Should I move to Docker?

dude, im kinda you. i just jumped into docker over the summer... feel stupid not doing it sooner. there is just so much pre-created content, tutorials, you name it. its very mature.
i spent a weekend containering all my home services.. totally worth it and easy as pi[hole] in a container!.
- Well, that wasn't a huge investment :-) I'm in..
  I understand I've got LOTS to learn. I think I'll start by installing something new that I'm looking at with docker and get comfortable with something my users (family..) are not yet relying on.
  
  Forget docker run, docker compose up -d is the command you need on a server. Get familiar with a UI, it makes your life much easier at the beginning: portainer or yacht in the browser, lazy-docker in the terminal.
  
  If you are interested in a web interface for management check out portainer.
- As a guy who's you before summer.
  Can you explain why you think it is better now after you have 'contained' all your services? What advantages are there, that I can't seem to figure out?
  Please teach me Mr. OriginalLucifer from the land of MoistCatSweat.Com
  
  No more dependency hell from one package needing libsomething.so 5.3.1 and another service absolutely can only run with libsomething.so 4.2.0
  That and knowing that when i remove a container, its not leaving a bunch of cruft behind
  
  You can also back up your compose file and data directories, pull the backup from another computer, and as long as the architecture is compatible you can just restore it with no problem. So basically, your services are a whole lot more portable. I recently did this when dedipath went under. Pulled my latest backup to a new server at virmach, and I was up and running as soon as the DNS propagated.
  
  Modularity, compartmentalization, reliability, predictability.
  One software needs MySQL 5, another needs mariadb 7. A third service needs PHP 7 while the distro supported version is 8. A fourth service uses cuda 11.7 - not 11.8 which is what everything in your package manager uses. a fifth service's install was only tested on latest Ubuntu, and now you need to figure out what rpm gives the exact library it expects. A sixth service expects odbc to be set up in a very specific way, but handwaves it in the installation docs. A seventh program expects a symlink at a specific place that is on the desktop version of the distro, but not the server version. And then you got that weird program that insist on admin access to the database so it can create it's own user. Since I don't trust it with that, let it just have it's own database server running in docker and good riddance.
  And so on and so forth.. with docker not only is all this specified in excruciating details, it's also the exact same setup on every install.
  You don't have it not working on arch because the maintainer of a library there decided to inline a patch that supposedly doesn't change anything, but somehow causes the program to segfault.
  I can develop a service on windows, test it, deploy it to my Kubernetes cluster, and I don't even have to worry about which machine to deploy it on, it just runs it on a machine. Probably an Ubuntu machine, but maybe on that Gentoo node instead. And if my osx friend wants to try it out, then no problem. I can just give him a command, and it's running on his laptop. No worries about the right runtime or setting up environment or libraries and all that.
  If you're an old Linux admin... This is what utopia looks like.
  Edit: And restarting a container is almost like reinstalling the OS and the program. Since the image is static, restarting the container removes all file system cruft too and starts up a pristine new copy (of course except the specific files and folders you have chosen to save between restarts)

It just making things easier and cleaner. When you remove a container, you know there is no leftover except mounted volumes. I like it.
- It's also way easier if you need to migrate to another machine for any reason.
- I use LXC for all the reasons most people use Docker, it's easy to spin up a new service, there are no leftovers when I remove a service, and everything stays separate. What I really like about LXC though is that you can treat containers like VMs, you start it up, attach and install all your software as if it were a real machine. No extra tech to learn.
- Not completely true you probably have to prune some images, or volumes.

- For sure! Most seem to be random git repo level of reviewed instead of being seriously tested and hardened. I really wish we had more of an source for reliable audits of containers, and flatpaks. Just someone trusted or collectively running trivy, clair, sonarqube, etc, posting the results publicly, and having tools like podman/K3s/etc have sane defaults for checkibg it against containers on pull.

I would absolutely look into it. Many years ago when Docker emerged, I did not understand it and called it "Hipster shit". But also a lot of people around me who used Docker at that time did not understand it either. Some lost data, some had servicec that stopped working and they had no idea how to fix it.
Years passed and Containers stayed, so I started to have a closer look at it, tried to understand it. Understand what you can do with it and what you can not. As others here said, I also had to learn how to troubleshoot, because stuff now runs inside a container and you don´t just copy a new binary or library into a container to try to fix something.
Today, my homelab runs 50 Containers and I am not looking back. When I rebuild my Homelab this year, I went full Docker. The most important reason for me was: Every application I run dockerized is predictable and isolated from the others (from the binary side, network side is another story). The issues I had earlier with my Homelab when running everything directly in the Box in Linux is having problems when let´s say one application needs PHP 8.x and another, older one still only runs with PHP 7.x. Or multiple applications have a dependency of a specific library when after updating it, one app works, the other doesn´t anymore because it would need an update too. Running an apt upgrade was always a very exciting moment... and not in a good way. With Docker I do not have these problems. I can update each container on its own. If something breaks in one Container, it does not affect the others.
Another big plus is the Backups you can do. I back up every docker-compose + data for each container with Kopia. Since barely anything is installed in Linux directly, I can spin up a VM, restore my Backups withi Kopia and start all containers again to test my Backup strategy. Stuff just works. No fiddling with the Linux system itself adjusting tons of Config files, installing hundreds of packages to get all my services up and running again when I have a hardware failure.
I really started to love Docker, especially in my Homelab.
Oh, and you would think you have a big resource usage when everything is containerized? My 50 Containers right now consume less than 6 GB of RAM and I run stuff like Jellyfin, Pi-Hole, Homeassistant, Mosquitto, multiple Kopia instances, multiple Traefik Instances with Crowdsec, Logitech Mediaserver, Tandoor, Zabbix and a lot of other things.
- The backup and easy set up on other servers is not necessarily super useful for a homelab but a huge selling point for the enterprise level. You can make a VM template of your host with docker set up in it, with your Compose definitions but no actual data. Then spin up as many of those as you want and they'll just download what they need to run the images. Copying VMs with all the images in them takes much longer.
  And regarding the memory footprint, you can get that even lower using podman because it's daemonless. But it is a little more work to set things up to auto start because you have to manually put it into systemd. But still a great option and it also works in Windows and is able to parse Compose configs too. Just running Docker Desktop in windows takes up like 1.5GB of memory for me. But I still prefer it because it has some convenient features.
- It seems like docker would be heavy on resources since it installs & runs everything (mysql, nginx, etc.) numerous times (once for each container), instead of once globally. Is that wrong?
  
