Woah, back-to-back videos finally. Really glad to see you 100% hyped up.
Great to see you back at full speed!
Thank you! I'm not quite 100% still, but I'm getting better :)
Thanks so much I enjoy all your videos!!
Ironically I just did this this morning to start moving some of my more important docker containers out from my main docker instance into their own LXCs ... and here's your video tonight :D
Main difference is that I based mine on Ubuntu 23, pre-installed Watchtower and, for networking, have them in their own subnet as there will be a few.
The OCD part of my brain made me set them to also use a template MAC where the last 4 hex digits match the IP octet of the LXC IP, which also matches the LXC container #.
One thing though, after I created the finalised template I did a one-off backup of it (retention = 1) so that it can be deployed to another box if needed.
Seemed like a good idea at the time :)
Excellent video thank you for showing us the template process. Also for creating those scripts great work thank you
@11:05 - at this point, is there a way in Linux to protect this LXC?
1. Firewall - how to install and configure it to protect the LXC & Docker containers?
2. Fail2Ban
3. CrowdSec
If you used the TurnKey Core version of the Debian template that I show in this video, you can go to your.prox.ct.ip:12321 and you'll be brought to a login page. Enter the username "root" and whatever password you set up for the CT. Down the left side of the page you'll see "Networking". Click that, and there you can configure Fail2Ban and a firewall for each individual container if you want.
While you're there, there are lots of other things you can do in the Webmin panel, but I wanted to point out Fail2Ban and the firewall since they were specifically mentioned in your question.
Very cool! Digestible video size, excellent content.
Big thanks! Much appreciated :)
I'm not sure when I started doing this as well, but it's been quite some time.
I originally tried to use the "convert to template" option, but then I realised that I couldn't start the LXC container back up to update it, for example, prior to using it as the template.
So that's when I deleted that converted template and did it again, but this time kept the LXC container as an LXC container rather than converting it to a template. That way I can still boot the template back up, update it, and then shut it back down, so that if I need to clone it again, I'll be able to do that.
Welcome back dude, long time no see :)
Thank you and thanks so much for checking out the new video!
Thank you so much. This is exactly what I was looking for 🙏
Glad it was helpful! Thanks for watching and commenting!! :)
I’m happy to see that you’re eventually getting better numbers. It’s still nowhere near what you deserve but it’s heading in the right direction 👍
Thank you so much!! I'm trying to get back into things and creating as much content as I can while I can :)
A good addition to this would be to run 'docker system prune' just after deleting the containers. That will delete the orphaned Docker images and any orphaned Docker networks in the system.
I'm diving into proxmox now, just set up my second node.
I have read somewhere that using Docker inside LXC containers was not recommended. Using Docker would help me greatly, tbh. Do you know about this?
Also, a request for next videos: how to set up replication between nodes in a cluster.
Very glad to see you doing better man!
Just after writing this comment TH-cam suggested to me a video from you from a year ago talking about that 😅
Why should I create multiple LXC with Docker inside for a single service? What's the benefit of this setup?
Good stuff Dave as always. Quick question. Why isn’t the created user added to the docker group as well?
Honest oversight when I started working on the script. Definitely need to fix that. Thanks for pointing it out :)
Again, thank you for pointing this out. I've modified both of the scripts I showed in this video to also add the user to the docker group. Credited you in the update notes on Github! :)
After watching some of your videos on LXCs I thought I would go and see what was available. To my surprise there's very little provisioning in terms of 3rd-party images that are mostly set up. One I use as a VM, DietPi, is a Swiss army knife of different utils that can be installed, and I thought that would be perfect because once you have the base one set up as a template you could just keep cloning them.
Does anybody know why it is that there are so few 3rd-party images? I googled around and found some blog post about converting DietPi into an LXC container, but it really does feel like something that should be out of the box like that.
You might look here: dietpi.com/blog/?p=2642
Just a suggestion, but could you please lower the resolution of your setup before recording, as it's currently very hard to see what you are doing on an 11" tablet. I did appreciate you zooming in sometimes though 😁. Thanks for the videos.
Sweet! Thanks for this!
Thanks for watching and leaving a comment!! Much appreciated! :)
Thank you very much. Great info.
Very welcome!
First, nice to have you back and doing better. Second, just a question about this vid. Is this just an example of how to "speed up Proxmox deployments", or do you really have every CT run Dockge? Sorry, super thick here and my brain is kinda burnt out atm.
This is just an example of how I deploy LXCs faster in my homelab. I have every service on my setup running in a separate LXC. Each one is deployed from the same template (an earlier version of the Portainer script I've got on Github). The nice thing about both Portainer and Dockge is that you can control multiple nodes from one Portainer or Dockge dashboard if you want. I even made a video about doing this with Dockge fairly recently.
@@DBTechYT Oh ok that makes sense. Ya I saw it. Great vid btw. Was up late playing around so was braindead at a point. LOL thanks for the reply!
Thanks for your great videos. If you want to show the IP at the login screen, add "IP: \4" to your /etc/issue file...
Thanks for the tip!
Is there a way to get Dockge to use SSL with a self signed cert?
Dockge doesn't come with a self-signed cert, so you'd have to come up with a way to do that on your own.
Chapeau! 🎉😎👍
Thanks for watching and commenting!! Much appreciated!! :)
Do you create a new LXC for each service you are setting up, or do you put multiple Docker containers in one LXC?
I set up a new LXC for each service I'm running. In some cases that might include a WordPress container, a MySQL container, a Redis container, etc. But each service gets its own LXC so that I can keep everything more separate and more easily recoverable if something goes wrong. I explain in more detail here: th-cam.com/video/8E4B4b-7wAM/w-d-xo.html
@@DBTechYT I was able to reply, I found the answer looking at your video LXCs vs VMs - What Was My Rationale? Thank you so much!!
@@DBTechYT How do you have the clones generate new SSH host key files? Also, when I followed this and cloned my template, each clone I created had the same IP address even though all of the MAC addresses were different.
This is good, but do you know a way to "sysprep" a template? My problem with templates is that they will all have the same name and IP.
That's why I don't use DHCP for my templates. Once it deploys, my router gives it an IP and then I assign the IP as static in my router.
@@DBTechYT What you mean your router gives it an IP?
That would be with DHCP if it did??
@@calummcallister137 Yeah. I set my LXCs to use DHCP. I show that in the video. Then, once I've got a container/device up and running the way I want. I log into my router and tell it to keep that IP assigned to that container/device. The container/device doesn't know the difference, but my router now has it set as a static IP in the router.
I think if you clone from a container it clones as is. If you clone from a template it changes the MAC address of the network interface and then it will receive a new IP.
I'm just starting with Proxmox so this could be totally wrong 😅
I have a feeling Proxmox wants to manage the networking; that way you can change the IP or hostname of an LXC from the Proxmox GUI or CLI. Change the LXC name or IP and the hostname changes to match; certainly on Ubuntu there are warnings in the network config files saying "Proxmox Managed". I am talking about the vanilla templates, not the TurnKey ones though; they could be different.
I made a Proxmox cloud-init script that I use when I deploy my stuff, then from there I just have a Docker script I run as well.
That's awesome!!
Interested to see how the cloud-init script works, as I have wondered about doing this myself so the customisation is the same between VMs using the cloud images and LXCs. At the moment I build Ansible into the template and initiate a pull on boot, which bloats the container. Cloud-init would also take care of the source LXC and all the clones having duplicate SSH host keys, I think?
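The duplicate SSH host keys and same-IP clones raised in the "sysprep" question above and in this cloud-init reply come down to per-instance identity the template carries into every clone. The script below is an added example (mine, not from the video, the Proxmox project or TurnKey) that strips that identity before the template is shut down and installs a first-boot unit to regenerate host keys; the unit name `regen-ssh-host-keys.service` and the optional staging-directory argument are my assumptions.

```shell
#!/bin/sh
# Added example, not from the video or the Proxmox/TurnKey projects.
# Strips per-instance identity from an LXC template so every clone regenerates its own.
# Run as root inside the template CT right before shutting it down. The optional root
# prefix lets the same functions be exercised against a staging directory.
set -eu

UNIT=regen-ssh-host-keys.service   # hypothetical unit name chosen for this example

prep_template() {
    root="${1:-}"   # "" = the live system, "/some/dir" = a staging tree

    # 1. SSH host keys. Clones that share them are indistinguishable to SSH clients,
    #    so one compromised clone could impersonate any other.
    rm -f "$root"/etc/ssh/ssh_host_*

    # 2. machine-id. Truncate rather than delete so systemd regenerates it on first boot.
    #    systemd-networkd derives its default DHCP DUID from it, so a shared id can mean
    #    clones asking the router for the same lease.
    : > "$root/etc/machine-id"
    rm -f "$root/var/lib/dbus/machine-id"

    # 3. DHCP leases cached while the template was running.
    rm -f "$root"/var/lib/dhcp/*.leases

    # 4. One-shot unit that regenerates host keys before sshd starts, only when they are
    #    missing (ssh.service is the Debian unit name; use sshd.service elsewhere).
    mkdir -p "$root/etc/systemd/system/multi-user.target.wants"
    cat > "$root/etc/systemd/system/$UNIT" <<'EOF'
[Unit]
Description=Regenerate SSH host keys on first boot
ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
Before=ssh.service

[Service]
Type=oneshot
ExecStart=/usr/bin/ssh-keygen -A

[Install]
WantedBy=multi-user.target
EOF
    ln -sf "/etc/systemd/system/$UNIT" \
        "$root/etc/systemd/system/multi-user.target.wants/$UNIT"
}

# Returns 0 when the tree carries no instance identity, i.e. it is ready to be cloned.
template_is_clean() {
    root="${1:-}"
    for f in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$f" ] && return 1
    done
    [ ! -s "$root/etc/machine-id" ] || return 1
    [ -f "$root/etc/systemd/system/$UNIT" ] || return 1
    return 0
}

# Inside the template CT, as root:  sh prep-template.sh --apply
if [ "${1:-}" = "--apply" ]; then
    prep_template ""
fi
```

After the next clone boots, compare `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on two clones; the fingerprints should differ.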
Are LXCs faster than VMs??
Very cool... I run Proxmox on a Deb12 install... so doing Debian LXCs should use fewer resources than VMs for Docker instances? I have a VM running a bunch of Cloudflare tunnels and my Pi-hole instance... just wanting to make sure it uses fewer resources and is better than a VM install.
Either way... great video! Thanks for the walkthrough and how-tos!
Keep em coming!!!!
They're more lightweight than VMs because they're able to share resources like the Proxmox kernel, but there are some limitations and sometimes a VM is the better solution. But I like keeping things light and fast whenever I can, so I use LXCs for most things.
I explain a bit more in this video: th-cam.com/video/8E4B4b-7wAM/w-d-xo.html
Nice vid, thanks.
During the last update to Proxmox 8.2.2, I crashed my entire Docker-supported installation on an LXC container.
After some research, the cause is said to be that Docker does not run stably on an LXC container and is explicitly not recommended.
Instead, if you want to use Docker under Proxmox, you should do the whole thing under your own "Docker" VM.
Do you agree with this, or is this rubbish?
I've been running docker inside an LXC just like I show in this video for more than a year and everything has been running without issue the entire time :)
@@DBTechYT Yes, it's funny. There are many different opinions.
Proxmox itself says: "Note: If you want to run application containers, for example, Docker images, it is recommended that you run them inside a Proxmox QEMU VM. This will give you all the advantages of application containerization, while also providing the benefits that VMs offer, such as strong isolation from the host and the ability to live-migrate, which otherwise isn't possible with containers."
What is best practice here?
If Proxmox says that's best practice for their product, it very well may be what they said.
@@DBTechYT Yes, probably.
VMs are just a little more complicated to handle.
Let's see.
TurnKey Linux itself is bloated with their backup and other stuff. I advise removing all the bloatware before you proceed. Once that is removed, the memory requirements are reduced by around 100 MB.
Wondering what the benefits are to using the Turnkey versions and then disabling the “bloatware” over using the standard Debian template from Proxmox? I have never really used the Turnkey versions.
@@richardbillington3185 Very, very slick and easy to install Debian Linux.