
Docker being an application container and not a system container like LXD, is it possible to use a Linux OS Docker image (say, for Ubuntu or Centos) to teach myself Linux, OS-level networking by creating a bunch of lightweight instances and then experimenting with things like NAT, bridging, routing, proxies (various kinds), firewall (iptables)... ?

Basically, I do not want to use a heavyweight solution like VirtualBox because I would like to be able to have multiple Linux OS instances in various setups, so the lighter my instances the better.

With LXD, the one issue I see is: Unless I use ZFS or BTRFS type file-system, I won't be able to save on disk space.

EDIT: My host OS is Ubuntu 20.04, not Windows.

Harry
    With Ubuntu Snapcraft-installed LXD, ZFS isn't too hard to configure: LXD will setup a "disk image" in ZFS and use it for containers, while that image is just a single file in your host filesystem, just like all those "virtual disks" from VMs. – iBug May 14 '21 at 00:42
  • I have heard bad things about ZFS on low-end systems - it being a memory and a disk-space hog. So, even if it'll reside within a disk file, how much net space I'll be left with to use and how much memory it will hog, is something I'm not sure of. So, you're recommending LXD, then? – Harry May 14 '21 at 00:52
    Either should be OK. The "ZFS virtual disk" is also CoW so its size represents roughly the amount of data, or i.e. it's not "preallocated". – iBug May 14 '21 at 00:53
    Also: I didn't experience any memory issue with LXD's "ZFS virtual disk" setup but YMMV. – iBug May 14 '21 at 00:54
  • Sure. Minimally, I did expect the ZFS virtual disk to grow only on an as-needed basis (much like VirtualBox's .vdi files). My concern was, the internal overhead that comes with ZFS. Meaning, the sheer disk-space overhead of ZFS itself (relative to, say, ext4), regardless of whether it's inside a file or on a full drive/partition itself. However, I'm willing to give it a try now. – Harry May 14 '21 at 01:03

1 Answer


Quick answer: Yes.

As far as networking is concerned, Docker containers and LXC/LXD containers are both good for your purpose.

Containers on Linux are implemented with various isolation techniques, including namespaces, seccomp, cgroup, among others. The core here is network namespace (CLONE_NEWNET in clone(2)), which creates an exact copy of the host's network stack, with an independent set of network interfaces, routing tables and rules, firewall (iptables or netfilter) etc., making it suitable for experimenting with network setup.

The only thing to note is that containers usually don't have access to "dangerous" actions to the host kernel, like managing kernel modules. For this reason, if you're experimenting with stuff like WireGuard, you'll have to install the module on the host side. Other than that I see no problem doing network experiments with containers, be it Docker or LXD.


For your concern of configuring and maintaining ZFS / Btrfs, I recommend going with LXD (installed from Snapcraft) which comes with ZFS support. Using the default setup guide (`lxd init`), you'll be able to create a "virtual disk" in ZFS format that supports all the advanced features, while remaining as simple as a single file in your host system. It should reside in /var/snap/lxd/common/lxd/disks. (I can't remember too many details on this because I've since migrated my host setup to ZFS so I'm using ZFS directly).

iBug
  • Appreciate your post! +1. Docker, I think, has a weird networking interface. For example, its bridging setup can be (must be?) done via command-line args from "outside" of the (OS) container, which isn't something I'm happy about. Once the container gets assigned an IP address any which way (even the Docker way, from "outside" of the container!), I'd like to be able to use standard Linux-OS-only commands and methods to deal with other sibling OS container nodes. Is this possible with Docker? – Harry May 14 '21 at 00:58
    @Harry The host OS can always access container's network namespace (`nsenter` or `ip netns exec`) and do stuff. As far as I can tell, Docker doesn't do anything special to the container's networking after the initial setup, so you can just ignore that and make your own setup. Persistence across container restarts might need special care, though. – iBug May 14 '21 at 01:02
  • could you please elaborate a bit on "Persistence across container restarts"? If I have a stopped-container (with an altered network config), or even better -- if I have snapshot it -- what other "special care" would I need to take? Btw, is there a book or online resource that uses Docker to teach what I'm trying to learn? – Harry May 14 '21 at 01:08
    @Harry Since namespaces are created on-the-fly, any custom setup will be lost when the container is stopped. LXD does no initial setup and relies on services inside the system to configure themselves, like Netplan or NetworkManager. Docker, on the other side, configures network for containers, so with Docker you'll have to save your configuration to files or scripts for easier restoration across container restarts. – iBug May 14 '21 at 01:19
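The answer and its comments make three points that are easier to see in a script than in prose: a network namespace gives each node its own interfaces, routes and netfilter tables; the host can always reach into a node's namespace (`ip netns exec` for a bare namespace, `nsenter` for a Docker container); and because namespaces are created on the fly, the setup should live in a script so it can be replayed after a restart. The following is an added example written for this page, not code from the original post or from Docker or LXD. It builds a two-node lab from plain network namespaces, joined by a bridge, with the host doing NAT for them. The namespace names (`lab1`, `lab2`), bridge name (`labbr0`), interface names and the `10.99.0.0/24` prefix are arbitrary lab choices; applying the commands needs root (CAP_NET_ADMIN) on the host, and the `sysctl` and `iptables` lines change host-wide state, because every namespace shares the one kernel.

```shell
#!/bin/sh
# Added example (not from the original post): a two-node network lab built
# from plain network namespaces, the primitive both Docker and LXD rely on.
# Namespace, bridge, interface and address names below are arbitrary lab
# choices. Applying the commands needs root (CAP_NET_ADMIN) on the host.
set -eu

LAB_BRIDGE=labbr0
LAB_NET=10.99.0.0/24
LAB_GW=10.99.0.1

# Print the setup as a command list. Keeping the configuration in a script
# rather than typing it interactively is the point made in the comments:
# the namespaces vanish when the node stops, the script does not.
lab_up_commands() {
    cat <<EOF
ip link add $LAB_BRIDGE type bridge
ip addr add $LAB_GW/24 dev $LAB_BRIDGE
ip link set $LAB_BRIDGE up
EOF
    for node in 1 2; do
        # Each node: its own netns, one veth pair with the host end enslaved
        # to the bridge and the other end moved into the node and renamed.
        cat <<EOF
ip netns add lab$node
ip link add veth$node type veth peer name veth${node}-ns
ip link set veth$node master $LAB_BRIDGE up
ip link set veth${node}-ns netns lab$node
ip -n lab$node link set veth${node}-ns name eth0
ip -n lab$node link set lo up
ip -n lab$node addr add 10.99.0.$((10 + node))/24 dev eth0
ip -n lab$node link set eth0 up
ip -n lab$node route add default via $LAB_GW
EOF
    done
    # Host-global state: forwarding is a kernel-wide sysctl, and the NAT rule
    # lives in the host's nat table. Masquerade only the lab prefix, and only
    # for packets leaving via something other than the lab bridge itself.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAB_NET ! -o $LAB_BRIDGE -j MASQUERADE
EOF
}

lab_down_commands() {
    echo "iptables -t nat -D POSTROUTING -s $LAB_NET ! -o $LAB_BRIDGE -j MASQUERADE"
    for node in 1 2; do
        echo "ip netns del lab$node"   # deleting the netns destroys its veth end too
    done
    echo "ip link del $LAB_BRIDGE"
}

# Run a command inside one lab node: the host-side view into the node's stack
# that the answer's comments describe. iptables run this way edits only the
# node's own tables, so firewall experiments stay inside the node.
lab_exec() {
    node=$1; shift
    ip netns exec "lab$node" "$@"
}

# Same idea for a Docker container, which has no name under /var/run/netns:
# enter the network namespace of the container's init process with nsenter.
docker_netns_exec() {
    ctr=$1; shift
    nsenter --target "$(docker inspect -f '{{.State.Pid}}' "$ctr")" --net "$@"
}

case "${1:-}" in
    up)   lab_up_commands | sh -eux ;;
    down) lab_down_commands | sh -ux ;;
    show) lab_up_commands ;;
    exec) shift; lab_exec "$@" ;;
    "")   : ;;
    *)    echo "usage: $0 up|down|show|exec NODE CMD..." >&2; exit 2 ;;
esac
```

Usage: `sudo ./netlab.sh up`, then `sudo ./netlab.sh exec 1 ping -c1 10.99.0.12` to confirm the two nodes see each other across the bridge, and `sudo ./netlab.sh exec 1 ip route` or `sudo ./netlab.sh exec 1 iptables -L -n` to confirm the node carries its own routing table and its own (initially empty) filter rules, independent of the host's. `sudo ./netlab.sh down` removes everything, including the host NAT rule; `./netlab.sh show` prints the commands without running them so the configuration can be reviewed or committed alongside a container setup. The `up` path stops at the first failing command, so a half-built lab is visible rather than silently left behind.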