  You would think so, yes. But to my surprise, my well over 60 Containers so far consume less than 7 GB of RAM, according to htop. Also, of course Containers can network and share services. For external access for example I run only one instance of traefik. Or one COTURN for Nextcloud and Synapse.

Another old school sysadmin that “retired” in the early 2010s.
Yes, use docker-compose. It’s utterly worth it.
I was intensely irritated at first that all of my old troubleshooting tools were harder to use and just generally didn’t trust it for ages, but after 5 years I wouldn’t be without.
- I'm a little younger but in the same boat. There is some friction having filesystems, ports and processes "hidden" from your hosts programs that you typically rely on. But I needed them sooooo much less now that all my services are in Docker with exactly matching dependencies instead of rolling my eyes about running two PostgreSQL servers in different versions or juggling Python / node / Ruby versions with ASDF.
  
  Yeah, so worth it! The first time I moved a service to a new box and realised all I had to do was copy the compose file and docker-compose up -d ... I was sold.
  Now I'm moving everything to Docker Swarm which is a new adventure. :-)

Docker is amazing, you are late to the party :)
It's not a fad, it's old tech now.

I’m gonna play devil’s advocate here.
You should play around with it. But I’ve been a Linux server admin for a long time and — this might be unpopular — I think Docker is unimportant for your situation. I use Docker daily at work and I love it. But I didn’t bother with it for my home server. I’ll never need to scale it or deploy anything repeatedly or where I need 100% uptime.
At home, I tend to try out new things and my old docker-compose files are just not that valuable. Docker is amazing at work where I have different use cases but it mostly just adds needless complexity on a home server.
- That's exactly how I feel about it. Except (as noted in my post..) the software availability issue. More and more stuff I want is "docker first" and I really have to go out of my way to install and maintain non docker versions. Case in point - I'm trying to evaluate Immich so I can move off Google photos. It looks really nice, but it seems to be effectively "docker only."
  
  The advantage of docker, as I see it for home labs, is keeping things tidy, ensuring compatibility, and easy to manage/backup setup configs, app configs, and app data. It is all very predictable and manageable. I can move my docker compose and data from one host to another in literal seconds. I can, likewise, spin up and down test environments in seconds too. Obviously the whole scaling thing that people love containers for is pointless in a homelab, but many of the things that make it scalable also make it easy to manage.
  
  Im probably the opposite of you! Started using docker at home after messing up my raspberry pi a few too many times trying stuff out, and not really knowing what the hell I was doing. Since moved to a proper nas, with (for me, at least) plenty of RAM.
  Love the ability to try out a new service, which is kind of self-documenting (especially if I write comments in the docker-compose file). And just get rid of it without leaving any trace if it's not for me.
  Added portainer to be able to check on things from my phone browser, grafana for some pretty metrics and graphs, etc etc etc.
  And now at work, it's becoming really, really useful, and I'm the only person in my (small, scientific research) team who uses containers regularly. While others are struggling to keep their fragile python environments working, I can try out new libraries, take my env to the on-prem HPC or the external cloud, and I don't lose any time at all. Even "deployed" some little utility scripts for folks who don't realise that they're actually pulling my image from the internal registry when they run it. A much, much easier way of getting a little time-saving script into the hands of people who are forced to use Linux but don't have a clue how to use it.
- This is kinda where I'm at as well. I have always run my home services each in their own VM. There's no fuss to set up a new one, if I want to move it to a different server I just copy the *.img file over and launch it. Sure I run a lot of internet services across my various machines but it all just works so I don't understand what purpose there would be to converting all the custom configurations over to docker. It might make sense if I was trying to run all my services directly on the bare metal, but who does that?
  
  VM's have much bigger overhead, for one. And VM's are less reproducible too. If you had to set up a VM again, do you have all the steps written down? Every single step? Including that small "oh right" thing you always forget? A Dockerfile is basically just a list of those steps, written in a way a computer can follow. And every time you build an image in docker, it just plays that list and gives you the resulting file system ready to run.
  It's incredibly practical in some cases, let's say you want to try a different library or upgrade a component to a newer version. With VM's you could do it live, but you risk not being able to go back. You could make a copy or make a checkpoint, but that's rather resource intensive. With docker you just change the Dockerfile slightly and build a new image.
  The resulting image is also immutable, which means that if you restart the docker container, it's like reverting to first VM checkpoint after finished install, throwing out any cruft that have gathered. You can exempt specific file and folders from this, if needed. So every cruft and change that have happened gets thrown out except the data folder(s) for the program.

