[SAC] Virtualbox on Osgeo6

Martin Spott Martin.Spott at mgras.net
Sat Oct 21 15:12:31 PDT 2017


Markus Neteler and I had a little chat this morning.

We were talking about how to isolate CMSes like Wordpress in order to
reduce the potential risk that evolves from running your own.  This still
doesn't reduce the risk of potential break-ins into the CMS itself, but at
least the rest of your environment remains unaffected.

As always, there are several options:

1.) Virtualize the entire host containing web server, CMS and database.
2.) Containerize the entire host containing web server, CMS and database.
3.) Containerize the web server and CMS into one instance and the database
    into a second.
4.) Containerize the web server and CMS and run the database on the host.
5.) Choose your favourite not listed here.

Now, there's a neat virtualization technique which could have saved us from
the hassle we're facing wrt.  upgrading old VMs on both of our hosts (and
more), but it's not very popular in OSGeo land.  Moreover, virtualization
always bears more overhead than containerization, so let's keep this can of
worms closed.

Second, let's look at the containerization techniques available today, with
rkt and Docker being among the most popular ones.  They allow
containerization of just a small application environment, just to fit the
needs of a webserver, a database, whatever you like.  As far as I can tell,
rkt and Docker could even co-exist on the same host.
Moreover there's LXC, a tool I like a lot because it has so little overhead
and which I consider perfect for running even a full system at much less
overhead than in full virtualization.  They all rely on Linux Control
Groups.

Nowadays Docker is pretty bloated - but apparently "everybody" (TM) loves
it.  Therefore, hoping that it will avoid heated discussions, I'm herewith
suggesting to containerize certain services into Docker.  Note: I do *not*
suggest to let everybody containerize their garbage on OSGeo hosts in a
"fire and let others deal with the trouble they cause"-manner just because
there's a platform that would be able to run it.  Careful selection should
still remain a core principle.  I'm suggesting to dockerize the web server
and CMS parts only and keep the database instance(s) on the host, simply to
ease the database backup procedure and because I see little net benefit in
containerizing the DB as well.

A reverse proxy on the host would serve as a web gateway from outside, it
would even be able to terminate SSL encryption, if needed/wanted.

If we manage to reach consensus, then we'd start by dockerizing a new GRASS
web server instance on Osgeo6 to act as a guinea pig for the entire
procedure.

And while we're at it, I'd ask for permission to remove the remains of
VirtualBox from Osgeo6.

Cheers,
	Martin.
-- 
 Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------
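
Added example, not part of the message above and not OSGeo's actual
configuration: a Docker Compose file for the layout the message proposes
(web server and CMS in one container, database on the host, reverse proxy
on the host as the only entry point).  The WordPress image, port 8080, the
file name cms-db.env and the database and account names are assumptions
made for illustration.

```yaml
# Constructed example: web server + CMS in a container, database and
# reverse proxy on the host. All names and ports here are assumptions.
services:
  cms:
    image: wordpress              # assumption: official image; pin a tag in practice
    restart: unless-stopped
    ports:
      # Publish on loopback only, so the host's reverse proxy is the sole
      # way in from outside and can terminate TLS in front of the container.
      - "127.0.0.1:8080:80"
    extra_hosts:
      # Lets the container reach the database running on the host
      # (host-gateway needs Docker 20.10 or newer).
      - "host.docker.internal:host-gateway"
    environment:
      WORDPRESS_DB_HOST: "host.docker.internal:3306"
      WORDPRESS_DB_NAME: cms_site   # hypothetical database name
      WORDPRESS_DB_USER: cms_site   # hypothetical account, limited to that one database
    env_file:
      - ./cms-db.env                # holds WORDPRESS_DB_PASSWORD, kept out of this file
    volumes:
      - cms_data:/var/www/html      # CMS files persist across container upgrades
    security_opt:
      - no-new-privileges:true      # setuid binaries inside cannot raise privileges

volumes:
  cms_data:
```

The host database has to listen on an address reachable from the Docker
bridge, and the CMS account should be granted access to its own database
only, so that a compromised CMS cannot read other databases on the host.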