by dizhn 46 days ago
My containers run in dedicated "docker host" VMs. And I never expose ports on 0.0.0.0, just the private internal IP. Most (all) of my docker hosts do not have a public IP anyway. I use wireguard to access them myself. If they need to be public I reverse proxy with caddy from my web server (or use Authentik's embedded proxy). These servers have access to the same private LAN which could be hardened without having the issues you brought up.

By the way most docker based implementations do not actually need the userland proxy docker runs automatically. Disable it in /etc/docker/daemon.js

    {
      "userland-proxy": false
    }
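An added audit check for the two points in the comment above (publish on the private IP, not 0.0.0.0, and turn the userland proxy off); this is example code, not the commenter's, and it assumes the JSON shapes that docker inspect and daemon.json actually use, with constructed sample data standing in for a real host:

```python
import ipaddress
import json

# Host addresses that mean "every interface", including a public one.
WILDCARD_HOST_IPS = {"", "0.0.0.0", "::"}


def audit_port_bindings(inspect_output: str, allowed_net: str) -> list[str]:
    """Return one finding per published port whose host address is not inside allowed_net."""
    net = ipaddress.ip_network(allowed_net)
    findings = []
    for container in json.loads(inspect_output):
        name = container["Name"].lstrip("/")
        bindings = (container.get("HostConfig") or {}).get("PortBindings") or {}
        for cport, hosts in bindings.items():
            for binding in hosts or []:
                host_ip = binding.get("HostIp", "")
                if host_ip in WILDCARD_HOST_IPS:
                    findings.append(f"{name}: {cport} is published on all interfaces")
                elif ipaddress.ip_address(host_ip) not in net:
                    findings.append(f"{name}: {cport} is published on {host_ip}, outside {allowed_net}")
    return findings


def userland_proxy_enabled(daemon_json: str) -> bool:
    """dockerd keeps the userland proxy on unless daemon.json sets the key to false."""
    return bool(json.loads(daemon_json).get("userland-proxy", True))


# Constructed sample: roughly what `docker inspect web db` prints on a docker host
# whose private address is 10.0.10.5.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"PortBindings": {
        "80/tcp": [{"HostIp": "10.0.10.5", "HostPort": "8080"}]}}},
    {"Name": "/db", "HostConfig": {"PortBindings": {
        "5432/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5432"}],
        "9187/tcp": [{"HostIp": "", "HostPort": "9187"}]}}},
])
SAMPLE_DAEMON_JSON = '{"userland-proxy": false}'

if __name__ == "__main__":
    for finding in audit_port_bindings(SAMPLE_INSPECT, "10.0.10.0/24"):
        print("FINDING:", finding)
    print("userland proxy enabled:", userland_proxy_enabled(SAMPLE_DAEMON_JSON))
```

On a real host, feed it the output of docker inspect over all running containers and the contents of /etc/docker/daemon.json instead of the constructed samples.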

https://www.macchaffee.com/blog/2024/you-have-built-a-kubern...

Like, if that works for you, more power to you. But that is a lot of moving parts in exchange for using a tool whose value prop is that it doesn't have many.

That's neither kubernetes nor a lot of moving parts, just basic sysadmin setup for good hygiene and peace of mind.
I wish. There's nothing like Kubernetes here nor the features it gives you or any need for them. Just some basic sys admin stuff that works well for me.
This is the way, ended up using identical setup.
What would the config look like if I have my docker containers split up over multiple VMs?
I have all of mine on the same (or accessible) internal LAN so they can all talk to each other. You can get the connection going with Wireguard if they are in different places in terms of networking.
As in you have a VLAN just for the docker containers to talk to each other on?
Amounts to the same thing but no. Proxmox servers with two bridged interfaces. One interface has a public IP, the other a 10.0.10.0/24 etc. Multiple baremetal servers are connected by wireguard and have access to each other's private subnets. Like one other might be the 10.0.20.0/24. Set up the routes and good to go. Firewall to taste. My private LAN is all open.

This is not just for docker. There are other vms and lxc containers too.

Very interesting way to set things up. Thanks for the breakdown! It's given me some ideas for our non-prod Proxmox cluster.
Sure thing. Let me know if you need more details.
Could you elaborate on your setup? Is the docker host also your web server on which you run caddy?
No it just needs to have a route to the internal IP of the docker host. And you expose your ports on that IP. Let me know if you need more details. You could also put the reverse proxy (Caddy in my case) on the docker host.