r/docker

▲ 0 r/docker

What is Docker Compose and Volumes? What problem do they solve?

I am still learning , so if I am wrong anywhere or if there is something important that I should know, please let me know.

In a real application, we usually have multiple containers like a frontend, backend, database, Redis, etc.

Managing all these containers manually is very difficult. Also, Docker images are immutable, so whenever we change our code, we don't want to rebuild the image and recreate the container every single time during development.

This is where docker-compose.yml

It lets us define everything in one file. We can define which images to build, which ports to expose, environment variables, volumes, networks, and much more.

Then we can start the entire application with just one command:

\- docker compose up

and stop everything with:

\- docker compose down

One thing that confused me a lot was volumes.

Let's say I have a folder named backend on my system, and Docker builds an image where all the code is copied into /app.

Then in docker-compose.yml I write:

volumes:
- ./backend:/app

From what I understood, this bind mount hides (overrides) the /app folder inside the container and mounts my local ./backend folder there instead.

So now the container reads the files directly from my local machine instead of the files that were copied into the image. This is great because whenever I edit my code, I don't have to rebuild the image.

But this creates another problem.

Since the entire backend folder is mounted, it also mounts my local node\_modules.

That is not what we want because my local machine could be Windows or macOS, while the container is running Linux. The dependencies inside node\_modules are installed for the operating system they were built on, so using the host's node\_modules inside a Linux container can cause issues.

This is where a named volume comes in.

We add another volume:

volumes:
- ./backend:/app
- backend_node_modules:/app/node_modules

Here, backend\_node\_modules is just the name of a Docker managed volume.

If this named volume doesn't already exist, Docker creates it. Since the volume is initially empty, Docker copies the existing /app/node\_modules from the image into the named volume.

Now this named volume is mounted at /app/node\_modules. Since we already mounted ./backend:/app, the container was using the node\_modules from my local Windows/macOS machine. This new mount hides those host node\_modules and replaces them with the node\_modules stored in the backend\_node\_modules named volume, which contains the Linux dependencies copied from the image.

So the result is:

My application code comes directly from my local machine, so changes are reflected instantly.

node\_modules comes from the Linux container, so I don't have operating system compatibility issues.

reddit.com
u/No-Resolution-4054 — 7 hours ago
▲ 5 r/docker+5 crossposts

New Book - Using WordPress on AWS Lightsail

Sample Chapter - Desktop Docker

For Local Docker Development. We could use Docker Engine, which is the primary container runtime that runs directly on Linux and Windows servers. It is built for production use because it is lightweight, stable, and can be automated with command-line tools, system services, and CI/CD pipelines. This setup provides the performance and control necessary to run applications at scale. On the other hand, Docker Desktop is meant for development on macOS, Windows, and Linux desktops. It includes Docker Engine inside a small virtual machine and adds a graphical dashboard, resource controls, Docker Compose, and optional Kubernetes for local testing. In short, Docker Engine runs containers in production, while Docker Desktop provides the developer with an easy way to build, test, and debug containers locally before deploying them to production.

We will install Docker Desktop for our development work on either Windows, Linux, or macOS.

https://adamjohnston.me/sample-chapter-desktop-docker/

u/acj1971 — 12 hours ago
▲ 0 r/docker+1 crossposts

dd — VM-less native JIT containers for Mac

Blog Post | Repo | Web | MIT.

So I put some effort into building this thing, goal is to provide native runtime for macs.

Instead of runnings VMs this project emulates linux. There is many optimalizations underneeth to speed things up and for x86 so far seems like right move.

Key advantages:

  • You don't need root to run it
  • No pre-allocated disk/ram
  • Eventually (but today too) I think we can beat the VM at speed
  • We can run mac os containers (`ddcli mac` is true container)
  • Security is not bullet proof but already is good to make sure untrusted code doesnt do much of damage
  • We are slowly approaching arm-native speed

As for where this is going:

  • Lets be clear - its still alpha, many bugs will pop
  • We want to make complete interoperability between cuda and metal. Ideally if we could emulate cuda devices provide hardware accelerated workflows
  • We have in roadmap to build terminal emulator with direct capabilities for running dev environments.

I imagine one day having containers fully integrated into terminal so that any project I pick gets its own space with tools I need on platform I need in isolation. LLM agents will appreciate that.

FAIR WARNING - its alpha, things are expected not to work. And there is good amount of work to be done still.

I would mean world to me who can star on github.

Cheers.

u/call_me_richard_bro — 1 day ago
▲ 18 r/docker

What do you do with secrets in Git repo driven Docker servers?

