Wow, shows how busy I was to not post here in over a year. In fact, right at the year mark I added a new RouterBoard CCR1009 to my setup, having had such good luck with the CRS109. It’s quite fantastic in my book!
But onto the topic at hand. Today I managed to finally make some forward progress with using lxc containers on Ubuntu. I had been testing it a bit while trying to deploy OpenStack on my workstation, but ended up using standard virtualization (KVM in my case) to get that working. Today I had a really good use case to try out lxc containers on a small scale. I have been testing some Linux-based NVR software to capture recordings of a simple IP camera we have set up. The camera is to see if we want to invest in buying nicer security cameras and mounting them to our house. I won’t get into why I’m not getting a Nest camera, or a Ring doorbell camera. If you know me, you know why I don’t like the idea of those.
Anyways, I’m using DigitalWatchdog’s Spectrum software. Before Open Source advocates bust me on it, yes I tried ZoneMinder and I liked it, but it is just way too resource hungry for what it does. It likes to crush my Ubuntu NAS. By contrast, Spectrum runs extremely well and can capture full video (as opposed to JPEG like ZoneMinder seems to like to do). I’m all about Open Source, but in this case, Spectrum works really well and I needed something solid since it is for home security, after all.
As good as Spectrum seems to be, there are a few big gotchas. The service likes to run as root and likes to create its storage directories in really weird places. No doubt it is designed to run primarily on a dedicated server or VM. I may do that at some point, but for our tiny test setup, it didn’t make any sense to do that. But I don’t want it running as root on my NAS, for sure. Originally I simply modified the init script to run as a non-root user, and after some permission adjustments, despite what DW has said, it seems to run just fine. But I soon realized that containers can help avoid having to do customized stuff and improve my security even more without adding a lot of overhead. If my NAS were more powerful, I might look at a full virtualized setup, but given the space requirements, among other things, containers seem like a great fit!
I did have to end up making a small change to Spectrum’s init script. It wants to adjust umask settings, which LXC does not currently support via unprivileged containers. I also had to install some packages apt-get didn’t catch for some reason, which caused some confusion. And I set up the container to use macvlan instead of the bridged mode. This let me assign an IP address to the container directly and vastly simplified the networking aspect of the whole thing. I also learned that /var/log/upstart exists – who knew! Overall it’s working quite well and using nearly the same resources it did when it was running directly on my NAS.
I’m a big fan, in short. And plan on perhaps setting up containers for Dropbox and Plex as well.
I realize the post is light on details so here’s some information to get started with containers: