Proxmox nested on itself to provide container group separation.

reg_ed

Member
Apr 24, 2022
I'm trying to decide whether to make the jump from ESXi to Proxmox. I've read a lot about Proxmox recently and there are some aspects of it that really appeal to me and would suit my setup.

One of the things I really like is the built-in LXC containerisation, the fact that Proxmox treats containers very similarly to full VMs (in terms of administration) and the automated backup system that includes containers. These things are either not available in ESXi at all or are not available with my (free) license.

However, one thing that does concern me is running containers directly on the hypervisor. In my current ESXi setup I have several guest VMs which themselves host groups of LXC containers. If an adversary manages to break out of one of the LXC containers they will find themselves inside the guest VM, which gives me an extra level of security between groups of containers and (more importantly) the host hypervisor itself. I just can't seem to pull the trigger on a migration to Proxmox knowing that if any one of my container services is breached, the adversary will be into the hypervisor and could well end up with control over my entire system.

I've been trying to reconcile these conflicting desires and the only thing I can think of is to have a base install of Proxmox on the baremetal which will host the non-containerised VMs plus a couple of nested Proxmox VMs which will then host my groups of containers. That way I can cluster all of the Proxmox instances and effectively have full control over all of my VMs and containers from one WebUI. I have one physical server with plenty of horsepower but I'm not willing to lose more than a couple of percent performance over my current setup.

Can anyone comment on whether the setup I describe will work close to the performance I require (in effect it's the same level of nesting as my current setup, only replacing the nix container hosts with Proxmox container hosts instead) or whether there's a better way of doing this?

Would the Proxmox developers consider adding a way to manage containers that are not hosted directly on the Proxmox hypervisor itself?
Hi,

If an adversary manages to break out of one of the LXC containers they will find themselves inside the guest VM, which gives me an extra level of security between groups of containers and (more importantly) the host hypervisor itself. I just can't seem to pull the trigger on a migration to Proxmox knowing that if any one of my container services is breached, the adversary will be into the hypervisor and could well end up with control over my entire system.
The LXC containers are "unprivileged" by default (when you create them on the GUI), that means they run with the uid/gid of a user with no privileges on the host (which provides some level of security).
We also utilize AppArmor profiles and seccomp.

Read more here [0] [1].

So the nested setup may not be necessary.

[0]: https://pve.proxmox.com/wiki/Linux_Container
[1]: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_unprivileged_containers
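As an added example (not from this thread and not Proxmox's own code), a small audit that reads container configs in the /etc/pve/lxc/<vmid>.conf format and flags settings that weaken the isolation the reply describes: a container not marked unprivileged, AppArmor confinement switched off with lxc.apparmor.profile: unconfined, or a custom lxc.idmap that maps container ids onto host id 0. The sample configs are constructed; the keys are the ones Proxmox and LXC actually use.

```python
"""Flag LXC container configs whose settings weaken host isolation."""
from pathlib import Path

# Constructed sample configs in the "key: value" format of /etc/pve/lxc/<vmid>.conf
SAMPLE_CONFIGS = {
    100: "arch: amd64\nhostname: web\nunprivileged: 1\nfeatures: nesting=1\n",
    101: "arch: amd64\nhostname: legacy\nfeatures: mount=nfs\n",  # no unprivileged key
    102: ("arch: amd64\nhostname: build\nunprivileged: 1\n"
          "lxc.apparmor.profile: unconfined\nlxc.idmap: u 0 0 65536\n"
          "\n[snap1]\nunprivileged: 0\n"),  # snapshot section must be ignored
}


def parse_config(text):
    """Parse 'key: value' lines into {key: [values]}; stop at the first [snapshot] section."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            break  # everything after this describes a snapshot, not the running container
        key, _, value = line.partition(":")
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means nothing weakens the defaults."""
    findings = []
    if cfg.get("unprivileged", ["0"])[0] != "1":
        findings.append("privileged: uid 0 inside the container is uid 0 on the host")
    if "unconfined" in cfg.get("lxc.apparmor.profile", []):
        findings.append("AppArmor confinement disabled (lxc.apparmor.profile: unconfined)")
    for mapping in cfg.get("lxc.idmap", []):          # format: "u|g <ct start> <host start> <count>"
        fields = mapping.split()
        if len(fields) == 4 and fields[2] == "0":     # host start of 0 undoes the unprivileged mapping
            findings.append(f"custom idmap '{mapping}' maps container ids onto host id 0")
    return findings


def audit_all(configs):
    return {vmid: audit(parse_config(text)) for vmid, text in configs.items()}


def load_configs(directory="/etc/pve/lxc"):
    """Read real configs on a Proxmox host (run as root); not used by the sample run."""
    return {int(p.stem): p.read_text() for p in Path(directory).glob("*.conf")}


if __name__ == "__main__":
    for vmid, findings in sorted(audit_all(SAMPLE_CONFIGS).items()):
        print(f"CT {vmid}: {'OK' if not findings else '; '.join(findings)}")
```

On a live host, replace SAMPLE_CONFIGS with load_configs() to audit the real containers.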