairly
easily.  Look up any of the guides and you can easily start a root
bash in a separate namespace and play around with bind mounts and such
so that you can see how the filesystem inside the namespace looks
different from the filesystem outside.

Namespaces are also the reason why your distro probably has replaced
/etc/mtab with a symlink to /proc/self/mounts - the list of mounts is
potentially different for every process on a Linux system now.

Philadelphia Linux Users Group
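The "play around with namespaces from the command line" and the per-process mount table points above, worked through as an added example (this is not part of the original post or of any of the tools it names). It assumes a Linux box with util-linux `unshare` and unprivileged user namespaces enabled; where the kernel or a seccomp policy forbids that, the script reports `unshare-unavailable` rather than failing. The scratch directory and marker file are constructed for the demo.

```shell
#!/bin/sh
# Added example: start a shell in fresh user, PID and mount namespaces and show
#   (a) the first process inside is PID 1,
#   (b) a bind mount made inside is never visible in the host's mount table
#       (so a host-side backup of the directory never sees it).
# Assumes util-linux `unshare` plus unprivileged user namespaces; both are assumptions.

# Scratch directories and a marker file (constructed for the demo).
WORK=${WORK:-$(mktemp -d)}
mkdir -p "$WORK/src" "$WORK/dst"
echo "hello from the namespace" > "$WORK/src/marker"
trap 'rm -rf "$WORK"' EXIT

# Runs a command inside new user+pid+mount namespaces. --map-root-user maps our
# uid to root inside the user namespace, so no real root is needed; --fork makes
# the child the first process of the new PID namespace; --mount-proc gives it a
# private /proc so $$ and /proc/self/mounts reflect the new namespaces.
in_namespace() {
    unshare --user --map-root-user --pid --fork --mount --mount-proc \
        sh -c "$1" 2>/dev/null
}

ns_demo() {
    command -v unshare >/dev/null 2>&1 || { echo unshare-unavailable; return 0; }
    # Probe once: if user namespaces are disabled or /proc is masked (common in
    # sandboxed containers), report that instead of half-running the demo.
    in_namespace 'true' || { echo unshare-unavailable; return 0; }

    # Inside: print our PID (expected 1), bind-mount src over dst, read the marker
    # through the bind mount, and count it in the namespace's own mount table.
    in_namespace "
        echo pid=\$\$
        mount --bind '$WORK/src' '$WORK/dst' && echo bind=ok
        cat '$WORK/dst/marker'
        grep -c ' $WORK/dst ' /proc/self/mounts | sed 's/^/inside_mounts=/'
    "

    # Outside, after the namespace has gone away: our own mount table never had
    # the bind mount (unshare defaults to private propagation), and dst is still
    # empty. This is exactly why /etc/mtab had to become /proc/self/mounts.
    echo outside_mounts=$(grep -c " $WORK/dst " /proc/self/mounts || true)
    echo outside_marker=$([ -e "$WORK/dst/marker" ] && echo present || echo absent)
}

ns_demo
```

On a machine that permits it the output is `pid=1`, `bind=ok`, the marker text, `inside_mounts=1`, then `outside_mounts=0` and `outside_marker=absent`; the same path exists in both mount namespaces but only one of them has anything mounted there.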