Canonical's own container technology - LXD, easier to use and far more secure than Docker
Ubuntu is the Linux distribution on which FWG runs its firewall application. Canonical is the organisation that creates that distribution and they have developed an excellent, lightweight, easy to use, secure and very robust container technology called LXD. LXD is a complete system container (more like a VM) whereas Docker is an application container.
In light of the existence of LXD the use of Docker as the container technology of choice certainly raises the question: "why would a highly security focused company not choose to use a superior containerisation technology that is native to the Linux distribution they run their products on?"
It really is a head scratcher that Firewalla have chosen to support Docker as the technology to containerise third party applications and virtual appliances. Especially with no mention of Canonical's LXD even as a more secure alternative.
Would Firewalla be prepared to also provide a How To on the use of LXD?
-
I'm about to purchase a FWG and will LACP three of the 1G interfaces to a Ubiquiti USW-16-POE switch running wired connections and a few access points. The FWG will run as a router-on-a-stick and control all layer 3 routing and firewall operations.
Ubiquiti's Networking application will run virtually on FWG and I will probably upgrade the RAM from 4GB to 8GB just because it makes sense to throw RAM at virtualisation.
Running Ubiquiti's Networking application virtually on FWG, to manage Ubiquiti's pure layer 2 infrastructure that has none of Ubiquiti's Protect, Access or Voice services, seems like a really elegant solution - except for the fact that the default containerisation is Docker.
-
The primary warning that Firewalla issues for those who choose to virtualise one or more appliances on the host OS of the FWG is that Docker introduces a significant vulnerability — that those containerised appliances run in the same security context as the host OS: as root.
It is important to note that both Docker and LXD are containerisation technologies which puts them in the same footprint ballpark. However, the design of LXD means that it is far more capable in that it can run multiple applications inside a virtualised environment that runs in an overall security context more akin to a VM — where the container itself does not run as root and is significantly isolated from the host OS.
In the case of Firewalla — a security appliance — LXD level isolation of third party containerised applications/appliances is highly desirable. If a poll is conducted it will reveal only one thing — that people don't know about LXD.
It would be awesome to both learn about a secure alternative to Docker and have the option to read and apply an official Firewalla How To that explains how to containerise with LXD.
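The root-context point made above can be checked from inside a running container. The following is an added example, not part of this thread or of any Firewalla or Canonical documentation: it reads the kernel's `/proc/self/uid_map` (the only input it needs) and reports whether uid 0 inside the container is real host root (the default Docker situation) or is remapped to an unprivileged host uid (what an unprivileged LXD container provides). The two sample maps and the function names are constructed for the example.

```shell
# Added example: classify a Linux user-namespace uid map.
# /proc/self/uid_map lines have the form: <ns-start-uid> <host-start-uid> <count>
#   "0 0 4294967295"       -> identity map: uid 0 in here IS host root
#   "0 1000000 1000000000" -> uid 0 in here is host uid 1000000 (LXD unprivileged default range)

# classify_uid_map reads uid_map text on stdin and prints exactly one word:
#   host-root  - uid 0 is mapped onto host uid 0 (container root == host root)
#   remapped   - uid 0 is mapped onto a non-zero host uid (isolated from host root)
#   unknown    - no mapping line for uid 0 was found
classify_uid_map() {
    awk '
        $1 == 0 && $2 == 0 { print "host-root"; found = 1; exit }
        $1 == 0 && $2 != 0 { print "remapped";  found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# check_self classifies the namespace this script itself runs in.
# Prints "unknown" on systems without /proc (e.g. outside Linux).
check_self() {
    if [ -r /proc/self/uid_map ]; then
        classify_uid_map < /proc/self/uid_map
    else
        echo unknown
    fi
}

# Constructed sample maps (not captured from any real appliance).
HOST_ROOT_MAP="0 0 4294967295"
LXD_UNPRIV_MAP="0 1000000 1000000000"

# Usage: run the check where the containerised appliance lives.
#   sh uidmap_check.sh   -> prints host-root, remapped or unknown
check_self
```

If the script prints `host-root` from inside a container, a process escape from that container lands as real root on the host, which is the shared security context the Firewalla warning describes; `remapped` means root inside the container is an unprivileged uid on the host. A privileged LXD container (`security.privileged` set to true) would also print `host-root`, so the check reflects the container's actual configuration rather than the technology's name.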
-
As @andy mentioned, LXD and Docker operate at different layers. Meaning, you can run Docker inside LXD if you want, and if you want something light, Docker is good.
More on this https://ubuntu.com/blog/lxd-vs-docker
"When talking about containers, a common confusion for potential users of LXD is that LXD is an alternative to Docker or Kubernetes. However, LXD and Docker are not competing container technologies, and they tend to serve completely different purposes."
-
Yes, Canonical's marketing presents LXD as a complementary container technology that can nest many Docker instances, because LXD is so capable — but in essence LXD can be implemented as a complete replacement of Docker in many situations. Especially when security is a heightened concern.
-
I run a couple of LXD containers on a small $10 Digital Ocean Droplet which has half the memory of an off-the-shelf FWG and it is a lightweight footprint.
Given the option to run LXD over Docker I will always choose LXD. Other reasons to choose Docker would be to host development environments locally where the shared security context is not an issue.
If a tiny Alpine Linux installation is not a desirable option for an LXD image, Ubuntu Core is a reasonably lightweight alternative. Doubling the Firewalla's OEM memory installation of 4GB to 8GB makes LXD an even easier choice for those who might be concerned about resource usage.
I'd like to work with Firewalla on validating an LXD installation and helping define the procedure, and documentation if that helps.
-
This is seriously interesting. I must admit I know little about LXD at the moment but will investigate now that I have seen this post.
I have already bumped my FWG to 8GB RAM and have subscribed to the MSP portal. Although I run Docker containers within the FWG - NGINX reverse proxy and UniFi controller (love this), I am more interested in increasing the default IOC feed from the default, either standalone or MSP enabled.
Where exactly are the polls?
Nick Walton - I have bookmarked your links. Not related to Taylor Walton at SOCFortress, are you?? Thanks for the post.
-
Yeah, as a complete container technology with mature network and routing stack LXD is really interesting:
https://documentation.ubuntu.com/lxd/en/latest/explanation/networks/
I'm not related to Taylor Walton.
-