I can break one container without breaking all of them? I can run them in isolated container networks and even isolated cgroups if I want to. Docker hides a lot of the core reasons tools like jails and chroot and eventually LXC were created but containers absolutely can do the things you are using vms for if you are willing to learn how they work
I built my recommendation around the likelihood this person is already using docker and therefore already has containers that would be extremely easy to run without unraid. There would be less lift to use the same config files and volume mounting they are already using.
Operationally though I would never run vms and containers in the same orchestrated system. Look at what they are asking to do. Why would you run sonarr as a container and radarr as a vm. Obviously they are going to end up just doing one or the other
I legitimately don’t understand the trendiness of proxmox given that vms are overkill compared to containers. If you are migrating from unraid you are likely already using the docker version of all your arr services so going and spinning up vms feels like a step backwards.
You can either use the exact same containers and use systemd to run them as raw services or use something like docker compose or dozens of other tools to orchestrate them. I use k8s but can’t recommend it with a straight face after taking down VMs for being overkill (very different kinds of overkill but still)
I have no issues reading in general but I still have this experience. Like I read the entire goblet of fire in one sitting without sleeping or eating (my mom still talks about how much this freaked her out to this day) but simultaneously I have this issue all the time now as an adult when reading technical white papers for my job. Halfway in I suddenly realize I didn’t actually read the last several paragraphs.
Management: Our consultants don’t know what ebpf or what immutable filesystems are so obviously your wizard magic is not better than crowdstrike. Also IT will be in charge of that one component and clickops it bypassing the entire CICD pipeline and sanity checking system you have. It’s for compliance which is our word for shut up or we fire you.
One could argue the requirements have changed because the security and compliance part of the world finally caught up to modern software delivery concepts. Even the most dinosaur apps at compliant orgs are being dragged kicking and screaming into new CI/CD tools where applying governance and custody chains and permissions and approvals are all self documented automated hooks.
I was suggesting to do neither and run the container directly. Putting k8s on top of lxc is still completely stupid. Just run k8s bare metal to operate your containers.
Run docker within lxc within proxmox. This gave me an aneurism. You’ve lost the whole point of not actually virtualizing with containers by putting in two layers deep in virtualization. At this point your shit is so convoluted why don’t you just run kubernetes
Unless wealth is just their means to feel in control. All the wealth in the world apparently can’t stop war from happening and someone else being able to nuke them means they have to face the reality that they are not in control of all things. Vault tec gives them the psychological out of not facing their own lack of control by telling them they get to drop the bomb and control the vaults. If they drop the bomb, they take control back from chaos.
Averages are fun. It’s likely Opsy roles do have the highest average. But it’s also very true that devs have the highest ceilings. There’s just very few devs making 600+ and the majority at 120-150. Then there is an absolute shit load of opsys making 160-200. So in ops you hit the ceiling super fast while the occasional dev just keeps rocketing to bullshit pay but the averages are what they are
(Hiring manager for devops. I get the raw data through a corporate data broker)
VPN is inherently not zero trust. You really should be moving to ZTN based tools
Seconding the other comment, lots of orgs picked .lan and then over the last few years have moved things into the cloud and .lan has become a meaningless soup since half the shit isn’t even on local network. Now it just means “needs a vpn or ztn to talk to”
Luckily my last three orgs finally bought a second domain for private dns. It’s quickly becoming a pattern that myorg.com owns myorg.tech or whatever for private traffic. Domains are cheap as fuck compared to everything else a business spends money on, it’s really silly how many people are using hacks for this
I was replying specifically in the context of the original question. Unraid already has their services tooling built out over containers so this person already is probably using containerized versions of the arr services. It would be overkill to go build vms for these services specifically for what you said. They don’t need to be windows or osx, they don’t need hardware passthrough, they don’t need a full kernel.
That aside. You absolutely can run containers as a full isolated kernel and directly map hardware to them. CGroups absolutely allows for those use cases. You may not be using docker anymore but docker is more of a crutch for beginners who probably dont need those things.
One example of this in the real world are COS and Bottlerocket which are literally distributions of Linux where even core is components are individually running under different containers via cgroups. COS runs on every GKE cluster in the world and bottlerocket on most EKS clusters.