Canonical's own container technology - LXD, easier to use and far more secure than Docker

Comments

10 comments

  • Nick Walton

    I'm about to purchase a FWG and will LACP three of the 1G interfaces to a Ubiquiti USW-16-POE switch running wired connections and a few access points. The FWG will run as a router-on-a-stick and control all layer 3 routing and firewall operations.

    Ubiquiti's Networking application will run virtually on FWG and I will probably upgrade the RAM from 4GB to 8GB just because it makes sense to throw RAM at virtualisation.

    Running Ubiquiti's Networking application virtually on FWG, to manage Ubiquiti's pure layer 2 infrastructure that has none of Ubiquiti's Protect, Access or Voice services, seems like a really elegant solution - except for the fact that the default containerisation is Docker.

    0
  • Firewalla

    First, it is difficult to compare LXD vs Docker ... 

    Let me poll the community next week and see what they are interested in. 

    0
  • Andy brown

    I thought that Docker was for application containers and LXD was more for system containers. Not sure that they are the same, or am I missing something?

    0
  • Nick Walton

    The primary warning that Firewalla issues for those who choose to virtualise one or more appliances on the host OS of the FWG is that Docker introduces a significant vulnerability — that those containerised appliances run in the same security context as the host OS: as root.

    It is important to note that both Docker and LXD are containerisation technologies which puts them in the same footprint ballpark. However, the design of LXD means that it is far more capable in that it can run multiple applications inside a virtualised environment that runs in an overall security context more akin to a VM — where the container itself does not run as root and is significantly isolated from the host OS.

    In the case of Firewalla — a security appliance — LXD level isolation of third party containerised applications/appliances is highly desirable. If a poll is conducted it will reveal only one thing — that people don't know about LXD.

    It would be awesome to both learn about a secure alternative to Docker and have the option to read and apply an official Firewalla How To that explains how to containerise with LXD.

    0
  • Firewalla
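The distinction drawn above, that a Docker container's root is by default the host's root while an unprivileged LXD container maps its root to an unprivileged host uid, is visible in the kernel's user-namespace mapping. The following added example (not from any commenter, and not Firewalla's or Canonical's code) classifies a container from the text of its `/proc/<pid>/uid_map`; the sample maps are constructed, not captured from a real system.

```shell
#!/bin/sh
# Each uid_map line is: <ns_start> <host_start> <count>.
# An identity map (0 0 4294967295) means uid 0 inside is uid 0 on the host,
# which is what a process in the initial user namespace shows, including a
# default Docker container (Docker's userns-remap option changes this).
# A line such as "0 100000 65536" means container uid 0 is host uid 100000,
# the shape an unprivileged LXD container produces.
classify_uid_map() {
    # $1: uid_map content, one or more lines
    printf '%s\n' "$1" | awk '
        NF != 3 { next }
        {
            lines++
            ns_start = $1 + 0; host_start = $2 + 0; count = $3 + 0
            # does this line cover in-namespace uid 0?
            if (ns_start <= 0 && 0 < ns_start + count) {
                seen_root = 1
                if (host_start == 0) host_root = 1
            }
        }
        END {
            if (lines == 0) { print "no-map"; exit }
            if (!seen_root) { print "no-root-mapping"; exit }
            if (host_root)  { print "privileged"; exit }
            print "unprivileged"
        }'
}

# Wrapper for a live process; reads /proc, so it is not exercised offline.
classify_pid() {
    classify_uid_map "$(cat "/proc/${1:-self}/uid_map")"
}

# Constructed sample maps (hypothetical values, not from a real host):
IDENTITY_MAP='         0          0 4294967295'  # host root == container root
SHIFTED_MAP='         0     100000      65536'   # container root is host uid 100000

# Stand-alone run: classify the constructed samples and this shell itself.
for m in "$IDENTITY_MAP" "$SHIFTED_MAP"; do
    printf '%s -> %s\n' "$(printf '%s' "$m" | tr -s ' ')" "$(classify_uid_map "$m")"
done
[ -r /proc/self/uid_map ] && printf 'this shell -> %s\n' "$(classify_pid self)"
```

Run inside a container to see which case it is in; a result of `privileged` means an escape from the container lands as host root, the risk the comment above describes.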

    As @andy mentioned, LXD and Docker are operating at different layers. Meaning, you can run Docker inside LXD if you want, and if you want something light, Docker is good. 

    More on this https://ubuntu.com/blog/lxd-vs-docker

    "When talking about containers, a common confusion for potential users of LXD is that LXD is an alternative to Docker or Kubernetes. However, LXD and Docker are not competing container technologies, and they tend to serve completely different purposes."


    0
  • Nick Walton

    Yes, Canonical's marketing presents LXD as a complementary container technology that can nest many Docker instances, because LXD is so capable — but in essence LXD can be implemented as a complete replacement of Docker in many situations. Especially when security is a heightened concern.

    0
  • Nick Walton

    I run a couple of LXD containers on a small $10 Digital Ocean Droplet which has half the memory of an off-the-shelf FWG and it is a lightweight footprint.

    Given the option to run LXD over Docker I will always choose LXD. Other reasons to choose Docker would be to host development environments locally where the shared security context is not an issue.

    If a tiny Alpine Linux installation is not a desirable option for an LXD image, Ubuntu Core is a reasonably lightweight alternative. Doubling the Firewalla's OEM memory installation of 4GB to 8GB makes LXD an even easier choice for those who might be concerned about resource usage.

    I'd like to work with Firewalla on validating an LXD installation and helping define the procedure and documentation, if that helps.

    0
  • Braedach

    This is seriously interesting. I must admit I know little about LXD at the moment but will investigate now that I have seen this post.

    I have already bumped my FWG to 8GB RAM and have subscribed to the MSP portal. Although I run Docker containers within the FWG - NGINX reverse proxy and UniFi controller (love this), I am more interested in increasing the default IOC feed from the default, either standalone or MSP enabled.

    Where exactly are the polls?

    Nick Walton - I have bookmarked your links. Not related to Taylor Walton at SOCFortress, are you?

    Thanks for the post.


    1
  • Nick Walton

    Yeah, as a complete container technology with a mature network and routing stack, LXD is really interesting:
    https://documentation.ubuntu.com/lxd/en/latest/explanation/networks/

    I'm not related to Taylor Walton.

    0
  • Firewalla

    Poll started here: https://www.reddit.com/r/firewalla/comments/15xd7ka/lxd_vs_docker_containers/

    0