A Modern Proxmox Docker Architecture with Disposable VMs, VirtIO-FS, and ZFS (opens in new tab)

(du.nkel.dev)

19 pointsHelmut100019d ago7 comments

7 comments

7 comments · 3 top-level

saltamimi9d ago· 2 in thread

I like this although I would not have chosen Docker. Podman comes with no socket and rootless by default, it just seems more in line with this sort of architecture, not to mean Podman Quadlets and honestly, I would think it's better with git tracking but to each their own.

I probably wouldn't have chosen Debian. It'd probably be easier to use a RHEL spinoff like Alma or Rocky Linux.

Overall, very nice!

Helmut10001OP9d ago

Thanks for the feedback! I agree. I do have a comment on this, to explain my choice:

> Podman vs Docker You may point to Podman here because Podman is natively rootless and doesn't require a daemon and additional workarounds to run rootless. I agree. However, Docker in rootless user nesting is also robust and possible, and I decided to stick to the docker-compose.yml because it is still the industry (and homelab) standard. This minimizes the time I need to translate examples or templates. Docker in rootless and Podman are mostly interchangeable at this level. Both run processes in isolated Linux namespaces on your host VM (not the Hypervisor!).

This is not 100% and may change anytime. I guess, for me, at this time, the difference between Docker in rootless and Podman is just too small, and the time needed to migrate all my docker-compose.yml's too much, to make the jump. Overall, it is not a critical decision for this architecture, more a choice.

Regarding Debian is similar, I just stick with what I am familiar with. Debian also never lost me.

tym08d ago

I did have a terrible time setting up rootless podman in a proxmox VM with virtiofs.

I just couldn't get the ids to work. But I've not tried the specific thing they do here.

tym08d ago· 2 in thread

Ooh, I need to look into that id mapping technique.

I attempted to port my homelab quadlet setup to a disposable VM on proxmox with the state folder mounted via virtiofs and after losing a weekend I realised that it essentially wasn't compatible with rootless podman id mapping and I gave up.

But maybe I missed something...

Helmut10001OP8d ago

Yeah, I ran into the same wall when setting the system up. I then reverted to the standard mount utility, which also supports id-mapping. But it is really not that known. See the links in the article that point to the source of the idea.

    > Network file systems can cause UID/GID mismatches and add network overhead. With VirtIO-FS, I use the Linux kernel's Virtual File System to translate the hypervisor's UID to the guest's unprivileged UID. This avoids exposing the host file structure. I utilize the `X-mount.idmap` fstab option for this. Documentation on this specific implementation is not easy to find. It builds upon the idmapped mounts feature introduced by Christian Brauner in Linux 5.12 [1] and its later integration with util-linux v2.39 into the standard `mount` utility [2].

    [1]: https://github.com/brauner/mount-idmapped + https://docs.kernel.org/filesystems/idmappings.html
    [2]: https://github.com/systemd/systemd/releases/tag/v254

tym08d ago

Thanks I'll give it a shot when I have a free weekend.

I think I may have complicated things by using linuxserver.io images which already require some id mapping trickery on the rootless podman side as they expect to run as root...

Melatonic9d ago

Proxmox is awesome

j / k navigate · click thread line to collapse

7 comments

7 comments · 3 top-level

saltamimi9d ago· 2 in thread

I probably wouldn't have chosen Debian. It'd probably be easier to use a RHEL spinoff like Alma or Rocky Linux.

Overall, very nice!

Helmut10001OP9d ago

Thanks for the feedback! I agree. I do have a comment on this, to explain my choice:

Regarding Debian is similar, I just stick with what I am familiar with. Debian also never lost me.

tym08d ago

I did have a terrible time setting up rootless podman in a proxmox VM with virtiofs.

I just couldn't get the ids to work. But I've not tried the specific thing they do here.

tym08d ago· 2 in thread

Ooh, I need to look into that id mapping technique.

But maybe I missed something...

Helmut10001OP8d ago

    > Network file systems can cause UID/GID mismatches and add network overhead. With VirtIO-FS, I use the Linux kernel's Virtual File System to translate the hypervisor's UID to the guest's unprivileged UID. This avoids exposing the host file structure. I utilize the `X-mount.idmap` fstab option for this. Documentation on this specific implementation is not easy to find. It builds upon the idmapped mounts feature introduced by Christian Brauner in Linux 5.12 [1] and its later integration with util-linux v2.39 into the standard `mount` utility [2].

    [1]: https://github.com/brauner/mount-idmapped + https://docs.kernel.org/filesystems/idmappings.html
    [2]: https://github.com/systemd/systemd/releases/tag/v254

tym08d ago

Thanks I'll give it a shot when I have a free weekend.

I think I may have complicated things by using linuxserver.io images which already require some id mapping trickery on the rootless podman side as they expect to run as root...

Melatonic9d ago

Proxmox is awesome

j / k navigate · click thread line to collapse