maybe finish LXD post?

This commit is contained in:
Amolith 2023-09-18 01:47:33 -04:00
parent 47bc405d8a
commit 547b0c29f0
Signed by: Amolith
GPG Key ID: 8AE30347CE28D101
1 changed files with 35 additions and 8 deletions

View File

@ -39,6 +39,11 @@ migrate as soon as there's an installable release.
{{< /adm >}} {{< /adm >}}
Questions, comments, and corrections are welcome! Feel free to use the
self-hosted comment system at the bottom, send me an email, an IM, reply to the
fediverse post, etc. Edits and corrections, if there are any, will be noted just
below this paragraph.
## The benefits of VMs and containers ## The benefits of VMs and containers
- **Isolation:** you don't want to allow an attacker to infiltrate your email - **Isolation:** you don't want to allow an attacker to infiltrate your email
@ -362,12 +367,37 @@ entered. You should see the home page with just the text `earl` on it. If you go
to `/login`, you'll be able to enter whatever access token you set earlier and to `/login`, you'll be able to enter whatever access token you set earlier and
log in. log in.
### Executing a fork bomb ### Further tips
One of the things you mind want to do post-installation is mess around with
profiles. There's a `default` profile in LXD that you can show with `lxc profile
show default`.
``` text
$ lxc profile show default
config: {}
description: Default LXD profile
devices:
eth0:
name: eth0
network: lxdbr0
type: nic
root:
path: /
pool: default
type: disk
name: default
used_by: []
```
Not all config options are listed here though; you'll need to read [the
documentation] for a full enumeration.
[the documentation]: https://documentation.ubuntu.com/lxd/en/latest/config-options/
I've seen some people say that executing a fork bomb from inside a container is I've seen some people say that executing a fork bomb from inside a container is
equivalent to executing it on the host. The fork bomb will blow up the whole equivalent to executing it on the host. The fork bomb will blow up the whole
system and render every application and container you're running inoperable. system and render every application and container you're running inoperable.
That's partially true because LXD _by default_ doesn't put a limit on how many That's partially true because LXD _by default_ doesn't put a limit on how many
processes a particular container can spawn. You can limit that number yourself processes a particular container can spawn. You can limit that number yourself
by running by running
@ -380,12 +410,9 @@ Any container you create under the `default` profile will have a total process
limit of `<num-processes>`. I can't tell you what a good process limit is limit of `<num-processes>`. I can't tell you what a good process limit is
though; you'll need to do some testing and experimentation on your own. though; you'll need to do some testing and experimentation on your own.
Note that this doesn't _save_ you from fork bombs, all it does is prevent an As stated in [the containers section,](#containers) this doesn't _save_ you from
affected container from affecting _other_ containers. If someone executes a fork fork bombs. It just helps prevent a fork bomb from affecting the host OS or
bomb in a container, it'll be the same as if they executed it in a virtual other containers.
machine; assuming it's a one-off, you'll need to fix it by rebooting the
container. If it was set to run at startup, you'll need to recreate the
container, restore from a backup, revert to a snapshot, etc.
[^1]: [^1]:
There's a [technical There's a [technical