How to design container workloads?

Hi all!

I am trying to run a few containerized workloads on MicroOS, and I have a basic setup running. But I have the sneaking suspicion that I'm not doing it "the right way". At the same time, I can't seem to find any documentation about "the right way".

I can find the usual basic docs on how to run podman, or about the MicroOS design, but no “this is a good pattern to run podman workloads and not miss something important”.

The questions I have so far are:

Rootless?

Podman can be run rootless, a feature that many people like… but MicroOS does not seem to come with a non-root worker account.

Am I supposed to run my containers as root, or am I supposed to set up a separate user?

Data drive?

I would assume that it's a good idea to put all my volumes/bind mounts on a drive that's separate from the host OS drive and partitions, so that I won't destroy them if my MicroOS server breaks, so that I can back them up or snapshot them independently, or quickly bring them over into a different MicroOS instance.

MicroOS does not seem to think that way, and there is no documentation about what I should be doing here.

Am I supposed to use the /var subvolume and thereby throw it all into one drive, or should I manually set up my own drive&partition scheme?

My system is not optimal either, but maybe I can still give some input, since no one else chimed in.

Rootless – I did that with the intention of having a user per service. This can get tedious to maintain. Every time I had issues with a service, I had to switch to that user and check the podman logs or debug as that user.
While cockpit is nice to get a system overview and it has the ability to manage podman containers, it can only show containers of the system or the current user – containers of other users are sadly not visible.
Nonetheless, I do like that approach still.

Data – I keep it in the respective user homes, which is probably terrible. Since it should be btrfs, you could create separate subvolumes per user or service under /var or wherever you deem sensible. Each subvolume can be snapshotted independently and there are probably tools for backups around that as well.
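Putting the two halves of this thread together (one unprivileged user per service from the reply, and the question's wish for data that can be snapshotted and moved independently of the OS), here is an added example script. It is not code from either post or from the MicroOS project. It assumes: service data lives under /var/lib/svcdata (on MicroOS /var is already its own btrfs subvolume and is excluded from OS rollbacks; mount a dedicated disk there if you want physical separation), each service gets a 65536-wide subordinate id range starting at 200000, and the container is started by a systemd user unit (quadlet, podman 4.4+) so it comes up at boot without anyone logging in. The names svc-web, web, the nginx image and port 8080 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): provision one rootless podman service on
# MicroOS as its own unprivileged user, with its data on a dedicated btrfs subvolume.
# Assumptions (mine): DATA_ROOT below, subordinate id layout, quadlet-managed unit.
set -eu

DATA_ROOT="${DATA_ROOT:-/var/lib/svcdata}"  # assumed location under the /var subvolume
SUBID_BASE=200000
SUBID_COUNT=65536
DRY_RUN="${DRY_RUN:-0}"                      # DRY_RUN=1 prints privileged commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Non-overlapping subuid/subgid range for the n-th service, as "FIRST-LAST".
subid_range() {                              # $1 = service index (0, 1, 2, ...)
    first=$((SUBID_BASE + $1 * SUBID_COUNT))
    printf '%d-%d\n' "$first" "$((first + SUBID_COUNT - 1))"
}

# 1. One locked system user per service. Rootless podman needs a home directory,
#    a subordinate id range, and lingering so the user's systemd runs at boot.
#    Password stays locked; use "machinectl shell svc-web@" to debug as that user.
create_service_user() {                      # $1 = user, $2 = service index
    range=$(subid_range "$2")
    run useradd --system --create-home --shell /bin/bash "$1"
    run usermod --add-subuids "$range" --add-subgids "$range" "$1"
    run loginctl enable-linger "$1"
}

# 2. One btrfs subvolume per service, owned by that user. Inside a rootless
#    container the user's uid appears as root, so a plain chown is enough for
#    images whose processes run as root (use the :U volume option otherwise).
create_data_subvolume() {                    # $1 = user, $2 = service name
    run mkdir -p "$DATA_ROOT/.snapshots"
    run btrfs subvolume create "$DATA_ROOT/$2"
    run chown "$1:$1" "$DATA_ROOT/$2"
}

# Read-only snapshot of one service's data; pipe it to "btrfs send" for backups
# or to move the service to another MicroOS host, independent of the root fs.
snapshot_data() {                            # $1 = service name
    run btrfs subvolume snapshot -r "$DATA_ROOT/$1" \
        "$DATA_ROOT/.snapshots/$1-$(date +%Y%m%d%H%M%S)"
}

# 3. Quadlet unit text; podman's systemd generator turns it into NAME.service.
#    :Z relabels the subvolume for SELinux, which MicroOS runs in enforcing mode.
quadlet_unit() {                             # $1 = image, $2 = host dir, $3 = container path, $4 = host:container port
    cat <<EOF
[Container]
Image=$1
Volume=$2:$3:Z
PublishPort=$4
[Service]
Restart=always
[Install]
WantedBy=default.target
EOF
}

# Install the unit (read from stdin) into the user's quadlet directory and start
# it through the user's own systemd, not via su, which lacks a proper session.
install_quadlet() {                          # $1 = user, $2 = service name
    unit_dir="$(getent passwd "$1" | cut -d: -f6)/.config/containers/systemd"
    run install -d -o "$1" -g "$1" "$unit_dir"
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ write %s/%s.container\n' "$unit_dir" "$2"; cat >/dev/null
    else
        cat >"$unit_dir/$2.container"; chown "$1:$1" "$unit_dir/$2.container"
    fi
    run machinectl shell "$1@" /usr/bin/systemctl --user daemon-reload
    run machinectl shell "$1@" /usr/bin/systemctl --user start "$2.service"
}

main() {  # usage: svc.sh USER INDEX SERVICE IMAGE CONTAINER_PATH HOST:CONTAINER_PORT
    create_service_user "$1" "$2"
    create_data_subvolume "$1" "$3"
    quadlet_unit "$4" "$DATA_ROOT/$3" "$5" "$6" | install_quadlet "$1" "$3"
    snapshot_data "$3"
}
# e.g. DRY_RUN=1 sh svc.sh svc-web 0 web docker.io/library/nginx:stable /usr/share/nginx/html 8080:80
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it first with DRY_RUN=1 to see exactly which privileged commands it would issue; as root without DRY_RUN it creates the user, the subvolume and the unit. Rootless users cannot bind ports below 1024 without changing net.ipv4.ip_unprivileged_port_start, which is why the example publishes 8080. Per-service logs are then `journalctl --user-unit web.service` as that user, and a later `btrfs send` of a snapshot is all that is needed to carry one service's data to another MicroOS instance.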