Underlying Debian OS

amberleaf

Mar 18, 2025
Are there any reasons why running anything on the underlying Debian OS, say Docker containers or other types of systems/applications, is a bad idea? I'm thinking about security and communications between Docker containers. Or is it better to run everything in VMs or LXCs? If there are, how much extra overhead is incurred when, say, running a Debian VM to run the same Docker containers or LXC?
Thanks
 
If you're doing homelab, you can setup pretty much anything that works for you. Developer workstation with X and Firefox, you name it. You just need to understand the risks, and what running more services at the host level might mean as far as impacting your overall security and VM performance / interactive response.

https://pve.proxmox.com/wiki/Developer_Workstations_with_Proxmox_VE_and_X11

As long as you have backups. If your Proxmox host gets compromised, You Need Something To Restore From. Proxmox Backup Server on separate hardware is ideal for this, as you can take advantage of dedup and other features.

If you're setting up a single node or cluster in a business environment, things are obviously different. You will need to follow Best Practices, not expose anything directly to the Internet, enable firewalls, not have a single point of failure, Backup regimen, etc.
 
As long as your underlying Debian system stays as close to the stock configuration as possible, it is super easy to maintain long-term. It will upgrade cleanly. You can reinstall in case of hardware failures. There simply isn't a lot of state that you need to worry about.

But once you start customizing your host, you are on your own. This might feel OK for a year or two, but eventually, at some point down the line, it becomes a liability.

Fortunately, there really isn't a lot of a reason why you would ever want to make major changes to the host. Just move all of those into VMs or containers. Containers are particularly nice here, as they can share so much state with the host. In many ways, they are the sweet spot of separating for better maintenance while sharing for easy access to resources on the host.

But VMs are a fine solution too. They are particularly useful for passing through entire PCIe cards. If you only have a single computer and if you plan on using it as your main desktop environment, then you can often pass the GPU and USB keyboard/mouse to a VM and connect your local peripherals as if you were using the host directly. That gains you all the benefits of having a managed environment that is easy to snapshot and backup/restore. This is of course a bit of a hack'ish solution. You wouldn't do that in production. But for a homelab with limited resources, it's great to have options.
 
Are there any reasons why running anything on the underlying Debian OS any hypervisor, say Docker containers or other types of systems/applications, is a bad idea?
So the answer is: it depends.

If you are using Proxmox as a hypervisor, it completely circumvents your hypervisor tooling and resource awareness, which means you introduce elements external to its C&C. If you are deploying a virtualization environment in production, this is OBVIOUSLY a bad idea on every level.

If you're using it as a general purpose server (e.g., homelab), sure, go nuts.
 
Docker breaks the PVE firewall, so if you use that it's not a good idea.
Running things on the host prevents you from benefiting from the hypervisor features like snapshots, backups, migration, isolation and so on.
CTs don't have much overhead. Usually < 60 MB of memory depending on the image. They also only use what they really need. With VMs you have to allocate a certain amount of memory and should consider it "used". Running Docker in CTs is not recommended either.
I usually use a "big" VM to run all my Docker containers. For things like Frigate, which only (officially) supports Docker and which I wanted to run in a CT to be able to share my iGPU with, I needed to run Docker in a CT. It has worked fine so far. Kernel or PVE upgrades can potentially break it, but I feel comfortable enough to still do it.
So yes, you can do all that, but it's a personal choice most people recommend against, and it should be an informed one.
 
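As an added diagnostic (not code from the thread or from the Proxmox project), here is a POSIX shell script that scans an `iptables-save` dump for Docker's chains (`DOCKER`, `DOCKER-USER`) sitting next to the Proxmox VE firewall's `PVEFW-*` chains, which is the overlap the post above warns about. The sample dump is constructed to look like a PVE host where Docker was installed directly; on a real host you would pipe the output of `iptables-save` into `audit_chains` instead.

```shell
#!/bin/sh
# Added example, not part of the forum thread: audit an iptables-save dump
# for Docker-managed chains coexisting with Proxmox VE firewall chains.
# Chain names are the standard ones Docker and pve-firewall create.

# Constructed sample of an iptables-save dump on a PVE host that also
# runs Docker on the host itself (not a capture from a real system).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-INPUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j DOCKER-USER
-A FORWARD -j PVEFW-FORWARD
COMMIT'

# audit_chains reads an iptables-save dump on stdin and prints findings.
# Returns 0 when no Docker/PVE overlap is found, 1 when both Docker and
# PVE firewall chains are present in the same ruleset.
audit_chains() {
    rules=$(cat)
    # grep -c prints 0 and exits 1 when nothing matches; keep the count.
    docker_chains=$(printf '%s\n' "$rules" | grep -c '^:DOCKER' || true)
    pve_chains=$(printf '%s\n' "$rules" | grep -c '^:PVEFW-' || true)
    fwd_policy=$(printf '%s\n' "$rules" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p')
    status=0
    if [ "$docker_chains" -gt 0 ] && [ "$pve_chains" -gt 0 ]; then
        echo "WARN: $docker_chains Docker chain(s) and $pve_chains PVE firewall chain(s) share this ruleset"
        status=1
    fi
    if [ "$docker_chains" -gt 0 ] && [ "$fwd_policy" = "DROP" ]; then
        echo "INFO: FORWARD policy is DROP (Docker sets this); verify guest forwarding still works"
    fi
    return $status
}

# run_sample feeds the constructed dump through the audit.
run_sample() {
    printf '%s\n' "$SAMPLE_RULES" | audit_chains
}

# On a real host: iptables-save | audit_chains
run_sample
```

A non-zero exit is the signal worth alerting on; the `INFO` line only points at the FORWARD policy Docker installs, which is a common reason guest traffic stops flowing after Docker lands on a hypervisor host.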
Thanks for all the replies. I am using Proxmox for homelab purposes, so from your replies I'll stick to running things in VMs and CTs rather than using the underlying host OS.