App-LXC-Container
6 results

 view release on metacpan or  search on metacpan

lib/App/LXC/Container.pm  view on Meta::CPAN 

using them though.  Other distributions need some more work, but are welcome
nonetheless.

App::LXC::Container provides a toolbox to configure, create and run one or
more applications inside of simple and secure LXC (L<Linux
containers|https://linuxcontainers.org/lxc/>) application containers.  Those
containers have minimal overhead compared to the underlying Linux system.
See below for a discrimination against tools like
L<Docker|https://www.docker.com/>, L<Snap|https://snapcraft.io/> /
L<Flatpak|https://flatpak.org/> or full-blown L<virtual
machines|http://www.linux-kvm.org/>.

Minimal overhead includes main memory, disk storage, run-time and to a
certain extend administration.  Its main purpose is to run one or more
simple applications (e.g. a browser or a stand-alone third party
application) in a more secure environment, especially on desktop systems.

Note that this toolbox uses L<UI::Various> to be able to run with or without
Graphical User Interface.  If you want to use the GUI, you need to install
L<Tk> yourself as it's only an optional dependency.

Also note that both L<LXC|https://linuxcontainers.org/lxc/introduction/> and
L<LXCFS|https://linuxcontainers.org/lxcfs/introduction/> must be installed.

=head1 DESCRIPTION

The goal of App::LXC::Container is to allow applications installed on the
machine to be run inside of LXC application containers.  LXC needs almost no
overhead while still providing good additional security compared to running
the applications directly on the machine.  Its main disadvantages compared
to the four alternatives aforementioned in the abstract are:

=over

=item -

It must use the same kernel as the underlying machine.

=item -

It must use the same program and library versions.

=item -

Some components (e.g. the display server) are not as secure as with
the alternatives.

=item -

The concept is not useful if you need to run and scale an application
across several machines.

=back

These disadvantages are compensated by several advantages:

=over

=item +

All applications are automatically updated together with the Linux
distribution of the machine.

=item +

The applications do not need additional disk space (except for the
configuration files as well as some directories, bind-mounts and symbolic
links - we're writing about 250-2500 additional inodes and 500-2500 kB of
disk space).

=item +

The applications do not use additional main memory when compared to
running outside of the LXC container (except for the overhead of a few
scripts and LXC itself).

=back

App::LXC::Container is a toolbox basically providing three commands:

=head2 lxc-app-setup

is the script used to configure an LXC application container.  Depending on
the environment it uses a graphical or non-graphical user interface for the
configuration.  When run for the first time it also asks for the location of
the toolbox's configuration directory and creates a symbolic link to it in
the user's home directory.

=head2 lxc-app-update

is the script used to update the LXC configuration file of one container
from one or more simpler configuration files created by C<lxc-app-setup>.
The name of the LXC container is the name of the last of the names of the
simpler configuration files.  The script must be run after major updates of
one of the programs (packages) used within the application container or the
Linux distribution itself.

=head2 lxc-app-run

is the script called to run a program within its specific application
container.  It automatically starts a new container or attaches to an
already running container and also allows running the application as a
specific user (provided that user exists within the container).

=head1 BUILT-IN CONTAINERS

Two container names are special built-in for testing purposes.  Using them
allows you to check for principle LXC configuration problems:

=over

=item no-network

is a minimal container only providing a minimal set of everything without
any network access.  It can be used to check what can be seen from every LXC
application container created by the scrips.

=item local-network

is a minimal container providing a minimal set of everything with network
access limited to the host of the container.  This is also the minimum

lib/App/LXC/Container.pm  view on Meta::CPAN 


Docker containers need additional disk space for the images and additional
main memory as nothing is shared with the main system.

=item +

Installing / updating Docker containers can be quite time-consuming.

=back

=head2 compared to Snap / Flatpak

=over

=item -

Snap / Flatpak packages may come from a source providing faster and/or more
recent versions of at least their main programs.

=item +

For Snap / Flatpak you must either trust that the provider of that package
takes care of installing all security updates of all packages used within it
or check those versions yourself against those of the used distribution.

=item +

Snap / Flatpak packages need additional disk space for the packages and
additional main memory as nothing is shared with the main system (usually
less than Docker containers).

=back

=head2 compared to virtual machines

=over

=item -

Virtual machines allow running different versions of applications, different
Linux distributions and even other operating systems.

=item -

Like Docker containers virtual machines are also much better for scalable
server applications.

=item -

Virtual machines are completely separated (except for low-level hardware
attacks like Heartbleed etc.) and more secure than any type of container.

=item +

The images for virtual machines need a lot more disk space and main memory
as nothing is shared with the main system (even more than Docker
containers).

=item +

Virtual machines must be updated separately from the main system.

