this post was submitted on 13 Dec 2023
234 points (98.0% liked)
Selfhosted
59955 readers
375 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam.
-
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
-
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
-
Submission headline should match the article title.
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Why wouldn't you want to use containers? I'm curious. What do you use now? Ansible? Puppet? Chef?
Currently no virtualisation at all - just my OS on bare metal with some apps installed. Remember, this is a single machine sitting in my basement running Samba and a couple of other things - there's not much to orchestrate :-)
Oh, I thought you had multiple machines.
I use docker because each service I use requires different libraries with different versions. With containers, that doesn't matter. It also provides some rudimentary security. If an attacker gets in, they'll have to break out of the container first to get at the rest of the system. Each container can run with a different user, so even if they do get out of the container, at worst they'll be able to destroy the data they have access to - well, they'll still see other stuff in the network, but I think it's better than being straight pwned.
It makes deployments a lot easier once you have the groundwork laid (writing your compose files). If you ever need to nuke the OS reinstalling and configuring 20+ apps can only take a few minutes (assuming you still have the config data, which should live outside of the container).
For example, setting up my mediaserver, webserver, SQL server, and usenet suit of apps can take a few hours to do natively. Using Docker Compose it takes one command and about 5-10 minutes. Granted, I had to spend a few hours writing the compose files and testing everything, along with storing the config data, but just simply backing up the compose files with git means I can pull everything down quickly. Even if I don't have the config files anymore it probably only takes like an hour or less to configure everything.
One of the things I like about containers is how central the IaC methodology is. There are certainly tools to codify VMs, but with Docker, right out of the gate, you'll be defining your containers through a Dockerfile, or docker-compose.yml, or whatever other orchestration platform. With a VM, I'm always tempted to just make on the fly config changes directly on the box, since it's so heavy to rebuild them, but with containers, I'm more driven to properly update the container definition and then rebuild the container. Because of that, you have an inherent backup that you can easily push to a remote git server or something similar. Maybe that's not as much of a benefit if you have a good system already, but containers make it easier imo.
You don't actually have to care about defining IP, cpu/ram reservations, etc. Your docker-compose file just defines the applications you want and a port mapping or two, and that's it.
Example:
That's it, you run
docker-compose upand the container starts, reads your config from your config folder, and exposes port 8080 to the rest of your network.(deleted content)
Most people set up a reverse proxy, yes, but it's not strictly necessary. You could certainly change the port mapping to
8080:443and expose the application port directly that way, but then you'd obviously have to jump through some extra hoops for certificates, etc.Caddy is a great solution (and there's even a container image for it 😉)
(deleted content)
Reproducability.
Once you've built the Dockerfile or compose file for your container, it's trivial to spin it up on another machine later. It's no longer bound to the specific VM and OS configuration you've built your service on top of and you can easily migrate containers or move them around.
If you update your OS, it could happen that a changed dependency breaks your app. This wouldn't happen with docker, as every dependency is shipped with the application in the container.
Apart from the dependency stuff, what you need to migrate when you use docker-compose is just a text file and the volumes that hold the data. No full VMs that contain entire systems because all that stuff is just recreated automatically in seconds on the new machine.
If anything, containers are less resource intensive than VMs.
The great thing about containers is that you don't have to understand the full scope of how they work in order to use them.
You can start with learning how to use docker-compose to get a set of applications running, and once you understand that (which is relatively easy) then go a layer deeper and learn how to customize a container, then how to build your own container from the ground up and/or containerize an application that doesn't ship its own images.
But you don't need to understand that stuff to make full use of them, just like you don't need to understand how your distribution builds an rpm or deb package. You can stop whenever your curiosity runs out.
Saves time, minimal compatibility, portability and you can update with 2 commands There's really no reason not to use docker
You can tinker in the image in a variety of ways, but make sure to preserve your state outside the container in some way:
docker exec -it containerName /bin/bashYes, you can set a variety of resources constraints, including but not limited to processor and memory utilization.
There's no reason to "freeze" a container, but if your state is in a host or volume mount, destroy the container, migrate your data, and resume it with a run command or docker-compose file. Different terminology and concept, but same result.
It may be worth it if you want to free up overhead used by virtual machines on your host, store your state more centrally, and/or represent your infrastructure as a docker-compose file or set of docker-compose files.
It's really not! I migrated rapidly from orchestrating services with Vagrant and virtual machines to Docker just because of how much more efficient it is.
Granted, it's a different tool to learn and takes time, but I feel like the tradeoff was well worth it in my case.
I also further orchestrate my containers using Ansible, but that's not entirely necessary for everyone.
(deleted content)
There's a container web UI called Portainer, but I've never used it. It may be what you're looking for.
I also use a container called Watchtower to automatically update my services. Granted there's some risk there, but I wrote a script for backup snapshots in case I need to revert, and Docker makes that easy with image tags.
There's another container called Autoheal that will restart containers with failed healthchecks. (Not every container has a built in healthcheck, but they're easy to add with a custom Dockerfile or a docker-compose.)
The Docker client communicates over a UNIX socket. If you mount that socket in a container with a Docker client, it can communicate with the host's Docker instance.
It's entirely optional.
Of course!
VMs have a ton of overhead compared to Docker. VMs replicate everything in the computer while Docker just uses the host for everything, except it sandboxes the apps.
In theory, VMs are far more secure since they're almost entirely isolated from the host system (assuming you don't have any of the host's filesystems attached), they are also OS agnostic whereas Docker is limited to the OS it runs on.
Docker is still secure, it's just less secure than Virtualization. It's like a standard door knob lock (the twist/push button kind) vs a deadbolt. Both will keep 90% of bad-actors out but those who really want to get in can based on how high the security is.