
Virtual Machine running on Armbian?


McStevie


Hi all,
I want to isolate Nextcloud on my BananaPro with a virtual machine.
(Background: I want to open the port in the router to sync with Nextcloud from the internet. To protect my other data (NAS with OMV, Smart Home with fhem), Nextcloud should run isolated in a virtual machine or in a Docker container.)
I have found a lot of information about Docker in this forum, but not about virtual machines.

Is, perhaps, "Own your bits" a good solution?

 

Currently running Debian Stretch with Armbian Linux 4.19.62-sunxi on Banana Pro.
It is a headless server without desktop, so the virtual machine has to be installed and configured only with CLI.
Inside the virtual machine should also run Debian without desktop.

I know the performance of a virtual machine on such a small CPU will be extremely poor. But for syncing with Nextcloud (as a low-priority background task) it does not matter.

 

Is it possible? How?

 

 

Docker is my "plan B". But let's focus only on virtual machines in this thread.

 

Thank you :-)

 


Yes, lxc seems to be the best solution if a real VM is not available.

 

I did some research and found out that Docker is based on LXC and uses the same isolation/virtualization principles.

So probably both offer the same security for exposing Nextcloud to the internet.

-> Please correct me if I'm wrong.

 

Docker is more application-centric, while pure LXC/LXD is more OS-centric.

For my use case (one application, Nextcloud) Docker seems to be more convenient.

 

I will try this Docker image from Docker Hub:

https://hub.docker.com/_/nextcloud/

 

It ships with Nextcloud and the Apache web server and is available for arm32.

 

Thank you both for your help :)


1 hour ago, McStevie said:

I did some research and found out that Docker is based on LXC and uses the same isolation/virtualization principles.

So probably both offer the same security for exposing Nextcloud to the internet.


A Docker container uses the same kernel space as the hardware.

https://stackoverflow.com/questions/32756988/what-is-meant-by-shared-kernel-in-docker


So, after spending many, many hours in the last weeks, I have tried two different solutions: Docker and LXC.

In both solutions I have installed Nextcloud, MariaDB and Apache.

I want to share my impressions for all those who come along here in search of a virtualization solution:

 

1. Docker

Docker seems to be an industry standard for containers at the moment. It is used worldwide in professional software development. For example, in my company dozens of software developers run a standardized build environment on their local machines. The focus is not on security, but on providing an isolated build environment with all dependencies inside the container and no dependencies on the rest of the machine. The benefit is that the builds on all those machines are exactly the same and reproducible. This prevents the "it works on my machine" problem.

Since Docker is used in industry, the documentation and support are really amazing and up to date.

You do not need much more than the manuals on docker.com.

I followed the instructions on https://docs.docker.com/install/linux/docker-ce/debian/

If you really want to understand what you are doing, then it will take you several hours to study the documentation. But if you just want to run through it, then it does not take long.

To install Nextcloud I used a very convenient way: just run Docker and get the Nextcloud image: https://hub.docker.com/_/nextcloud/

And, out of the box, the Nextcloud web page was available in my network.

 

Disadvantages:

The reason why I stopped this approach was:

If you stop the Docker image and start it again, then all the data inside is lost. You have to configure bind mounts (or other mechanisms) to save the configuration and the MariaDB database outside of the container.

If you want to make changes to the system (e.g. updates or installing further programs), then you have to make those changes to the "image" of the container, and then start a new container from that image.

I didn't like this, because it doesn't feel like a virtual machine at all.

 

2. LXC

LXC containers run like a full-blown operating system (it feels like a virtual machine): you can log into it, configure and install what you want, and everything stays there when you stop and start the container again.

One advantage, for example, is that I could run a Debian Buster image on my Debian Stretch machine. This was necessary because Nextcloud requires PHP >= 7.2, which is not available in Armbian Stretch.

I followed the instructions on https://linuxcontainers.org/lxc/getting-started/ and https://linuxcontainers.org/lxc/articles/

For the installation of Nextcloud you can follow the instructions on: https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#

 

Disadvantages:

LXC is not an industry standard. Not everything works out of the box, and it is not documented as well as Docker.

I had some struggles with unprivileged containers running as an unprivileged user (for security reasons: if an attacker breaks out of the container, he will be a nobody without privileges). But this makes things more complicated, for example starting the container automatically at boot. I found a lot of different "solutions" in a lot of forums, but either they did not work (perhaps because they refer to other versions of LXC or of the OS) or they were just ugly hacks. This is the reason why I have concerns about exposing the server to the internet.

OK, perhaps my problem was that I am still running Debian Stretch with LXC 2.0. Perhaps everything will be fine when you run LXC 3.0 on Debian Buster.

But in the end it runs fine on my machine locally in my home network, and I am happy at the moment.

 

My advice:

Use LXC > 3.0 on Debian Buster or later. Perhaps everything will run fine out of the box. Do not expose the server to the internet if there are other services with sensitive data (e.g. a NAS) on that machine. If you want to do that, then consider running separate hardware (without the sensitive data) instead of a container.

 

 

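As an added example, not from the thread and not the LXC project's own tooling: the post above describes the security point of unprivileged containers (container root maps to an unprivileged host uid) and the trouble with configuring them on LXC 3.x. The POSIX shell script below derives the lxc.idmap lines for such a container from the subordinate ranges in /etc/subuid and /etc/subgid, rejects overlapping or low-starting ranges, and emits the per-container config plus the matching /etc/lxc/lxc-usernet line. The host user lxcuser, the container name nextcloud, the rootfs path and the subuid/subgid file contents are constructed assumptions; the config keys are LXC 3.x syntax, and the two included files are the paths shipped by the Debian lxc package.

```shell
#!/bin/sh
# Added example, not from the thread or the LXC project: derive the uid/gid
# mapping for an unprivileged LXC 3.x container from /etc/subuid and
# /etc/subgid, sanity-check the ranges, and emit the container config.
# Assumed names: host user "lxcuser", container "nextcloud", rootfs path below.

# Constructed sample contents of /etc/subuid and /etc/subgid (not read from disk).
SAMPLE_SUBUID='root:100000:65536
lxcuser:165536:65536'
SAMPLE_SUBGID='root:100000:65536
lxcuser:165536:65536'

# Print "start:count" of the subordinate range for user $1 in the text $2.
sub_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2 ":" $3; exit }'
}

# Return 0 if no two ranges in the text $1 overlap. Overlapping ranges would
# let two host users own each other's container files.
ranges_disjoint() {
    printf '%s\n' "$1" | awk -F: 'NF == 3 { print $2, $2 + $3 - 1 }' | sort -n |
        awk 'NR > 1 && $1 <= prev_end { exit 1 } { prev_end = $2 }'
}

# Emit the config for an unprivileged container.
#   $1 = host user, $2 = rootfs path, $3 = subuid text, $4 = subgid text
lxc_unpriv_config() {
    uid_range=$(sub_range "$1" "$3")
    gid_range=$(sub_range "$1" "$4")
    if [ -z "$uid_range" ] || [ -z "$gid_range" ]; then
        echo "no subordinate uid/gid range for $1" >&2
        return 1
    fi
    ustart=${uid_range%%:*}; ucount=${uid_range##*:}
    gstart=${gid_range%%:*}; gcount=${gid_range##*:}
    # Container root must map to a host id well above the system and regular
    # accounts; a range starting below 65536 is almost certainly a mistake.
    if [ "$ustart" -lt 65536 ] || [ "$gstart" -lt 65536 ]; then
        echo "subordinate range for $1 starts below 65536" >&2
        return 1
    fi
    ranges_disjoint "$3" && ranges_disjoint "$4" || {
        echo "overlapping subordinate ranges" >&2
        return 1
    }
    cat <<EOF
# Generated for an unprivileged container (LXC 3.x syntax)
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.idmap = u 0 $ustart $ucount
lxc.idmap = g 0 $gstart $gcount
lxc.rootfs.path = dir:$2
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.start.auto = 1
lxc.start.delay = 5
EOF
}

# Line for /etc/lxc/lxc-usernet allowing user $1 to create up to $2 (default 10)
# veth devices on lxcbr0; without it an unprivileged container gets no network.
usernet_line() {
    printf '%s veth lxcbr0 %s\n' "$1" "${2:-10}"
}

# Demo with the constructed sample (writes nothing to the system).
lxc_unpriv_config lxcuser /home/lxcuser/.local/share/lxc/nextcloud/rootfs \
    "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"
usernet_line lxcuser
```

The generated text goes into ~/.local/share/lxc/nextcloud/config of the container owner (here lxcuser). One caveat that explains the autostart trouble described in the post: lxc.start.auto is only honoured by an lxc-autostart run as the same user, and the system lxc service runs it as root, so it never sees a non-root user's containers. The usual fix is a systemd user unit that runs lxc-autostart for that user, combined with `loginctl enable-linger lxcuser` so the unit starts at boot without a login session.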