Dynamic DNS - Official/Recommended method?

xgpt

Oct 9, 2023
I can think of no fewer than half a dozen ways to successfully keep a Dynamic DNS updated, however I'd very much like to start my Proxmox journey without going against the grain. Should I be doing this with a cronjob within the host Debian system, or install an LXC that will do this task for me? Is there a setting I'm missing in the main UI for this? I use Google DNS at the moment, however I'm happy to transfer to Cloudflare if that's easier with the recent sale to Squarespace. I see many in the community are utilizing DuckDNS, however I'm in need of using my own domain names.

Does Proxmox recommend a single preferred method for this?

Thank you!
 
It's good practice to run as little as possible directly on the PVE host. PVE doesn't offer DynDNS support, so in my opinion it would be best to run that in a VM or LXC.
Many use a pfSense/OPNsense VM between the host and guests for additional security (IDS/IPS/DMZ/additional firewalling) and there would be plugins for DynDNS.
Other people run reverse proxies like a "Nginx Proxy Manager" in a Docker VM which also has scripts to update DynDNS via APIs of different DNS providers and can also get/update a Let's Encrypt certificate via DNS-01 challenge.
Or simply run a minimal LXC with the Linux distribution of your choice and install a DynDNS client yourself.
 
Oh, that actually makes me want to ask, should I be installing docker inside of an lxc or vm? I'm going to be resource constrained on a NUC and am thinking it's going to be more lightweight without VMs.

@Dunuin do you have a link to a tutorial that covers such networking/firewalling?

I think I'll do the dynamic DNS with an alpine lxc then.
 
@Dunuin do you have a link to a tutorial that covers such networking/firewalling?
No, that's a lot of stuff and will fill multiple books. In general, for maximum security:
- run guests in an isolated DMZ and not in your LAN
- segment your networks as much as reasonable (tagged VLAN capable router and multiple NICs will help)
- monitor all external traffic using intrusion detection or even intrusion prevention (for example Suricata in OPNsense or something like Wazuh)
- use something like an OPNsense to limit traffic between different network segments
- use the PVE firewall to limit traffic between the different guests of a network segment
- use whitelisting and not blacklisting...so block everything except the few ports and IPs that should be open

should I be installing docker inside of an lxc or vm?
Many use LXCs for that despite the official recommendation to use VMs:
https://pve.proxmox.com/wiki/Linux_Container said:
If you want to run application containers, for example, Docker images, it is recommended that you run them inside a Proxmox QEMU VM. This will give you all the advantages of application containerization, while also providing the benefits that VMs offer, such as strong isolation from the host and the ability to live-migrate, which otherwise isn’t possible with containers.
 
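An added example, not part of the thread or of Proxmox's documentation: one way the allowlisting and PVE firewall advice above could look for a minimal DynDNS container, written as a guest firewall file. The container ID 110 in the path and the resolver address 192.0.2.53 are placeholders, and it assumes the DynDNS client reaches the DNS provider's API over HTTPS.

```ini
# /etc/pve/firewall/110.fw  (110 = placeholder ID of the DynDNS LXC)

[OPTIONS]
enable: 1
# Nothing needs to reach a DynDNS client from outside, so inbound stays closed.
policy_in: DROP
# The guest default for outbound is ACCEPT; DROP makes outbound an allowlist too.
policy_out: DROP

[RULES]
# Name resolution, only towards the resolver the container is configured to use
# (192.0.2.53 is a placeholder address).
OUT DNS(ACCEPT) -dest 192.0.2.53
# Public-IP lookup and the DNS provider's update API, both assumed to be HTTPS.
OUT HTTPS(ACCEPT)
# No IN rules: the container is administered from the PVE host (pct enter),
# so no SSH port has to be opened.
```

The rules only take effect when the firewall is also enabled at datacenter level and on the container's network device.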
I think I'll do the dynamic DNS with an alpine lxc then.
I think that will work just fine, I do my Postfix relay in a Debian LXC

for docker - the consensus seems to be use VMs (mine were already in VMs i brought over from hyper-v).
seems there are volumes written on how to get docker working in lxc, what to do when it gets broken, and on people arguing if it is wise to do it

all of that made me stay away as VM overhead of a lightweight debian or alpine install is trivial and the isolation from proxmox is wise IMHO.

this is my swarm architecture / install notes FWIW https://gist.github.com/scyto/f4624361c4e8c3be2aad9b3f0073c7f9
 
No, that's a lot of stuff and will fill multiple books. In general, for maximum security:
- run guests in an isolated DMZ and not in your LAN
- segment your networks as much as reasonable (tagged VLAN capable router and multiple NICs will help)
- monitor all external traffic using intrusion detection or even intrusion prevention (for example Suricata in OPNsense or something like Wazuh)
- use something like an OPNsense to limit traffic between different network segments
- use the PVE firewall to limit traffic between the different guests of a network segment
- use whitelisting and not blacklisting...so block everything except the few ports and IPs that should be open


Many use LXCs for that despite the official recommendation to use VMs:
I had never really considered migrations, but it is a pain to migrate Docker containers around, while a VM would just migrate all of the Docker containers. Smart. Is there a way to have a VM or LXC without the limitations of pre-set constraints such as disk allocations?
 
VM or LXC without the limitations of pre-set constraints such as disk allocations
that's a feature, not a bug

the answer is of course - connect over some protocol to a NAS or other resource (SMB, CIFS, VIRTIOFS, FUSE, GLUSTER, CEPH etc.). only specify disk size for the OS. size larger than you need, store on lvm-thin or Ceph RBD (then only used space in the virtual disk is consumed)
 
