Should everything be a container?

Hello,

I have an idea, but first I want to run it through more experienced people than me just to make sure it is the right way to do it. I have a home server where I host a couple of services (deluge, jackett, plex), some programs (mkvtools, filebot) and want to run a few extra things (pfSense, OpenVPN, reverse proxy, etc.). All these things used to run directly on my home server. I had to upgrade my server completely and basically it’s time to install (almost) everything from scratch. Most things are pretty simple, but for others I have to manually reconfigure them. Even though migrating to a new server doesn’t happen very often (maybe once every 5 years), I was thinking that maybe trying lxc would save me some time in the future. I’ve also heard about ansible, and while it’s not the same thing as lxc, it might be a tool that helps me migrate everything from one server to another more easily. This is where I want advice: I’m holding a hammer and everything looks like a nail right now.

The main task assigned to the server is to be a centralized storage for all my data, this is achieved through a combination of ZFS and SMB to share the directories (this will become relevant ahead), along with some clever ACLs, users and groups to achieve a system compliant with the principle of least privilege. Everything else is just an add-on to the server.

I played around with LXC to see how it would fit into this idea, first creating privileged containers (which are unsuitable if I ever decide to open the server to the internet in lieu of openvpn) and then using unprivileged containers. The advantage of privileged containers is that mounting directories (remember ZFS?) is a breeze, configuration is minimal and granting the container RW access is almost transparent. Unprivileged containers, while more secure by design, have a very hard time with mounts.

It feels like going through the motions of properly configuring the containers to work as I want to is just not worth it. Creating users and groups for the containers, creating mounts specific to each container so they have RW but only to the directories they need, the LXC configuration related to unprivileged containers and all that just to achieve what I could do on bare metal seems too much work, with the small advantage of being able to (almost) copy paste the container into the new server or a new machine with minimal effort, which doesn’t happen very often.

So, maybe I’m using the wrong tool for the job, maybe I’m using the tool incorrectly, maybe there are some tools I’m missing in my solution, or my solution is just trash, but it feels like reinventing the wheel just for the sake of a home server. I’m also considering that maybe not everything has to be a container, some things should run on bare metal, some others as a privileged container and others as an unprivileged container.

I’m not afraid of learning new tools or getting my hands dirty, actually, learning is part of this big hobby, but it seems like I’ve reached kind of a dead end and I’m not sure which direction would be the most appropriate one, so I come to you looking for the expertise I’m lacking in the subject.

Hope I’ve provided enough information and I didn’t bore you too much with my post.

Looking forward to your suggestions.

Thanks!
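The mount problem described in the post above (an unprivileged container sees a bind-mounted ZFS dataset as owned by nobody, because container uids are shifted into the subuid range) is usually solved by pinning one container uid/gid to the host uid/gid that owns the dataset, leaving every other id shifted. The following is an added example, not code from the thread or from the LXC project: a small POSIX shell helper that generates the `lxc.idmap` and `lxc.mount.entry` lines for that, and checks a subuid/subgid file to confirm the host actually permits the mapping. It assumes the shifted range starts at 100000 (the `BASE` value) and is 65536 ids wide, and that the host user who runs the container has entries in `/etc/subuid` and `/etc/subgid` covering both that range and the single pinned id; both values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): emit the LXC config lines that let an
# unprivileged container read/write one host directory as the host user that
# owns it, while every other uid/gid inside the container stays shifted.

BASE=100000   # first host uid/gid of the shifted range (assumed /etc/subuid entry)
RANGE=65536   # size of the shifted range (assumed)

# gen_idmap <u|g> <container_id> <host_id>
# Prints three lxc.idmap lines: ids below container_id are shifted, container_id
# itself is pinned to host_id, ids above it are shifted again. The whole 0..RANGE-1
# space stays covered, so only one id is ever unshifted.
gen_idmap() {
    kind=$1; cid=$2; hid=$3
    [ "$cid" -ge 0 ] && [ "$cid" -lt "$RANGE" ] \
        || { echo "gen_idmap: container id $cid out of range" >&2; return 1; }
    [ "$cid" -gt 0 ] && printf 'lxc.idmap = %s 0 %d %d\n' "$kind" "$BASE" "$cid"
    printf 'lxc.idmap = %s %d %d 1\n' "$kind" "$cid" "$hid"
    rest=$(( RANGE - cid - 1 ))
    [ "$rest" -gt 0 ] && printf 'lxc.idmap = %s %d %d %d\n' \
        "$kind" $(( cid + 1 )) $(( BASE + cid + 1 )) "$rest"
    return 0
}

# gen_mount_entry <host_path> <container_path>
# Bind-mounts a host directory into the container rootfs. The destination is
# relative to the rootfs, so a leading slash is stripped; create=dir makes the
# mount point if the container image lacks it.
gen_mount_entry() {
    printf 'lxc.mount.entry = %s %s none bind,create=dir 0 0\n' "$1" "${2#/}"
}

# gen_config <host_path> <container_path> <uid> <gid>
# Full snippet: the container user with this uid/gid will own the mounted data
# exactly as the host user with the same uid/gid does (same numeric ids on both
# sides keeps the on-disk ownership unchanged when the server is migrated).
gen_config() {
    gen_idmap u "$3" "$3" && gen_idmap g "$4" "$4" && gen_mount_entry "$1" "$2"
}

# subid_allows <subid_file> <user> <id>
# Returns 0 if some "user:start:count" line in the file covers <id>. Without a
# matching entry in /etc/subuid (and /etc/subgid) the kernel refuses the idmap.
subid_allows() {
    awk -F: -v u="$2" -v i="$3" \
        '$1 == u && i >= $2 && i < $2 + $3 { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# Demonstration with constructed values: host uid/gid 1000 owns /tank/media,
# and the container's media user also has uid/gid 1000.
if [ "${1:-}" = "demo" ]; then
    gen_config /tank/media /srv/media 1000 1000
fi
```

Run with `sh script.sh demo` to print the seven lines to paste into the container's config. Security-wise, note what the pinned mapping does: the container user with uid 1000 now holds the host uid 1000's rights on every file that uid owns, not only the mounted dataset, so a dedicated host account per shared dataset (rather than reusing an interactive login) keeps the blast radius of a compromised container to the data that container was meant to reach. Check the subuid file before relying on the config, since a mapping the host does not allow fails at container start rather than at mount time.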

Welcome to the group…

First let me start by saying I am not part of the development group, I am just a web developer and web hoster; my opinions are my own.

I have been working with these lxd clusters/containers for years now and I love it. I have 4 production servers, 1 with hundreds of containers, others have fewer depending on how power hungry some of these containers are. I also have a couple at home. The only things I have outside of the containers are nginx as a proxy and things like backup software and honey pots.

I have no other users on my containers, they are sealed for security. They are isolated from each other as much as possible. Some containers are for MySQL/Postgres etc…, most are running WordPress.

It took me years, and many many problems, to get where I am. There are still many things in LXD that are not perfect and maybe not for the faint of heart.

Now, this said it has gotten immensely better in the last year. I can call it reliable now.
However, managing user profiles is not really easy in my opinion. ZFS is still a bit of a black box to me, I need to spend more time to learn how to really use it properly.

So why do I use containers? Ease of configuring a virtual server. Let us say I have a WordPress/MySQL container, and need another. I just clone it and go to my nginx proxy and set it up. It takes minutes, and I can automate it pretty easily. Let us say I need a WordPress with sqlite, clone it and it is done. I have a bunch of preconfigured containers ready to go. I can move them around from server to server to load balance, or for backups. This is how I use it. I even have LXD set up on my workstation at home where I can run a SQL Server or any client containers for testing.
I hope that telling you how I use it helps. If you are not going to be doing something like this, I don’t see a reason to use it; something like VirtualBox is much easier.