this post was submitted on 13 Dec 2023
233 points (97.9% liked)

Selfhosted

40487 readers
251 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I'm a retired Unix admin. It was my job from the early '90s until the mid '10s. I've kept somewhat current ever since by running various machines at home. So far I've managed to avoid using Docker at home even though I have a decent understanding of how it works - I stopped being a sysadmin in the mid '10s, I still worked for a technology company and did plenty of "interesting" reading and training.

It seems that more and more stuff that I want to run at home is being delivered as Docker-first and I have to really go out of my way to find a non-Docker install.

I'm thinking it's no longer a fad and I should invest some time getting comfortable with it?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 11 months ago (2 children)

Why wouldn't you want to use containers? I'm curious. What do you use now? Ansible? Puppet? Chef?

[–] [email protected] 6 points 11 months ago (2 children)

Currently no virtualisation at all - just my OS on bare metal with some apps installed. Remember, this is a single machine sitting in my basement running Samba and a couple of other things - there's not much to orchestrate :-)

[–] [email protected] 5 points 11 months ago

Oh, I thought you had multiple machines.

I use docker because each service I use requires different libraries with different versions. With containers, that doesn't matter. It also provides some rudimentary security. If an attacker gets in, they'll have to break out of the container first to get at the rest of the system. Each container can run with a different user, so even if they do get out of the container, at worst they'll be able to destroy the data they have access to - well, they'll still see other stuff in the network, but I think it's better than being straight pwned.

[–] [email protected] 1 points 11 months ago

It makes deployments a lot easier once you have the groundwork laid (writing your compose files). If you ever need to nuke the OS reinstalling and configuring 20+ apps can only take a few minutes (assuming you still have the config data, which should live outside of the container).

For example, setting up my mediaserver, webserver, SQL server, and usenet suit of apps can take a few hours to do natively. Using Docker Compose it takes one command and about 5-10 minutes. Granted, I had to spend a few hours writing the compose files and testing everything, along with storing the config data, but just simply backing up the compose files with git means I can pull everything down quickly. Even if I don't have the config files anymore it probably only takes like an hour or less to configure everything.

[–] [email protected] 0 points 11 months ago (4 children)

Not OP, but, seriously asking, why should I? I usually still use VMs for every app i need. Much more work I assume, but besides saving time (and some overhead and mayve performance) what would I gain from docker or other containers?

[–] [email protected] 7 points 11 months ago (1 children)

One of the things I like about containers is how central the IaC methodology is. There are certainly tools to codify VMs, but with Docker, right out of the gate, you'll be defining your containers through a Dockerfile, or docker-compose.yml, or whatever other orchestration platform. With a VM, I'm always tempted to just make on the fly config changes directly on the box, since it's so heavy to rebuild them, but with containers, I'm more driven to properly update the container definition and then rebuild the container. Because of that, you have an inherent backup that you can easily push to a remote git server or something similar. Maybe that's not as much of a benefit if you have a good system already, but containers make it easier imo.

[–] [email protected] 1 points 11 months ago (1 children)

Actually only tried a docker container once tbh. Haven't put much time into it and was kinda forced to do. So, if I got you right, I do define the container with like nic-setup or ip or ram/cpu/usage and that's it? And the configuration of the app in the container? is that IN the container or applied "onto it" for easy rebuild-purpose? Right now I just have a ton of (big) backups of all VMs. If I screw up, I'm going back to this morning. Takes like 2 minutes tops. Would I even see a benefit of docker? besides saving much overhead of cours.

[–] [email protected] 2 points 11 months ago* (last edited 11 months ago) (1 children)

You don't actually have to care about defining IP, cpu/ram reservations, etc. Your docker-compose file just defines the applications you want and a port mapping or two, and that's it.

Example:

***
version: "2.1"
services:
  adguardhome-sync:
    image: lscr.io/linuxserver/adguardhome-sync:latest
    container_name: adguardhome-sync
    environment:
      - CONFIGFILE=/config/adguardhome-sync.yaml
    volumes:
      - /path/to/my/configs/adguardhome-sync:/config
    ports:
      - 8080:8080
    restart:
      - unless-stopped

That's it, you run docker-compose up and the container starts, reads your config from your config folder, and exposes port 8080 to the rest of your network.

[–] [email protected] 1 points 11 months ago (1 children)

Oh... But that means I need another server with a reverse-proxy to actually reach it by domain/ip? Luckily caddy already runs fine 😊

Thanks man!

[–] [email protected] 2 points 11 months ago (1 children)

Most people set up a reverse proxy, yes, but it's not strictly necessary. You could certainly change the port mapping to 8080:443 and expose the application port directly that way, but then you'd obviously have to jump through some extra hoops for certificates, etc.

Caddy is a great solution (and there's even a container image for it 😉)

[–] [email protected] 1 points 11 months ago

Lol...nah i somehow prefer at least caddy non-containerized. Many domains and ports, i think that would not work great in a container with the certificates (which i also need to manually copy regularly to some apps). But what do i know 😁

[–] [email protected] 4 points 11 months ago (1 children)

what would I gain from docker or other containers?

Reproducability.

Once you've built the Dockerfile or compose file for your container, it's trivial to spin it up on another machine later. It's no longer bound to the specific VM and OS configuration you've built your service on top of and you can easily migrate containers or move them around.

[–] [email protected] 1 points 11 months ago (2 children)

But that's possible with a vm too. Or am I missing something here?

[–] [email protected] 3 points 11 months ago (1 children)

If you update your OS, it could happen that a changed dependency breaks your app. This wouldn't happen with docker, as every dependency is shipped with the application in the container.