I started using docker myself for stuff at home and I really liked it. You can create a setup that's easy to reproduce or just download.
Easy to manage via docker CLI, one liner to run on startup unless stopped, tons of stuff made for docker becomes available. For non docker things you can always login to the container.
Tasks such as running, updating, stopping, listing active servers, finding out what ports are being used and automation are all easy imo.
You probably have something else you use for some/all of these tasks but docker makes all this available to non-sysadmin people and even has GUI for people who like clicking their mouse.
I think next time you find something that provides a docker compose file you should try it. :)

I'm a VMware and Windows admin in my work life. I don't have extensive knowledge of Linux but I have been running Raspberry Pis at home. I can't remember why but I started to migrate away from installed applications to docker. It simplifies the process should I need to reload the OS or even migrate to a new Pi. I use a single docker-compose file that I just need to copy to the new Pi and then run to get my apps back up and running.
linuxserver.io make some good images and have example configs for docker-compose
If you want to have a play just install something basic, like Pihole.

Why not jumping directly to Podman if you want more resilent system from beginning? Just my opinion
- Why not? Because I've never heard of it until this thread - lots of people mentioning it so obviously I'll look into it.

No. (Of course, if you want to use it, use it.) I used it for everything on my server starting out because that's what everyone was pushing. Did the whole thing, used images from docker hub, used/modified dockerfiles, wrote my own, used first Portainer and then docker-compose to tie everything together. That was until around 3 years ago when I ditched it and installed everything normally, I think after a series of weird internal network problems. Honestly the only positive thing I can say about it is that it means you don't have to manually allocate ports for those services that can't listen on unix sockets which always feels a bit yucky.
A lot of images comes from some random guy you have to trust to keep their images updated with security patches. Guess what, a lot don't.
Want to change a dockerfile and rebuild it? If it's old and uses something like "ubuntu:latest" as a base and downloads similar "latest" binaries from somewhere, good luck getting it to build or work because "ubuntu:latest" certainly isn't the same as it was 3 years ago.
Very Linux- and x86_64-centric. Linux is of course not really a problem (unless on Mac/Windows developer machines, where docker runs a Linux VM in the background, even if the actual software you're working on is cross-platform. Lmao.) but I've had people complain that Oracle Free Tier aarch64 VMs, which are actually pretty great for a free VPS, won't run a lot of their docker containers because people only publish x86_64 builds (or worse, write dockerfiles that only work on x86_64 because they download binaries).
If you're using it for the isolation, most if not all of its security/isolation features can be used in systemd services. Run systemd-analyze security UNIT.
I could probably list more. Unless you really need to do something like dynamically spin up services with something like Kubernetes, which is probably way beyond what you need if you're hosting a few services, I don't think it's something you need.
If I can recommend something instead if you want to look at something new, it would be NixOS. I originally got into it because of the declarative system configuration, but it does everything people here would usually use Docker for and more (I've seen it described it as "docker + ansible on steroids", but uses a more typical central package repository so you do get security updates for everything you have installed, and your entire system as a whole is reproducible using a set of config files (you can still build Nix packages from the 2013 version of the repository I think, they won't necessarily run on modern kernels though because of kernel ABI changes since then). However, be warned, you need to learn the Nix language and NixOS configuration, which has quite a learning curve tbh. But on the other hand, setting up a lot of services is as easy as adding one line to the configuration to enable the service.

Welcome to the party 😀
If you want a good video tutorial that explains the inner workings of docker so you understand what's going on beneath the surface(without drowning in the details), let me know and I'll paste it tomorrow. Writing from bed atm 😴
- I'd like that please
  
  Check out my previous comment: https://lemmy.ml/comment/6629930
  (sorry, haven't learned how to tag users on Lemmy yet!)
- Not OP, but, yes please.
  
  Here you go: https://www.youtube.com/playlist?list=PLTk5ZYSbd9Mg51szw21_75Hs1xUpGObDm
  LearnCantrill does a good job at being straightforward and clear in his courses. His networking fundamentals is also pretty good.
  Check also out this resource where you can fool around and get a feel for Docker in a virtual enviorment: https://labs.play-with-docker.com/
- I'm also interested in that, please

Hi, also used to be a sysadmin and I like things that are simple and work. I like Docker.
Besides what you already noticed (that most software can be found packaged for Docker) here are some other advantages:
It's much lighter on resources and efficient than virtual machines.
It provides a way to automate installs (docker compose) that's (much) easier to get started with than things like Ansible.
It provides a clear separation between configuration, runtime, and persistent data and forces you to get organized.
You can group related services.
You can control interdependencies, privileges, shared access to resources etc.
You can define simple or complex virtual networking topologies between containers as you like.
It adds extra security (for whatever that's worth to you).
A brief description of my own setup, for ideas, feel free to ask questions:
Router running OpenWRT + server in a regular PC.
Server is 32 MB of RAM (bit overkill for now, black Friday upgrade, ran with 4 GB for years), Intel CPU with embedded GPU, OS on M.2 SSD, 8 HDD bays in Linux software RAID (MD).
OS is Debian stable barebones, only Docker, SSH and NFS are installed on the host directly. Tip: use whatever Linux distro you know and like best.
Docker is installed from their own repository, not from Debian's.
Everything else runs from docker containers, including things like CUPS or Samba.
I define all containers with compose, and map all persistent data to host storage. This way if I lose a container or even the whole OS I just re-provision from compose definitions and pick up right where I left off. In fact destroying and recreating containers cleanly is common practice with docker.
Learning docker and compose is not very hard esp. if you were on the job.
If you have specific requirements eg. storage, exposing services over internet etc. please ask.
Note: don't start with Podman or rootless Docker, start with regular Docker. It will be 10x easier. You can transition to the others later if you want.
- I'm basically the same here, used to be a sysmin too. Docker compose is running a couple of complicated inter-dependent services at my job as a first try for me, it's been quite stable and clear on what's happening within the containers.
  I really like how the docker setup files also become a source of truth documentation wise, particularly when paired with git.
  P.s. I know it's a typo, but imagine a 'black Friday upgrade' for your server being a move from 4gb ram to 32mb. Return to ~~monke~~ 1998.
  
  That typo made me chuckle way harder than it should've, too.
- As someone who just started their container adventure by setting up rootless podman on arch, it wasn't terrible but I think I agree. I think I'm going to go check out some vanilla-ass docker until I can understand everything better.
- It seems like docker would be heavy on resources since it installs & runs everything (mysql, nginx, etc.) numerous times (once for each container), instead of once globally. Is that wrong?
  
  There's nothing stopping you from using a single instance of those and only adding databases and config. The configs that come with projects set them up individually because they need to offer full examples but those configs are only meant as a guideline.
  Also keep in mind that the overhead of just running multiple instances isn't very big. The resources are consumed when you start having connections and using CPU and storing data and so on, and those are going to be the same no matter how many instances you have.

Learn it first.
I almost exclusively use it with my own Dockerfiles, which gives me the same flexibility I would have by just using VM, with all the benefits of being containerized and reproducible. The exceptions are images of utility stuff, like databases, reverse proxy (I use caddy btw) etc.
Without docker, hosting everything was a mess. After a month I would forget about important things I did, and if I had to do that again, I would need to basically relearn what I found out then.
If you write a Dockerfile, every configuration you did is either reflected by the bash command or adding files from the project directory to the image. You can just look at the Dockerfile and see all the configurations made to base Debian image.
Additionally with docker-compose you can use multiple containers per project with proper networking and DNS resolution between containers by their service names. Quite useful if your project sets up a few different services that communicate with each other.
Thanks to that it's trivial to host multiple projects using for example different PHP versions for each of them.
And I haven't even mentioned yet the best thing about docker - if you're a developer, you can be sure that the app will run exactly the same on your machine and on the server. You can have development versions of images that extend the production image by using Dockerfile stages. You can develop a dev version with full debug/tooling support and then use a clean prod image on the server.

Docker is great. I learned it from aetting up an Openmediavault server that had a built in docker extension, so now lots of servers running off that one server. Also portainer can be very handy for working with containers , basically a gui for the command line stuff or compose files you'd normally use in docker cli
- I couldn't get used to Docker at all before using Portainer. GUIs are great if you can't use CLI.
  
  That's how I "onboarded" to docker. Portainer acted like a stepping stone, as I got familiar with how docker worked.

Similar story to yours. I was a HP-UX and BSD admin, at some point in the 00s, I stopped self-hosting. Felt too much like the work I was paid to do in the office.
But then I decided to give it a go in the mid-10s, mainly because I was uneasy about my dependence on cloud services.
The biggest advantage of Docker for me is the easy spin-up/tear-down capability. I can rapidly prototype new services without worrying about all the cruft left behind by badly written software packages on the host machine.

Yes

It's very, very useful.
For one thing, its a ridiculously easy way to get cross-distro support working for whatever it is you're doing, no matter the distro-specific dependency hell you have to crawl through in order to get it set up.
For another, rather related reason, it's an easy way to build for specific distros and distro versions, especially in an automated fashion. Don't have to fuck around with dual booting or VMs, just use a Docker command to fire up the needed image and do what you gotta do.
Cleanup is also ridiculously easy too. Complete uninstallation of a service running in Docker simply involves removal of the image and any containers attached to it.
A couple of security rules you should bear in mind:
expose only what you need to. If what you're doing doesn't need a network port, don't provide one. The same is true for files on your host OS, RAM, CPU allocation, etc.
never use privileged mode. Ever. If you need privileged mode, you are doing something wrong. Privileged mode exposes everything and leaves your machine ripe for being compromised, as root if you are using Docker.
consider podman over docker. The former does not run as root.

As a casual self-hoster for twenty years, I ran into a consistent pattern: I would install things to try them out and they’d work great at first; but after installing/uninstalling other services, updating libraries, etc, the conflicts would accumulate until I’d eventually give up and re-install the whole system from scratch. And by then I’d have lost track of how I installed things the first time, and have to reconfigure everything by trial and error.
Docker has eliminated that cycle—and once you learn the basics of Docker, most software is easier to install as a container than it is on a bare system. And Docker makes it more consistent to keep track of which ports, local directories, and other local resources each service is using, and of what steps are needed to install or reinstall.

My vote: not if you can avoid it.
For casual home admins docker containers are mysterious black boxes that are difficult to configure and even worse to inspect and debug.
I prefer lightweight VMs hosting one or more services on an OS I understand and control (in my case Debian stable), and only use docker images as a way to quickly try out something new before commiting time to deploying it properly.
- I found they were easier to config. somebody has a yaml file or via portainer to setup ports etc. and you can always bash into a docker to lurk inside the black box
  
  I think they’re easier to debug as well IMO. Logs can be spread out across the filesystem on something like a Debian VM. Whereas with Docker they’re all in one feed you can easily follow the output from, with different services colour-coded. You can also easily increase the verbosity by editing the compose file.

Yes. Containers are awesome in that they let you use an application inside a sandbox, but beyond that you can deploy it anywhere.
If you're in the sysadmin world you should not only embrace Docker but I'd recommend learning k8s, too, if you still enjoy those things.
- K8s is awesome.

You should try it.

Also consider Nix/NixOS, I have used Docker, Kubernetes, LXC and prefer Nix the most. Especially for home use not requiring any scaling.

Yes, you should. I would look into docker compose as it makes deployments very easy.

If you decide to use docker-compose.yml files, which I do recommend, then I'd also highly recommend this script for updating the docker containers.
It checks each container for updates and then let's you select the containers you would like to update. I just keep it in the main directory with all the other docker container directories.
https://github.com/mag37/dockcheck/blob/main/dockcheck.sh
- The preferred filename is now compose.yaml, see https://docs.docker.com/compose/compose-file/03-compose-file/
  
  Compose also supports docker-compose.yaml and docker-compose.yml for backwards compatibility of earlier versions.
  I doubt they’re going to remove support for the previous filename anytime soon. It would break way too many things.
- Why not just run a watchtower container? Combined with a diun one to send gotify messages to my phone if you're into that. (I am!)
  
  Sometimes automated updates are not desirable. I also prefer the simplicity of a bash script over a full container.

Yes! Well, kinda. You can skip Docker and go straight to Podman, which is an open source and more integrated solution. I configure my containers as systemd services (as quadlets).
- Hold up, does Podman replace Docker entirely?
  
  There are still edge cases, but things have improved rapidly the last year or two, to the point that most docker-compose.yaml files can be run unmodified with podman-compose.
  I have however moved away from compose in favor of running containers and pods as systemd services, which I really like. If you want to try it, make sure your distro has a reasonably new version of Podman, at least v4.4 ot newer. Debian stable has an older version, so I had to use the testing repos to get quadlets working.
  
  I'm no expert, but as far as I can tell yes. It also seems a bit easier to have a rootless setup.
  
  It depends on what you do with Docker. Podman can replace many of the core docker features, but does not ship with a Docker Desktop app (there may be one available). Also, last I checked, there were differences in the docker build command.
  That being said, I'm using podman at home and work, doing development things and building images must fine. My final images are built in a pipeline with actual Docker, though.
  I jumped ship from Docker (like the metaphor?) when they started clamping down on unregistered users and changed the corporate license. It's my personal middle finger to them.
  
  I, too, need to know..

Docker is a QoL improvement over plain VMs/LXCs if you want easy-to-go content/FOSS applications bubdled into a system.
I would personally use Podman since Docker uses root by default, and Podman doesn't (there's options for both, just FYI), and Ansible/Terraform have made IaC a breeze (ah, the good days of orchestration), but I will never use Docker because of the company behind them and because of convoluted Docker networking that I can't be arsed to learn. Other than that, have fun! This is just my opinion anyway

LXC with cloud-init and ansible on proxmox gives you docker features without the docker headache.

Are you familiar with lxc or chroots or bsd jails by any chance? If you are, you probably won't find docker that much different to use other than a bigger selection of premade images.
It is kind of sad that some projects are trending towards docker first, but I think learning how to make packages for package managers is also becoming less popular :(
- I think learning how to make packages for package managers is also becoming less popular :(
  Even learning how to do the simplest thing possible that is easy to package by anybody - something like a tarball or zip - is becoming less popular :(
  
  I learned "creating a zip" the hard way when I submitted an exam but forgot the -r on creation, meaning all the to-review code was gone.

IMO, yes. Docker (or at least OCI containers) aren't going anywhere. Though one big warning to start with, as a sysadmin, you're going to be absolutely aghast at the security practices that most docker tutorials suggest. Just know that it's really not that hard to do things right (for the most part[^0]).
I personally suggest using rootless podman with docker-compose via the podman-system-service.
Podman re-implements the docker cli using the system namespacing (etc.) features directly instead of through a daemon that runs as root. (You can run the docker daemon rootless, but it clearly wasn't designed for it and it just creates way more headaches.) The Podman System Service re-implements the docker daemon's UDS API which allows real Docker Compose to run without the docker-daemon.
[^0]: If anyone can tell me how to set SELinux labels such that both a container and a samba server can have access, I could fix my last remaining major headache.
- I don't know if this is what you are looking for but I used :z with podman mounting and it Just Works*.
  podman run -d -v /dir:/var/lib/dir:z image
  From the documentation :z or :Z relabels volumes for host and container usage depending.
  
  Unfortunately, no. Samba needs a different label. Doing that relabels things so that only containers (and anything unrestriced) can access those files.

Ive worked in enterprise and government as a software engineer and docker has been the defacto standard everywhere since at least 5 years now. It's not going away soon.

It's quite easy to use once you get the hang of it. In most situations, it's the prefered option because you can just have your docker container, choose where relevant files are allowing you to properly isolate your applications. Or on single purpose servers, it makes deployment of applications and maintaining dependencies significantly easier.
At the very least, it's a great tool to add to your toolbox to use as needed.

Learning docker is always a big plus. It's not hard. If you are comfortable with cli commands, then it should be a breeze. Even if you are not comfortable, you should get used to it very fast.

Why wouldn't you want to use containers? I'm curious. What do you use now? Ansible? Puppet? Chef?
- Currently no virtualisation at all - just my OS on bare metal with some apps installed. Remember, this is a single machine sitting in my basement running Samba and a couple of other things - there's not much to orchestrate :-)
  
  Oh, I thought you had multiple machines.
  I use docker because each service I use requires different libraries with different versions. With containers, that doesn't matter. It also provides some rudimentary security. If an attacker gets in, they'll have to break out of the container first to get at the rest of the system. Each container can run with a different user, so even if they do get out of the container, at worst they'll be able to destroy the data they have access to - well, they'll still see other stuff in the network, but I think it's better than being straight pwned.
  
  It makes deployments a lot easier once you have the groundwork laid (writing your compose files). If you ever need to nuke the OS reinstalling and configuring 20+ apps can only take a few minutes (assuming you still have the config data, which should live outside of the container).
  For example, setting up my mediaserver, webserver, SQL server, and usenet suit of apps can take a few hours to do natively. Using Docker Compose it takes one command and about 5-10 minutes. Granted, I had to spend a few hours writing the compose files and testing everything, along with storing the config data, but just simply backing up the compose files with git means I can pull everything down quickly. Even if I don't have the config files anymore it probably only takes like an hour or less to configure everything.
- Not OP, but, seriously asking, why should I? I usually still use VMs for every app i need. Much more work I assume, but besides saving time (and some overhead and mayve performance) what would I gain from docker or other containers?
  
  One of the things I like about containers is how central the IaC methodology is. There are certainly tools to codify VMs, but with Docker, right out of the gate, you'll be defining your containers through a Dockerfile, or docker-compose.yml, or whatever other orchestration platform. With a VM, I'm always tempted to just make on the fly config changes directly on the box, since it's so heavy to rebuild them, but with containers, I'm more driven to properly update the container definition and then rebuild the container. Because of that, you have an inherent backup that you can easily push to a remote git server or something similar. Maybe that's not as much of a benefit if you have a good system already, but containers make it easier imo.
  
  what would I gain from docker or other containers?
  Reproducability.
  Once you've built the Dockerfile or compose file for your container, it's trivial to spin it up on another machine later. It's no longer bound to the specific VM and OS configuration you've built your service on top of and you can easily migrate containers or move them around.
  
  VMs have a ton of overhead compared to Docker. VMs replicate everything in the computer while Docker just uses the host for everything, except it sandboxes the apps.
  In theory, VMs are far more secure since they're almost entirely isolated from the host system (assuming you don't have any of the host's filesystems attached), they are also OS agnostic whereas Docker is limited to the OS it runs on.
  
  Saves time, minimal compatibility, portability and you can update with 2 commands There's really no reason not to use docker

I am running all my software services with docker. It's stupid simple to manage and I have all of my running services in one paradigm.

I was like you and avoided it for a long time. Dedicated use, lean VMs for each thing I was running. I decided to learn it, mostly out of curiosity and I'll be honest, I like the convenience of it a lot. They're easier to deploy and tend to have lower overhead than a single purpose VM running the same software.
Around the same time I switched my VM server over to Proxmox and learned about LxC containers. Those are also pretty nifty and a nice middle ground between full VM and docker container.
Currently I have a mixed environment because I like to use my homelab to learn, but most new stuff I deploy tends to go in this order: Docker > LxC > full VM.

It's convenient. Can't hurt to get used to it, for sure, in that it's useful to not have to go through dependency hell installing things sometimes. It's based on kernel features I don't see Linus pulling out, so I think you'll only see it more.
As someone who runs nix-only at home, I mostly use its underlying tech in the form of snaps/flatpaks, though. I use docker itself at work constantly, but at home, snaps/flatpaks tend to do the "minimize thinking about dependencies and building" bit but in a workflow more convenient for desktop applications.
- Yeah. Docker for servers.
  Flatpak for Desktops/Laptops.
  Although I currently run my Docker stack on my desktop because my NAS server broke down. But its on servers Docker really shines.

Yes. Let me give you an example on why it is very nice: I migrated one of my machines at home from an old x86-64 laptop to an arm64 odroid this week. I had a couple of applications running, 8 or 9 of them, all organized in a docker compose file with all persistent storage volumes mapped to plain folders in a directory. All I had to do was stop the compose setup, copy the folder structure, install docker on the new machine and start the compose setup. There was one minor hickup since I forgot that one of the containers was built locally but since all the other software has arm64 images available under the same name, it just worked. Changed the host IP and done.
One of the very nice things is the portability of containers, as well as the reproducibility (within limits) of the applications, since you divide them into stateless parts (the container) and stateful parts (the volumes), definitely give it a go!

Welcome to Docker! It's fucking awesome! One thing to remember is:
PLEASE setup root-less Docker. It's safer, easier [no sudo all the fking time.], and literally zero downsides other than the initial configuration -- but the Docker docs are amazing and they have every distro on there. It's only a few more steps and you can sleep secure in the fact that even in the WORST case scenario [compromised to root], they still only have a container running in userspace.

