Get started with LXD

Hey there,

I watched a few presentations about LXC/LXD and I was very excited and interested in the project.
To get a little bit of practice and become more familiar with it, I would like to migrate all the services of my cloud server to another server, where every essential service should be isolated in its own container.

Let me go into a little bit more detail about what I have in mind here:

I have deployed various services (bare-metal) on a single host at the moment (e.g. Seafile, Bitwarden).
Many of those services rely on a webserver or maybe an SQL database.
I would like to isolate those services in separate containers, so for example:

Container 1 = Bitwarden
Container 2 = Seafile

If I follow the example above I would likely end up installing multiple instances of a webserver or an SQL database, so that every “core app” is pretty much completely isolated from its environment (much like you would do in a single virtual machine). This approach seems a little bit redundant and not very efficient, so the other idea would be to put nginx and SQL in a separate container (for example c1-nginx, c2-sql) and let the “core app” containers communicate with c1-nginx and c2-sql.

If I have multiple instances of nginx running, how do I make sure that a request for bitwarden.mydomain.com goes to the right container, whereas a request for seafile.mydomain.com goes to another? (I assume via a reverse proxy?)
If I put nginx in a separate container I probably don't need to worry about that, but then I need to make sure that my containers can communicate with each other.

I guess I am trying to figure out how to approach this “the right way” at the moment and I am grateful for any helpful advice. :slight_smile:

Thank you.

Hi!

Indeed you can launch a single container with your DB server, and then configure other containers to connect to this DB. If the container is called db, then the other container can connect to it at the hostname db.lxd. You configure those other services to use the db.lxd MySQL server.

If you have multiple websites/web services on a single server, then you indeed need a reverse proxy that will analyze incoming connections and direct them appropriately to the suitable container. You can use HAProxy, nginx or other software for this work. My preference is nginx (as a reverse proxy), which is easier to use. If you want to get familiar before deploying, I suggest trying the guide at https://www.linode.com/docs/applications/containers/beginners-guide-to-lxd-reverse-proxy/

In general, if you have multiple Websites, then it is good and not redundant to split each of them into separate containers with individual installations of nginx as the web server. As a rule of thumb, each customer gets a new container with nginx for their website, and if they have more than one website, you may decide to put all of them into that same container.

Hi Simos,

thank you for your reply.
According to the guide at linode.com I should have at least LXD v3.3 or later installed. Is this supposed to be 3.03 maybe? Because AFAIK even the latest stable snap version is just 3.2.2, and I have the LTS version that came preinstalled with LTS 18.04, which is v3.0.3.

Any big changes from 3.0.3 to 3.2.2? I would rather stick with the LTS version.

The guide requires a recent version of LXD, and LXD 3.0.x is unfortunately not recent enough for what is exactly described there. The part that is missing from LXD 3.0.x is the feature of proxy_protocol=true in the LXD proxy devices. Without that, the logs in the containers will not be able to show the real source IPs of your visitors. If you do not need that (and it will simplify your GDPR report :slight_smile: ), then you can use LXD 3.0.x.

Do note that you can also set up iptables/nftables to direct the connections to the proxy container (hence, not use the LXD proxy device), and then use the PROXY protocol to pass the source IP information to the container.

In summary, if you want to follow the guide and install LXD 3.22 (latest from snap), then you can create the LXD proxy device with just the commands

lxc config device add proxy myport80 proxy listen=tcp:0.0.0.0:80 connect=tcp:127.0.0.1:80 proxy_protocol=true
lxc config device add proxy myport443 proxy listen=tcp:0.0.0.0:443 connect=tcp:127.0.0.1:443 proxy_protocol=true

If instead you want to stick to LXD 3.0.x, then you would need to set up iptables/nftables to redirect incoming connections to the proxy container. See https://www.digitalocean.com/community/tutorials/how-to-host-multiple-web-sites-with-nginx-and-haproxy-using-lxd-on-ubuntu-16-04 for more on this.

Thanks again Simos.
I switched to the latest stable snap version of LXD but I ran into some issues with it. (My system wouldn't reboot after going from the LTS deb version of LXD to the snap version as long as containers were running; I had to wait for the LXD process to shut down for 10 minutes. AFAIK there is also a bug report for this.)

Now I am back to 3.03 that comes with LTS Bionic Beaver.

So if I understood you correctly, the only big difference for my use case between the snap version and the preinstalled one that comes with LTS 18.04 is the proxy_protocol=true option you can configure in the LXD proxy device.

Ok, redirecting the traffic via iptables instead of using the LXD proxy method is not a problem, but what do you mean when you're saying “and then use the PROXY protocol to pass the source information to the container”? Are we talking about the PROXY protocol in nginx? Because, as you pointed out, there is no proxy_protocol option when I stick with the LXD version that comes with LTS 18.04.

Thanks again.

If you were to use LXD with PROXY protocol support, this protocol would run between LXD and the container with the reverse proxy.

When you use iptables to direct the traffic to the reverse proxy container, you need to configure the PROXY protocol between the reverse proxy and the web server of each container.

This issue of LXD from the snap package halting your computer until the timeout kicks in (10 minutes) should be affecting your desktop and not the cloud server, right?
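The layout Simos describes for LXD 3.0.x (iptables redirect to a proxy container, then the PROXY protocol between the reverse proxy and each service container's web server), as an added example that is not code from this thread or from either linked guide. It assumes HAProxy as the reverse proxy, containers named proxy, bitwarden and seafile (reachable as bitwarden.lxd and seafile.lxd), placeholder addresses for the proxy container and the lxdbr0 subnet, and plain HTTP on port 80 only.

```shell
#!/bin/sh
# Added example (not from this thread): the LXD 3.0.x layout Simos describes.
# Host DNAT sends port 80 to the proxy container, HAProxy there routes by
# hostname and uses send-proxy (PROXY protocol) towards the service containers,
# whose nginx then logs the real visitor IP. Names and addresses are assumed.
set -eu
PROXY_IP="${PROXY_IP:-10.10.10.2}"        # proxy container's IP on lxdbr0 (placeholder)
LXD_SUBNET="${LXD_SUBNET:-10.10.10.0/24}" # lxdbr0 subnet, the only trusted PROXY source

# iptables rule for the host; this replaces the LXD proxy device on 3.0.x.
host_redirect_rule() {
    echo "iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:80"
}

# HAProxy config for the proxy container: pick a backend from the Host header.
# No default_backend, so unknown hostnames get a 503 instead of a guess.
write_haproxy_cfg() {   # $1 = output path
    cat > "$1" <<EOF
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend http_in
    bind *:80
    acl is_bitwarden hdr(host) -i bitwarden.mydomain.com
    acl is_seafile   hdr(host) -i seafile.mydomain.com
    use_backend bitwarden if is_bitwarden
    use_backend seafile   if is_seafile
backend bitwarden
    server bw bitwarden.lxd:80 send-proxy
backend seafile
    server sf seafile.lxd:80 send-proxy
EOF
}

# nginx site for a service container: accept the PROXY header, but only let
# the LXD subnet rewrite $remote_addr so a visitor cannot forge their address.
write_nginx_site() {    # $1 = output path, $2 = site hostname
    cat > "$1" <<EOF
server {
    listen 80 proxy_protocol;
    server_name $2;
    set_real_ip_from $LXD_SUBNET;
    real_ip_header proxy_protocol;
    root /var/www/$2;
}
EOF
}
```

Push the generated files into the containers with `lxc file push` and run the printed iptables rule on the host; the nginx access log in each service container then shows the visitor's address rather than the proxy container's.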

Unfortunately no. For me it happens with Ubuntu Server LTS 18.10.
From my own tests this occurs as soon as I enable UFW (sudo enable ufw). Disabling it gives me a normal reboot routine, but with UFW enabled I get lots of block messages before the timeout occurs.

First, Ubuntu 18.10 is not an LTS release. Please verify the version because 18.10 is a development version that has stopped being supported since last summer.

If you are using the stock UFW rules and it still affects the shutdown of the computer, then file a bug report. But make sure you test on an LTS version.

I apologize. That was a typo. I am on Ubuntu 18.04.4 LTS (Bionic Beaver) obviously.
I filled out a bug report already. I hope it provides useful information.

Again, thank you very much for taking the time and answering all my questions, it's very much appreciated.