Run Docker in a Proxmox LXC Container

  • Published: 19 Aug 2024
  • If you want to run Docker on Proxmox VE (www.proxmox.com) then the documentation suggests you run Docker inside a VM. But if you tick the right two or three boxes then you can easily run Docker inside an LXC container on Proxmox VE. The key is nesting and keyctl.
    RUclips: / onemarcfifty
    Twitter: / onemarcfifty
    Github: github.com/one...
    Patreon: / onemarcfifty
    Discord: / discord
    #docker #proxmox #linux #containerization #virtualization
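As an added example (not code from the video, and not a Proxmox tool): the two settings the description names, nesting and keyctl, live in the container's config under /etc/pve/lxc/<VMID>.conf next to the unprivileged flag, and that flag decides how much a Docker escape is worth. The POSIX shell script below audits such a config and tells apart the three outcomes a practitioner cares about: unprivileged with both features on (the setup the description describes), privileged (Docker runs, but root in the container is root on the Proxmox host, which is the risk raised in the comments), and unprivileged with a feature switched off. The sample configs are constructed for the example; the `pct set <VMID> --features nesting=1,keyctl=1` command it suggests is the Proxmox CLI equivalent of ticking the boxes in the GUI.

```shell
#!/bin/sh
# Added example: audit a Proxmox LXC config for the settings a Docker host
# container needs. Proxmox keeps each container's config in
# /etc/pve/lxc/<VMID>.conf; the "features:" and "unprivileged:" keys used
# below are the real key names. The path is an argument so the functions
# can be run against a copy of a config, as in the usage at the bottom.

# Value of one feature (nesting, keyctl, fuse, ...) from the "features:" line.
# Prints 1/0; a feature listed without "=..." counts as enabled; absent is 0.
lxc_feature() {
    awk -v want="$2" '
        $1 == "features:" {
            n = split($2, kv, ",")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == want) { found = 1; print (p[2] == "" ? 1 : p[2]) }
            }
        }
        END { if (!found) print 0 }
    ' "$1"
}

# 1 if the container runs unprivileged (uid 0 inside maps to an unprivileged
# host uid), 0 if privileged (uid 0 inside is host root). A missing key means
# privileged, which is how Proxmox treats it.
lxc_unprivileged() {
    awk '$1 == "unprivileged:" { v = $2 } END { print ((v == "1") ? 1 : 0) }' "$1"
}

# Verdict for a Docker-host container. Exit codes:
#   0  unprivileged with nesting and keyctl: the setup the video describes
#   1  privileged: Docker will run, but a container escape lands as host root
#   2  unprivileged but nesting or keyctl is off: not the described setup
lxc_docker_audit() {
    conf="$1"
    unpriv=$(lxc_unprivileged "$conf")
    nesting=$(lxc_feature "$conf" nesting)
    keyctl=$(lxc_feature "$conf" keyctl)
    if [ "$unpriv" -ne 1 ]; then
        echo "$conf: PRIVILEGED container (nesting=$nesting): root in the CT is root on the PVE host"
        return 1
    fi
    if [ "$nesting" -ne 1 ] || [ "$keyctl" -ne 1 ]; then
        echo "$conf: unprivileged but nesting=$nesting keyctl=$keyctl; fix with: pct set <VMID> --features nesting=1,keyctl=1"
        return 2
    fi
    echo "$conf: unprivileged, nesting=1, keyctl=1: OK for Docker"
    return 0
}

# Constructed sample configs (not real containers) so the audit runs offline.
TMP=$(mktemp -d)
cat > "$TMP/100.conf" <<'EOF'
arch: amd64
cores: 2
features: nesting=1,keyctl=1
hostname: docker-ct
memory: 2048
ostype: debian
rootfs: local-lvm:vm-100-disk-0,size=8G
unprivileged: 1
EOF
cat > "$TMP/101.conf" <<'EOF'
arch: amd64
features: nesting=1
hostname: docker-priv
ostype: debian
EOF
lxc_docker_audit "$TMP/100.conf"
lxc_docker_audit "$TMP/101.conf" || true
rm -rf "$TMP"
```

On a real host run `lxc_docker_audit /etc/pve/lxc/<VMID>.conf` as root. Exit code 2 is a warning rather than a hard failure: the author's reply further down says keyctl only matters for unprivileged containers, and one commenter reports Docker running with only fuse and nesting, so treat the message as "not the configuration in the video" and decide for yourself.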

Comments • 72

  • @OneMarcFifty
    @OneMarcFifty 2 years ago +12

    If you try this with unprivileged containers - sorry but it turned out that the Debian version of Docker is incompatible with unprivileged containers. Please see this article here www.reddit.com/r/Proxmox/comments/t8medr/docker_inside_lxc_on_proxmox_7_failing_with_oci/

  • @haraldfielker4635
    @haraldfielker4635 9 months ago +44

    Please also tell about the Security Issues that this creates! If you "take" the Docker container, you "take" the Proxmox host. That doesn't happen in a VM.

    • @rayjaymor8754
      @rayjaymor8754 7 months ago +2

      arguably, you wouldn't run this in an environment that's exposed to the internet.
      Huge difference between doing this in a homelab, or doing this in a production server.
      Especially as in a homelab the extra overhead of a VM vs a CT is usually enough to warrant the effort.

    • @kontoname
      @kontoname 6 months ago +2

      @@rayjaymor8754 In what scenario would it warrant it? The overhead created is so tiny that it's laughable. It's literally next to no cycles and maybe half a gig of ram at MOST (as overhead).
      If you balloon it it's next to no measurable overhead at all unless you run it on super outdated first gen raspis...

    • @abb0tt
      @abb0tt 3 months ago

      @@kontoname agreed, the overhead is minimal.

  • @ch3n2k
    @ch3n2k 2 years ago +7

    I'm doing the same on Proxmox VE. LXC helps with network setup (a dedicated public IP per LXC container) and docker helps deploy the applications.

    • @OneMarcFifty
      @OneMarcFifty 2 years ago

      Hi, many thanks for the feedback. That's a great explanation!

    • @daro_
      @daro_ 2 years ago +2

      You don't need separate LXC containers to get dedicated public IPs. You can have 1 LXC and docker networks can give you different IPs.

  • @rklauco
    @rklauco 1 year ago +7

    I got confused a bit - I guess it deserves a bit longer video.

    • @OneMarcFifty
      @OneMarcFifty 1 year ago +7

      Hi Robert - fair enough - I might pick that up some time (maybe in a larger tutorial)

  • @ayan.debnath
    @ayan.debnath 2 years ago +5

    AWESOME TIP.
    Pls make another video - I need to run Oracle Express Database (to test query optimization of office work) in Proxmox.

    • @OneMarcFifty
      @OneMarcFifty 2 years ago

      Hey, thank you very much. Unfortunately I am not using Oracle DB ;-(

    • @ayan.debnath
      @ayan.debnath 2 years ago +1

      @@OneMarcFifty :(

  • @arghyl
    @arghyl 2 years ago +1

    I'm going to try this RIGHT NOW!!!

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +1

      Awesome - let me know if it worked !

    • @arghyl
      @arghyl 2 years ago +1

      It worked out great! I wanted to thank you for your content, in specific, anything related to proxmox! You've opened my eyes as to what it can do! Thank you!

    • @OneMarcFifty
      @OneMarcFifty 2 years ago

      Excellent! Glad it helped ;-)

  • @wjffhfgj7045
    @wjffhfgj7045 2 years ago +7

    Personally I use a VM with Alpine Linux to take fewer resources, through Vagrant, and then I install Docker

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +2

      Totally valid solution. Gives you better isolation between Docker and Proxmox.

  • @rvanwaay
    @rvanwaay 2 years ago +10

    I installed docker on the proxmox host, but maybe I'd better do this approach

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +10

      Yeah - much better to run it in a container or VM - installing Docker on the host can mess up networking

    • @sergeantsapient
      @sergeantsapient 1 year ago +4

      I recommend it as the whole point of Proxmox is compartmentalizing your services. If you need to restart the host running Docker you can do it without restarting Proxmox.

  • @rachidyekini1898
    @rachidyekini1898 2 years ago +1

    Good stuff as usual, thanks Marc.
    Not sure but I think I have read somewhere that proxmox makes SSD life shorter if installed on it, I hope you could explain this in one of your next videos. Cheers

    • @schmitzi99
      @schmitzi99 2 years ago +2

      That sounds odd. A server OS shouldn't do a lot of IO unless you run applications on it. Also keep in mind that a puny consumer SSD can write like 100+TB of storage before it's no longer under warranty (and not yet even broken).

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +1

      I‘ll have a look into that! Thanks for the feedback!

    • @marcogenovesi8570
      @marcogenovesi8570 2 years ago +1

      I haven't seen this in my homelab with 2 proxmox hosts. I also don't see why it should. The SSDs that are getting "consumed" are the ones used for VM storage. But that's because the VMs are doing writes, that's expected

    • @gabrielporto.mikrotik
      @gabrielporto.mikrotik 1 year ago +1

      I have a Dell R210II with a consumer grade 128GB 2.5” SSD to boot proxmox, running 24/7 for about a year now. No problem at all. TGFT

  • @schmitzi99
    @schmitzi99 2 years ago +1

    cool video format!

  • @fallen4021
    @fallen4021 2 days ago

    While you can do that and will save yourself a couple of MBs, this is a big security risk.

  • @Felix-ve9hs
    @Felix-ve9hs 2 years ago +4

    Just keep in mind that if your Proxmox VE Host uses zfs, you might run into problems with some docker containers (vfs etc.)

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +1

      You mean this issue here right? github.com/moby/moby/issues/41055

    • @Felix-ve9hs
      @Felix-ve9hs 2 years ago +2

      @@OneMarcFifty Exactly, my Nginx Proxy Manager container exploded in size because of this :)

    • @ayan.debnath
      @ayan.debnath 2 years ago

      Thanks for the Tip.
      What FS are you using?

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +1

      I use a "classic" ext4 file system

    • @RomanShein1978
      @RomanShein1978 2 years ago

      I suggest migrating the container disk to zvol then.
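As an added example (not from the video and not Docker's own code): the symptom behind the thread above is visible in `docker info`. When Docker cannot use overlay2 on the container's backing filesystem it falls back to the vfs driver, which stores every image layer as a full copy, and that is why an image can "explode in size". The shell functions below parse `docker info` output for the storage driver and backing filesystem and, for vfs, print the remediation mentioned later in the comments (a separate ext4 volume mounted at /var/lib/docker). The `docker info` text here is a constructed sample so the check runs offline; the `pct set ... --mp0` command in the message is the standard Proxmox mount-point syntax with the storage name and size left as placeholders.

```shell
#!/bin/sh
# Added example: run inside the Docker LXC container to see which storage
# driver dockerd picked. The key names ("Storage Driver", "Backing
# Filesystem") are the ones `docker info` prints; the sample text at the
# bottom is constructed, not captured from a real host.

# Print the value of a "Key: value" line from `docker info` text on stdin.
# Leading whitespace is stripped first because the Server section is indented.
docker_info_field() {
    awk -v key="$1:" '
        { sub(/^[ \t]+/, "") }
        index($0, key) == 1 {
            v = substr($0, length(key) + 1); sub(/^[ \t]+/, "", v); print v; exit
        }
    '
}

# Verdict from `docker info` text on stdin:
#   0  overlay2: layers are stacked, no copying
#   1  vfs: every layer is a full copy; move /var/lib/docker to an ext4 volume
#   2  anything else or no driver found: check manually
docker_driver_check() {
    info=$(cat)
    driver=$(printf '%s\n' "$info" | docker_info_field "Storage Driver")
    fs=$(printf '%s\n' "$info" | docker_info_field "Backing Filesystem")
    case "$driver" in
        overlay2)
            echo "storage driver overlay2 on ${fs:-unknown}: OK"
            return 0 ;;
        vfs)
            echo "storage driver vfs on ${fs:-unknown}: every layer is a full copy."
            echo "Fix from the PVE host: pct set <VMID> --mp0 <storage>:<size-in-GB>,mp=/var/lib/docker"
            echo "(new ext4 volume at /var/lib/docker), then pull the images again."
            return 1 ;;
        *)
            echo "storage driver '${driver:-none}': check manually"
            return 2 ;;
    esac
}

# Constructed sample shaped like the Server section of `docker info` on a
# container where Docker fell back to vfs.
SAMPLE_VFS='Client: Docker Engine - Community
 Version:    27.0.3
Server:
 Containers: 3
 Server Version: 27.0.3
 Storage Driver: vfs
 Logging Driver: json-file
 Cgroup Driver: systemd'
printf '%s\n' "$SAMPLE_VFS" | docker_driver_check || true

# On a real container: docker info | docker_driver_check
```

Images already written under vfs are not converted when the driver changes; after mounting the ext4 volume, Docker starts with an empty /var/lib/docker and the images have to be pulled again, which is why the message says so.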

  • @daysiewaysie
    @daysiewaysie 1 year ago +1

    Hi Marc, and thank you for the tip. I'm using your option 1, privileged container, so I am wondering what additional risks there may be if I was running in a production environment (I'm not, it's just my own learning home lab...but if I were.... ?). I also went for the turnkey core container, because it was right there in the templates, ready to deploy and I figured it would make for a lightweight host in which to run docker containers.

    • @OneMarcFifty
      @OneMarcFifty 1 year ago +1

      The general challenge/Risk with privileged containers is that someone who breaks into the container can also break into the host system. That means that the isolation between the host and the guest is not that strong. It's better with an unprivileged container and best with a VM. The Turnkey containers are nice. Just some of them are still running on older versions of Debian and might need an apt dist-upgrade or the like.

    • @daysiewaysie
      @daysiewaysie 1 year ago +1

      @@OneMarcFifty thank you so much for the reply, I'll keep these points in mind going forwards (applying best practices even if I am only doing homelab stuff). I plan on exploring high-level ansible next and will create testing hosts as non-privileged and with keyctl & nesting enabled. I'll be interested to see if I notice any differences (restrictions). Cheers, have a great day.

  • @MaxBauer255
    @MaxBauer255 7 months ago

    Hi @OneMarcFifty Is it possible to use Fedora CoreOS instead of Debian for the LXC-Container?

  • @Berecutecu
    @Berecutecu 1 year ago

    Marc, I'm trying to learn Linux creating a media server at my home. I'm looking to set up Proxmox and have two server distros installed in containers (one as a backup in case something happens with the main one). I was wondering if I should use Docker, is this a bit advanced for my use case?

  • @HyuLilium
    @HyuLilium 1 year ago +2

    Why does keyctl need to be enabled? I have docker running on LXC without keyctl

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Hi, you only need it with unprivileged containers. Keyctl is a system call which will be allowed by the setting

    • @HyuLilium
      @HyuLilium 1 year ago

      @@OneMarcFifty I am running an unprivileged container with docker and portainer is running there. I have enabled only fuse and nesting. Fuse allows me to use the fuse-overlayfs file system. Keyctl doesn't seem to do anything at all so I keep it disabled.

  • @dominick253
    @dominick253 8 months ago

    Can't that lead to some kernel issues? Making it privileged can have it change the kernel and bork the proxmox install?

  • @yboujraf
    @yboujraf 6 months ago

    Dear,
    So to host Docker in an LXC container you enable keyctl, nesting AND keep it unprivileged. Is that right?

  • @abb0tt
    @abb0tt 3 months ago

    Or go down the Kubernetes rabbit hole 🐇🕳️🥰

  • @sheldonkupa9120
    @sheldonkupa9120 2 years ago +1

    👍👏Yeah that ez😜

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +2

      In theory ;-)

    •  11 months ago

      @@OneMarcFifty It always sounds easy in theory :D

  • @Currysuechtig
    @Currysuechtig 1 month ago

    Just don't do that. VMs are just so much better for isolation, backup and migration. And if you are creating the Docker LXC container on a ZFS filesystem, you have to create an ext4 disk on top of that for /var/lib/docker as a workaround.
    Best practice is to not even create a single LXC container and just rely on VMs and Docker containers.

  • @michaelgleason4791
    @michaelgleason4791 1 month ago

    I just used the template...

  • @user-sn1qp2xq8l
    @user-sn1qp2xq8l 1 year ago +1

    👍

  • @albarkapeshwar5418
    @albarkapeshwar5418 1 year ago

    where is Details Video ?

  • @pojomcbooty
    @pojomcbooty 1 year ago +1

    I liked proxmox but one day it just failed on me and was a pain to fix so I switched to ESXi and never looked back

  • @fastmover45
    @fastmover45 2 years ago +1

    Plus one comment

  • @redetermine
    @redetermine 1 month ago

    this is unsupported, i found out the hard way once.

  • @etebong
    @etebong 3 months ago

    But why tho

  • @giorgos-cf2rv
    @giorgos-cf2rv 4 months ago

    NO, LXC containers are NOT meant for Docker, they break all the time. Please don't

  • @Meerkat000
    @Meerkat000 9 months ago

    Gosh this video keeps popping up for me and I truly hate it

  • @member5003
    @member5003 2 years ago +1

    Or just ssh and install docker?

    • @OneMarcFifty
      @OneMarcFifty 2 years ago

      Yeah - well no - if the container is not configured correctly it won‘t work because the /proc filesystem is not exposed ;-)

    • @member5003
      @member5003 2 years ago +1

      Proxmox is just Debian under the hood, if you ssh into the proxmox machine and run the command for a Debian docker install you will get docker running natively on Debian

    • @OneMarcFifty
      @OneMarcFifty 2 years ago

      Oh you mean on the host directly - of course that’s a third option

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +1

      Hang on - I have thought this over. Installing Docker directly on the Proxmox host has side effects! Not so much with regards to virtualization - that should work. But rather with networking! If you only have one network interface defined on your Proxmox host then this is fine. But Docker adds additional networks and also ENABLES IPv4 FORWARDING. That means that your Proxmox host becomes a router! Also, Docker adds forwarding rules for the bridge network etc. so that might interfere with your Proxmox firewall. In a nutshell - I wouldn't do it if my Proxmox host had access to multiple networks.

    • @stephendetomasi1701
      @stephendetomasi1701 2 years ago +2

      Please don't install docker on the Proxmox host. If you break something you're basically screwed, rolling back a host snapshot is not going to be practical.
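As an added example (not from the video): the side effects listed in the author's reply above can be checked on a host rather than taken on faith. Docker sets net.ipv4.ip_forward=1, creates its own iptables chains (DOCKER, DOCKER-USER, DOCKER-ISOLATION-STAGE-1/2), hooks them into the FORWARD chain, and sets the FORWARD policy to DROP. The POSIX shell script below looks for exactly that footprint. It takes the ip_forward value and `iptables -S` text as inputs so it runs here against a constructed sample, and the small live wrapper runs the real commands on a host.

```shell
#!/bin/sh
# Added example: detect the networking changes dockerd makes on the host it
# runs on. Chain names and the FORWARD policy are the ones Docker installs
# by default; the sample rules at the bottom are constructed, not captured.

# $1 = value of net.ipv4.ip_forward, stdin = `iptables -S` output.
# Prints one finding per line; returns 1 if any Docker footprint is present,
# 0 if the host looks untouched.
docker_net_footprint() {
    hits=0
    if [ "$1" = 1 ]; then
        echo "ip_forward=1: the host routes between its interfaces"
        hits=$((hits + 1))
    fi
    rules=$(cat)
    chains=$(printf '%s\n' "$rules" | awk '$1 == "-N" && $2 ~ /^DOCKER/ { print $2 }' | tr '\n' ' ')
    if [ -n "$chains" ]; then
        echo "docker chains present: $chains"
        hits=$((hits + 1))
    fi
    if printf '%s\n' "$rules" | grep -q '^-P FORWARD DROP$'; then
        echo "FORWARD policy is DROP (set by dockerd): forwarded traffic not matched by a Docker rule is dropped"
        hits=$((hits + 1))
    fi
    if printf '%s\n' "$rules" | grep -q '^-A FORWARD .*-j DOCKER'; then
        echo "FORWARD jumps into Docker chains ahead of any host rules appended later"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}

# Run on a real host (needs root for iptables).
docker_net_footprint_live() {
    iptables -S | docker_net_footprint "$(sysctl -n net.ipv4.ip_forward)"
}

# Constructed sample of what `iptables -S` looks like after a default Docker
# install (not captured from a real host).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN'
printf '%s\n' "$SAMPLE_RULES" | docker_net_footprint 1 || echo "=> Docker has changed host routing/filtering"
```

On a Proxmox host with its own firewall enabled, the PVE firewall chains and the Docker chains both live in FORWARD, so which one sees a packet first depends on insertion order; that ordering is the interference the reply above warns about, and the findings printed here are the first thing to look at when a VM's traffic is unexpectedly dropped after Docker was installed on the host.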

  • @basdfgwe
    @basdfgwe 1 year ago

    Running a container inside a container doesn't seem right 😂

    • @BobSmith42
      @BobSmith42 11 months ago

      This is the third level of Inception. But don't worry, it's contained.

  • @user-se2ee8fz1p
    @user-se2ee8fz1p 1 year ago +2

    Not every docker image works smoothly in this way, e.g. appsmith. So I moved away from it and am running a VM for docker