this post was submitted on 20 Feb 2025
38 points (95.2% liked)


I run a small server with Proxmox, and I'm wondering what are your opinions on running Docker in separate LXC containers vs. running a specific VM for all Docker containers?

I started with LXC containers because I was more familiar with installing services the classic Linux way. I later added a VM specifically for running Docker containers. I'm wondering whether I should continue this strategy and just add some more resources to the Docker VM.

On one hand, backups seem to be easier with individual LXCs (I've had situations where I tried to update a Docker container but the new container broke the existing configuration, and I found it easiest just to restore the entire VM from backup). On the other hand, it seems like more overhead to install Docker in each individual LXC.

top 50 comments
[–] MangoPenguin@lemmy.blahaj.zone 10 points 3 days ago* (last edited 3 days ago) (7 children)

Regardless of VM or LXC, I would only install docker once. There's generally no need to create multiple docker VMs/LXCs on the same host. Unless you have a specific reason; like isolating outside traffic by creating a docker setup for only public services.

Backups are the same with VM or LXC on Proxmox.

The main advantages of LXC that I can think of:

  • Slightly less resource overhead, but not much (debian minimal or alpine VM is pretty lightweight already).
  • Ability to pass-through directories from the host.
  • Ability to pass-through hardware acceleration from a GPU, without passing through the entire GPU.
  • Ability to change CPU cores or RAM while it's running.

[–] possiblylinux127@lemmy.zip 2 points 3 days ago

Also, LXC shares the host filesystem, so there is less concern with corruption due to power loss.

[–] Oisteink 1 points 3 days ago

There are differences in high availability, startup time and CPU compatibility between hosts, as you are not emulating hardware.

[–] bizdelnick@lemmy.ml 9 points 3 days ago (4 children)

What's the purpose of running a container in a container? Why not install docker on your host machine?

[–] darkknight@discuss.online 1 points 25 minutes ago

You want to keep modification of the host to a minimum in virtualization. It makes troubleshooting so much easier.

[–] DarkDarkHouse@lemmy.sdf.org 8 points 3 days ago (2 children)

If you do that, Docker is stuck on that host. If it’s in an LXC it can move to another host. Plus, backing up and snapshotting are easier IMO.

[–] bizdelnick@lemmy.ml 5 points 3 days ago

Snapshotting in docker is as easy as docker commit. After that you can back it up with docker save. Then move to another host, but not without downtime.

However normally you need to backup/move only volumes attached to containers. If that's not the way how you like to organize your services, you likely don't need docker.

Docker doesn't need to be portable because containers are...

I don't even understand this logic.

[–] MangoPenguin@lemmy.blahaj.zone 2 points 3 days ago (2 children)

Docker's 'take-over-system' style of network management will interfere with proxmox networking.

[–] bizdelnick@lemmy.ml 1 points 2 days ago

Well, I don't use proxmox, however docker coexists with libvirt and other virtualization systems. If there are overlapping networks that docker and proxmox attempt to manage, they are configurable.

[–] sugar_in_your_tea@sh.itjust.works 1 points 3 days ago* (last edited 3 days ago) (1 children)

I don't use proxmox, but it works absolutely fine for me on my regular Linux system, which has a firewall, some background services, etc. Could you be more specific on the issues you're running into?

Also, I only really expose two services on my host:

  • Caddy - handles all TLS and proxies to all other services in the internal docker network
  • Jellyfin - my crappy smart TV doesn't seem to be able to handle Jellyfin + TLS for some reason, it causes the app to lock up

Everything else just connects through an internal-only docker network.

If you're getting conflicts, I'm guessing you've configured things oddly, because by default, docker creates its own virtual interface to explicitly not interfere with anything else on the host.
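The layout described in this comment (one reverse proxy is the only published TLS endpoint, everything else is reachable solely over a user-defined Docker network) as a docker compose file. This is an added example, not the commenter's own configuration; the service names, image tags, the `app` placeholder service, the media path and the Caddyfile contents are assumptions.

```yaml
# Added example: docker-compose.yml for the "only the reverse proxy is published" layout.
# Service names, image tags, host paths and the Caddyfile are assumptions, not from the thread.
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"      # plain HTTP, used for ACME challenges and the redirect to HTTPS
      - "443:443"    # the only TLS endpoint published on the host
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data        # ACME account and issued certificates
      - caddy_config:/config
    networks:
      - internal     # reaches the backend services by container name, e.g. "app:80"

  # Backend service: there is no "ports:" block, so it is reachable only from containers
  # on the "internal" network (that is, through Caddy), never from the host's LAN interface.
  app:
    image: nginx:alpine   # placeholder for a real self-hosted service (assumption)
    restart: unless-stopped
    networks:
      - internal
    expose:
      - "80"           # documents the container port; does NOT publish it on the host

  # The one exception the comment mentions: Jellyfin is published directly over plain
  # HTTP because the poster's TV cannot cope with it behind TLS.
  jellyfin:
    image: jellyfin/jellyfin
    restart: unless-stopped
    ports:
      - "8096:8096"
    volumes:
      - jellyfin_config:/config
      - /srv/media:/media:ro   # assumed media path, mounted read-only
    networks:
      - internal

networks:
  internal:
    driver: bridge
    # "internal: true" would additionally remove all egress for members of this network.
    # If you set it, Caddy needs a second, non-internal network or it cannot complete
    # ACME challenges and fetch certificates.

volumes:
  caddy_data:
  caddy_config:
  jellyfin_config:
```

A matching Caddyfile entry is one line per backend, for example `app.example.com { reverse_proxy app:80 }`, with `app` resolved by Docker's embedded DNS on the `internal` network. To confirm the exposure is what you intended, run `ss -tlnp` on the host: only 80, 443 and 8096 should be listening for this stack. Note that this only limits network exposure; the isolation boundary between the containers and the hypervisor is still the LXC or VM they run in, which is the distinction the rest of the thread is about.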

[–] MangoPenguin@lemmy.blahaj.zone 3 points 3 days ago (1 children)

A couple posts down explains it, docker completely steamrolls networking when you install it. https://forum.proxmox.com/threads/running-docker-on-the-proxmox-host-not-in-vm-ct.147580/

The other reason is that if it's on the host you can't back it up using Proxmox Backup Server with the rest of the VMs/CTs.

[–] sugar_in_your_tea@sh.itjust.works 2 points 3 days ago (1 children)

I don't use proxmox, so I guess I don't understand the appeal. I don't see any reason to backup a container or a VM, I just backup configs and data. Backing up a VM makes sense if you have a bunch of customizations, but that's pretty much the entire point of docker, you quarantine your customizations to your configs so it's completely reproducible if you have the configs and data.

[–] MangoPenguin@lemmy.blahaj.zone 2 points 2 days ago* (last edited 2 days ago) (1 children)

Ease of use mostly, one click to restore everything including the OS is nice. Can also easily move them to other hosts for HA or maintenance.

Not everything runs in docker too, so it's extra useful for those VMs.

That's fair.

That said, I can't think of anything I'd want to run that doesn't work in docker, except maybe pf? But I'd probably put that on a dedicated machine anyway. Pretty much everything else runs on Linux or has a completely viable Linux alternative, so I could easily build a docker image for it.

[–] mr_jaaay@lemmy.ml 1 points 3 days ago

Honestly, I never really thought of installing Docker directly on Proxmox. I guess that might be a simpler solution, to run Dockers directly, but I kind of like to keep the hypervisor more stripped down.

[–] possiblylinux127@lemmy.zip 5 points 3 days ago

Honestly you can do either.

LXC

  • shares host kernel (theoretically lighter weight)

  • less isolation from host (less secure)

  • devices are passed via device files

  • less flexible due to dependence on host

  • no live transfers

  • filesystem shared with host

virtualization

  • has own kernel and filesystem

  • supports live transfers

  • hardware pass-through is done at the device level

  • more flexible due to independent kernel

  • more overhead

[–] Pulsar@lemmy.world 6 points 3 days ago

I have been running Docker containers in both LXC and VM for a long time without issues or meaningful performance penalties. So I run important single docker containers on top of LXC and everything else in Dockge / Portainer VMs.

[–] tofuwabohu@slrpnk.net 5 points 3 days ago

I can't say much about docker in LXC as I'm not using it. I vaguely remember some limitations I've read of, but if it works fine for you those don't seem to apply.

A VM has more overhead than an LXC, but with several LXCs maybe a single VM wins on overhead.

I currently have most Docker containers in one VM and am thinking about splitting it, the main reason is that 2 deployments have way larger volumes than the rest. This leads to the snapshots of the VM being very large as well and if I would need to restore from snapshots for a "small" application, it would take super long because of the large ones.

A single VM may be a bit easier on maintenance than several LXCs.

If you don't have a specific reason to switch, I would not.

[–] DarkDarkHouse@lemmy.sdf.org 4 points 3 days ago

You can also create a single LXC for Docker and run multiple Docker containers on it. The VM argument is for security as it’s harder to escalate to the host from a VM than from an LXC.

[–] conrad82@lemmy.world 3 points 3 days ago (3 children)

I used to use LXC, and switched to VM since internet said it was better.

I kinda miss the LXC setup. Day to day I don't notice any difference, but increasing storage space in VM was a small pain compared to LXC. In VM I increased disk size through proxmox, but then I had to increase the partition inside VM.

In LXC you can just increase the disk size and it is immediately available to the containers.

[–] hendrik@palaver.p3x.de 3 points 2 days ago

I don't think the internet gave particularly good advice here. Sure, there are use-cases for both, and that's why we have both approaches available. But you can't say VMs are better than containers. They're a different thing. They might even be worse in your case. But I mean in the end, all "simple truths" are wrong.

[–] Oisteink 3 points 3 days ago

Don't listen to them! The main issue with containers vs VM is security, as your LXC runs in the host, while a VM runs on the host.

Use what you are familiar with and remember that LXC are containers and docker are containers, but the use of them is vastly different.

[–] possiblylinux127@lemmy.zip 1 points 3 days ago (1 children)

Personally I just mount file shares within the VM.

[–] conrad82@lemmy.world 1 points 2 days ago (1 children)

I tried that too for a time, using samba. But databases didn't work from a share. I just found it easier in the end to have volumes inside the LXC / VM directly.

[–] possiblylinux127@lemmy.zip 2 points 2 days ago (1 children)

Using Samba for a database is crazy. You want unencrypted NFS.

Databases aren't all that big in my case so I usually just leave them be.

[–] conrad82@lemmy.world 1 points 2 days ago

When I have used NFS in the past, I had issues with different user IDs. What is the best solution these days?

After becoming a father last year, the time I have for tinkering is close to 0. I found it easiest to keep all the data in the same VM / LXC, pretty straightforward to maintain.

[–] Nephalis@discuss.tchncs.de 3 points 3 days ago

You could create a fresh container, install docker, and create a new template image from it. This way the overhead of installing disappears. The overhead in resource usage for each docker installation would remain the same as before.

As mentioned in another reply, you could run several containers in one LXC, for example with docker compose or podman. I have no experience with podman, but I do with docker compose, and docker compose is pretty simple.

But all in all, I prefer to install everything "bare metal" in LXC containers. The main reason is, I don't want to mess around with the extra layer of configuring ports etc.

[–] ikidd@lemmy.world 2 points 3 days ago

If you use Live Migrate, realize that it doesn't work on an LXC, only VMs. Your containers will be restarted with the LXC on the new node.

[–] just_another_person@lemmy.world 2 points 3 days ago (5 children)

Run Docker at the host level. Every level down from there is not only a knock to performance across the spectrum, it just makes a mess of networking. Anyone in here saying "it's easy to backup in a VM" has completely missed the point of containers, and apparently does not understand how to work with them.

You shouldn't ever need to backup containers, and if you're expecting data loss if one goes away, yerdewinitwrawng.

[–] Pika@sh.itjust.works 1 points 2 days ago* (last edited 2 days ago)

Just chiming in, this is not recommended for proxmox

The documentation (FAQ 13) actually directly says that docker should be installed as a QEMU VM on proxmox and that it should not be installed on the Proxmox VE Host

[–] Oisteink 2 points 3 days ago (1 children)

You don't need or want docker on your VM host. But a bare metal docker host can solve many people's needs.

[–] Dalraz@lemmy.ca 2 points 3 days ago

I personally like LXCs over VMs for my home lab, and I run a dedicated LXC for docker and one running a single-node k8s.
