Working with LXD

A long time ago I spun some instances on Amazon Web Services and configured my site to what it is today. There were a lot of security concerns especially at a breach level on how to react if someone exploited the PHP scripts and somehow escalated the necessary privileges to take over the server.

For that to realistically happen I would have to be a target, and thankfully I’m not a target. But, exploits and automation are a pair together these days so you never know.

Now, the first concern I had when I started studying Docker is that it seems there was little concern about security as everything has been containerized. It would be devised in a way that once you deployed your docker image it was gonna be one of those “set it and forget it” thing. But, realistically speaking, PHP and any PHP web application is always vulnerable… and from the gist of it it seems I would have to rebuild the image and redeploy.

If you were to run WordPress on Docker on the idea that it’s going to be “set it and forget it” then at some point the container has to restart so it can pick up all the security updates for the language, if any.

Devising the structure was actually quite fun. You would have the HTTP server which acts more as a load balancer/reverse proxy server than anything. It has all the certificates and the proper network access to most of what you need.

Then I would introduce two additional LXD servers. The application containers server for all things related to web applications and the persistence containers server in case I needed more than just MySQL.

As visualized on this super horrible diagram I did this is pretty much the new setup for everything.

As you would probably guess the http front server has all the certificates. It’s just a nginx server reverse proxying back to the application container(s). It is honest to God probably the most simple setup I have done in a while.

Usually I would spend days worrying about the correct permissions if I had to run multiple sites on the same server because that would mean I would have to create a new user without privileges on the server. Assign that user to PHP-FPM pool and keep it as isolated as possible. I don’t think I needed a whole lot of permissions for nginx.

With containers there’s definitely some overhead you can easily use a 1GB or more of ram in a LXD server. MySQL itself is quite a big boy when it comes to memory consumption.

I think there’s some more improvements I can do on the networking side but because these are just personal servers I can just take it slow.

Overall it’s been a learning experience with LXD. The community is amazing and there’s a lot of helpful people out there. It also comes with challenges if you aren’t really that into networking. In terms of backing up things you could create snapshots but I find that snapshots are too costly to have when all you want to do is backup the serving folder to the web.

LXD itself also presents to you the opportunity to just modularize everything. However, it doesn’t make sense making containers of the same application on the same LXD server when it comes to scaling your site…. instead you would have several LXD servers with your image and let nginx handle the balance for it with the assigned IPs.

1 comment

Leave a Reply