Hi! I’m starting out with self-hosting. I was setting up Grafana for system monitoring of my mini-PC. However, I ran into issue of keeping credentials secure in my Docker Compose file. I ended up using Docker Swarm since it was the path of least resistance. I’ve managed to set up Grafana/Prometheus/Node stack and it’s working well.
However, before continuing with Docker Swarm, I want to check if this is a good idea or will I potentially dig myself into a corner? Some of the options I’ve found while searching:
-
Continue with Docker Swarm and look into automation of stack/swarm in future
- Ansible playbook has plugins for Docker Swarm.
-
Self-hosted vault: I want to avoid hosting my own secret/password manager at the moment.
-
Kubernetes (k8s / k3s) - I don’t wanna 😭
- More seriously, I’m actually learning this for work but don’t see the point of implementing it at home. The extra overhead doesn’t seem worth it for a single node cluster.
-
Live dangerously - Store crdentials in plaintext. Also useadminas password for everything
Edit: Most of the services I’m planning on hosting will likely be a single replica service.
I don’t have an answer for you but I have one instead. When I attempted to do swarm my biggest challenge was shared storage. I was attempting to run a swarm with shared storage on a NAS. Literally could not run apps, ran into a ton of problems running stacks (NAS share tried SMB and NFS). How did you get around this problem?
What are your reasons for using docker swarm instead normal docker if you don’t want to do replication?
To use Docker secrets so that the secrets are encrypted on the host. Using Docker Swarm was the path of least resistance to set up my system monitoring stack.
Docker Compose can use secrets without Swarm, but my understanding is that the those are in plaintext on the host.
Docker Swarm encryption doesn’t work for your use case. The documentation says that the secret is stored encrypted but can be decrypted by the swarm manager nodes and nodes running services that use the service, which both apply to your single node. If you’re not having to unlock Docker Compose on startup, that means that the encrypted value and the decryption key live next to each other on the same computer and anyone who has access to the encrypted secrets can also decrypt them.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System Git Popular version control system, primarily for code IP Internet Protocol NAS Network-Attached Storage NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency SMB Server Message Block protocol for file and printer sharing; Windows-native VPN Virtual Private Network k8s Kubernetes container management package
8 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.
[Thread #834 for this sub, first seen 27th Jun 2024, 04:45] [FAQ] [Full list] [Contact] [Source code]
I use swarm in my home lab, I don’t have any docker things at work so Kubernetes is way more then I want to manage.
All my stacks are in a git repo, I have an ansible playbook to update them if needed. I also have most things tracked on new releases (https://newreleases.io/) so I know when something needs an update, then I can either update the git repo by hand or use ansible.
Also have a look at docker contexts, you can manage your swarm from a remote location.