If you have homelab and not using containers - you are missing out A LOT! Docker-compose is beautiful thing for homelab. <3
- It took me a while to convert to Docker, I was used to installing packages for all my Usenet and media apps, along with my webserver. I tried Docker here and there but always had a random issue pop up where one container would lose contact with the other, even though they were in the same subnet. Since most containers only contain the bare minimum, it was hard to troubleshoot connectivity issues. Frustrated, I would just go back to native apps.
  About a year or so ago, I finally sat down and messed around with it a lot, and then wrote a compose file for everything. I've been gradually expanding upon it and it's awesome to have my full stack setup with like 20 containers and their configs, along with an SSL secured reverse proxy in like 5-10 minutes! I have since broken out the compose file into multiple smaller files and wrote a shell script to set up the necessary stuff and then loop through all the compose files, so now all it takes is the execution of one command instead of a few hours of manual configuration!

Docker is nice for things that have complex installations and I want a very specific implementation that I don't plan to tweak very much. Otherwise, it's more hassle than it's worth. There are lots of networking issues like limited/experimental support for IPv6, and too much is hidden and preconfigured, making it difficult to make adjustments that would otherwise just be a config file change.
So it is good for products like a mail server where you want to use the exact software they use like let's say postfix + dovecot + roundcube + nginix + acme + MySQL + spam assassin + amavisd, etc. But you want to use an existing reverse proxy and cert it setup, or want to use a different spam filter or database and it becomes a huge hassle.
- Can you recommend a mail server docker image like that? I have a hand cranked iredmail server that I've been babying for 5 years but I want to move it to either docker or an LXC.
  
  I use Mailcow and like it a lot.
  I use a mail service (MXRoute) as an outbound SMTP relay though, since I don't want to have to deal with deliverability, especially to picky services like Microsoft Hotmail/Outlook. It's a trade off. Other relays like SMTP2Go and Amazon SES work well too.
  So I'm self-hosting the mailboxes, but when I send mail through my server, it sends them via MXRoute.
  
  Mailcow or Mailu have pretty good setups if you don't want to do anything too different and don't need to keep resource usage to a minimum.
  
  https://github.com/docker-mailserver/docker-mailserver
- I haven't had any issues with IPv6. If you want to, you can just use a macvlan network and rely on SLAAC. I manually assigned ULA addresses to some containers and it's working well.
  Also as a side note, it's not common for mail servers to use SpamAssassin any more. Most have moved to rspamd which is more powerful and much more efficient.

As someone who is not a former sysadmin and only vaguely familiar with *nix, I’ve been able to turn my home NAS (bought strictly to hold photos and videos backed up from our phones) into a home media sever by installing Docker, learning how the yml files work, how containers network, etc, and it’s been awesome.

Nixos, nixos, nixos 🤌
- Does Docker still give a security benefit over NixOS, because of the sandboxing?
  
  Not familiar with nixOS but there's probably still isolation benefits to Docker. If you care a lot about security, make sure Docker is running in rootless mode.
- Both! Sandboxing from containers and configuration control from nix go well together!
  
  You can use the sandboxing of nixos
  You get better performance, nixos level reproducibility, and it's not docker which is not foss and running with root

I think it's a good tool to have on your toolbelt, so it can't hurt to look into it.
Whether you will like it or not, and whether you should move your existing stuff to it is another matter. I know us old Unix folk can be a fussy bunch about new fads (I started as a Unix admin in the late 90s myself).
Personally, I find docker a useful tool for a lot of things, but I also know when to leave the tool in the box.

Definitely not a fad. It's used all over the industry. It gives you a lot more control over the environment where your hosted apps run. There may be some overhead, but it's worth it.

Try other container technologies lie LXC or go right side and play with FreeBSD jails. Quality of dockers you can find around is horrendous, giving that Docker itself build for convenience not security. It is not something I will trust.
- There's nothing wrong with OCI Images. If you're concerned about the security of Docker (which, imo, you should be) there are other container runtimes that don't have its security tradeoffs (e.g. podman).
- Once I got to the point where I was running a ton of containers I'd occasionally have issues where a maintainer wouldn't resolve issues fast enough for my liking so I started building more containers myself which was a lot easier than I'd anticipated.

No. Docker is proprietary
- Podman ftw!
  
  Concur, podman doesn't (have to) have root, and has autoupdate and podman-compose to use docker files. Containers are cool, Docker less so.
  
  I've regrettably only heard of Podman in passing. At work we use docker containers with kubernetes, is this something we could easily transition to without friction?

Some people seem to hate on it, but I love Docker, it works well for what it has to do and has relatively low overhead as far as I can tell. I personally virtualize a Debian server on Proxmox for my containers just so as to keep everything even more compartmentalized, but it takes more work than it's worth to set up.
And if you don't like Docker for whatever reason, you can also try Podman which is API compatible with Docker for the most part.

I hate it very much. I am sure it is due to my limited understanding of it, but I've been stuck on some things that were very easy for me using VM.
We have two networks, one of which has very limited internet connectivity, behind proxy. When using VMs, I used to configure everything: code, files, settings on a machine with no restrictions; shut it down; move the VM files to the restricted network; boot and be happily on my way.
I'm unable to make this work with docker. Getting my Ubuntu server fetch its updates behind proxy is easy enough; setting it for python Pip is another level; realising the specific python libraries need special keys to work around proxies is yet another; figuring out how to get it done for Docker and python under it is when I gave up. Why can it not be as simple as the VM!
Maybe I'm not looking using the right terms or maybe I should go and learn docker "properly", but there is no doubt that using Docker is much more difficult for my use case than using VMs.
- You are right. Either you are using docker very wrong, or docker is not meant for this use case.
  You say "getting ubuntu server to fetch it's updated behind proxy". You shouldn't be updating Ubuntu from inside of docker. Instead, the system should be somewhat immutable. You should configure the version you want to use as part of the Docker file.
  Same with python and keys. You likely want to install python dependencies in the Dockerfile, so that you can install them once and it becomes bundled into the container image. Then you don't need to use pip behind the proxy.
  