=item +

Starting an application inside of a virtual machine is slower than starting
an application container.

=back

I<Additional advantages/disadvantages are welcome.>

=head1 BEST PRACTICES

Especially external packages often haven't all their real dependencies
configured.  For those it is often necessary to manually add some packages
and bind mount points like the following:

=head2 additional packages

Note that the examples are from Debian.

=over

=item fontconfig-config (select C</usr/share/fontconfig>)

=item locales (select C</usr/share/locale/locale.alias>)

=back

=head2 additional bind mounts

Note that again the examples are from Debian.

=over

=item C</usr/share/fonts>

=back

=head1 KNOWN BUGS

Currently the package only supports Debian based distributions.  If you're
using something different please get in touch to extend the support.  (The
framework is already there, but the specific commands are missing, and
that's where I need some help.)  Everything derived from Debian should be
easy to add.  For RPM based distributions I've also already some ideas.

Also only X11 graphic and pulseaudio/pipewire sound has been tested so far.
Wayland probably works as well but other sound systems most surely not.
(Again, some help would be appreciated.)

Non-standard user configuration (not using C</etc/passwd>, C</etc/group>
etc. or not using C</home> as location for normal users) are currently not
supported.

It is not properly checked that LXC and LXCFS are really installed.  If not,
this will produce some other errors.

Currently recommended or suggested packages are ignored while following the
dependencies.  This will be fixed (and configurable) in a later version.

lib/App/LXC/Container.pm  view on Meta::CPAN 

	require App::LXC::Container::Setup;
	App::LXC::Container::Setup->import;
    }
    if ($0 =~ m!(?:^|/)(?:lxc-app-update|06-update\.t)$|^-e!)
    {
	require App::LXC::Container::Update;
	App::LXC::Container::Update->import;
    }
    if ($0 =~ m!(?:^|/)(?:lxc-app-run|07-run\.t)$|^-e!)
    {
	require App::LXC::Container::Run;
	App::LXC::Container::Run->import;
    }
}
use App::LXC::Container::Texts;

#########################################################################
#########################################################################

=head1 MAIN FUNCTIONS

The module defines the following main functions for the scripts
C<lxc-app-setup> and C<lxc-app-update>:

=cut

#########################################################################

=head2 B<setup> - setup meta-configuration

    App::LXC::Container::setup($container);

=head3 parameters:

    $container          name of the container to be configured

=head3 description:

This is the actual code for the wrapper script C<lxc-app-setup>.

=cut

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

sub setup($)
{
    defined $ENV{ALC_DEBUG}  and  $ENV{ALC_DEBUG} =~ m/^[0-9]+$/  and
	debug($ENV{ALC_DEBUG});
    my $container = App::LXC::Container::Setup->new(shift);
    $container->main();
}

#########################################################################

=head2 B<update> - update LXC configuration

    App::LXC::Container::update(@containers);

=head3 parameters:

    @container          name of the container(s) to be updated

=head3 description:

This is the actual code for the wrapper script C<lxc-app-update>.

=cut

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

sub update(@)
{
    defined $ENV{ALC_DEBUG}  and  $ENV{ALC_DEBUG} =~ m/^[0-9]+$/  and
	debug($ENV{ALC_DEBUG});
    my $container = App::LXC::Container::Update->new(@_);
    $container->main();
}

#########################################################################

=head2 B<run> - run LXC configuration

    App::LXC::Container::run([@options,] $name, <program> [, <program-options>]);

=head3 parameters:

    @options            parameters for container:
                        {-d|--dir|--directory} <starting-directory>
                        {-u|--user} <user-to-be-used>
    $container          the name of the container to be run

=head3 description:

This is the actual code for the wrapper script C<lxc-app-run>.

=cut

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

sub run(@)
{
    my ($user, $dir) = ('root', '/');
    while (2 < @_  and  $_[0] =~ m/^(?:-[du]|--(?:dir|directory|user))$/)
    {
	if ($_[0] =~ m/^(-u|--user)$/)
	{   shift;   $user = shift;   }
	else
	{   shift;   $dir = shift;   }
    }
    my $name = shift;
    $name =~ m/^[A-Za-z][-A-Z_a-z.0-9]+$/  or  fatal 'bad_container_name';
    defined $ENV{ALC_DEBUG}  and  $ENV{ALC_DEBUG} =~ m/^[0-9]+$/  and
	debug($ENV{ALC_DEBUG});
    my $container = App::LXC::Container::Run->new($name, $user, $dir, @_);
    $container->main();
}

#########################################################################
# Trick to see previously stored standard error output even when Curses
# clears the screen at the very end of program:



( run in 0.493 second using v1.01-cache-2.11-cpan-39bf76dae61 )