So I'm exploring taking my individual Docker compose files and stacks and pushing them out to a Git repo that I can pull from. However I'm unclear what I'm supposed to do with my .env secrets - I know about .gitignore and not pushing them but how do you manage them in this sort of server paradigm? I'm assuming there's some sort of self-hosted third party software that manages it for you but I'm not finding a lot of success in my research. (Not sure if it matters but this is on a Proxmox server.)

reddit.com
u/TXFlank — 4 days ago
▲ 2 r/docker

connection reset by peer on every Image

Hello,

fore some reason I cannot get docker to pull anything i get "connection reset by peer" every time. System is updated and connected to internet (its sitting in local net behind nat). Problem with TCP connections only affects docker as wget, curl, apt-get work without problems.

root@debian:~# uname -a
Linux debian 6.1.0-42-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.159-1 (2025-12-30) x86_64 GNU/Linux
root@debian:~# docker --version 
Docker version 29.6.1, build 8900f1d
root@debian:~# docker run hello-world
Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Head "https://registry-1.docker.io/v2/library/hello-world/manifests/latest": Get "https://auth.docker.io/token?scope=repository%3Alibrary%2Fhello-world%3Apull&service=registry.docker.io": read tcp 192.168.4.124:54928->104.18.43.178:443: read: connection reset by peer
Run 'docker run --help' for more information
reddit.com
u/LookAtItGo_ — 4 days ago
▲ 5 r/docker+1 crossposts

What is the best way to make wireguard container work on multiple networks?

Hi, i have this situation:

Vmware server on which i plan to install Ubuntu 24.04 LTS with wireguard and other containers.

There are multiple networks in the office and i need this wireguard to have different certificates to access different networks.

Last time i had Proxmox and i made 2 lxc containers and assigned them to different linux bridges, one for each network.

Can i do the same with docker, if I assign 2 nics to the vm on different networks, can I the make a container that binds to one nic or the other?

Is there a better way?

reddit.com
u/Palova98 — 4 days ago
▲ 2 r/docker+1 crossposts

Help installing FreeSurfer (a medical imaging program) on windows using Docker Desktop

hello, i am a student trying to install freesurfer on my windows computer using docker desktop and the program found at this link: https://hub.docker.com/r/cgvalle/freesurfer\\\_vnc

freesurfer cannot be installed on windows from the official download page, so someone created a workaround as can be seen in the above link

to be honest, i have absolutely no clue what i’m doing and have no idea what to do after installing the file(?) found in the link. after i run the downloaded image, nothing happens. any help would be much appreciated with using docker desktop to install freesurfer.

here is the link to the freesurfer download page in case it helps: https://surfer.nmr.mgh.harvard.edu/fswiki/rel7downloads

thank you very much!

reddit.com
u/BuddyHardinHolley — 3 days ago
▲ 7 r/docker

Docker desktop networking questions

Hi, usually using Linux and learning how annoying windows networking is.

Here is what I want to do, I have 2 containers that need separate IPs, be able to communicate with the host and each other. On linux this works great with a bridge, but I'm learning it's not that easy on windows. I'm pinned to using hyperv. I've done some initial looking and I've found that I may need to create separate loopback adapters to get it to work, but I would be grateful for a windows docker desktop wizard to tell me exactly what I'm doing wrong

reddit.com
u/eliminator08742 — 6 days ago
▲ 4 r/docker

Running a container as non-root user - Security implications?

I was curious how running all my containers as a user who only has read and write (if necessary) permissions in attached volumes would improve security?

(by doing something like this in my compose files, where uid 1001 will be in gid 1002 which only has permissions in ./data):

services:
  mc:
    image: itzg/minecraft-server:latest
    container_name: minecraft-server
    user: "1001:1002"
    volumes:
      - ./data:/data

Right now, I just have them running how they normally do. Which, from what I understand, the containers are running as root on the host machine.

Im trying to learn, sorry if I have anything mixed up.

reddit.com
u/Augustman22 — 7 days ago
▲ 0 r/docker+1 crossposts

Homelab setup test (Suggestions)

---
title: "Final Network Connections - 20G LACP Reference"
aliases:
- "Final 20G Network Map"
- "UniFi LACP Final Reference"
- "Network Final Connection Baseline"
tags:
- network
- unifi
- lacp
- vlan
- homelab
- proxmox
- synology
- ai-server
- final-reference
created: "{{date}}"
status: final-reference
network_prefix: "10.10.0.0/16"
core_switch: "[[Device - USW Pro Aggregation]]"
gateway: "[[Device - UDM Pro Max]]"
---

# Final Network Connections - 20G LACP Reference

> [!important]
> This note is the finalized connection reference for the target network state.
> The reset baseline gets the network online first. This note shows the final 20G LACP topology after adoption, firmware updates, VLANs, and basic internet access are stable.

---

## Purpose

This note defines the final physical and logical connection plan for the UniFi network.

