I have a VPS with stuff like web services, git hosting, and an xmpp server. I'm considering moving services from the host to unprivileged LXC containers. I've decided on LXC instead of Docker because I'm familiar with LXC.
A list of reasons why I want to move services from the host to unprivileged LXC containers:
Fewer dependencies, system-wide libraries and packages on the host; a more minimal host
Easier to run multiple instances of the same service with different configs
Portability, making it easier to move an entire environment with a running service between different hosts (e.g. testing environment and production)
Improving security by running services from unprivileged user accounts, reducing the potential blast radius if there's some vulnerability in some service (assuming a separate user per container)
I like LXC, I have some experience with it, I use it on my PC and want to try it on a server
Do you think the reasons mentioned above are good enough to move services from the host to containers?
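The "separate user per container" assumption in the question is what actually limits the blast radius: each unprivileged container's root must map to a distinct, non-zero host uid/gid range. The following is an added example, not code from the thread or from the LXC project. It parses the `lxc.idmap` lines of several constructed container configs (the `lxc.idmap = u <container start> <host start> <count>` syntax from lxc.container.conf) and reports containers that still run as host root, plus pairs of containers whose host id ranges overlap and therefore share a user despite being "unprivileged". The container names and ranges are invented for the example.

```python
"""Audit uid/gid mappings of unprivileged LXC containers.

Added example (not from the original thread). Flags containers that
  - carry no lxc.idmap lines at all (container root == host root), or
  - map a range that includes host uid/gid 0,
and reports pairs of containers whose host ranges overlap, which breaks
the "separate user per container" assumption.
"""
import re
from itertools import combinations
from typing import Dict, List, Tuple

# (kind, container_start, host_start, count), as in "lxc.idmap = u 0 100000 65536"
IdMap = Tuple[str, int, int, int]

_IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Constructed sample configs for the example; "web" and "xmpp" wrongly share a
# range, and "legacy" has no mapping at all (i.e. it is a privileged container).
SAMPLE_CONFIGS: Dict[str, str] = {
    "web": "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n",
    "git": "lxc.idmap = u 0 165536 65536\nlxc.idmap = g 0 165536 65536\n",
    "xmpp": "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n",
    "legacy": "lxc.include = /usr/share/lxc/config/common.conf\n",
}


def parse_idmap(config_text: str) -> List[IdMap]:
    """Extract every lxc.idmap line as (kind, container_start, host_start, count)."""
    maps: List[IdMap] = []
    for line in config_text.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            kind, cstart, hstart, count = m.groups()
            maps.append((kind, int(cstart), int(hstart), int(count)))
    return maps


def host_range(m: IdMap) -> range:
    """Host-side id range covered by one mapping entry."""
    return range(m[2], m[2] + m[3])


def privileged_containers(configs: Dict[str, str]) -> List[str]:
    """Names of containers whose root is host root (no idmap, or a map reaching host id 0)."""
    found = []
    for name, text in configs.items():
        maps = parse_idmap(text)
        if not maps or any(0 in host_range(m) for m in maps):
            found.append(name)
    return sorted(found)


def find_overlaps(configs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Pairs (a, b, kind) whose host uid ('u') or gid ('g') ranges intersect."""
    parsed = {name: parse_idmap(text) for name, text in configs.items()}
    overlaps = set()
    for a, b in combinations(sorted(parsed), 2):
        for ma in parsed[a]:
            for mb in parsed[b]:
                if ma[0] != mb[0]:
                    continue
                ra, rb = host_range(ma), host_range(mb)
                if ra.start < rb.stop and rb.start < ra.stop:
                    overlaps.add((a, b, ma[0]))
    return sorted(overlaps)


if __name__ == "__main__":
    for name in privileged_containers(SAMPLE_CONFIGS):
        print(f"{name}: root maps to host root (privileged container)")
    for a, b, kind in find_overlaps(SAMPLE_CONFIGS):
        print(f"{a} and {b} share a host {kind}id range; a compromise of one "
              f"can reach the other's files")
```

To run this against real containers, replace `SAMPLE_CONFIGS` with the contents of each container's `config` file; the same check can be applied to `/etc/subuid` and `/etc/subgid` allocations, since those are where the host ranges are handed out in the first place.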
Note: if the commands you’re currently using contain a dash, like lxc-start, then you’re using lxc directly. If the commands are lxc start (with a space), then you’re actually using lxd (“lxc” = “lxd client”) - although lxd does use lxc under the hood to run containers. It’s confusing.
Either way, I suggest you look at incus. incus is a community fork of lxd. It gives you a wide range of features including the ability to run VMs as well as containers, and lots of cool storage stuff including incremental zfs copying. And recent versions can run docker containers too, should you so wish.
The separation of services onto different physical bare-metal servers/virtual machines/containers has been best practice in systems administration for quite some time.
When you set up all services on the same server, you do not have to deal with port forwarding and how to expose ports for different services. I think that's the main difference. Other than that, I think it should be fine.
In addition to what others have already mentioned in their comments, there are also benefits to how easy it is to snapshot and restore an Incus VM or container if the active one encounters a problem.