I run a small server with Proxmox, and I’m wondering what are your opinions on running Docker in separate LXC containers vs. running a specific VM for all Docker containers?
I started with LXC containers because I was more familiar with installing services the classic Linux way. I later added a VM specifically for running Docker containers. I’m thinking if I should continue this strategy and just add some more resources to the docker VM.
On one hand, backups seem to be easier with individual LXCs (I’ve had situations where I tried to update a Docker container but the new container broke the existing configuration and found it easiest just to restore the entire VM from backup). On the otherhand, it seems like more overhead to install Docker in each individual LXC.
Honestly you can do either.
LXC
-
shares host kernel (theoretically lighter weight)
-
less isolation from host (less secure)
-
devices are passed via device files
-
less flexible due to dependence on host
-
no live transfers
-
filesystem shared with host
virtualization
-
has own kernel and filesystem
-
supports live transfers
-
hardware pass though is done at the device level
-
more flexible due to independent kernel
-
more overhead
-
Regardless of VM or LXC, I would only install docker once. There’s generally no need to create multiple docker VMs/LXCs on the same host. Unless you have a specific reason; like isolating outside traffic by creating a docker setup for only public services.
Backups are the same with VM or LXC on Proxmox.
The main advantages of LXC that I can think of:
- Slightly less resource overhead, but not much (debian minimal or alpine VM is pretty lightweight already).
- Ability to pass-through directories from the host.
- Ability to pass-through hardware acceleration from a GPU, without passing through the entire GPU.
- Ability to change CPU cores or RAM while it’s running.
Also LXC shares the host filesystem to there is less concern with corruption due to power loss.
I use individual lxc for each docker compose so I don’t have to revert 8 services at once if I need to restore.
I would also argue that an alpine lxc runs in 22mb ram by itself … Significantly smaller footprint on disk and in memory. But most importantly, lxc can actually share memory space effectively, one doesn’t need to reserve blocks of ram.
You don’t have to revert 8 services, you can stop/start them independently:
docker compose stop <service name>.This is actually how I update my services, I just stop the ones I want to update, pull, and restart them. I do them one or two at a time, mostly to mitigate issues. The same is true for pulling down new versions, my process is:
- edit the docker-compose file to update the image version(s) (e.g. from 1.0 -> 1.1, or 1.1 -> 2.0); I check changelog/release notes to check for any manual upgrade notices
- pull new images (doesn’t impact running services)
docker compose up -dbrings up any stopped services using new image(s)- test
- go back to 1 until all services are done
I do this whenever I remember, and it works pretty well.
Oh, nice. Thanks!
This is me showing my docker ignorance, I suppose.
How do you handle backups? Install restic or whatever in every container and set it up? What about updates for the OS and docker images, watchtower on them I imagine?
It sounds like a ton of admin overhead for no real benefit to me.
I just snapshot the parent lxc. The data itself isn’t part of the container at any level, so if I bung up compose yml or env, I can just flip it back. The only real benefit is that all my backups are in the same place in the same format.
Like I’m not actually opposed to managing docker in one unit, I just haven’t got there yet and this has worked so far.
If I were to move to a single platform for several docker, what would you suggest? For admin and backups?
What’s the purpose of running container in a container? Why not install docker on your host machine?
If you do that, Docker is stuck on that host. If it’s in an LXC it can move to another host. Plus, backing up and snapshotting are easier IMO.
Docker doesn’t need to portable because containers are…
I don’t even understand this logic.
Snapshotting in docker is as easy as
docker commit. After that you can back it up withdocker save. Then move to another host, but not without downtime.However normally you need to backup/move only volumes attached to containers. If that’s not the way how you like to organize your services, you likely don’t need docker.
Honestly, I never really thought of installing Docker directly on Proxmox. I guess that might be a simpler solution, to run Dockers directly, but I kind of like to keep the hypervisor more stripped down.
Dockers ‘take-over-system’ style of network management will interfere with proxmox networking.
Well, I don’t use proxmox, however docker coexists with libvirt and other virtualization systems. If there are overlapping networks that docker ant proxmox attempt to manage, they are configurable.
I don’t use proxmox, but it works absolutely fine for me on my regular Linux system, which has a firewall, some background services, etc. Could you be more specific on the issues you’re running into?
Also, I only really expose two services on my host:
- Caddy - handles all TLS and proxies to all other services in the internal docker network
- Jellyfin - my crappy smart TV doesn’t seem to be able to handle Jellyfin + TLS for some reason, it causes the app to lock up
Everything else just connects through an internal-only docker network.
If you’re getting conflicts, I’m guessing you’ve configured things oddly, because by default, docker creates its own virtual interface to explicitly not interfere with anything else on the host.
A couple posts down explains it, docker completely steamrolls networking when you install it. https://forum.proxmox.com/threads/running-docker-on-the-proxmox-host-not-in-vm-ct.147580/
The other reason is if it’s on the host you can’t back it up using proxmox backup server with the rest of the VMs/CTs
I don’t use proxmox, so I guess I don’t understand the appeal. I don’t see any reason to backup a container or a VM, I just backup configs and data. Backing up a VM makes sense if you have a bunch of customizations, but that’s pretty much the entire point of docker, you quarantine your customizations to your configs so it’s completely reproducible if you have the configs and data.
