# LXC and Friends

With Proxmox in place, I started work on LXC containers. They really are
wonderful. Fast to start up, way lower memory footprint, and much easier
configuration in general. Without the long wait for VMs to fully
install, I have a lot more motivation to set up some stuff I've been
planning.

First up is WireGuard. WireGuard required some fiddling because
Proxmox's Linux kernel has not integrated the kernel module. While I
could've achieved this on a virtual machine without altering my
hypervisor, I felt WireGuard was worth it. WireGuard is so easy to set
up and comes with an extremely low latency cost. Now that my Android
device is always routed through WireGuard, I have a lot more options to
secure and experiment with its networking.

Next up is a popular favourite, Pi-hole. I've always been hesitant
about installing Pi-hole on a physical device like a RPi or a VM because
it felt like overkill for such a simple application. A containerized
environment is just perfect. I've also wired devices connected to my
WireGuard instance to use Pi-hole as the DNS server. It was enlightening
knowing what my devices are doing. Side note: Firefox's telemetry
service is pretty aggressive if you leave it on.

The last application is Apache Guacamole. This is a rather "heavy"
application because it runs on Java Tomcat, but Guac is seriously
amazing. If you've always been worried about securing entry to your
devices, fear no more. With Guac, you can use your browser as the remote
gateway to your internal network. I've never wanted to expose my SSH
jumper to the ravages of the Internet, so Guac allows me to have
2-factor authentication and easy access to my internal network while
I'm not at home. Why not connect to my WireGuard instance, you say?
Mainly because I have not automated adding devices to my WireGuard
instance, so the manual work is still slightly cumbersome. Also, Guac
does not require any specialized remote tools such as OpenSSH or PuTTY;
it only requires a browser that supports SSL.

## The Drawbacks

Perhaps the largest drawback of LXC containers, when compared to Docker,
is the "full Linux stack" available in each container. While some
container templates (Alpine) are slimmer than others, most of my
containers run on Debian. There is work needed to keep them up-to-date,
so this perfectly sets up the environment for me to pick up more
advanced config management. Ansible Level 2, here I come.

------------------------------------------------------------------------

> Do not pity the dead, Harry, pity the living. And above all, those who
> live without love.\
> - Albus Dumbledore