Opinions on container management for self-hosting

Hi GTALUG group,

Currently, I'm using docker-compose to deploy my self-hosted apps. I'm considering upgrading this to something easier to maintain.

What is everyone using?
- Docker/Podman & diligence?
- Pulumi / Ansible / Terraform / OpenTofu to automate things?
- Docker Swarm?
- Watchtower for updates?
- Rancher?
- Kubernetes for a local install?

The main issue I'm having is keeping on top of updating my containers, along with keeping track of how my deployments stitch together (aside from my Caddy reverse proxy). I think this is very easy to fix; however, I'm wondering if the community has some feedback on how they made their container management turn-key... without taking on too much technical debt.

Warm regards,
-- Mark Prosser // E: mark@zealnetworks.ca // W: https://zealnetworks.ca

On 2024-09-08 17:26, Mark Prosser via talk wrote:
Hi GTALUG group,
Currently, I'm using docker-compose to deploy my self-hosted apps. I'm considering upgrading this to something easier to maintain.
What is everyone using?
- Docker/Podman & diligence?
- Pulumi / Ansible / Terraform / OpenTofu to automate things?
- Docker Swarm?
- Watchtower for updates?
- Rancher?
- Kubernetes for a local install?
The main issue I'm having is keeping on top of updating my containers, along with keeping track of how my deployments stitch together (aside from my Caddy reverse proxy). I think this is very easy to fix; however, I'm wondering if the community has some feedback on how they made their container management turn-key... without taking on too much technical debt.
I have been using docker-compose with nginxproxy/nginx-proxy and nginxproxy/acme-companion. It is a nice proxy in that it will proxy multiple sites based on their docker configuration. The acme companion handles getting Let's Encrypt certificates for each site so that I no longer need to be buying a wildcard cert.

I have tried moving a number of things to podman but it still has enough quirks that it may be a while before I move my self-hosted apps.

Most of the other things you mention have a fairly high upfront technical cost. At least from my point of view.

-- Alvin Starr || land: (647)478-6285 Netvel Inc. || home: (905)513-7688 alvin@netvel.net ||

I have been using docker-compose with nginxproxy/nginx-proxy and nginxproxy/acme-companion. It is a nice proxy in that it will proxy multiple sites based on their docker configuration. The acme companion handles getting Let's Encrypt certificates for each site so that I no longer need to be buying a wildcard cert.
That's pretty cool. I did give nginx-proxy a try a long while back, but I ended up settling on Caddy. It also handles the LE cert portion.
I have tried moving a number of things to podman but it still has enough quirks that it may be a while before I move my self-hosted apps.
Most of the other things you mention have a fairly high upfront technical cost. At least from my point of view.
That's a fair point. I'm just glad to hear my config isn't too far off someone else's.

Warm regards,
-- Mark Prosser // E: mark@zealnetworks.ca // W: https://zealnetworks.ca

Hey folks, here to add some more usage datapoints to the thread.

Recently (1+ years now?) experienced a breakthrough with Podman in my homelab - everything is converted over on both Fedora and Guix (!). (Jellyfin, Nextcloud, RSS aggregator, Gitea, quassel-core). LetsEncrypt is handled by a standard OS reverse proxy service but I don't think containerizing it would be too hard; classic OS service setup is mostly owing to inertia and habit.

My docker-compose.yml files are all working with podman-compose (the pip package) and I've gone through a few Fedora `dnf system-upgrade` processes which give me confidence in the forward viability of the setup.

Not sure, but there could be some differences between what Alvin and I are deploying which account for quirks I'm unaware of.

As for the "container needs updates" problem, I'm actually quite curious what folks are using since I haven't settled on a solution just yet, but the time is looking right for that consideration.

Cheers,
Mike

Sent with Proton Mail secure email.

On Monday, 9 September 2024 at 12:53, Mark Prosser via talk <talk@gtalug.org> wrote:
I have been using docker-compose with nginxproxy/nginx-proxy and nginxproxy/acme-companion. It is a nice proxy in that it will proxy multiple sites based on their docker configuration. The acme companion handles getting Let's Encrypt certificates for each site so that I no longer need to be buying a wildcard cert.
That's pretty cool. I did give nginx-proxy a try a long while back, but I ended up settling on Caddy. It also handles the LE cert portion.
I have tried moving a number of things to podman but it still has enough quirks that it may be a while before I move my self-hosted apps.
Most of the other things you mention have a fairly high upfront technical cost. At least from my point of view.
That's a fair point. I'm just glad to hear my config isn't too far off someone else's.
Warm regards,
-- Mark Prosser // E: mark@zealnetworks.ca // W: https://zealnetworks.ca
---
Post to this mailing list: talk@gtalug.org
Unsubscribe from this mailing list: https://gtalug.org/mailman/listinfo/talk

On 2024-09-09 14:14, Mike Holloway via talk wrote:
Hey folks, here to add some more usage datapoints to the thread.
Recently (1+ years now?) experienced a breakthrough with Podman in my homelab - everything is converted over on both Fedora and Guix (!). (Jellyfin, Nextcloud, RSS aggregator, Gitea, quassel-core). LetsEncrypt is handled by a standard OS reverse proxy service but I don't think containerizing it would be too hard; classic OS service setup is mostly owing to inertia and habit.
My docker-compose.yml files are all working with podman-compose (the pip package) and I've gone through a few Fedora `dnf system-upgrade` processes which give me confidence in the forward viability of the setup.
Not sure, but there could be some differences between what Alvin and I are deploying which account for quirks I'm unaware of.
As for the "container needs updates" problem, I'm actually quite curious what folks are using since I haven't settled on a solution just yet, but the time is looking right for that consideration.
Cheers, Mike
The thing that caught me with podman was the network plumbing. The proxy I am using also depends on being able to get information back from the docker runtime about the creation of containers that it may need to proxy.

Since podman is now the RH blessed way to go I expect I will find answers to all my problems soon.

-- Alvin Starr || land: (647)478-6285 Netvel Inc. || home: (905)513-7688 alvin@netvel.net ||
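The nginx-proxy plus acme-companion stack Alvin describes earlier in the thread, and the dependency he mentions here on reading container information back from the docker runtime, both come down to one compose file shape. The following is an added example, not Alvin's actual configuration; the service names, the hostnames and the contact address are placeholders, and the `whoami` image stands in for any self-hosted app.

```yaml
# Added example (not Alvin's configuration): nginx-proxy routes incoming
# requests by each container's VIRTUAL_HOST, and acme-companion requests a
# Let's Encrypt certificate for each container's LETSENCRYPT_HOST.
# Hostnames and e-mail addresses below are placeholders.
services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - conf:/etc/nginx/conf.d
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - certs:/etc/nginx/certs:ro
      # This is the "information back from the docker runtime" dependency:
      # the proxy watches container start/stop events over the Docker API.
      # ":ro" only makes the socket file read-only; it does not limit which
      # API calls the container can make, so the proxy is effectively
      # root-equivalent on the host. Keep it on a trusted image and pin tags.
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - proxy-tier

  acme-companion:
    image: nginxproxy/acme-companion
    container_name: nginx-proxy-acme
    restart: unless-stopped
    depends_on:
      - nginx-proxy
    # Share the proxy's volumes so issued certificates land where nginx reads them.
    volumes_from:
      - nginx-proxy
    volumes:
      - certs:/etc/nginx/certs:rw
      - acme:/etc/acme.sh
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      DEFAULT_EMAIL: admin@example.com   # placeholder contact for Let's Encrypt
    networks:
      - proxy-tier

  # One self-hosted app. Each additional site is another service carrying
  # these variables; the app itself publishes no ports on the host.
  app:
    image: traefik/whoami
    restart: unless-stopped
    environment:
      VIRTUAL_HOST: app.example.com        # placeholder hostname
      LETSENCRYPT_HOST: app.example.com    # placeholder hostname
      LETSENCRYPT_EMAIL: admin@example.com # placeholder contact
    networks:
      - proxy-tier

networks:
  proxy-tier:

volumes:
  conf:
  vhost:
  html:
  certs:
  acme:
```

With this layout a new site is added by starting one more container with `VIRTUAL_HOST` and `LETSENCRYPT_HOST` set on the shared network; nothing in the proxy's own config changes. The socket mount is the part to be deliberate about: it is the same mechanism that makes the setup turn-key and the reason the proxy container should be treated as a host-level component rather than just another app.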

The thing that caught me with podman was the network plumbing. The proxy I am using also depends on being able to get information back from the docker runtime about the creation of containers that it may need to proxy.
Right, that's a tricky piece. I don't know if my experience is at all similar to yours, but I recall my containers couldn't network between each other using a default host namespace until I sorted out cgroups kernel command-line options.

After that it was remarkably transparent to use existing docker-compose.yml files with podman-compose - no network finagling required.

Mike

Sent with [Proton Mail](https://proton.me/) secure email.

On Monday, 9 September 2024 at 14:32, Alvin Starr via talk <talk@gtalug.org> wrote:
On 2024-09-09 14:14, Mike Holloway via talk wrote:
Hey folks, here to add some more usage datapoints to the thread.
Recently (1+ years now?) experienced a breakthrough with Podman in my homelab - everything is converted over on both Fedora and Guix (!). (Jellyfin, Nextcloud, RSS aggregator, Gitea, quassel-core). LetsEncrypt is handled by a standard OS reverse proxy service but I don't think containerizing it would be too hard; classic OS service setup is mostly owing to inertia and habit.
My docker-compose.yml files are all working with podman-compose (the pip package) and I've gone through a few Fedora `dnf system-upgrade` processes which give me confidence in the forward viability of the setup.
Not sure, but there could be some differences between what Alvin and I are deploying which account for quirks I'm unaware of.
As for the "container needs updates" problem, I'm actually quite curious what folks are using since I haven't settled on a solution just yet, but the time is looking right for that consideration.
Cheers, Mike
The thing that caught me with podman was the network plumbing. The proxy I am using also depends on being able to get information back from the docker runtime about the creation of containers that it may need to proxy.
Since podman is now the RH blessed way to go I expect I will find answers to all my problems soon.
-- Alvin Starr || land: (647)478-6285 Netvel Inc. || home: (905)513-7688 alvin@netvel.net ||

On 2024-09-09 15:09, Mike Holloway via talk wrote:
The thing that caught me with podman was the network plumbing. The proxy I am using also depends on being able to get information back from the docker runtime about the creation of containers that it may need to proxy.
Right, that's a tricky piece. I don't know if my experience is at all similar to yours, but I recall my containers couldn't network between each other using a default host namespace until I sorted out cgroups kernel command-line options.
After that it was remarkably transparent to use existing docker-compose.yml files with podman-compose - no network finagling required.
Mike
Thanks for weighing in Mike & Alvin. You've both given me lots to think about :) I'll probably give Podman another go & see how I enjoy it.

Sucks I overlooked the in-person meeting the other day; hope to make it to the next one!

-- Mark Prosser // E: mark@zealnetworks.ca // W: https://zealnetworks.ca

Thanks Mark, please do share anything challenging or interesting that you run into on your way. Would be great to see ahead to tactics and strategies I haven't yet come across myself.

Cheers,
Mike

From my mobile device

-------- Original Message --------
On 9/12/24 18:18, Mark Prosser via talk <talk@gtalug.org> wrote:
On 2024-09-09 15:09, Mike Holloway via talk wrote:
The thing that caught me with podman was the network plumbing. The proxy I am using also depends on being able to get information back from the docker runtime about the creation of containers that it may need to proxy.
Right, that's a tricky piece. I don't know if my experience is at all similar to yours, but I recall my containers couldn't network between each other using a default host namespace until I sorted out cgroups kernel command-line options.
After that it was remarkably transparent to use existing docker-compose.yml files with podman-compose - no network finagling required.
Mike
Thanks for weighing in Mike & Alvin. You've both given me lots to think about :) I'll probably give Podman another go & see how I enjoy it.
Sucks I overlooked the in-person meeting the other day; hope to make it to the next one!
-- Mark Prosser // E: mark@zealnetworks.ca // W: https://zealnetworks.ca
Participants (3):
- Alvin Starr
- Mark Prosser
- Mike Holloway