Docker on Proxmox LXC 🚀 Zero Bloat and Pure Performance!

  • Published 13 Jun 2024
  • Running Docker on Proxmox LXC is the best way to get maximum performance without unnecessary overhead, all the while maintaining the much-desired system isolation.
    But if you want security then an Unprivileged LXC is better than a Privileged Proxmox LXC. My home server and media server are both Proxmox LXCs and unprivileged.
    This walkthrough shows you how to install Docker on an unprivileged Proxmox LXC. Knowing this can be very helpful while following my guides and GitHub repo.
    #proxmox #homelab #minilab #homeserver #plex #docker
    TIMESTAMPS
    0:00 Introduction
    1:03 Proxmox and Proxmox LXC
    2:58 Setting up Ubuntu 22.04 Unprivileged Proxmox LXC
    9:57 Preparing Ubuntu 22.04 Operating System for Docker
    10:20 Create a New Non-Root User
    11:11 System Update
    12:03 Edit SSH Config
    13:24 Installing Basic/Required Packages
    14:20 System Tweaks (sysctl.conf)
    15:05 Enable Firewall (UFW)
    17:30 Automated Setup
    18:22 Docker Setup
    ULTIMATE DOCKER SERVER SERIES:
    Playlist: • Mini Homelab Tour - I ...
    RELEVANT GUIDES:
    🔗 www.smarthomebeginner.com/ult...
    🔗 www.smarthomebeginner.com/doc...
    🔗 www.smarthomebeginner.com/tra...
    AUTO-TRAEFIK
    📰 www.smarthomebeginner.com/go/...
    🎞️ • Auto Traefik 2 - Docke...
    GITHUB REPOSITORIES:
    📜 github.com/htpcbeginner/docke...
    MY PROXMOX HOST:
    🖥️ Topton V700 Intel i7-13800H Mini PC with 64 GB RAM: www.smarthomebeginner.com/go/... (Affiliate Link)
  • Science & Technology

COMMENTS • 65

  • @AnandsLab 1 month ago +4

    Some key points based on community feedback:
    1. 7:20 we are specifying the maximum available resources to be used when needed. It does not mean all these resources are blocked.
    2. 12:15 Never port-forward or expose SSH port to the internet.
    3. 13:00 It's obvious but I should have mentioned, SSH with key is the best way to maximize security. Password is not.

  • @tuxino 1 month ago +5

    I have a small thing you should consider in the future when running multiple commands in sequence.
    When you separate the commands with a semi-colon as in "apt update ; apt upgrade", if something went wrong with the update, it will still try to upgrade. If you look away after pressing enter, you will not notice the error from update, and might think that everything went as planned.
    Instead, consider using double ampersand as in "apt update && apt upgrade". Then, if the first command fails, it will not run the second, and when you look at the screen, the error message from the first is still visible.

    • @AnandsLab 1 month ago +2

      This is a great point. I started out wrong and it became a habit that is hard to break. Thanks for the nudge and sharing your point of view.

  • @sl7085 2 months ago +1

    Many thanks for this detailed setup video and the guides, really appreciate

    • @AnandsLab 1 month ago

      Glad you enjoyed it!

  • @Felix-ve9hs 1 month ago +16

    12:16 With tools like nmap, it takes an attacker less than one minute to figure out your SSH port, no matter what you change it to.
    Just disable passwords and use ssh-keys for login.

    • @AnandsLab 1 month ago +2

      This is the way to go. But the majority of the hits I get on my server are on Port 22.

    • @casperghst42 1 month ago +1

      I'd rather say; do not expose ssh to the internet - use VPN.

    • @AnandsLab 1 month ago

      @casperghst42 Of course. Not sure if I mentioned it. To me it’s obvious but I should be more explicit about it.

    • @Thiccalus 1 month ago +2

      do you know of a decent tutorial to go over implementing ssh keys?

    • @sybren-srb 1 month ago

      who the hell allows port scanning on his firewall anyway?

  • @RedVelocityTV 1 month ago +10

    Good video but you kept interrupting the screen with your fullscreen video, unneeded disruption when you've already got a webcam on screen

    • @AnandsLab 1 month ago +4

      Thanks! Already being addressed in the newer videos :-)

    • @avertry9529 13 days ago

      That's why I hate Tiktok, you don't need to see the person talking and hand talking videos, are the worst. Rant over, I finally got it out.

  • @reyastaroth 1 month ago

    Brilliant!! Bravo for your decision to start from scratch the old way!! To follow!!

    • @AnandsLab 1 month ago

      Thanks! Quick question. By "start from scratch the old way", what do you mean exactly?

    • @reyastaroth 1 month ago

      @AnandsLab I mean build the stack manually and not the automated Traefik script.
      Traefik auto is good, I tried version 2.0 but it had some errors and I left it. I prefer to have control of the containers and know why things happen.
      In fact, I recently installed TrueNAS (bare metal) on HP Microserver and I want to mount the Plex, Sonarr, Jackett stack on Proxmox (mini PC).
      Downloads on a synology DS218+.
      Your tutorial fits me like a glove.
      Thank you!!!

  • @murlock666 9 days ago

    Many thanks Anand, I'm pretty new to all this and up till now I've had Docker running via a CasaOS VM. I will be ditching that now and going forward with a Docker LXC for the future :)

    • @AnandsLab 9 days ago

      Great. CasaOS is great. But building from scratch and learning is the fun part.

  • @jus4027 1 month ago

    very good guide, ty

  • @fourex59 27 days ago +1

    Anand, thank you for your time in providing this tutorial. I have successfully initiated the docker engine in a container with all of the steps shown in your video. Do I have to create a new container for each docker application that I want to run in Proxmox?

    • @AnandsLab 26 days ago

      No. One lxc with docker can run as many containers as you want. In fact my home server lxc runs about 50 docker containers

    • @fourex59 26 days ago

      @AnandsLab I think you may have misunderstood my question. I was asking if I am limited to running a single docker service or application per container?

    • @RaduRadonys 25 days ago +1

      @fourex59 What do you mean by "container"? The LXC container or the docker containers inside the LXC container? Your setup should be like this: 1 single LXC container in Proxmox, then install docker in this LXC container, and then install all your docker applications on that docker instance.

    • @fourex59 25 days ago

      @RaduRadonys Ok thanks that answers my question. Should I start off with Portainer as my first application?

    • @RaduRadonys 24 days ago +1

      @fourex59 Yes you could definitely do that, that's what I'm doing too. And then you could use Portainer to install all remaining apps that you want.

  • @fbifido2 1 month ago

    One Question on Debian 12.5:
    - I install the Debian 12 Minimal install
    - I then install docker
    - I created two nginx containers, with ports 8080 and 8081 respectively.
    - I then make sure that I can access each container site, plus ping the Debian host.
    - Now I install UFW, allow port 2052/tcp, then enable it.
    - I can still ping the Debian host & also access the two nginx sites { WHY ??? }
    My question: How can I block everything and only allow access to ports that I need, like 2052, 8080, 8081/tcp?

    • @AnandsLab 1 month ago +1

      This is a docker problem and one reason why some prefer podman. Docker by default adds firewall rules to allow traffic to all containers. Take a look at ufw-docker on GitHub.

  • @gdr189 1 month ago

    How does including LXD alongside LXC change things? I am still having difficulty understanding LXD.

    • @zparihar 1 month ago +1

      Proxmox is not using LXD. I would ignore it in this case

  • @user-bq2xt5ws1d 9 days ago

    I’m planning my first Proxmox install and plan on using Docker.
    Tteck has a number of helper scripts, including a direct install of a Docker LXC without loading Ubuntu first. If I’m only going to use the LXC for Docker, is there any reason to have it nested in Ubuntu first?
    Thanks!

    • @AnandsLab 9 days ago

      Although I am familiar with Tteck's scripts, I am not familiar with his/her Docker LXC. I assume it also uses Ubuntu/Debian as a base inside the LXC anyway and is nested. I will try to run it and do a quick check.

  • @techhoarder3010 26 days ago +3

    I would not do this, I ran docker in proxmox lxc containers and then a kernel update came out and wiped out all my dockers inside those lxc containers. It's written all over the forums not to run docker in lxc containers yet there's so many new videos on how to do it. 🤦

    • @AnandsLab 25 days ago +1

      This hasn't been my experience. I have been using this setup since Proxmox 6 with no issues. I do not recommend anything in my videos that I haven't been using myself.
      Can you share specifics? The only issue I have heard is very recently (Proxmox 8.2???) and this video came out before that. So please elaborate.

  • @egokhanturk 1 month ago +2

    7:20 you are not allocating cpu cores or memory. You are just giving the limitation. This is an advantage of LXC. If I'm wrong correct me.

    • @AnandsLab 1 month ago

      Yes, good point. Thanks for clarifying. It is the upper limit. This does not mean all the allocated resources are used.

  • @KryptoJanusz 2 months ago +4

    16:00 Why don't you use Proxmox firewall instead?

    • @AnandsLab 2 months ago +1

      That is definitely an option and offers a firewall outside the system. I tried to showcase something that could work not only for Proxmox LXC but also barebones Ubuntu.

  • @ggoessler 1 month ago +1

    I also have it in lxc Containers with zfs in proxmox. It works but Backups are not restorable

    • @AnandsLab 1 month ago

      What??? I just recently switched to zfs. I have to check the backups then.

    • @firefox7530 1 month ago

      Well, I cannot even take backups anymore of my docker LXC. The proxmox guys clearly do NOT advise to install docker on proxmox. They are strongly against it as mentioned several times in the proxmox forums on people who have problems with docker on proxmox.

    • @ggoessler 1 month ago

      @AnandsLab have you also some issues?

    • @Jarek. 13 days ago

      What does it mean "not restorable"? I've restored a VM last week, Proxmox 8.2.2 on ZFS.

  • @manit77 1 month ago

    Try docker swarm. I gave up trying lxc. You may run into issues running HA when clustered.

    • @AnandsLab 1 month ago

      Unfortunately, this is not something I have tried. My homelabs are simple and have not had the need to have HA until now. Maybe one day. I will keep this in mind.

    • @ruukes4770 1 month ago

      What is HA

    • @RaduRadonys 25 days ago

      @ruukes4770 High Availability.

    • @bouboul3597 25 days ago

      @ruukes4770 High availability. It is an architecture to ensure uptime of a service.

    • @iuhere 17 days ago

      @ruukes4770 My guess would be Home Assistant. It is a way to aggregate different smart devices to one place.

  • @xavierejarque7827 1 month ago +3

    Be careful, ufw does not work with docker containers! You will have all container ports open to the internet.

    • @AnandsLab 1 month ago

      Yes, this is correct and something to watch out for. It's why UFW-Docker is nice to implement so you can continue to leverage the networking capabilities built into docker while also respecting the firewall rules.

    • @fbifido2 1 month ago +1

      @AnandsLab I tried UFW-Docker, in 2024 it does not work.
      To protect my containers, I just install UFW in the docker container itself.

    • @fourex59 27 days ago

      @AnandsLab So does this mean that we should or should not apply the three lines of instruction to create the firewall? I do not want it to be accessible over the Internet. Thanks
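
The UFW and Docker behaviour raised in this thread and in @fbifido2's question further up, as an added example (not from the video, its guides or its repo): Docker installs its own firewall rules for published ports, so a port published on all interfaces stays reachable even when UFW has no allow rule for it. The check below reads `docker ps --format '{{.Names}}\t{{.Ports}}'` output and lists every port published on a non-loopback address; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Docker-published ports that are bound to a
# non-loopback address and are therefore reachable from the network
# regardless of UFW allow/deny rules.
# Expected input: output of  docker ps --format '{{.Names}}\t{{.Ports}}'

# audit_published_ports: reads "name<TAB>ports" lines on stdin and prints
# "name host:port proto" for each mapping published beyond loopback.
audit_published_ports() {
    awk -F '\t' '
    {
        n = split($2, maps, ", *")
        for (i = 1; i <= n; i++) {
            # "80/tcp" alone is only EXPOSEd; "->" marks a published port.
            if (maps[i] !~ /->/) continue
            split(maps[i], side, "->")
            host = side[1]
            # Loopback bindings are reachable only from the Docker host.
            if (host ~ /^127\./ || host ~ /^\[::1\]:/) continue
            proto = side[2]
            sub(/^.*\//, "", proto)
            print $1, host, proto
        }
    }'
}

# Constructed sample (not captured from a real host): two nginx containers
# as in the question above, one of them rebound to loopback, plus a
# container with an exposed but unpublished port.
sample_docker_ps() {
    printf 'web1\t0.0.0.0:8080->80/tcp, [::]:8080->80/tcp\n'
    printf 'web2\t127.0.0.1:8081->80/tcp\n'
    printf 'db\t5432/tcp\n'
}

sample_docker_ps | audit_published_ports
```

On a real host, pipe the `docker ps` command into `audit_published_ports`; publishing with `-p 127.0.0.1:8081:80` instead of `-p 8081:80` keeps a port off the network, for example behind a reverse proxy on the same host.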

  • @harbinjar 1 month ago

    At ua-cam.com/video/-ZSQdJ62r-Q/v-deo.html I'm not receiving these Get statements. All of mine are "Ign" instead of "Get"

    • @AnandsLab 1 month ago

      Sorry, I do not understand your comment. Can you explain?

    • @harbinjar 1 month ago

      Never mind, I think my static IP was invalid.

  • @ascomp2002 1 month ago +3

    We are learning from you and you are supposed to be showing us what you are teaching us, please after introduction I think it will be better to leave your face at the corner of the video and leave what you are teaching more on the screen so that we can follow better otherwise I am fighting more to pause to see what you want to show and teach between your face. Just a humble opinion, thank you.