OCI Containers and How Best to Run Services/Applications

Hi-

First, I want to thank all the individuals that support the project. It is truly amazing how much work and features have been added in such a short time. Now that Incus is supporting OCI containers I have a couple of basic questions:

  1. Is there any way to view a docker style log file to ensure everything is running correctly?
  2. Any plan to allow container to be rebuilt on a schedule (i.e. every 30 days).? This would be awesome.
    3.With more choice in how to run applications, it raises the question on how to best run an application (incus container, incus oci container or VM). Maybe there is no complete correct answer, but I would be interested in how the experts would run the following common homelab apps:
  • Home Assistant
  • Jellyfin or Plex server
  • Pihole
  • Treafik

Here are some of my thoughts on the different approaches :

Incus Containers- You are installing from known sources, so I would think it is a less of a security risk. If it is in the container, you put it there. It seems to be a little harder to recreate if something gets corrupted and you have to manually update and getting the latest version can be difficult.

Do you run a group of applications in one incus container or run only one app as a service?

I have to say I have combined a few applications in one incus container and they have lived fine for over a year with no issues at all.

Incus OCI Container- This is obviously new to incus and is awesome. One of my main reasons for moving to lxd and now incus is that how do really know what is in the OCI image? Is there a security risk to OCI images? I know docker is hugely popular, so maybe this is not a big issue. One of the great benefits is the ability to have your data separate and throw away the container and replace with a more updated version.

Incus VMs- Obviously these are resource heavy and probably should only be used when you need a separate kernel from the host. I have played around with a few, but really have not had a need in my homelab yet. Would you run Home Assistant as a VM?

What would your use case for a VM be?

2 Likes

Hi!

Virtual machines and containers (either system containers or application containers - OCI) offer isolation from your host (your server, etc). This isolation is crucial and it’s what everyone desires. Don’t need a service anymore? Nuke the instance and it’s all gone. No messing up with the host files and configuration.

A virtual machine requires some hardware (virtualization) features of your CPU to work, and it’s a bit heavy when you try to run several of them on the same computer.

Is it possible to have most of the benefits of virtual machines but at lower cost in terms of resources? Sure it is. Containers do not require hardware virtualization features. Containers only require security features of the Linux kernel and this makes them very lightweight. You can have dozens of containers for each VM.

As a side note, the security features of the Linux kernel that are used in Linux containers are namespaces, seccomp, capabilities and cgroups. Anyone can implement Linux containers and many have created even educational implementations. barco is one such educational implementation. As a side note, initially users were asking from kernel developers to add a Linux container subsystem to the Linux kernel. The kernel developers were not having that. They replied, sorry, you get security primitives instead, and based on those primitives you make your Linux container implementations. In fact it was a very mature response.

You are using Incus because you would want a single tool with a service that would manage all (VMs, system containers and applications containers) in the same way. If you were to use a different tool for each, the learning curve would be too steep.

When you launch a VM or a container, you can starting off from an image. These are provided either by https://images.linuxcontainers.org (this project) or the OCI repository you have enabled. The images from this project are only generic images that are created directly from Linux distributions. You can look for distrobuilder which is the tool that creates them, and even re-create them by yourself with the same public configuration. In that sense, what you get is what comes from your chosen Linux distribution.

On the other hand, with OCI images you can either use official OCI images (i.e. generated by Docker), or you have access to user-uploaded images. I think it’s obvious that if you select a user-uploaded image, you are making the choice whether what’s inside is good for you.

A running VM or container are called collectively instances. The rule of thumb is that you would use one service per instance, and you would prefer containers over VMs (unless there are strong reasons against the use of containers for this use-case). It’s mostly OK if you run everything in a single instance. It is neater if you separate the services into different instances. Before VMs, system administrators had to use separate physical servers which were expensive. In those times, some had to put different services into a single physical server because it would get very expensive otherwise. But now with all these virtual instances, it’s too affordable not to put different services in different instances.

Security is an overloaded term and may mean different things to different people. The standard view is that VMs are more secure because you get hardware virtualization/separation from the host. Instead, containers are isolated using software only, through features of the Linux kernel. There may be bugs in the Linux kernel that will break this isolation.

However, the realist view is that at the moment there are no known lingering security vulnerabilities in the Linux kernel, and if one is found, it will be fixed. But since a few years ago there have been some hardware bugs in CPUs that would defeat the isolation of VMs. Run the following to see what mitigations are used for your CPU to avoid those vulnerabilities. Spectre is not a movie.

cat /proc/cpuinfo | grep ^bugs

There has been a discussion on how to write Incus documentation that is useful for Homelab users. It became obvious that writing documentation for each service would merely replicate what is available from the official documentation of said service. The solution should be similar to what the kernel developers did with container support in the Linux kernel. That is, discuss the primitives like networking, storage devices, how to get instances to communicate with each other, etc.

1 Like

Thanks Simos. I am looking forward to your home lab articles. I agree that one of the main strength of Incus is the ability to create Containers, OCI Containers and VMs with similar tooling.

It is properly worth to mention not all OCI images are black boxes.

As long as they are Open Source you are able to look into the Dockerfile and see how it is created. In general they start with a base OCI image created similar like Incus images and the application is installed on top. Some are multi stage images and it requires to read multiple Dockerfile’s. It takes a moment to understand the procedure but you will get the idea pretty quickly.

All in all OCI images are not that much different to Incus images except they are pretty much stripped down to a basic OS. In general they are even more secure or let’s say restricted as they don’t contain binaries to review running processes nor manage network layer etc.

The advantage of using OCI image is you just can use them where as with incus images you need to perform the installation and configuration of the application. This is properly why docker is more popular compared to other container solutions.

Would say the choice is yours which type of image to use.

You can also run your own OCI container registry - I run Harbor but I’m trying to downsize to Zot - and use a container vulnerability scanner like Trivy. Then you make sure you control which containers you allow into your environment, and if a component library is found to be vulnerable you have an SBOM of each container to see which are exposed.

Edited to add - you can also use container image sources which have been made more secure, I use Chainguard which is great as far as it goes, but their focus is enterprise rather than homelab so not every container you’ll want to use is available.