The target design is:

- `10.10.0.0/16` private network plan
- UniFi-managed routing, switching, Wi-Fi, and camera infrastructure
- USW Pro Aggregation as the high-speed core switch
- 20G LACP uplinks between core networking equipment
- 20G LACP links to major servers
- Clean VLAN segmentation
- Dedicated work VLAN for wife’s work-from-home equipment
- Future-ready structure for local AI agents, tools, services, and MCP servers

---

## Related Notes

### Core Network Notes

- [[Network Reset Baseline]]
- [[Project End State]]
- [[VLAN Plan]]
- [[Firewall Rules]]
- [[Wi-Fi Plan]]
- [[Cable Map]]
- [[Rack Layout]]
- [[IP Address Plan]]

### Device Notes To Create

- [[Device - UDM Pro Max]]
- [[Device - USW Pro Aggregation]]
- [[Device - USW Pro XG 10 PoE]]
- [[Device - USW Pro Max 24 PoE]]
- [[Device - Proxmox Server]]
- [[Device - Synology DS1823xs+]]
- [[Device - Puget AI Server]]
- [[Device - U7 Pro Max Downstairs]]
- [[Device - U7 Pro Max Upstairs]]
- [[Device - G4 Doorbell Pro]]
- [[Device - G5 Pro Camera]]
- [[Device - USW Flex Switches]]

---

# Final Topology Summary

## Core Design

The USW Pro Aggregation is the core switch.

All high-speed devices connect back to the USW Pro Aggregation.

The final design uses 20G LACP for:

- USW Pro Aggregation to USW Pro XG 10 PoE
- USW Pro Aggregation to USW Pro Max 24 PoE
- USW Pro Aggregation to Proxmox Server
- USW Pro Aggregation to Synology NAS
- USW Pro Aggregation to Puget AI Server

The UDM Pro Max remains the gateway, firewall, DHCP controller, and UniFi console.

The UDM Pro Max should use a stable 10G SFP+ LAN uplink to the USW Pro Aggregation unless the final WAN layout leaves both SFP+ ports available and a 2x10G LACP gateway uplink is deliberately chosen later.

> [!note]
> 20G LACP means 2x10G aggregate bandwidth.
> It does not guarantee a single file transfer or single TCP session will run at 20G. Most single flows will still use one 10G member link. The value comes from multiple simultaneous clients, services, VM traffic, backups, and storage operations.

---

# Final Physical Connection Plan

## Primary Backbone

Link ID Source Device Source Ports Destination Device Destination Ports Link Type Final Speed Purpose
`CORE-GW-01` [[Device - UDM Pro Max]] SFP+ LAN [[Device - USW Pro Aggregation]] `AGG-P01` Trunk 10G Gateway to core
`CORE-XG-LAG-01` [[Device - USW Pro Aggregation]] `AGG-P09` + `AGG-P10` [[Device - USW Pro XG 10 PoE]] `XG-SFP11` + `XG-SFP12` LACP trunk 20G 10G workstation switch uplink
`CORE-ACCESS-LAG-01` [[Device - USW Pro Aggregation]] `AGG-P11` + `AGG-P12` [[Device - USW Pro Max 24 PoE]] `PM24-SFP25` + `PM24-SFP26` LACP trunk 20G PoE/access/AP/camera switch uplink

---

## Server Connections

Link ID Source Device Source Ports Destination Device Destination Ports Link Type Final Speed Primary VLAN
`CORE-PROXMOX-LAG-01` [[Device - USW Pro Aggregation]] `AGG-P03` + `AGG-P04` [[Device - Proxmox Server]] `PROX-SFP1` + `PROX-SFP2` LACP 20G VLAN 30
`CORE-SYNOLOGY-LAG-01` [[Device - USW Pro Aggregation]] `AGG-P05` + `AGG-P06` [[Device - Synology DS1823xs+]] `NAS-10G1` + `NAS-10G2` LACP 20G VLAN 30
`CORE-PUGET-LAG-01` [[Device - USW Pro Aggregation]] `AGG-P07` + `AGG-P08` [[Device - Puget AI Server]] `PUGET-SFP1` + `PUGET-SFP2` LACP 20G VLAN 30

> [!warning]
> The Synology 20G LACP plan assumes the NAS has two usable 10G interfaces.
> If the Synology only has one 10G port available, the NAS cannot run a true 20G LACP bond until a compatible dual-port 10G card or equivalent expansion path is installed.