[–] [email protected] 2 points 11 months ago

Ah okay. So it's like an escape from dependancy-hell... Thanks.

[–] [email protected] 2 points 11 months ago (1 children)

Apart from the dependency stuff, what you need to migrate when you use docker-compose is just a text file and the volumes that hold the data. No full VMs that contain entire systems because all that stuff is just recreated automatically in seconds on the new machine.

[–] [email protected] 1 points 11 months ago (1 children)

Ok, that does save a lot of overhead and space. Does it impact performance compared to a vm?

[–] [email protected] 2 points 11 months ago (1 children)

If anything, containers are less resource intensive than VMs.

[–] [email protected] 1 points 11 months ago (1 children)

Thank you. Guess i really need to take some time to get into it. Just never saw a real reason.

[–] [email protected] 2 points 11 months ago (1 children)

The great thing about containers is that you don't have to understand the full scope of how they work in order to use them.

You can start with learning how to use docker-compose to get a set of applications running, and once you understand that (which is relatively easy) then go a layer deeper and learn how to customize a container, then how to build your own container from the ground up and/or containerize an application that doesn't ship its own images.

But you don't need to understand that stuff to make full use of them, just like you don't need to understand how your distribution builds an rpm or deb package. You can stop whenever your curiosity runs out.

[–] [email protected] 1 points 11 months ago

Won't need to containerize my own stuff. Yet. But many apps just give a recent docker or some outdated manual install stuff. Hence why i get more and more annoyed/intrigued by docker 😁

Thanks for the guide!

[–] [email protected] 2 points 11 months ago (1 children)

Saves time, minimal compatibility, portability and you can update with 2 commands There's really no reason not to use docker

[–] [email protected] 1 points 11 months ago (1 children)

But I can't really tinker IN the docker-image, right? It's maintained elsewhere and I just get what i got. But with way less tinkering? Do I have control over the amount/percentage of resources a container uses? And could I just freeze a container, move it to another physical server and continue it there? So it would be worth the time to learn everything about docker for my "just" 10 VMs to replace in the long run?

[–] [email protected] 2 points 11 months ago* (last edited 11 months ago) (1 children)

You can tinker in the image in a variety of ways, but make sure to preserve your state outside the container in some way:

  1. Extend the image you want to use with a custom Dockerfile
  2. Execute an interactive shell session, for example docker exec -it containerName /bin/bash
  3. Replace or expose filesystem resources using host or volume mounts.

Yes, you can set a variety of resources constraints, including but not limited to processor and memory utilization.

There's no reason to "freeze" a container, but if your state is in a host or volume mount, destroy the container, migrate your data, and resume it with a run command or docker-compose file. Different terminology and concept, but same result.

It may be worth it if you want to free up overhead used by virtual machines on your host, store your state more centrally, and/or represent your infrastructure as a docker-compose file or set of docker-compose files.

[–] [email protected] 2 points 11 months ago (1 children)

Hm. That doesn't really sound bad. Thanks man, I guess I will take some time to read into it. Currently on proxmox, but AFAIK it does containers too.

[–] [email protected] 1 points 11 months ago (1 children)

It's really not! I migrated rapidly from orchestrating services with Vagrant and virtual machines to Docker just because of how much more efficient it is.

Granted, it's a different tool to learn and takes time, but I feel like the tradeoff was well worth it in my case.

I also further orchestrate my containers using Ansible, but that's not entirely necessary for everyone.

[–] [email protected] 1 points 11 months ago (1 children)

I only use like 10 VMs, guess there's no need for overkill with additional stuff. Though I'd like a gui, there probably is one for docker? Once tested a complete os with docker (forgot the name) but it seemed very unfriendly and ovey convoluted.

[–] [email protected] 2 points 11 months ago (1 children)

There's a container web UI called Portainer, but I've never used it. It may be what you're looking for.

I also use a container called Watchtower to automatically update my services. Granted there's some risk there, but I wrote a script for backup snapshots in case I need to revert, and Docker makes that easy with image tags.

There's another container called Autoheal that will restart containers with failed healthchecks. (Not every container has a built in healthcheck, but they're easy to add with a custom Dockerfile or a docker-compose.)

[–] [email protected] 2 points 11 months ago (1 children)

Thanks for the tips! But did i get it right here? A container can has access to other containers?

[–] [email protected] 2 points 11 months ago* (last edited 11 months ago) (1 children)

The Docker client communicates over a UNIX socket. If you mount that socket in a container with a Docker client, it can communicate with the host's Docker instance.

It's entirely optional.

[–] [email protected] 2 points 11 months ago (1 children)

Ah okay. Sounds safe enough. Thanks again :-)

[–] [email protected] 2 points 11 months ago
[–] [email protected] 1 points 11 months ago (1 children)

VMs have a ton of overhead compared to Docker. VMs replicate everything in the computer while Docker just uses the host for everything, except it sandboxes the apps.

In theory, VMs are far more secure since they're almost entirely isolated from the host system (assuming you don't have any of the host's filesystems attached), they are also OS agnostic whereas Docker is limited to the OS it runs on.

[–] [email protected] 0 points 11 months ago (1 children)

Ah ok thanks, the security-aspect is indeed important to me. So I shouldn't really use it for critical things. Especially those with external access.

[–] [email protected] 1 points 11 months ago

Docker is still secure, it's just less secure than Virtualization. It's like a standard door knob lock (the twist/push button kind) vs a deadbolt. Both will keep 90% of bad-actors out but those who really want to get in can based on how high the security is.