Ease of use mostly, one click to restore everything including the OS is nice. Can also easily move them to other hosts for HA or maintenance.
Not everything runs in docker too, so it’s extra useful for those VMs.
That’s fair.
That said, I can’t think of anything I’d want to run that doesn’t work in docker, except maybe pf? But I’d probably put that on a dedicated machine anyway. Pretty much everything else runs on Linux or has a completely viable Linux alternative, so I could easily built a docker image for it.
I have been run Docker container in both LXC and VM for a long time without issues or meaningful performance penalties. So I run important single docker containers on top of LXC and everything else in Dockge / Portainer VMs.
I used to use LXC, and switched to VM since internet said it was better.
I kinda miss the LXC setup. Day to day I don’t notice any difference, but increasing storage space in VM was a small pain compared to LXC. In VM I increased disk size through proxmox, but then I had to increase the partition inside VM.
In LXC you can just increase disk size and it immediately is available to the containers
I don’t think the internet gave particularly good advice here. Sure, there are use-cases for both, and that’s why we have both approaches available. But you can’t say VMs are better than containers. They’re a different thing. They might even be worse in your case. But I mean in the end, all “simple thruths” are wrong.
Dont listen to them! The main issue with containers vs vm is security as you lxc runs in the hosts, while a vm runs on the host.
Use what you are familiar with and remember that lxc are containers and docker are containers, but the use of them are vastly different.
Personally I just Mount file shares within the VM
I tried that too for a time, using samba. But databases didn’t work from a share. I just found it easier in the end to have volumes inside the LXC / VM directly
Using Samba for a database is crazy. You want unencrypted NFS.
Databases aren’t all that big in my case so I usually just leave them be.
When I have used nfs in the past, i have issues with different user ID. What is the best solution these days?
After becoming a father last year, the time I have for tinkering is close to 0. I found it easiest to keep all the data in the same vm / lxc, pretty straight forward to maintain
I can’t say much to docker in LXC as I’m not using it, I vaguely remember some limitation I’ve read of but if it works fine for you those don’t seem to apply.
A VM has more overhead than an LXC, but with several LXCs maybe a single VM wins on overhead.
I currently have most Docker containers in one VM and am thinking about splitting it, the main reason is that 2 deployments have way larger volumes than the rest. This leads to the snapshots of the VM being very large as well and if I would need to restore from snapshots for a “small” application, it would take super long because of the large ones.
A single VM may be a bit easier on maintenance than several LXCs.
If you don’t have a specific reason to switch, I would not.
If you use Live Migrate, realize that it doesn’t work on an LXC, only VMs. Your containers will be restarted with the LXC on the new node.
You can also create a single LXC for Docker and run multiple Docker containers on it. The VM argument is for security as it’s harder to escalate to the host from a VM than from an LXC.
You could create a fresh container, install docker, and create a new template image from it. This way the overhead of installing disapears. The overhead in resource usage for each docker installation would remain the same as before.
As mentioned in another reply, you could run several container in one lxc. For example with docker compose or podman. Since I have no experience with podman but with docker compose, docker compose is pretty simple.
But all in all, I prefer to install everything “bare metal” in lxc containers. The main reason is, I don’t want to mess around with the extra layer of configurating ports etc.
Run Docker at the host level. Every level down from there is not only a knock to performance across the spectrum, it just makes a mess of networking. Anyone in here saying “it’s easy to backup in a VM” has completely missed the point of containers, and apparently does not understand how to work with them.
You shouldn’t ever need to backup containers, and if you’re expecting data loss if one goes away, yerdewinitwrawng.
Just chiming in, this is not recommended for proxmox
The documentation (FAQ 13) actually directly says that docker should be installed as a QEMU VM on proxmox and that it should not be installed on the Proxmox VE Host
You dont need or want docker on your vm host. But a bare metal docker host can solve many peoples needs.
What in the world are you talking about? It’s literally the entire point of containers orchestration systems, and the reason why you don’t run containers inside containers. It’s makes zero sense.
People are probably looking for tools like cloud init, butane and Ansible
These should absolutely no place in the mix with containers at all. Very confused how you’ve made these work of that’s what you’re suggesting.
No, I mean they should setup VMs and LXC containers in automated way. I get the impression that some people here are trying to use a Dockerfile instead of something like Ansible where the end changes apply to a end system instead of creating a template for temporary deployments.
I personally like lxc’s over vms for my home lab and i run a dedicated lxc for docker and one running a single node k8s.
This thread has raised so many questions I’d like answered:
- Why are people backing up containers?
- Why are people running docker-in-docker?
- I saw someone mention snapshotting containers…what’s the purpose of this?
- Why are people backing up docker installs?
Seriously thought I was going crazy reading some of these, and now I’m convinced the majority of people posting suggestions in here do not understand how to use containers at all.
Flat file configs, volumes, layers, versioning…it’s like people don’t know what these are are how to use them, and that is incredibly disconcerting.