---

# Final Port Assignment Map

## USW Pro Aggregation

Port Connected Device Link ID Mode Native VLAN Tagged VLANs Notes
`AGG-P01` [[Device - UDM Pro Max]] `CORE-GW-01` Trunk 1 All required VLANs Gateway uplink
`AGG-P02` Reserved TBD Disabled / spare TBD TBD Keep open for recovery or temporary admin
`AGG-P03` [[Device - Proxmox Server]] `CORE-PROXMOX-LAG-01` LACP member 30 Optional selected VM VLANs later Proxmox bond member 1
`AGG-P04` [[Device - Proxmox Server]] `CORE-PROXMOX-LAG-01` LACP member 30 Optional selected VM VLANs later Proxmox bond member 2
`AGG-P05` [[Device - Synology DS1823xs+]] `CORE-SYNOLOGY-LAG-01` LACP member 30 None initially NAS bond member 1
`AGG-P06` [[Device - Synology DS1823xs+]] `CORE-SYNOLOGY-LAG-01` LACP member 30 None initially NAS bond member 2
`AGG-P07` [[Device - Puget AI Server]] `CORE-PUGET-LAG-01` LACP member 30 Optional selected service VLANs later Puget bond member 1
`AGG-P08` [[Device - Puget AI Server]] `CORE-PUGET-LAG-01` LACP member 30 Optional selected service VLANs later Puget bond member 2
`AGG-P09` [[Device - USW Pro XG 10 PoE]] `CORE-XG-LAG-01` LACP trunk member 1 All required VLANs XG uplink member 1
`AGG-P10` [[Device - USW Pro XG 10 PoE]] `CORE-XG-LAG-01` LACP trunk member 1 All required VLANs XG uplink member 2
`AGG-P11` [[Device - USW Pro Max 24 PoE]] `CORE-ACCESS-LAG-01` LACP trunk member 1 All required VLANs Access uplink member 1
`AGG-P12` [[Device - USW Pro Max 24 PoE]] `CORE-ACCESS-LAG-01` LACP trunk member 1 All required VLANs Access uplink member 2

---

## USW Pro XG 10 PoE

Port Connected Device Mode Native VLAN Tagged VLANs Notes
`XG-RJ45-01` Primary workstation Access 10 None Main trusted workstation
`XG-RJ45-03` Lab workstation Access or trunk 30 Optional selected VLANs Use only if needed
`XG-RJ45-02` Secondary workstation Access 10 None Secondary trusted workstation
`XG-RJ45-04` Reserved AI workstation Access 30 None For local AI / server-adjacent workstation
`XG-RJ45-05` Spare Disabled TBD TBD Enable only when assigned
`XG-RJ45-06` Spare Disabled TBD TBD Enable only when assigned
`XG-RJ45-07` Spare Disabled TBD TBD Enable only when assigned
`XG-RJ45-08` Spare Disabled TBD TBD Enable only when assigned
`XG-RJ45-09` Spare Disabled TBD TBD Enable only when assigned
`XG-RJ45-10` Spare Disabled TBD TBD Enable only when assigned
`XG-SFP11` [[Device - USW Pro Aggregation]] LACP trunk member 1 All required VLANs Uplink member 1
`XG-SFP12` [[Device - USW Pro Aggregation]] LACP trunk member 1 All required VLANs Uplink member 2

---

## USW Pro Max 24 PoE

Port Connected Device Mode Native VLAN Tagged VLANs Notes
`PM24-P01` [[Device - U7 Pro Max Downstairs]] AP trunk 1 10, 20, 40, 50, 60 Downstairs AP
`PM24-P02` [[Device - U7 Pro Max Upstairs]] AP trunk 1 10, 20, 40, 50, 60 Upstairs AP
`PM24-P03` [[Device - G4 Doorbell Pro]] Access 50 None Camera VLAN
`PM24-P04` [[Device - G5 Pro Camera]] Access 50 None Camera VLAN
`PM24-P05` [[Device - USW Flex Switches]] Trunk or access 1 Selected VLANs only Do not LACP Flex switches
`PM24-P06` Wife work dock / work device Access 20 None Stable work VLAN
`PM24-P07` Home wired device Access 10 None Trusted home VLAN
`PM24-P08` Home wired device Access 10 None Trusted home VLAN
`PM24-P09` IoT wired device Access 40 None IoT VLAN
`PM24-P10` IoT wired device Access 40 None IoT VLAN
`PM24-P11` Spare Disabled TBD TBD Enable only when assigned
`PM24-P12` Spare Disabled TBD TBD Enable only when assigned
`PM24-P13` Spare Disabled TBD TBD Enable only when assigned
`PM24-P14` Spare Disabled TBD TBD Enable only when assigned
`PM24-P15` Spare Disabled TBD TBD Enable only when assigned
`PM24-P16` Spare Disabled TBD TBD Enable only when assigned
`PM24-P17` Spare Disabled TBD TBD Enable only when assigned
`PM24-P18` Spare Disabled TBD TBD Enable only when assigned
`PM24-P19` Spare Disabled TBD TBD Enable only when assigned
`PM24-P20` Spare Disabled TBD TBD Enable only when assigned
`PM24-P21` Spare Disabled TBD TBD Enable only when assigned
`PM24-P22` Spare Disabled TBD TBD Enable only when assigned
`PM24-P23` Spare Disabled TBD TBD Enable only when assigned
`PM24-P24` Spare Disabled TBD TBD Enable only when assigned
`PM24-SFP25` [[Device - USW Pro Aggregation]] LACP trunk member 1 All required VLANs Uplink member 1
`PM24-SFP26` [[Device - USW Pro Aggregation]] LACP trunk member 1 All required VLANs Uplink member 2

