disable lxc services

[RolandK]

is it safe to disable these services if you won't need/use lxc ?

pve-t620# systemctl --all|grep lxc
  var-lib-lxcfs.mount                                                                                        loaded    active     mounted   /var/lib/lxcfs
  lxc-monitord.service                                                                                       loaded    active     running   LXC Container Monitoring Daemon
  lxc-net.service                                                                                            loaded    active     exited    LXC network bridge setup
  lxc.service                                                                                                loaded    active     exited    LXC Container Initialization and Autoboot Code
  lxcfs.service                                                                                              loaded    active     running   FUSE filesystem for LXC
  pve-lxc-syscalld.service                                                                                   loaded    active     running   Proxmox VE LXC Syscall Daemon

 

[fabian]

why? they don't do anything load-wise if no containers are running, and it's not tested that there isn't something that relies on them being there..

 

[RolandK]

i like it to have knowledge about my systems and i like thinking modular.

i don't like running unnecessary services whatever ressources they need.

from a security aware perspective, it's always good to think minimalistic: switch off what isn't needed, so it can't be hacked, or causing any sort of problem.

there are at least 3 lxc related processes and there is a lxc fuse mount

if they are relevant to proxmox even if lxc is not being used, i simply like to know what's their role/purpose in proxmox and how are they tied to the rest of the system.

would you want samba processes on your fileserver if you know that you are only using nfs for the next years ?
would you be happy if some debian maintainer tells "oh, it's not tested what happens if you shutdown samba? better leave it up and running!"

 

[fabian]

LXC functionality is a core component of PVE though. you can obviously try running PVE with all sorts of parts disabled/stopped, but it might mean breakage (either now, or down the line with upgrades). it's simply an untested configuration with a higher risk of things going wrong.

there are at least 3 lxc related processes and there is a lxc fuse mount

yes, the others (lxc.service and lxc-net.service) are just bootup oneshot services (from regular LXC, not PVE-managed LXC, so they are a no-op if you haven't set up manual LXC in any fashion).

lxcfs is the fuse file system responsible for providing a containerized view of /proc inside containers (it gets mounted into the container to overlay certain files in /proc)
pve-lxc-syscalld is a service written by us to filter/handle certain syscalls from processes within containers
lxc-monitord is a legacy/compat service (modern LXC containers provide their state directly via their command sockets, and any tools using it like lxc-monitor will spawn their own copy if needed anyway)

they are pretty much all related to starting/running containers - I don't *think* there is any part relying on either of these services running, provided you don't have any containers configured - but again, this is not something that we regularly test or guarantee to be or remain the case!

 

[RolandK]

thanks for long explanation! very valuable!

i will try running the services disabled on my home/test server.