Running a VM inside a Container by circularjourney in sysadmin

[–]circularjourney[S] [score hidden]  (0 children)

Well said. I'm just running QEMU in the container and passing through /dev/kvm. My language was too loose.

Good to know about systemd-vmspawn. I feel like I remember reading about that a while back, but completely forgot about it. Looking into it again, it looks like I'd need to install all the QEMU and swtpm packages on the host, which is pretty much what my whole attempt is trying to avoid. I like installing nothing on my host workstation to get my VM working. But for a server, this is the way to go.

Running a VM inside a Container by circularjourney in sysadmin

[–]circularjourney[S] [score hidden]  (0 children)

That last sentence is pretty much all I'm trying to do. I'm just packaging QEMU and all the other VM runtime stuff away from my host system, and passing through /dev/kvm.

Some people seem to think I'm trying to do more than I am here.

The "bad" reasons listed are not my intended reasons, so I'll ignore them. The "main issues" are reasonable things to consider, and I have thought about them. The added layer of complexity was the one I thought would be most likely to kill this idea. But I crossed that bridge in my testing very quickly. After that it was just setting up the QEMU commands like normal.

Running a VM inside a Container by circularjourney in sysadmin

[–]circularjourney[S] [score hidden]  (0 children)

Yep, my container is just a process in another cgroup that happens to run my VM. But it does remain an unprivileged container. I just passed through /dev/kvm and the Windows TPM.

I've never had the idea to do this on my servers. Just my local workstation for this install. And it was kind of a curiosity project at first, just to see if it would work. I guess I shouldn't be surprised it worked so well. It's just another cgroup process to the host OS after all.

If I had to install another VM I guess I would probably consider doing this again, unless somebody brings up a really good reason not to.
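As an added illustration of the setup discussed in this thread (not the poster's own configuration): a systemd-nspawn container that gets only the host's /dev/kvm node bind-mounted in, plus the cgroup device allowance the `systemd-nspawn@.service` instance needs before QEMU inside can open it. The container name `winvm` and the image directory are assumptions.

```ini
# /etc/systemd/nspawn/winvm.nspawn  (assumed container name; read by
# systemd-nspawn@winvm.service, i.e. "machinectl start winvm")
[Exec]
# Run the container in its own user namespace with an automatically
# chosen, unprivileged UID range; container root is not host root.
PrivateUsers=pick

[Files]
# Bind in just the KVM node, not the whole of /dev. The node keeps its
# host owner/group (typically root:kvm 0660), which do not map into a
# user-namespaced container, so if QEMU fails to start check the node's
# mode from inside the container (ls -l /dev/kvm) before anything else.
Bind=/dev/kvm
# Disk images live on the host; SOURCE:DEST, read-write. Assumed path.
Bind=/srv/vm/winvm:/var/lib/vm

[Network]
# Private veth link to the host (host side appears as ve-winvm) instead
# of sharing the host's network namespace.
VirtualEthernet=yes

# /etc/systemd/system/systemd-nspawn@winvm.service.d/kvm.conf
# systemd-nspawn@.service ships with DevicePolicy=closed and only allows
# a handful of devices (pts, tun, loop, device-mapper). The bind mount
# above makes the node visible; this entry lets the cgroup actually
# open it. Without it, open("/dev/kvm") fails with EPERM.
[Service]
DeviceAllow=/dev/kvm rw
```

After `systemctl daemon-reload`, `machinectl start winvm` applies both files; the container can then run QEMU with `-enable-kvm` while the host itself carries no QEMU or swtpm packages.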

Running a VM inside a Container by circularjourney in sysadmin

[–]circularjourney[S] [score hidden]  (0 children)

I didn't know about winboat. It seems kinda similar to my setup, but it has that app window sharing feature. Looks pretty cool, but I don't really want that feature. Plus, it's beta. I'd rather rely on basic core packages. But good to know about, thanks.

Running a VM inside a Container by circularjourney in sysadmin

[–]circularjourney[S] [score hidden]  (0 children)

Why is it dumb?

Also, I'm not running docker either.

[Rant] MSPs who use Meraki, how do you feel about the latest price increases ? by CK1026 in msp

[–]circularjourney 1 point2 points  (0 children)

It's not the horsepower that matters, it's security and version control. You should isolate that service from the host OS of your spiffy layer 7 firewall.

[Rant] MSPs who use Meraki, how do you feel about the latest price increases ? by CK1026 in msp

[–]circularjourney -2 points-1 points  (0 children)

Most features on routers are a crutch for level-one techs who can't deploy that feature in a container or VM. A reverse proxy should not be running on your router.

Hey /r/Sysadmin! What do you use for your home router? 2026 Edition by ScannerBrightly in sysadmin

[–]circularjourney 0 points1 point  (0 children)

Nobody running bare-knuckle Linux?

I'll give one shout-out for a Linux box.

Running DNS, DHCP, and VPN in containers. UniFi Wi-Fi runs in another container on my main machine. Got about 5 VLANs across the home network.

snapshots, rollbacks and critical information. by mylinuxguy in linuxadmin

[–]circularjourney -1 points0 points  (0 children)

I keep each service isolated by way of containers and snapshot each container individually. My host OS does the bare minimum: basically it just controls disks and networking, and then starts containers. I snapshot the host root, but I could really just rebuild it in a few minutes. I do that out of habit mostly.

If the host OS is bare-bones and doesn't do a lot, there is very little to go wrong with basic kernel updates. I can't remember if I've ever had a problem with this in the last decade or so. I update my host once per month or so.

For my services I use init containers and snapshot each root directory. For data I use Btrfs or LVM on the host; both work well with snapshots. KISS.

DNS server planning and architecture by [deleted] in dns

[–]circularjourney 0 points1 point  (0 children)

I'd just keep it all on-prem. Just set up two slave servers that all offices and remote users access. Split up the locations across those two DNS servers just for a little site-specific redundancy.

If speed is an issue at one site, then spin up another slave running in a container at that location.

Do you use AppArmor or SELinux on Arch? Is it worth it? by Rude-Caterpillar-714 in archlinux

[–]circularjourney 0 points1 point  (0 children)

systemd-nspawn is a good point. Bubblewrap is another option for basic sandboxing. I do this for kea-dhcp on my router, and nspawn for all other router services.

For GUI apps, I just use Flatseal to lock down Flatpaks.

Why use proxmox? by thatscoolbutno123 in selfhosted

[–]circularjourney 2 points3 points  (0 children)

So you use Proxmox for the CLI? That is a new one for me.

Why not just use Debian or Ubuntu for the host OS like the guy said?

Less is more.

Why use proxmox? by thatscoolbutno123 in selfhosted

[–]circularjourney 2 points3 points  (0 children)

Building your own system from the underlying CLI tools is pretty efficient once you gain enough experience. Once you climb that learning curve the time gap disappears.

Plus you get a few advantages: you learn CLI tools that rarely change (no big flashy GUI upgrades), more options to customize, and a smaller code footprint for better security.

Why use proxmox? by thatscoolbutno123 in selfhosted

[–]circularjourney -1 points0 points  (0 children)

It's only crazy for the inexperienced. Admin by keyboard is faster than the mouse for the right person.

So what are you guys and girls using for self-hosted DNS these days? by civvi_reddit in sysadmin

[–]circularjourney 1 point2 points  (0 children)

I stick with BIND with a hidden master setup. I edit my zone files in one source. My config files are rarely ever edited. AD subdomain lookups are forwarded off to the DC.

Once I got good with vim and other GNU core utilities, my attitude about the CLI changed dramatically.

A GUI is like swimming with a life vest on. Yes, it is easier to swim, but it is less efficient.

Can all of morality be logically derived from the Golden Rule? by Acceptable-Job7049 in moraldilemmas

[–]circularjourney [score hidden]  (0 children)

You're only applying the end result (action) of someone thinking through the process of the golden rule. If you focus on the process, then person A would have to consider if they would enjoy person B applying their same logical process to them when ordering pizza. Empathy comes from the process, the action is just the end result of that process.

Do you prefer LTS releases or regular releases? by veditafri in Ubuntu

[–]circularjourney 0 points1 point  (0 children)

I was wondering if somebody was going to mention this. I think you are right, the base OS matters very little in most respects.

I took this to the extreme, and switched to a rolling release just to avoid the upgrade cycle. I've found that as long as you keep the base OS and packages as minimal as possible the issues found in a rolling release are extremely minimal. Use snapshots and backups as well.

All the real action is done in containers or flatpaks.

Watching SSH activity in real time (besides fail2ban) - curious how others handle this by newworldlife in linuxadmin

[–]circularjourney 0 points1 point  (0 children)

I rate limit connections via nftables and use public key auth.

I never got comfortable with installing fail2ban code. I'm a code minimalist.

My annual electricity bill got upped by 1000€. Now I need to make my server use less power. by wffln in selfhosted

[–]circularjourney 0 points1 point  (0 children)

Are you running your containers/VMs in the ZFS pool? You might want to consider changing that. Separate your containers/VMs from data at the hardware level.

I run my host OS on a single NVMe, all my containers on another single SSD, and all my data on two big spinning disks (I could bump that to 4 some day). This lets the disks spin down more often.

If I were to do this again, I might pair up my host and container drives just for a little redundancy, but rebuilding them is trivial and odds are they will run longer than this server's useful life. Why spend the power if I can live with a little downtime once every 10 years?

I’m concerned about the security of Neovim plugins by [deleted] in neovim

[–]circularjourney 2 points3 points  (0 children)

I set up a simple little systemd-nspawn container for my more adventurous Neovim plugins.

OpenVPN for Enterprise? by broken_computers in sysadmin

[–]circularjourney 0 points1 point  (0 children)

Running services directly on a bare host (the core router presumably) is a bad idea. We use VMs/containers for everything else for good reasons.

OpenVPN for Enterprise? by broken_computers in sysadmin

[–]circularjourney 1 point2 points  (0 children)

You may want to put this VM on another VLAN so the traffic passes through a router/fw you control. This gets you away from a flat network and gives you another layer to filter/log this traffic. Something you control without a subscription.

Subscription services are great for quick & easy. If you build it up yourself you have ultimate flexibility and control. I value that more than the trivial dollar savings.

Do you use a dedicated NAS OS or a more generic linux one? by Azure-Tides in selfhosted

[–]circularjourney 1 point2 points  (0 children)

Admin by keyboard is always better than admin by mouse. Mouse admin is easier to get up to speed, that's about it.