---

# VLAN Baseline

## Active VLANs

VLAN ID Name Subnet Gateway Purpose Status
1 `MGMT` `10.10.1.0/24` `10.10.1.1` UniFi console, switches, AP management Active
10 `HOME` `10.10.10.0/24` `10.10.10.1` Trusted household devices Active
20 `WORK` `10.10.20.0/24` `10.10.20.1` Wife work-from-home devices Active
30 `SERVERS` `10.10.30.0/24` `10.10.30.1` Proxmox, Synology, Puget AI, storage Active
40 `IOT` `10.10.40.0/24` `10.10.40.1` Smart home and untrusted devices Planned
50 `CAMERAS` `10.10.50.0/24` `10.10.50.1` UniFi Protect cameras and doorbell Planned
60 `GUEST` `10.10.60.0/24` `10.10.60.1` Guest Wi-Fi Planned

---

## Reserved VLANs

VLAN ID Name Subnet Gateway Purpose Status
70 `AI-SERVICES` `10.10.70.0/24` `10.10.70.1` Local AI agents, tools, MCP servers, inference APIs Reserved
80 `LAB` `10.10.80.0/24` `10.10.80.1` Experimental VMs, temporary services, testing Reserved
90 `BACKUP` `10.10.90.0/24` `10.10.90.1` Backup-only network if needed later Reserved

> [!note]
> Do not create every reserved VLAN immediately.
> Start with MGMT, HOME, WORK, and SERVERS. Add IOT, CAMERAS, GUEST, AI-SERVICES, LAB, and BACKUP only when each has a defined device list and firewall purpose.

---

# Port Profiles

## Core Trunk Profile

Use for:

- UDM Pro Max to USW Pro Aggregation
- USW Pro Aggregation to USW Pro XG 10 PoE
- USW Pro Aggregation to USW Pro Max 24 PoE

Settings:

Field Value
Profile Name `TRUNK-CORE-ALL`
Native VLAN `MGMT / VLAN 1`
Tagged VLANs `10, 20, 30, 40, 50, 60`
Reserved VLANs Add `70, 80, 90` only when needed
STP Enabled
LACP Enabled only on LAG links

---

## AP Trunk Profile

Use for:

- U7 Pro Max Downstairs
- U7 Pro Max Upstairs

Settings:

Field Value
Profile Name `TRUNK-AP-MGMT-WIFI`
Native VLAN `MGMT / VLAN 1`
Tagged VLANs `10, 20, 40, 50, 60`
Purpose AP management plus Wi-Fi VLANs

---

## Server Access Profile

Use for:

- Synology NAS initial configuration
- Proxmox initial management
- Puget AI Server initial management

Settings:

Field Value
Profile Name `ACCESS-SERVERS-V30`
Native VLAN `SERVERS / VLAN 30`
Tagged VLANs None initially
Purpose Server management and storage network

---

## Proxmox Trunk Profile

Use only after Proxmox is stable on VLAN 30.

Settings:

Field Value
Profile Name `TRUNK-PROXMOX-SELECTED`
Native VLAN `SERVERS / VLAN 30`
Tagged VLANs `10, 40, 50, 60, 70, 80` as needed
Purpose VM, container, AI agent, MCP, lab, and service VLANs

> [!warning]
> Do not trunk every VLAN to Proxmox by default.
> Only tag VLANs that a VM, container, local AI service, or MCP server actually needs.

---

## Work VLAN Access Profile

Use for:

- Wife’s wired work dock
- Wife’s work laptop if wired
- Work-only access port

Settings:

Field Value
Profile Name `ACCESS-WORK-V20`
Native VLAN `WORK / VLAN 20`
Tagged VLANs None
Purpose Stable work-from-home network

---

# LACP Groups

## `CORE-XG-LAG-01`

Field Value
Devices [[Device - USW Pro Aggregation]] to [[Device - USW Pro XG 10 PoE]]
Aggregation Ports `AGG-P09`, `AGG-P10`
XG Ports `XG-SFP11`, `XG-SFP12`
Mode LACP
Speed 20G aggregate
Port Profile `TRUNK-CORE-ALL`
Purpose High-speed workstation switch uplink

---

## `CORE-ACCESS-LAG-01`

Field Value
Devices [[Device - USW Pro Aggregation]] to [[Device - USW Pro Max 24 PoE]]
Aggregation Ports `AGG-P11`, `AGG-P12`
Pro Max 24 Ports `PM24-SFP25`, `PM24-SFP26`
Mode LACP
Speed 20G aggregate
Port Profile `TRUNK-CORE-ALL`
Purpose PoE access, APs, cameras, Flex switches

---

## `CORE-PROXMOX-LAG-01`

Field Value
Devices [[Device - USW Pro Aggregation]] to [[Device - Proxmox Server]]
Aggregation Ports `AGG-P03`, `AGG-P04`
Proxmox Ports `PROX-SFP1`, `PROX-SFP2`
Mode LACP
Speed 20G aggregate
Initial Profile `ACCESS-SERVERS-V30`
Later Profile `TRUNK-PROXMOX-SELECTED`
Purpose VM host, containers, AI services, lab services

