Docker/Podman support

I’ve been looking for a way to implement containers with Virtualmin so I can give users access to their contianers and let them install node, php or whatever they want with no scurity risks for the rest of the server, they’re limited to their container. Mainly to run Node.js apps.

After some researches I found this post Cloudmin and Docker where devs/mods said that Podman support will come to Virtualmin soon, the post is from December 2023(± recent) and there is still no Podman or Docker support.

I just want to know if it’s still under developement or if it’s an abandoned feature.

If it’s under developement I hope too see it available soon, it sounds as an amazing idea if it’s well implemented lol

It’s still under development. It’ll be a Pro feature (or maybe an add-on product that can be purchased separately for GPL users, we haven’t decided yet) for some time, to fund development of it. It won’t be in GPL or available for free for…some time. Not sure how long. It’s a big project. And, usability is hard for this concept, which is mostly what we’ve been iterating on for a long time.

I still prefer the bare metal approach for php apps, like nextcloud and roundcube, or all the other apps that the virtualmin script installer offers.

But the whole container thing became big.

I have just recently started using some myself and found that portainer is a good interim solution.

In virtualmin I found that the “proxy paths” works nicely for the containers. I add the subdomain as a subserver and then use that functionality to give the containers ssl and a domain name.

But container management like portainer does sounds exciting.

Of course, I also continue to remind folks that nothing is stopping you from using containers on a Virtualmin server. You just proxy to it like any other web app running in an app server.

I think it will be a great pro feature.

Especially in hosting environments with clients/users.

In shared hosting a client might require a global setting change that you might now want to do.

So containers would solve this.

something to consider for the module is that I would only give clients a certain range of available external ports to expose for the containers. You would want to avoid clients trying to map main ports.

also might need to be able to create a custom bridge for the clients so those containers cannot talk to other clients containers.

I don’t see any reason a domain owner would need any external ports, at least not for web applications. We do have port protection features for web apps already in Virtualmin (when the app was installed via Install Scripts), but I recommend folks use UNIX file sockets instead of ports for both app servers and containers. Sockets can be owned by a user…ports have to be sort of actively monitored for squatting, which is much higher risk.

I don’t think we need/want private networks or meshes or anything along those lines for the kind of user deploying with Virtualmin. That’s too much complexity for Virtualmin users. We’re not trying to re-implement Kubernetes, our goal is to make it really easy to deploy an application in a container and expose it to the web under a domain. If you’re running a bunch of containers that need to talk to each other via something other than a regular web API, you’re well beyond the kind of deployment you’d do in Virtualmin, and you probably have staff that know how to go about orchestrating cloud services to make that happen.

I see this more like a way to deploy non PHP applications usong Virtualmin without giving the users full access to the server.

If you create a container where the user can have full access using FTP and SSH he can install and uninstall whatever he wants and you don’t have to worry about scurity, he’ll only break the container.

That was something I asked before, how to limit users with SSH to only see some directories and how to limit their commands… but for a node app for example each user will need one node version, one npm version and something like pm2. Configure jailkit for that is extremely hard as node needs root permisions to run things and you can already see the security risk here.

I thougt about Docker, users could loggin with ssh and then connect to their container console and do whatever they wanted… but they still have SSH permissions on the main server(where Virtualmin is) and I don’t what that, I want them to do “ssh” and connect to the container directly. Same for FTP. That way they can do everything they want. By default ports 80 and 443 will be open for the container so apache can reverse proxy the web inside that container.

That’s not at all what this is, and it’s not what Virtualmin is for. That’s what Cloudmin already does. But, it’s not how people are using containers. If you want VMs, create VMs. KVM has a huge array of features around sharing memory (so you don’t pay for multiple kernels as long as its the same kernel, and if the OS is the same in the VMs, you don’t pay for much of that either), there’s no reason to use containers if what you want is a virtualized OS.

You may note that almost all of the “full OS in a container” projects (of which there used to be about a dozen on Linux) are mostly defunct or close to it, and for good reason…all the reasons they were better/cheaper/lighter than VMs have mostly gone away. Containers in modern deployments are about containing and isolating applications and user processes, not about virtualizing a whole operating system.

but I recommend folks use UNIX file sockets instead of ports

Thanks I will look into that instead. Using ports now just because it seems to be the most prevalent in the install instructions from various container devs.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.