I have been exploring containerized applications & have been playing around with Docker & some of the awesome LinuxServer.io images. It has been a mix of excitement & confusion at times, especially when it comes to managing volumes, handling updates without breaking stuff & keeping everything secure.
I am not from a hardcore sysadmin background — more of a tech enthusiast trying to level up my skills. I have also been juggling some project management stuff on the side & just wrapped up a CSM Training, which got me thinking about how containerization workflows can be better streamlined in teams.
So, I want to know if you all have any go-to practices, tools or even personal workflows that help make the most of LinuxServer images. For example, do you follow any checklist before deploying new containers or updating them? Also, how do you stay on top of breaking changes or deprecated images?
To piggyback off Aptalca, I leverage Docker’s extensive logging features to send container logs to a centralized logging server and monitor for keywords (such as error or container-specific things I know to watch for) and then alert me when they’re seen.
Another thing is to always check twice when you are exposing something to the WAN. I generally do NOT expose anything, but if I need to, I have a checklist:
Do I have some form of strong authentication on the app?
a) Plex has authentication and it’s strong (MFA)
b) Webtop doesn’t have strong authentication, so this I put behind something like Authelia, which adds MFA
Then turn wifi off on my phone and check all newly deployed containers to see if they are mistakenly accessible (they shouldn’t be because I do not create external DNS records unless it’s a thing needing external access)
Then I turn off Authelia to make sure the app doesn’t “fail open”
Once I finish this, I go on about my day. Not doing these steps is a great way to start mining crypto for strangers on the internet.
avoid exposing applications directly, use a robust reverse proxy, like traefik
keep your services in separate docker networks, service A does not need access to service B’s database
let the proxy handle all SSL certificates
before updating any images, stop the container and back up the data
for critical services, like the proxy or an IDP (authentik or Authelia) do not use the latest tag, but specific version tags to avoid breaking the basics
use something like Dozzle to help monitor live logs
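The checks in the list above (no directly published ports, databases on their own networks, pinned tags on critical services) can be run against `docker inspect` output. This is an added example, not part of the original posts; the container names, the policy constants, the placeholder tag `1.2.3` and the sample JSON are assumptions constructed for illustration.

```python
import json
# Hypothetical policy: which container is the proxy, which services must be
# pinned, and which containers are allowed to share a network with each database.
PROXY = "traefik"
CRITICAL = {"traefik", "authelia"}
DB_CLIENTS = {"nextcloud-db": {"nextcloud"}}

# Constructed sample of `docker inspect` output, trimmed to the fields used below.
SAMPLE = json.loads("""[
 {"Name": "/traefik", "Config": {"Image": "traefik:latest"},
  "HostConfig": {"PortBindings": {"443/tcp": [{"HostIp": "", "HostPort": "443"}]}},
  "NetworkSettings": {"Networks": {"proxy": {}}}},
 {"Name": "/nextcloud", "Config": {"Image": "lscr.io/linuxserver/nextcloud:1.2.3"},
  "HostConfig": {"PortBindings": {}},
  "NetworkSettings": {"Networks": {"proxy": {}, "nextcloud_db": {}}}},
 {"Name": "/nextcloud-db", "Config": {"Image": "lscr.io/linuxserver/mariadb:latest"},
  "HostConfig": {"PortBindings": {}},
  "NetworkSettings": {"Networks": {"nextcloud_db": {}}}},
 {"Name": "/webtop", "Config": {"Image": "lscr.io/linuxserver/webtop"},
  "HostConfig": {"PortBindings": {"3000/tcp": [{"HostIp": "0.0.0.0", "HostPort": "3000"}]}},
  "NetworkSettings": {"Networks": {"nextcloud_db": {}}}}
]""")

def is_pinned(image):
    # Pinned means a digest, or a tag other than "latest"; no tag defaults to latest.
    last = image.rsplit("/", 1)[-1]  # ignore a registry host:port before the last "/"
    return "@" in image or (":" in last and last.split(":", 1)[1] != "latest")

def audit(containers):
    findings, nets = [], {}
    for c in containers:
        name = c["Name"].lstrip("/")
        for net in c["NetworkSettings"]["Networks"]:
            nets.setdefault(net, set()).add(name)
        if name in CRITICAL and not is_pinned(c["Config"]["Image"]):
            findings.append((name, "critical service not pinned to a version tag"))
        for port, binds in (c["HostConfig"].get("PortBindings") or {}).items():
            for b in binds or []:
                # An empty HostIp means the port is bound on every host interface.
                if name != PROXY and b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                    findings.append((name, f"{port} published on all host interfaces"))
    for db, allowed in DB_CLIENTS.items():
        for members in nets.values():
            if db in members:
                for other in sorted(members - allowed - {db}):
                    findings.append((other, f"shares a network with {db}"))
    return findings

if __name__ == "__main__":
    for item in audit(SAMPLE): print(*item, sep=": ")
```

To run it against a live host, replace `SAMPLE` with the parsed output of `docker inspect $(docker ps -q)`.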
I have used these images for a while now, and they are well built. My last project was to set up Nextcloud for a client on the home network.
Using the nextcloud image (nextcloud - LinuxServer.io), I set this up on an Ubuntu host. The container sits behind pfSense with SSL offloading using HAProxy.
Always make sure you read the documentation of each of the images you're using. They tend to follow the same setup steps.
Updating the image is simple: make a backup of the deployment folder, which normally consists of the docker-compose.yml file and the config directory, then run docker compose down and then docker compose up -d --build; this will pull the latest image for you. There is also documentation within the image section to show you how to do this.
I have a small article I wrote on our LinkedIn page that explains a bit more on a simple rig you can build locally.