- I’m backing up LXCs, like I’d back up a VM. I don’t back up Docker containers, just their config and volumes.
- I don’t think anyone is doing that. We’re talking about installing Docker in LXC. One of the Proxmox rules you can live by is to not install software on the host. I don’t see the problem with installing Docker in an LXC for that reason.
- I’ll snapshot an LXC before running things like a dist-upgrade, or testing something that might break things. It’s very easy, so why not?
- I back up my LXC that has Docker installed because that way it’s easy to restore everything, including local volumes, to various points in time.
Because a lot of people don’t learn docker, they install docker because some software they want to use is distributed that way.
Yup, this is me exactly. I’ve been planning on going more indepth but haven’t found the time. Inunderstand Linux and how to use LXCs, docker less so.
Follow-up question: do you have any good resources to start with for a simple overview on how we should be using containers? I’m not a developer, and from my experiences most documentation on the topic I’ve come across targets developers and devops people. As someone else mentioned, I use docker because it’s the way lots of things happen to be packaged - I’m more used to the Debian APT way of doing things.
I don’t have anything handy, but I see your point, and I’d shame lazy devs for not properly packaging things maybe 😂
You mentioned you use Proxmox, which is already an abstraction on bare-metal, so that’s about as easy as easy an interface as I can imagine for a hosted machine without using something like Docker Desktop and using it to manage a machine remotely (not a good idea).
As a develop, I guess I was slightly confused on some suggestions on ways to use things being posted in this sub, but some of the responses I guess clarify that. There isn’t enough simplicity in explaining the “what” of containers, so people just use them the simplest way they understand, which also happens to be the “wrong way”. It’s kind of hard to grasp that when you live with these things 24/7 for years. Kind of a similar deal with networking solutions like Tailscale where I see people installing it everywhere and not understanding why that’s a bad idea 😂
So save you a lot of learning, I’ll just not go down a rabbit hole if you just want something to work well. Ping back here if you get into a spot of trouble, and I’ll definitely hop in to give a more detailed explanation on a workflow that is more effective than what it seems most people in here are using.
In fact, I may have just been inspired to do a write up on it.
Fair enough, would love to read something like this :-)
Yeah, I’ve been into Linux for 20 years, sometimes a bit on/off, as an all-around-sysadmin in mainly Windows places. And learned just enough of Docker to use it instead of apt - which I’d prefer, but as you said, many newer services don’t exist in debian repos or as .deb packages, only docker or similar.
If you’re familiar with Linux, just read the Dockerfile of any given project. It’s literally just a script for running a thing. You can take that info and install how you’d like if needed.
I’m guessing people are largely using the wrong terminology for things that make more sense, like backing up/snapshotting config and data that containers use. Maybe they’re also backing up images (which a lot of people call “containers”), just in case it gets yanked from wherever they got it from.
That said, yeah, someone should write a primer on how to use Docker properly and link it in the sidebar. Something like:
- docker-compose or podman for managing containers (a lot easier than
docker run) - how to use bind mounts and set permissions, as well as sharing volumes between containers (esp. useful if your TLS cert renewal is a separate container from your TLS server)
- docker networks - how to get containers to talk w/o exposing their ports system-wide (I only expose two ports, Caddy for TLS, and Jellyfin because my old smart TV can’t seem to handle TLS)
- how tags work - i.e. when to use latest, the difference between
<image>:<major>.<minor>.<patch>and<image>:<major>, etc, and updating images (i.e. what happens when you “pull”)
I’ve been using docker for years, but I’m sure the are some best practices I am missing since I’m more of a developer than a sysadmin.
- docker-compose or podman for managing containers (a lot easier than
Is your server a dedicated server, or a VPS? Because if it’s a VPS, you’re probably already running in a VM.
Adding a VM might provide more security, especially if you aren’t an expert in LXC security configuration. It will add overhead. Running Docker inside Docker provides nothing but more overhead and unnecessary complexity to your setup.
Also, because it isn’t clear to me from your post: LXC and Docker are two ways of doing the same thing, using the same Kernel capabilities. Docker was, in fact, written in top of LXC. The only real difference is the container format. Saying “running Docker on LXC” is like saying “running Docker on Docker,” or “running Docker on Podman,” or “running LXC on Docker”. All you’re doing is nesting container implementations. As opposed to VMs, which do not just use Linux namespace capabilities, and which emulate an entirely different computer.
LXC, Podman, and Docker use the underlying OS kernel and resources. VMs create new, virtual hardware (necessarily sharing the same hardware architecture, but nothing else from the host) and run their own kernels.
Saying “Docker VM” is therefore confusing. Containers - LXC, Podman, or Docker - don’t create VMs. They partition and segregate off resources from the host, but they do not provide a virtual machine. You can not run OpenBSD in a Docker container on Linux; you can run OpenBSD in a VM on Linux.
I think they mean a VM running docker
It’s a dedicated server (a small Dell micro-pc). Thanks for the comment, I understand the logic, I was approaching it more from an end-user perspective of what’s easier to work with. Which given my skill set are LXC containers. I have a VM on top of Proxmox specifically for Docker :-)
Lxc and docker are not equivalent. They are system and software containers respectively.
