You must log in or # to comment.
i usually do a dedotated container vm inside proxmox. i find it a bit easier to manage, and more secure.
do you guys manage containers directly through proxmox? why do you like it?
I think it’s highly recommended to do it the way you’re doing it, especially for the DR aspect of it, using the builtin tools of Proxmox like replication and PBS.
I do it that way and I’ve had nothing but success with recovering a borked update or other problems in my containers.
It would be cool if they would integrate podman
OCI images is very exciting. But, I don’t see any way to keep them updated. You don’t normally do an update on the applications inside an OCI container, you usually rebuild the container on a new image.
My reading of it makes it sound like a local container repo. So if you have 5 containers using nginx:latest it pulls from the template not an online repo each time.
But I could be wrong, I haven’t played with PVE LXCs yet.
Yes, but then you’re on that specific version of nginx. A lot of containers are built using a multi stage build process where the first stage uses a container with build tooling to build the application, then a second stage installs the result. So your end image doesn’t have the build tooling and no way to update. That’s intentional for security reasons. Images are meant to be immutable.
Sounds like they’re used as a template and it’s now a regular LXC that you can treat like a running distro.
Right, but these containers are usually not designed to be updated like that. It totally defeats the nature of the OCI image and delivering something that has been tested to work. I’m sure there is a use case for this, but it seems more like a gimmick than a useful feature.
Actually, I could see myself using this for development if there were an easy way to package it back into a container image.
Back into an OCI image? I don’t know if lxc can do that, but podman can. I think it is
podman savethat allows you to save your current container as an image. Or, even better would be to use buildah. With buildah your expected workflow is to kind of run a container, run a script against that container, then save it at the end. In fact I’m specifically thinking of images I’ve created with buildah as being almost completely useless with this LXC technique. I’ve used the RHEL UBI micro image before and it doesn’t even have a package manager. You actually mount the container to the host and use the host’s package manager to install what is needed and then unmount it to save. It makes a super slim image with as little attack surface as possible.That last is interesting. I’m going to play with that some.
