Docker, LXC and storage

[yeetistan]

Hi everyone,

i want to restructure my services at home to all run on my proxmox-machine.
At the moment i have some containers with single services running on them.

My other apps are running as docker-containers on a raspberry pi and they will be moved to PVE.
The raspberry is also running smb with a 8TB external drive.

Now for my concerns/questions:
1. Since running docker in lxc requires some modifications regarding apparomor and cgroups, is it "safe" to run docker there, or should i just create a standard qemu-vm ?
2. Does it make sense to plug in the drive as PVE-storage and attach it to the machines as mountpoints, or is that considered bad/unsafe ?

As of now i have the following scenarios in mind:
Container-focused
- Attach the drive via usb, mount it in PVE and pass it through via mountpoints to LXC
- Modify the lxc to be able to run docker
Pro: easy setup, lower idle-load and thus poweruse
Cons: potentially unsafe
"Security"-focused
- Create a VM, pass the whole drive through as USB-device and run a nfs-server
- Create a VM as dockerhost, access the storage via NFS
Pro: Safer?
Cons: More setup required, more idle-load

Appreciate any input.

 

[oguz]

hi,

1. Since running docker in lxc requires some modifications regarding apparomor and cgroups, is it "safe" to run docker there, or should i just create a standard qemu-vm ?

you should use a VM for better separation and less trouble, it's possible to run docker in lxc as you say, but nesting containers isn't a very good idea in general

2. Does it make sense to plug in the drive as PVE-storage and attach it to the machines as mountpoints, or is that considered bad/unsafe ?

it's not unsafe unless you configure it unsafe (meaning privileges and rights)


for your setup both scenarios you mentioned should work, you'll have to decide what is better for your use-case.

if these services won't be accessible from the outside internet then it might be okay to do the docker setup in lxc

 

[yeetistan]

Hi Oguz, thanks for the quick answer!

Since some services will be accessible from the outside, i will run the qemu-variant to be safe.
Since the VMs dont support mountpoints, i guess thats off the table as well and i will be setting up a nfs-server in a vm.

 

[oguz]

Since the VMs dont support mountpoints, i guess thats off the table as well and i will be setting up a nfs-server in a vm.

you could still use device passthrough[0] to pass your drive device directly to the VM, but keep in mind this will inhibit migration if you're using a cluster

[0]: https://pve.proxmox.com/wiki/PCI(e)_Passthrough