Some key points based on community feedback:
1. 7:20 we are specifying the maximum available resources to be used when needed. It does not mean all these resources are blocked.
2. 12:15 Never port-forward or expose the SSH port to the internet.
3. 13:00 It's obvious but I should have mentioned, SSH with key is the best way to maximize security. Password is not.
Never use swap for an LXC container if possible. It can leak data from the container through the host to other containers.
I have a small thing you should consider in the future when running multiple commands in sequence.
When you separate the commands with a semi-colon as in "apt update ; apt upgrade", if something went wrong with the update, it will still try to upgrade. If you look away after pressing enter, you will not notice the error from update, and might think that everything went as planned.
Instead, consider using double ampersand as in "apt update && apt upgrade". Then, if the first command fails, it will not run the second, and when you look at the screen, the error message from the first is still visible.
This is a great point. I started out wrong and it became a habit that is hard to break. Thanks for the nudge and for sharing your point of view.
I use Debian instead of Ubuntu for LXCs. Even docker runs on Debian out of the box without any modifications. Yes, in unprivileged mode.
12:16 With tools like nmap, it takes an attacker less than one minute to figure out your SSH port, no matter what you change it to.
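Added example, not from the commenter or the video: a short shell script that makes the ";" versus "&&" difference observable. "false" stands in for a failed "apt update" and a counter stands in for "apt upgrade", so it runs anywhere without root; only the last function touches the real commands.

```shell
#!/bin/sh
# Added example, not from the thread: shows why "a ; b" and "a && b" differ
# when "a" fails. "false" stands in for a failed "apt update"; bumping a
# counter stands in for "apt upgrade". Each demo runs in a subshell with
# errexit (-e) switched off so the deliberate failure is observed instead of
# aborting the whole script.

# ";" way: the second step runs even though the first one failed.
chain_semicolon() (
    set +e
    ran_second=0
    false ; ran_second=1
    echo "$ran_second"          # 1: "upgrade" ran after a failed "update"
)

# "&&" way: the second step is skipped because the first returned non-zero.
chain_and() (
    set +e
    ran_second=0
    false && ran_second=1
    echo "$ran_second"          # 0: "upgrade" skipped
)

# The "&&" list as a whole reports the failing command's status, which is
# what lets a caller (or "set -e" in a script) notice the error.
chain_and_status() (
    set +e
    false && true
    echo "$?"                   # 1
)

# The same idea with the real commands, for a script run as root: "&&" at a
# prompt and "set -e" in a script both stop at the first failing command.
update_and_upgrade() {
    apt-get update && apt-get -y upgrade
}
```

Running the three demo functions prints 1, 0 and 1 respectively; the last function is only there to show the pattern applied to apt and is not called.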
Just disable passwords and use ssh-keys for login.
This is the way to go. But the majority of the hits I get on my server are on port 22.
I'd rather say; do not expose ssh to the internet - use VPN.
@@casperghst42 of course. Not sure if I mentioned it. To me it’s obvious but I should be more explicit about it.
do you know of a decent tutorial to go over implementing ssh keys?
who the hell allows port scanning on his firewall anyway?
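Added example, not from the thread: a defender-side check that an sshd configuration really does what the replies above recommend, namely refuse passwords and accept keys (the port number is deliberately not part of the verdict, since a scan finds it anyway). The two configurations are constructed samples; on a live host you would pipe the effective configuration from "sshd -T" (run as root) into the same function.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd configuration for
# key-only login. Sample configs below are constructed for the demo.

WEAK_CONFIG='# port changed "for security", but passwords are still accepted
Port 2222
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONFIG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password'

# Print the effective value of one keyword from the config on stdin.
# sshd uses the first occurrence of a keyword, so stop at the first match;
# keywords are case-insensitive, and "sshd -T" prints them in lower case.
# Anything below a "Match" block is conditional, so stop there as well.
sshd_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    '
}

# Verdict for the config on stdin: "ok" when keys are the only way in,
# "weak" otherwise. Absent keywords take the sshd defaults (both "yes").
ssh_auth_verdict() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)
    pk=$(printf '%s\n' "$cfg" | sshd_value PubkeyAuthentication)
    [ -z "$pw" ] && pw=yes
    [ -z "$pk" ] && pk=yes
    if [ "$pw" = no ] && [ "$pk" = yes ]; then echo ok; else echo weak; fi
}

verdict_weak()     { printf '%s\n' "$WEAK_CONFIG" | ssh_auth_verdict; }
verdict_hardened() { printf '%s\n' "$HARDENED_CONFIG" | ssh_auth_verdict; }

echo "constructed weak config:     $(verdict_weak)"
echo "constructed hardened config: $(verdict_hardened)"
# On a real host (as root):  sshd -T | ssh_auth_verdict
```

PAM can still prompt for a password through keyboard-interactive authentication, which is why the hardened sample also sets KbdInteractiveAuthentication no (ChallengeResponseAuthentication on OpenSSH older than 8.7); the check here only covers the two keywords the replies mention.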
I'm already subscribing at 2:49 after you started talking about privileged and unprivileged. I am roughly 12 hours into trying out Proxmox and have not learned a ton yet, so I'm very impressionable. :P Every other video I found on YT, so far, that was talking about initial setups and how to do blah blah blah just had you untick the "Unprivileged container" box. It didn't feel right to me, for obvious reasons. It felt lazy, but maybe that was how it was done in this new ecosystem. I didn't know. So, thank you for staying security minded, I'll be checking out your other vids!!
There is a separate linux distro for the purpose of kubernetes / docker called: Talos.
You're right... This video shows me people don't understand what they do! Wasting resources and our time!
Many thanks Anand, I'm pretty new to all this and up till now I've had docker running via a casaOS VM. I will be ditching that now and going forward with a Docker LXC for the future :)
Great. CasaOS is great. But building from scratch and learning is the fun part.
Brilliant!! Bravo for your decision to start from scratch the old way!! To follow!!
Thanks!. Quick question. By "start from scratch the old way", what do you mean exactly?
@@AnandsLab I mean build the stack manually and not the automated Trafik script.
Trafik auto is good, I tried version 2.0 but it had some errors and I left it. I prefer to have control of the containers and know why things happen.
In fact, I recently installed Truenas (bare metal) on an HP Microserver and I want to mount the plex, sonarr, jacket stack on proxmox (mini pc).
Downloads on a synology DS218+.
Your tutorial fits me like a glove.
Thank you!!!
such a good explanation... new follower.
Good video but you kept interrupting the screen with your fullscreen video, unneeded disruption when you've already got a webcam on screen
Thanks! Already being addressed in the newer videos :-)
That's why I hate Tiktok, you don't need to see the person talking and hand talking videos, are the worst. Rant over, I finally got it out.
Hey I like your setup and if you could do a video on how you got it all set up from start to finish that would be awesome. I'm currently trying to do a server for my Omada controller and I just can't seem to get it working. I'm using an old laptop with Ubuntu now but it seems nothing is working, but watching what you are doing I am amazed.
One Question on Debian 12.5:
- I install the Debian 12 Minimal install
- I then install docker
- I created two nginx containers, with ports 8080 and 8081 respectively.
- I then make sure that I can access each container site, plus ping the Debian host.
- Now I install UFW, allow port 2052/tcp, then enable it.
- I can still ping the Debian host & also access the two nginx sites { WHY ??? }
My question: How can I block everything and only allow access to ports that I need, like 2052, 8080, 8081/tcp?
This is a docker problem and one reason why some prefer podman. Docker by default adds firewall rules to allow traffic to all containers. Take a look at ufw-docker on GitHub.
Anand, thank you for your time in providing this tutorial. I have successfully initiated the docker engine in a container with all of the steps shown in your video. Do I have to create a new container for each docker application that I want to run in Proxmox?
No. One lxc with docker can run as many containers as you want. In fact my home server lxc runs about 50 docker containers
@@AnandsLab I think you may have misunderstood my question. I was asking if I am limited to running a single docker service or application per container?
@@fourex59 What do you mean by "container"? The LXC container or the docker containers inside the LXC container? Your setup should be like this: 1 single LXC container in Proxmox, then install docker in this LXC container, and then install all your docker applications on that docker instance.
@@RaduRadonys Ok thanks that answers my question. Should I start off with Portainer as my first application?
@@fourex59 Yes you could definitely do that, that's what I'm doing too. And then you could use Portainer to install all remaining apps that you want.
Rather than set a static IP, I use a DHCP reservation. That way all of the IPs are documented in the dhcp config, making the config discoverable.
Hi Anand, I have a question regarding the use of unprivileged LXC containers in Proxmox and wanting to have container apps access a shared folder via CIFS or NFS to back up data or a database. How do you do it? Don't you face any issues? I normally run portainer and found it is not possible to add an external remote volume using CIFS. Then mapping through the proxmox node seems to work but not for each situation, and permissions can be tricky when using that method. Could you please provide your comments or share your experience on this? Thank you in advance and great video and guides on your website.
7:20 you are not allocating cpu cores or memory. You are just giving the limitation. This is an advantage of LXC. If I'm wrong, correct me.
Yes, good point. Thanks for clarifying. It is the upper limit. This does not mean all the allocated resources are used.
I know this has been a debate for some time, but for today, Is it a good idea to run Docker on a lot of Proxmox LXCs?
Also please make a video on how to SSH with key, if you would. Thanks!
Many thanks for this detailed setup video and the guides, really appreciate
Glad you enjoyed it!
Hi thanks for your great and professional tutorials..
Just one question: what is the "my Home Server" you are talking about here at 9:10 for?
My home server is the "hs" container on proxmox. It is my home server that is running all apps including the Arr apps. Then I have a separate mds container that is the media and database server.
@@AnandsLab Thanks.. 👍
New Sub; Detroit, Michigan, US
Well Done Sir, I'm working on setting up Proxmox... again, and getting it to actually work and do something this time lol
Keep It Up!
Uh the state up north 🤮. lol! Thanks for joining. Go bucks!
@@AnandsLab Thanks for Taking Toledo 🤣🔫
16:00 Why don't you use the Proxmox firewall instead?
That is definitely an option and offers a firewall outside the system. I tried to showcase something that could work not only for Proxmox LXC but also barebones Ubuntu.
I would not do this, I ran docker in proxmox lxc containers and then a kernel update came out and wiped out all my dockers inside those lxc containers. It's written all over the forums not to run docker in lxc containers yet there's so many new videos on how to do it. 🤦
This hasn't been my experience. I have been using this setup since Proxmox 6 with no issues. I do not recommend anything in my videos that I haven't been using myself.
Can you share specifics? The only issue I have heard of is very recent (Proxmox 8.2???) and this video came out before that. So please elaborate.
Glad someone said it.
There have been issues in the past with AppArmor getting in the way of docker containers starting when in an LXC. Yeah, docker is cool and you can run a lot of them under one LXC instance, but you also have to consider the backup and restore scenario if anything ever goes wrong with one of the apps. If everything is under 1 LXC, you must restore everything back to the latest backup in the event of a failure. In some situations this is ok, for instance I run all my arrs apps in 1 LXC and run a nightly backup, but I have other LXC instances for everything else so I can have a separate backup plan for each. This way, if something fails, I don't have to keep track of all the changes I'd have to make to each app if I did a restore.
How does docker in proxmox compare to running docker pods in kubernetes?
This is beyond my experience. I do not use Kubernetes, at least not yet. Maybe others can chime in.
I also have it in LXC containers with zfs in proxmox. It works but backups are not restorable
What??? I just recently switched to zfs. I have to check the backups then.
Well, I cannot even take backups anymore of my docker LXC. The proxmox guys clearly do NOT advise to install docker on proxmox. They are strongly against it, as mentioned several times in the proxmox forums to people who have problems with docker on proxmox.
@@AnandsLab do you also have some issues?
What does it mean "not restorable"? I've restored a VM last week, Proxmox 8.2.2 on ZFS.
Thank you.
well done!
You have to tweak UFW rules separately so that it works for Docker.
It is one of the biggest mistakes people make when working with Docker.
Countless services open on the internet that shouldn't be.
Docker opens ports up by itself without asking and ufw doesn't work in the default way for this.
You can explicitly close a port or everything down with UFW and Docker will overrule it.
thank you
very good guide, ty
I’m planning my first Proxmox install and plan on using Docker.
Tteck has a number of helper scripts, including a direct install of a Docker LXC without loading Ubuntu first. If I’m only going to use the LXC for Docker, is there any reason to have it nested in Ubuntu first?
Thanks!
Although I am familiar with Tteck's scripts, I am not familiar with his/her Docker LXC. I assume it also uses Ubuntu/Debian as a base inside the LXC anyway and is nested. I'll try to run it and do a quick check.
Try docker swarm. I gave up trying lxc. You may run into issues running HA when clustered.
Unfortunately, this is not something I have tried. My homelabs are simple and I have not had the need for HA until now. Maybe one day. I will keep this in mind.
What is HA
@@ruukes4770 High Availability.
@@ruukes4770 high availability. It is an architecture to ensure uptime of a service.
@@ruukes4770 my guess would be home assistant. it is a way to aggregate different smart devices in one place.
How does including LXD alongside LXC change things? I am still having difficulty understanding LXD.
Proxmox is not using LXD. I would ignore it in this case
Be careful, ufw does not work with docker containers! You will have all container ports opened to the internet.
Yes, this is correct and something to watch out for. It's why UFW-Docker is nice to implement, so you can continue to leverage the networking capabilities built into docker while also respecting the firewall rules.
@@AnandsLab I tried UFW-Docker, in 2024 it does not work.
To protect my containers, I just install UFW in the docker container itself.
@@AnandsLab So does this mean that we should or should not apply the three lines of instruction to create the firewall? I do not want it to be accessible over the Internet. Thanks
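Added example, not from any commenter or the video. The question earlier about the two nginx containers on 8080/8081 still answering after UFW was enabled, the comment that Docker overrules UFW, and the question just above about whether to apply the firewall lines all come down to one mechanism: UFW filters the host's INPUT chain (so it does protect host services such as SSH on 2052), but published container ports are FORWARDed through rules Docker inserts itself. The script shows two Docker-documented fixes that do not depend on ufw-docker: rules in the DOCKER-USER chain, which Docker consults before its own FORWARD rules, and publishing ports on a specific address instead of 0.0.0.0. The interface name, subnet and ports are assumed values; it prints the iptables commands for review and only applies them when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, subnet and ports below are
# assumed/constructed values; adjust them for your network.

WAN_IF="${WAN_IF:-eth0}"                      # assumed: interface untrusted traffic arrives on
LAN_NET="${LAN_NET:-192.168.1.0/24}"          # assumed: the only clients allowed in
ALLOWED_CONTAINER_TCP="${ALLOWED_CONTAINER_TCP:-8080 8081}"   # host ports from the question

# Fix 1: emit DOCKER-USER rules, one iptables command per line.
# By the time FORWARD runs, DNAT has already rewritten the destination to the
# container's port, so the published host port is matched through conntrack's
# original destination port instead of --dport. RETURN hands the packet on to
# Docker's own rules (which allow published ports); DROP ends it.
docker_user_rules() {
    echo "iptables -F DOCKER-USER"
    echo "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    for port in $ALLOWED_CONTAINER_TCP; do
        echo "iptables -A DOCKER-USER -i $WAN_IF -s $LAN_NET -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j RETURN"
    done
    echo "iptables -A DOCKER-USER -i $WAN_IF -j DROP"   # any other container traffic from that interface
    echo "iptables -A DOCKER-USER -j RETURN"            # traffic from elsewhere: Docker decides
}

# Fix 2: build "-p" arguments bound to one address. With 127.0.0.1 the ports
# are reachable only from the host itself (e.g. by a reverse proxy there).
# The same default for every container: {"ip": "127.0.0.1"} in
# /etc/docker/daemon.json.
publish_args() {
    addr=$1; shift
    out=""
    for spec in "$@"; do
        out="$out -p $addr:$spec"
    done
    printf '%s\n' "${out# }"
}

if [ "${APPLY:-0}" = 1 ]; then
    docker_user_rules | sh -e       # needs root; like any iptables rule, not persistent across reboots
else
    docker_user_rules               # dry run: review before applying
    echo "docker run -d $(publish_args 127.0.0.1 8080:80 8081:80) nginx"
fi
```

For the setup in the question, keeping "ufw allow 2052/tcp" for the host's SSH port and adding the DOCKER-USER rules for the container ports gives the "block everything except what I need" result; binding the nginx ports to 127.0.0.1 is the simpler choice when only a local reverse proxy needs to reach them.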
Use Alpine for minimum footprint
Thanks
We are learning of you and you are supposed to be showing us what you are teaching us, please after introduction I think it will be better to leave your face at the corner of the video and leave what you are teaching more on the screen so that we can follow better otherwise I am fighting more to pause to see what you want to show and teach between your face. Just a humble opinion, thank you.
Feedback noted🙂
If this LXC is only exposed to your LAN, why are you changing the SSH port (and if you're taking that step, why not disable password logins)? And enabling the firewall? Particularly since Docker clobbers the firewall rules anyway? These just seem like pointless complications.
A lot can be done. Just a simple obfuscation. All of what you mentioned are good practices.
good video but one suggestion, please keep the focus on the computer screen or the picture you are showing. We can see you, picture in picture of the video anyways.
Thanks. Already addressed. I was starting out then. My recent videos should be easier on the eye :-)
Where are my sunglasses! OMG my eyes, please put it in dark mode :p
LOL switched to immediately :-)
@AnandsLab RHEL yes install desktop not proxmox yes terminal install alll desktop apps docker yeah or not
would be great if you stay at that small overlay, and show more of your screen. Yes you are handsome, but i prefer to see the screen slightly longer to follow :D:D:D thanks btw
lol. I was starting out. A lot has changed since.
At ua-cam.com/video/-ZSQdJ62r-Q/v-deo.html I'm not receiving these Get statements. All of mine are "Ign" instead of "Get"
Sorry, I do not understand your comment. Can you explain?
Nevermind I think my static ip was invalid.
I think the best virtual option in proxmox is to use a vm, not lxc
This depends on need. LXC works great for many reasons.
Thanks for the video, but I'm afraid I have to disagree with your vision. To use Docker on top of an LXC container, privileged or unprivileged, is nonsense. Docker can run containers perfectly on top of a VM. Do you want a container? Use LXC directly and forget Docker. You are also ignoring fundamental knowledge such as DNS, FQDN, PVE firewall, etc.
To each their own. I would not call Docker on LXC nonsense. It works great and offers some great advantages over a VM. I have had only 1 issue over the last 2 years, and that too was an issue on the Docker side and not proxmox.
It is better to let us see your screen than to see your face. To put your face on the screen when speaking
Of course, I was new to youtube. I have evolved my methods over time.
Holy crap, the cuts. Cut after cut after cut. It's like you can't string two sentences together, so you have to cut EVERY SENTENCE. It's jarring and annoying. Stop it.
It's a learning process. I already addressed it. I was starting out then. My recent videos should be easier on the eye :-)
Noooooooooo. Run it in a VM. Better still, don't use Proxmox.
See my other detailed response. I have had no issues in 2 years of running it.
I am very new to linux. Please can you help me with some issues with proxmox regarding networking?
Please reach out on discord.