---

## `CORE-SYNOLOGY-LAG-01`

Field Value
Devices [[Device - USW Pro Aggregation]] to [[Device - Synology DS1823xs+]]
Aggregation Ports `AGG-P05`, `AGG-P06`
Synology Ports `NAS-10G1`, `NAS-10G2`
Mode LACP
Speed 20G aggregate
Port Profile `ACCESS-SERVERS-V30`
Purpose NAS storage, backups, shared datasets, AI model storage

---

## `CORE-PUGET-LAG-01`

Field Value
Devices [[Device - USW Pro Aggregation]] to [[Device - Puget AI Server]]
Aggregation Ports `AGG-P07`, `AGG-P08`
Puget Ports `PUGET-SFP1`, `PUGET-SFP2`
Mode LACP
Speed 20G aggregate
Initial Profile `ACCESS-SERVERS-V30`
Later Profile Optional selected service VLANs
Purpose AI workstation/server, GPU workloads, local inference, model services

---

# Final IP Assignment Baseline

## Infrastructure

Device Note VLAN Suggested IP
UDM Pro Max [[Device - UDM Pro Max]] 1 `10.10.1.1`
USW Pro Aggregation [[Device - USW Pro Aggregation]] 1 `10.10.1.2`
USW Pro XG 10 PoE [[Device - USW Pro XG 10 PoE]] 1 `10.10.1.3`
USW Pro Max 24 PoE [[Device - USW Pro Max 24 PoE]] 1 `10.10.1.4`
U7 Pro Max Downstairs [[Device - U7 Pro Max Downstairs]] 1 `10.10.1.11`
U7 Pro Max Upstairs [[Device - U7 Pro Max Upstairs]] 1 `10.10.1.12`

---

## Servers

Device Note VLAN Suggested IP
Proxmox Server [[Device - Proxmox Server]] 30 `10.10.30.10`
Synology DS1823xs+ [[Device - Synology DS1823xs+]] 30 `10.10.30.20`
Puget AI Server [[Device - Puget AI Server]] 30 `10.10.30.30`

---

## Future AI Services

Service Type Suggested VLAN Suggested Range Notes
Local AI agents 70 `10.10.70.10-10.10.70.49` Use if agents need isolation from server management
MCP servers 70 `10.10.70.50-10.10.70.99` Use for tool-facing service endpoints
Inference APIs 70 `10.10.70.100-10.10.70.149` Ollama, vLLM, text-generation services, etc.
Web UIs 70 `10.10.70.150-10.10.70.199` Open WebUI, dashboards, admin panels
Temporary lab services 80 `10.10.80.10-10.10.80.199` Experimental only

---

# Wi-Fi Baseline

## Initial SSIDs

SSID VLAN Purpose Status
`Home` 10 Trusted home devices Active
`Work` 20 Wife work-from-home devices Active

---

## Later SSIDs

SSID VLAN Purpose Status
`IoT` 40 Smart home devices Planned
`Guest` 60 Guest internet only Planned
`Cameras` 50 Only if Wi-Fi camera devices require it Optional

---

# Firewall Baseline

## Address Groups

Group Name Members
`RFC1918` `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`
`LOCAL_NETWORKS` `10.10.0.0/16`
`INFRASTRUCTURE` `10.10.1.0/24`
`SERVERS` `10.10.30.0/24`
`AI_SERVICES` `10.10.70.0/24`

---

## Rule Intent

Source Destination Action Notes
MGMT All local VLANs Allow Admin control
HOME SERVERS Allow initially Tighten later
HOME AI-SERVICES Allow selected services later Do not open everything permanently
WORK Internet Allow Keep wife’s work connection stable
WORK Local VLANs Block Allow only DHCP/DNS/NTP to gateway
IOT Internet Allow Limit local access
IOT Local VLANs Block Add exceptions only as needed
CAMERAS UniFi Protect / UDM Allow Required for Protect
CAMERAS Internet Block later Allow temporarily for updates if needed
GUEST Internet Allow Guest-only access
GUEST Local VLANs Block No LAN access
LAB Local VLANs Block by default Temporary exceptions only