  I'm not much into new year resolutions, but I think I'll make a conscious effort to learn Docker in the coming months. Any suggestions for good guides for someone coming from VM end will be appreciated.
- Huh? Your docker container shouldn't be calling pip for updates at runtime, you should consider a container immutable and ephemeral. Stop thinking about it as a mini VM. Build your container (presumably pip-ing in all the libraries you require) on the machine with full network access, then export or publish the container image and run it on the machine with limited access. If you want updates, you regularly rebuild the container image and repeat.
  Alternatively, even at build time it's fairly easy to use a proxy with docker, unless you have some weird proxy configuration. I use it here so that updates get pulled from a local caching proxy, reducing my internet traffic and making rebuilds quicker.
  
  I think I'm not aware of the exporting/publishing part and that's the cause of my woes. I get everything running on the machine with unrestricted access, move to the machine with restricted access go "docker compose up" and get stuck. I'll read up on exporting/publishing, thank you.

I would never go back installing something without docker. Never.
- For a lot of smaller things I feel that Docker is overkill, or simply not feasible (package management, utilities like screenfetch, text editors, etc...) but for larger apps it definitely makes it easier once you wrap your head around containerization.
  For example, I switched full-time to Jellyfin from Plex and was attempting to use caddy-docker-proxy to forward the host network that Jellyfin uses to the Caddy server, but I couldn't get it to work automatically (explicitly defining the reverse proxy in the Caddyfile works without issue). I thought it would be easier to just install it natively, but since I hadn't installed it that way in a few years I forgot that it pulls in like 30-40 dependencies since it's written in .Net (or would that be C#?) and took a good few minutes to install. I said screw that and removed all the deps and went back to using the container and just stuck with the normal version of Caddy which works fine.

i use it for gitea, nextcloud, redis, postgres, and a few rest servers and love it!, super easy
it can suck for things like homelab stablediffusion and things that require gpu or other hardware.
- As someone who does AI for a living: GPU+docker is easy and reliable. Especially if you compare it to VMs.
  
  good to hear. maybe I should try again
- postgres
  I never use it for databases. I find I don't gain much from containerizing it, because the interesting and difficult bits of customizing and tayloring a database to your needs are on the data file system or in kernel parameters, not in the database binaries themselves. On most distributions it's trivial to install the binaries for postgres/mariadb or whatnot.
  Databases are usually fairly resource intensive too, so you'd want a separate VM for it anyway.
  
  Very good points.
  In my case I just need to for a couple users with maybe a few dozen transactions a day; it's far from being a bottleneck and there's little point in optimizing it further.
  Containerizing it also has the benefit of boiling all installation and configuration into one very convenient dockercompose file... Actually two. I use one with all the config stuff that's published to gitea and one that has sensitive data.

There are teachings I have read/ discovered through YouTube (can't remember exactly where) about the reasons and the philosophy behind moving to docker, or having it as a state machine.
Have you considered looking into dockers alternatives, also ?
Here is 1 of the sources that may give you insights:
https://www.cloudzero.com/blog/docker-alternatives/
-- There has been some concerns over docker's licensing and, as such, some people have started preferring solutions such as podman and containerd.
Both are good in terms of compatibility and usability, however I have not used them extensively.
Nonetheless, I am currently using docker for my own hyperserver [Edit2: oops, I meant hypervisor ✓, not hyperserver] purposes. And I am also a little concerned about the future of docker, and would consider changing sometime in the future.
[Edit1: I am using docker because it is easy to make custom machines, with all files configurations, and deploy them that way. It is a time saver. But performance wise, I would not recommend it for major machines that contain major machine processes and services. And that's just the gist of it].

Don't learn Docker, learn containers. Docker is merely one of the first runtimes, and a rather shit one at that (it's a bunch of half-baked projects - container signing as one major example).
Learn Kubernetes, k3s is probably a good place to start. Docker-compose is simply a proprietary and poorly designed version of it. If you know Kubernetes, you'll quickly be able to pick up docker-compose if you ever need to.
You can use buildah bud (part of the Podman ecosystem) to build containerfiles (exactly the same thing as dockerfiles without the trademark). Buildah can also be used without containerfiles (your containerfiles simply becomes a script in the language of your choice - e.g. bash), which is far more versatile. Speaking of Podman, if you want to keep things really simple you can manually create a bunch of containers in a pod and then ask Podman to create a set of systemd units for you. Podman supports nearly all of what docker does (with exception to docker's bjorked signing) and has identical command line syntax. Podman can also host a docker-compatible socket if you need to use it with something that really wants docker.
I'm personally a big fan of Podman, but I'm also a fan of anything that isn't Docker: LXD is another popular runtime, and containerd is (IIRC) the runtime underpinning docker. There's also firecracker or kubevirt, which go full circle and let you manage tiny VMs like containers.
- All that makes sense - except that I'm taking about 1or 2 physical servers at home and my only real motivation for looking into containers at all is that some software I've wanted to install recently has shipped as docker compose scripts. If I'm going to ignore their packaging anyway, and massage them into some other container management system, I would be happier just running them of bare metal like I've done with everything else forever.