Yup. I also wouldn't want to run docker outside of a VM. Most people using docker want to run containers they didn't create themselves, and they choose docker so they don't need to know what's actually going on inside that container. They just want a turnkey solution without needing to learn how everything is working. So it's easy to run a malicious docker container (a docker account might get hacked and an update is distributed running malware or something similar), and then you want that isolated in a VM, and best also in a DMZ, and not directly on your host.
In addition to security considerations, docker is installed on the physical machine of PVE. Does running the Docker container itself have any impact on the system? Does LXC itself conflict with Docker?
The main idea is to run the program in Docker. This is similar to the Kolla method of OpenStack.
That depends on what you do with it. Every container can potentially use the highest privileges and therefore, or otherwise, have full access to the hardware.
If you use a VM, it is harder to screw up your PVE host.
As usual with security related things: weigh the pros and cons, use hardened docker containers (which are rare, most people building containers have no clue about security), test them rigorously, use additional firewall rules etc. Docker (the local daemon) does not have good out-of-the-box network security, so you have to deal with that too.
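As an added illustration of the hardening and firewall points made in the post above (example configuration, not from any poster in this thread), here is one Compose service written twice: once with the permissive defaults most published images rely on, once locked down. The service names, the `example.invalid/app` image, the uid and the ports are placeholders.

```yaml
# Added example, not from the thread. Placeholder names throughout.
services:
  app-default:
    image: example.invalid/app:latest   # placeholder image
    ports:
      - "8080:8080"   # published on 0.0.0.0; Docker inserts its own iptables
                      # rules, so host INPUT-chain firewall rules do not apply
    # no user      -> process runs as root inside the container
    # no cap_drop  -> default capability set (NET_RAW, CHOWN, SETUID, ...)
    # writable rootfs, and setuid binaries may still gain privileges

  app-hardened:
    image: example.invalid/app:latest   # same placeholder image
    user: "10001:10001"                 # unprivileged uid/gid inside the container
    read_only: true                     # root filesystem is immutable
    tmpfs:
      - /tmp                            # scratch space the app still needs
    cap_drop:
      - ALL                             # start from zero capabilities
    cap_add:
      - NET_BIND_SERVICE                # re-add only what the app needs (only if it binds a port < 1024)
    security_opt:
      - no-new-privileges:true          # setuid/setcap binaries cannot escalate
    pids_limit: 200                     # caps runaway process creation
    mem_limit: 512m                     # bounds memory use on the host
    ports:
      - "127.0.0.1:8081:8081"           # bind to loopback (or the VM's internal address)
                                        # and front it with a reverse proxy or firewall you control
    restart: unless-stopped
```

If a port really must be reachable from outside, put the allow/deny rules in the `DOCKER-USER` iptables chain on the Docker host: Docker evaluates that chain before its own forwarding rules, unlike rules placed in `INPUT`, which published ports bypass.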