---

# Final Topology Diagram

```mermaid
flowchart TD
ISP[ISP ONT / Modem] --> UDM[UDM Pro Max<br/>Gateway / Firewall / UniFi Console<br/>10.10.1.1]

UDM -- "10G SFP+ trunk<br/>CORE-GW-01" --> AGG[USW Pro Aggregation<br/>Core Switch<br/>10.10.1.2]

AGG -- "20G LACP<br/>CORE-XG-LAG-01" --> XG[USW Pro XG 10 PoE<br/>10G Workstation Switch<br/>10.10.1.3]

AGG -- "20G LACP<br/>CORE-ACCESS-LAG-01" --> PM24[USW Pro Max 24 PoE<br/>PoE Access Switch<br/>10.10.1.4]

AGG -- "20G LACP<br/>CORE-PROXMOX-LAG-01" --> PROX[Proxmox Server<br/>10.10.30.10<br/>VLAN 30]

AGG -- "20G LACP<br/>CORE-SYNOLOGY-LAG-01" --> NAS[Synology DS1823xs+<br/>10.10.30.20<br/>VLAN 30]

AGG -- "20G LACP<br/>CORE-PUGET-LAG-01" --> PUGET[Puget AI Server<br/>10.10.30.30<br/>VLAN 30]

XG --> WS1[Primary 10G Workstation<br/>VLAN 10]
XG --> WS2[AI / Lab Workstation<br/>VLAN 30 or 70]

PM24 --> AP1[U7 Pro Max Downstairs<br/>10.10.1.11]
PM24 --> AP2[U7 Pro Max Upstairs<br/>10.10.1.12]
PM24 --> WORK[Wife Work Dock / Laptop<br/>VLAN 20]
PM24 --> CAMS[UniFi Cameras / Doorbell<br/>VLAN 50]
PM24 --> FLEX[USW Flex Switches<br/>Single uplink only]

AP1 --> HOME[Home SSID<br/>VLAN 10]
AP1 --> WORKSSID[Work SSID<br/>VLAN 20]
AP2 --> HOME
AP2 --> WORKSSID

reddit.com
u/Luck1775 — 8 days ago
▲ 9 r/docker

How to fix the subnet configuration

Hi everyone, I have an issue with some containers due to the subnet changing the scope and I'm not sure how to handle it. Last friday after an update all the subnet changed broking my services.

The first issue is with Home Assistant: to reach it from WAN I had to set in the configuration file the allowed proxy IPs. I set the subnet of the network that it shares with Cloudflared, if this last container changes IP there is no problem, but when the scope went from 172.16.0.0/16 to 172.20.0.0/16 I couldn't reach it anymore.

The second issue is with Tailscale's docker, I use it with the SERVE function to reach other containers. With the containers I use the name of the services and it works even if the subnet change, but to reach the host I need to set the gateway IP, which went from 172.18.0.1 to 172.23.0.1

I added this section in the compose file under the network section:

networks
  cloudflared_net
    [...]
    IPAM:
      configuration:
        - subnet: 172.16.0.0/16

Now the networks are created everytime with the same subnet, but I'm not sure if there is a better way to handle it. Is it possible that docker now assignes the same subnet to one of the other networks and this create other problems? How would you manage it?

Thank you

SOLUTION(?): Following the comments I edit the file /etc/docker/daemon.json adding this 2 sections:

  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
      "base": "172.16.0.0/16",
      "size": 24
    }
  ]

I got crazy and lost a couple of hours because after the change docker didn't start anymore, I found that for the default bridge you have to write the IP of the gateway (172.17.0.1) and not of the network (172.17.0.0) like in the second section and it's not specified in the docker wiki, fml.

reddit.com
u/Wild_Paramedic6641 — 7 days ago
▲ 8 r/docker+1 crossposts

Best way to access multiple Docker services over Tailscale without ports or buying a domain?

Hi everyone,

I’m running a Raspberry Pi 5 hosting several Docker containers, and I’m trying to find the cleanest way to access them securely over Tailscale from my iPhone.

Current services include:
Paperless-ngx
Open WebUI
Home Assistant
Portainer
Uptime Kuma
Calibre-Web
Pi-hole
I’m using:

Docker Compose
Caddy as a reverse proxy
Tailscale with MagicDNS
Tailscale HTTPS certificates

I can successfully access everything using different HTTPS ports, for example:
https://raspberrypi.tailxxxx.ts.net:8441
https://raspberrypi.tailxxxx.ts.net:8442

However, this causes practical problems with Safari and iCloud Keychain. Because every service uses the same hostname, Safari often suggests the wrong username and password.

I also tried path-based routing, for example:
/paperless
/openwebui
but some applications don’t work correctly behind a subpath without additional configuration.

I then looked at Tailscale Services using:
tailscale serve --service=svc:paperless
but received: service hosts must be tagged nodes

I’m not looking to buy my own domain.
Ideally I’d like URLs such as:
paperless.raspberrypi.tailxxxx.ts.net
openwebui.raspberrypi.tailxxxx.ts.net
kuma.raspberrypi.tailxxxx.ts.net

My questions are:
Is this possible using only Tailscale and Docker?
Is there a way to create separate HTTPS hostnames on a personal tailnet?

Is there a better approach than using different ports?

How are other people exposing multiple self-hosted services over Tailscale while avoiding browser password conflicts?

I’m looking for the approach that is generally considered best practice rather than just something that works.

Thanks

reddit.com
u/Gloomy_Loquat8805 — 8 days ago
▲ 20 r/docker+3 crossposts

Jabali Panel: Open-source GPL web hosting panel now with Docker support

Hi everyone,

I’m building Jabali Panel, a free and open-source web hosting control panel for Debian servers.

The project is still young, but the community is slowly growing, and I’m now looking for testers and early users who want to try it, give feedback, report bugs, and help shape the direction of the panel.

