this post was submitted on 20 Nov 2025
26 points (100.0% liked)
Proxmox
1496 readers
11 users here now
Proxmox VE is a complete, open-source server management platform for enterprise virtualization. It tightly integrates the KVM hypervisor and Linux Containers (LXC), software-defined storage and networking functionality, on a single platform. With the integrated web-based user interface you can manage VMs and containers, high availability for clusters, or the integrated disaster recovery tools with ease.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
OCI images is very exciting. But, I don't see any way to keep them updated. You don't normally do an update on the applications inside an OCI container, you usually rebuild the container on a new image.
Sounds like they're used as a template and it's now a regular LXC that you can treat like a running distro.
Right, but these containers are usually not designed to be updated like that. It totally defeats the nature of the OCI image and delivering something that has been tested to work. I'm sure there is a use case for this, but it seems more like a gimmick than a useful feature.
Actually, I could see myself using this for development if there were an easy way to package it back into a container image.
Back into an OCI image? I don't know if lxc can do that, but podman can. I think it is
podman savethat allows you to save your current container as an image. Or, even better would be to use buildah. With buildah your expected workflow is to kind of run a container, run a script against that container, then save it at the end. In fact I'm specifically thinking of images I've created with buildah as being almost completely useless with this LXC technique. I've used the RHEL UBI micro image before and it doesn't even have a package manager. You actually mount the container to the host and use the host's package manager to install what is needed and then unmount it to save. It makes a super slim image with as little attack surface as possible.That last is interesting. I'm going to play with that some.
With buildah you can take it even farther and build a container "from scratch." So, no packages at all. Then use your package manager to install the bare minimum to get things done.
My reading of it makes it sound like a local container repo. So if you have 5 containers using nginx:latest it pulls from the template not an online repo each time.
But I could be wrong, I haven't played with PVE LXCs yet.
Yes, but then you're on that specific version of nginx. A lot of containers are built using a multi stage build process where the first stage uses a container with build tooling to build the application, then a second stage installs the result. So your end image doesn't have the build tooling and no way to update. That's intentional for security reasons. Images are meant to be immutable.
My thoughts exactly. I wonder if they'll make it easy to re-create with a newer image. The compiled app binaries are usually copied into the image via Containerfile with no way to update it from inside the container.
Edit: it's addressed in the Proxmox board:
https://forum.proxmox.com/threads/proxmox-virtual-environment-9-1-available.176255/