Below is a transcript of my YouTube video of the same title as this post.
Hey, you made it! Thank you so much for stopping by!
I really do appreciate you taking a couple of minutes of your day to hang out with me and listen to what my day has to say.
So in my last video, we took a look at what I’ve got running in my home lab back here, and we briefly discussed the hardware.
Then we talked about the two Proxmox servers I’ve got for production and the one I’ve got for testing and development. I don’t develop, but it’s for testing and tutorials, that sort of thing. I guess that’s the better way to word that.
So in that video, I covered all of that, right?
And that video is doing remarkably well.
I want to thank everybody who has watched it for checking it out. I really appreciate it. It really does help me out a lot and also gives me more motivation to create more videos like this. So thank you for watching, for the comments, for the likes, the shares, all of that really does mean a lot to me.
In the comment section of the last video I released about all of this stuff, a couple of people asked what my rationale was in deploying LXCs, or Linux containers, for each of my individual services rather than throwing up a couple of VMs, installing Docker, and then putting all of my services in those couple of VMs.
And I think that’s a great question.
And I’ve got some rationale that I would like to kind of put out there for you guys. Not necessarily to change your minds, but if I do, cool, if not, and you want to keep doing things the way you’ve been doing it, that is perfectly acceptable.
One of the things that I really dig about home labs and this kind of hobby is that there isn’t really one right way to do things across the board. The way that I do things may not be right for you, and the way you do things may not be right for me. And I love that we can all kind of do things differently and share our ideas and maybe learn something new when we’re doing that.
So again, the question was, why didn’t I just put up a couple of VMs, install Docker, and put all of my services in that rather than deploying an LXC for each of my different services.
So let’s talk about that for a couple of minutes.
There are actually a couple of reasons why I use LXCs for my individual services rather than full-on VMs. And I’m going to talk about a couple of those reasons, but the first reason is basically data backup, data protection, and data recovery.
That said, well, let’s just go to my desktop. It’ll make more sense.
Right. So here we are. We’re on my desktop, and you know, this is ProxProd2, and I’ve got an LXC for AdGuard, my password manager, my speed test, and my analytics, and that sort of thing. Now, I’ve got this VM down here that’s for Activepieces. That is a standalone service that actually required more than just an LXC for this.
So I spun up an Ubuntu server VM and deployed it there. And that’s why that one isn’t an LXC: because it required it, is basically the long and the short of that.
So let’s say something goes wrong with my AdGuard. Let’s say it crashes, gets corrupted, and an update fails (what?). Something goes wrong, and I need to bring it back online.
Well, the easy way for me to do that is to then come over here to this backup right here, go over to my backup server, and then I can pick basically any day over the last month that I want to restore to, and I can just click here and click restore, and it will restore back to April 17th.
Now, the reason I bring this up is that if, for whatever reason, I had to restore an entire virtual machine full of Docker containers back to a specific date, all of the containers in that virtual machine get restored back to that date.
Right?
So let’s talk about, come over here. Let’s look at my demo server, right. It might make more sense this way.
Right. So I’ve got all of these different LXCs up here. None of these are being backed up. I don’t need them to be; this is just for testing purposes. But I do have this Ubuntu server VM down here that’s almost maxed out. But you know, if I come into here, there I am. I’m logged in. You know, I can do a docker ps, oops, sudo docker ps. I just do, I guess. Right. And here we can see, let’s move that up the screen a little bit.
Okay. So here we can see that I’ve got Wallos, Stirling PDF, Hasty Paste, an Alpine Redis container, rather, for something. I don’t remember what (it’s Hasty Paste). I just threw all of this up just for the sake of this rationale video.
Of course, I’ve got Portainer there. I’m actually going to talk about Portainer in another video. They’re doing some weird stuff. I think nothing bad. I want to clarify. I’m not trying to throw shade. I just noticed something weird this morning with this instance of Portainer.
Okay. So all of these containers that I’ve got, you know, here and here and here, all of those are running inside this VM.
So let’s say for whatever reason, let’s say Wallos, it’s not set up yet. But let’s say that Wallos gets corrupted, backup fails. Something goes wrong. It’s hacked, whatever, right. And so I want to restore Wallos to a previous known good state.
Well, because it’s inside of this VM, I can’t restore this entire VM back to that last known good state without affecting Stirling PDF and Hasty Paste.
Does that make sense?
So basically, what it boils down to is that I want each of my services to run in its own LXC for a couple of reasons.
One, I want all of my containers to be isolated from each other so that if one of them is compromised, it will be harder, not impossible, but harder for the bad actor, the bad guy, the hacker, the whatever, to then infiltrate and compromise my other services. I hadn’t mentioned that yet, but that is one of those things: keeping them each individually isolated. That’s another layer of protection.
And of course, the other reason is not only isolation for security purposes, but isolation of individual data sets for their databases, for all of the storage that each individual service needs. If I need to back up, or if I need to restore one of those services back to a previously known good date, I don’t want to lose data on my other services on that VM. So I went ahead and just put each of my services in their own LXCs, with the one exception of the VM, as I just mentioned, because it needed it.
But all of my services run in LXCs so that they’re isolated from each other as far as where they’re running, but also their data is separate from each other. So if I have to restore, then I can just restore that one application and not have to lose data from other applications by restoring back to a previous date. So hopefully that helps kind of explain what my rationale is there and why I did what I did.
There’s also other little things like I’ve got notes here that I took because my memory sucks.
Basically, I’m just going to read this. It says “LXCs share the host system’s kernel making them much faster to start and they use fewer resources than virtual machines.”
So basically, each LXC, each Linux container shares the Proxmox kernel and doesn’t load its own kernel on top of the Proxmox kernel. So you’re reducing necessary resources to spin up those services by putting them in an LXC versus a VM.
And I know that there’s somebody out there saying, and you’re probably right, that having all of those LXCs is probably the same resource usage as a single VM, but again, my argument is mostly the separation of each individual container for security purposes and then also the data backup and recovery.
And of course, there are some cons to doing it this way. I’ve got those notes here as well.
“LXCs provide some isolation, but since they share the kernel, a security issue in one container could possibly impact others if they manage to hit the kernel.”
So my logic isn’t foolproof, but there’s some logic there in my own monkey brain.
So I hope that kind of helps make sense of the rationale that I’ve got in my setup and why I went with LXCs for each individual service rather than a single VM or even a couple of VMs for multiple services. It’s how my monkey brain works, and I wanted to just kind of explain that to you guys.
And of course, if you’ve got ideas on why I’m wrong or ideas why I’m right, definitely leave that in the comment section under the video.
If you’re interested in this kind of content, where I talk about home lab stuff and the rationale for why I do certain things, and where I cover Docker containers, we’re just kind of all over the place here. But if you’re interested in my content, definitely don’t forget to get subscribed.
If you want to support the channel, of course, you can become a channel member or become a patron. Neither of those are required. But if you do either of those things, you will get access to my content with no ads in it at all. So that’s something to take into consideration if you’re interested in supporting the channel besides subscribing and liking.
So I want to go ahead and wrap this up. I know you guys have got other things to get done today. But thank you guys for spending a few minutes of your day with me today, and I’ll talk to you in the next video.
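The per-container restore described in the video, done from the command line instead of the backup view. This is an added example, not code from the post or from Proxmox. It assumes backups sit on a Proxmox directory storage (where vzdump names archives vzdump-lxc-<vmid>-<YYYY>_<MM>_<DD>-<HH>_<MM>_<SS>.tar.zst, which is not how Proxmox Backup Server names snapshots); the directory listing inside it is constructed, DUMP_DIR and STORAGE are placeholders, and the pct restore command is only built, never executed. It goes one step past the video by picking the newest archive of a single guest at or before a chosen day, which is what clicking a date in the backup view does for you.

```python
"""Find the newest backup of one container at or before a chosen day and
build the command that restores only that guest.

Added example, not code from the post or from Proxmox. Assumes a Proxmox
directory storage, where vzdump names archives
vzdump-<lxc|qemu>-<vmid>-<YYYY>_<MM>_<DD>-<HH>_<MM>_<SS>.<ext>. The listing
below is constructed; DUMP_DIR and STORAGE are placeholders.
"""
import re
import shlex
from datetime import date, datetime

DUMP_DIR = "/var/lib/vz/dump"   # placeholder: path of the directory storage
STORAGE = "local-lvm"           # placeholder: target storage for the rootfs

ARCHIVE_RE = re.compile(
    r"vzdump-(?P<type>lxc|qemu)-(?P<vmid>\d+)-"
    r"(?P<stamp>\d{4}_\d{2}_\d{2}-\d{2}_\d{2}_\d{2})"
    r"\.(?P<ext>tar(?:\.(?:zst|gz|lzo))?|vma(?:\.(?:zst|gz|lzo))?)$"
)

# Constructed listing: nightly archives for CT 101, CT 102 and VM 200.
# vzdump leaves .log (and .notes) files beside each archive; those must be skipped.
LISTING = [
    "vzdump-lxc-101-2024_04_15-02_00_03.tar.zst",
    "vzdump-lxc-101-2024_04_16-02_00_01.tar.zst",
    "vzdump-lxc-101-2024_04_17-02_00_04.tar.zst",
    "vzdump-lxc-101-2024_04_17-02_00_04.log",
    "vzdump-lxc-101-2024_04_18-02_00_02.tar.zst",
    "vzdump-lxc-102-2024_04_17-02_05_11.tar.zst",
    "vzdump-qemu-200-2024_04_17-02_10_30.vma.zst",
]


def parse_archive(name):
    """Return {type, vmid, when, name} for a vzdump archive name, else None."""
    m = ARCHIVE_RE.match(name)
    if not m:
        return None
    return {
        "type": m["type"],
        "vmid": int(m["vmid"]),
        "when": datetime.strptime(m["stamp"], "%Y_%m_%d-%H_%M_%S"),
        "name": name,
    }


def pick_backup(listing, vmid, not_after):
    """Newest archive of guest `vmid` taken on or before the day `not_after`
    (an ISO date string such as "2024-04-17").

    Only that guest's archives are considered, so the restore built from the
    result touches nothing else on the host."""
    cutoff = date.fromisoformat(not_after)
    candidates = [
        a for a in map(parse_archive, listing)
        if a and a["vmid"] == vmid and a["when"].date() <= cutoff
    ]
    return max(candidates, key=lambda a: a["when"], default=None)


def restore_command(archive, dump_dir=DUMP_DIR, storage=STORAGE, unprivileged=True):
    """Build the pct restore line (not executed here).

    --force is required to overwrite the existing CT with the same vmid.
    pct restore takes the same create-time options as pct create, so
    --unprivileged 1 asks for the restored container to be unprivileged;
    this is also how a privileged backup is brought back as an unprivileged CT."""
    if archive["type"] != "lxc":
        raise ValueError("VM archives are restored with qmrestore, not pct")
    cmd = ["pct", "restore", str(archive["vmid"]),
           f"{dump_dir}/{archive['name']}", "--storage", storage, "--force"]
    if unprivileged:
        cmd += ["--unprivileged", "1"]
    return shlex.join(cmd)


if __name__ == "__main__":
    chosen = pick_backup(LISTING, 101, "2024-04-17")
    print(chosen["name"])
    print(restore_command(chosen))
```

Note the 2024_04_17 choice: of the four CT 101 archives only that guest's files are looked at, and CT 102 and VM 200 keep running untouched. Pointing the same logic at a VM full of Docker containers gives you exactly one archive for all of them, which is the limitation the video is describing.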
Additional info on LXCs and VMs:
LXC Pros:
- Lightweight: LXCs share the host system’s kernel, making them much faster to start, and they use fewer resources than VMs.
LXC Cons:
- Limited Isolation: They provide some isolation, but since every container runs on the host’s kernel, a kernel vulnerability reachable from one container can affect the host and every other container. Proxmox’s unprivileged containers (user-namespace UID mapping) and its AppArmor profiles narrow this, but they do not remove the shared kernel.
- Linux-only: LXCs can only run Linux distributions that are compatible with the host’s kernel.
Use for VMs:
- Running applications that require a specific operating system not compatible with the host.
- Situations where a high degree of security and isolation is critical.
- Running software that requires direct access to hardware resources.
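A check that goes with the shared-kernel caveat above: whether each container is actually getting the isolation the rationale counts on. This is an added example, not code from the post or from Proxmox. It parses container configs in the /etc/pve/lxc/<vmid>.conf format and flags the settings that widen what a kernel bug or escape in one container can reach (privileged mode, host bind mounts, an unconfined AppArmor profile, blanket device access, a cleared capability drop list). The two configs embedded in it are constructed; the hostnames and storage names are placeholders.

```python
"""Flag settings in Proxmox LXC configs that widen what a kernel bug or
container escape in one container can reach.

Added example, not code from the post or from Proxmox. Reads the
/etc/pve/lxc/<vmid>.conf format; the two configs below are constructed
(hostnames and storage names are placeholders).
"""
import glob
import re

HIGH, LOW = "high", "low"

SAMPLE_CONFIGS = {
    # Unprivileged, AppArmor-confined, nesting on for Docker-in-LXC.
    "101": """\
arch: amd64
cores: 1
features: nesting=1
hostname: adguard
memory: 512
net0: name=eth0,bridge=vmbr0,ip=dhcp
ostype: debian
rootfs: local-lvm:vm-101-disk-0,size=8G
swap: 512
unprivileged: 1

[snap-before-update]
hostname: adguard
unprivileged: 1
""",
    # Privileged container with the usual "just make it work" knobs turned.
    "105": """\
arch: amd64
cores: 2
features: nesting=1,keyctl=1
hostname: legacy-app
memory: 2048
mp0: /,mp=/host
net0: name=eth0,bridge=vmbr0,ip=dhcp
ostype: ubuntu
rootfs: local-lvm:vm-105-disk-0,size=16G
lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: a
lxc.cap.drop:
""",
}


def parse_pve_lxc_conf(text):
    """Return {key: [values]} for the live section of a pct config.

    Lines after a "[name]" header describe a snapshot or pending change,
    not the running container, so parsing stops at the first one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            break
        key, _, value = line.partition(":")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def audit(conf):
    """List (severity, message) findings for one container's live config."""
    findings = []
    # Absent "unprivileged" means 0: root in the container is root on the host.
    privileged = conf.get("unprivileged", ["0"])[0] != "1"
    if privileged:
        findings.append((HIGH, "privileged container: uid 0 inside is uid 0 on the host, "
                               "so a kernel or escape bug is a host compromise"))
    features = dict(f.partition("=")[::2]
                    for f in conf.get("features", [""])[0].split(",") if f)
    if features.get("nesting") == "1":
        findings.append((HIGH if privileged else LOW,
                         "nesting=1 exposes parts of the host's procfs and sysfs to the guest"))
    for key, values in conf.items():
        if re.fullmatch(r"mp\d+", key):
            for value in values:
                source = value.split(",")[0]
                if source.startswith("/"):   # host path bind mount, not a storage volume
                    sev = HIGH if source == "/" or source.startswith("/etc/pve") else LOW
                    findings.append((sev, f"{key}: bind mount of host path {source}"))
    if conf.get("lxc.apparmor.profile", [""])[0] == "unconfined":
        findings.append((HIGH, "lxc.apparmor.profile: unconfined drops the profile that blocks "
                               "mounts and writes to /proc and /sys"))
    for key in ("lxc.cgroup.devices.allow", "lxc.cgroup2.devices.allow"):
        if "a" in conf.get(key, []):
            findings.append((HIGH, f"{key}: a allows every host device node"))
    if "" in conf.get("lxc.cap.drop", []):
        findings.append((HIGH, "lxc.cap.drop: (empty) clears the default drop list "
                               "(sys_module, sys_rawio, sys_time, mac_admin, mac_override)"))
    return findings


def high_findings(conf):
    return [msg for sev, msg in audit(conf) if sev == HIGH]


def audit_host(pattern="/etc/pve/lxc/*.conf"):
    """Audit every container on a Proxmox node; returns {vmid: findings}."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        vmid = path.rsplit("/", 1)[-1].removesuffix(".conf")
        with open(path) as fh:
            results[vmid] = audit(parse_pve_lxc_conf(fh.read()))
    return results


if __name__ == "__main__":
    for vmid, text in SAMPLE_CONFIGS.items():
        for sev, msg in audit(parse_pve_lxc_conf(text)):
            print(f"CT {vmid} [{sev}] {msg}")
```

Run audit_host() on a node to check the real configs. CT 101 comes out with a single low finding (nesting), which is the normal shape of a per-service container; CT 105 is the "one container per service" layout with the isolation switched off, and a compromise there is a compromise of the host and every other container on it.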