Jabali now also supports Docker, so it can be used not only as a traditional web hosting panel, but also as a standalone Docker proxy server, mail server, DDNS server, DNS server, and more — depending on what you want to run.

It’s focused on WordPress hosting, small hosting providers, freelancers, and sysadmins who want a modern self-hosted alternative without license fees or vendor lock-in.

For testers who seriously try the panel and give feedback, I’ll provide full support during the testing period to help with installation, setup, issues, and questions.

GitHub: https://github.com/shukiv/jabali-panel

Demo: https://demo.jabali-panel.com

Thanks — any feedback, testing, or GitHub issues would help a lot.

u/apunker — 9 days ago
▲ 0 r/docker

i made a tiny wrapper for docker compose that can exclude services

i made a tiny wrapper around docker compose ; i kept running into the same annoyance - let's say i have multiple services defined in a single docker-compose.yaml, but you only want to start everything except one (or multiple).

with plain docker compose, you have to list every service you do want to start. so instead of:

docker compose up service1 service2 service3 ... (except service4 and service5)

i wanted to be able to do:

docker compose up --exclude service4 service5

without --exclude flag, it behaves exactly like normal docker compose.

it's written in go; and the binary size is very small.

here's the link to the repo - https://github.com/0xN1nja/dockexclude

ps: a star to the repo would be highly appreciated

u/0xN1nja — 8 days ago
▲ 1 r/docker

After updating to v4.79 "Ransomware" detected...

After updating to v4.79, "Ransomware" was detected by Acronis Active Protection.

Is Docker v4.79 safe?

I need help, I'm not sure what to do... I'm just looking at my screen and don't know what to do...

Should I trust Docker or Acronis Active Protection?
Should I recover files as suggested by Acronis Active Protection?
Should I uninstall Docker or should I uninstall Acronis Active Protection?

reddit.com
u/Ak-Amit — 11 days ago
▲ 3 r/docker

Question- What's the best practice for connecting services in and out of docker containers?

Hi, relatively new to docker.
I found myself in a bit of a pickle, and I'm trying to get advice. I use a SWAG container to reverse-proxy a few services on my NAS via a user defined bridge network between the containers. However, I want to be able to integrate a few other services; the problem is that those services are currently running on separate devices on my LAN, (game servers and home assistant), and moving them onto my nas isn't really... practical (it would fry the thing).

Is there a way to expose JUST the swag container via a Macvlan or something so it can reverse-proxy to devices on my 10.x.x.x LAN while ALSO staying connected to the dockers on the bridge. Or should I have two swag instances?? I'm just trying to figure out a solution without publishing all my ports to the web on accident.

reddit.com
u/RowFit1060 — 8 days ago
▲ 5 r/docker

Docker Compose 5min tutorial

Wondering if there is a short tutorial on Docker Compose? Have been looking around and can't really find anything...

Something that tells me things like: Where to put files, both config + data, and specifically storing LARGE amounts of data if using something like Nextcloud/Zoneminder etc ; running multiple apps using compose ie where to keep the yaml, correct way to name the yaml, permissions on directory/files... etc.

Just basically, the basics to get up and running with compose inititally, and maybe learn some of its workings.. Looking at maybe running up Jellyfin/Nextcloud/Zoneminder/HomeAssistant, to start...?

Thanks.

reddit.com
u/hornetster — 11 days ago
▲ 7 r/docker

ELI5 Can selinux policies be applied inside a docker container?

My understanding is that you can apply policies from the host to the container to protect the host from the container and protect other containers. However, it is not possible to run selinux inside a docker container. Is that correct?

Questions:

  1. It is not possible to enforce selinux policies inside a container. Is that correct?

  2. getenforce/sestatus will always return disabled inside a container. There is no way to change to permissive or enforced mode.

Please, do not just give me an answer from AI. It seems like AI returns slightly different answers each time. I would appreciate it if someone can explain this! Thank you :)

reddit.com
u/SpaceExplorers- — 9 days ago
▲ 9 r/docker

iptables MASQUERADE not working in Docker Compose NAT Gateway simulator

I created two services one is api which is internal to that network bridge and another nat-gateway which is both public and private facing. I am using iptables to translate my packets to MASQUERADE but it is not happening. When I tcpdump the logs in my nat-gateway, I am able to see the api container's ip as OUT which should actually be nat-gateway's ip.

services:
  nat-gateway:
    image: alpine:3.23.5
    privileged: true
    sysctls:
      - net.ipv4.ip_forward=1
    volumes:
      - ./nat-init.sh:/usr/local/bin/nat-init.sh:ro
    command: /usr/local/bin/nat-init.sh
    networks:
      - private-vpc
      - public-vpc
  api:
    image: alpine:3.23.5
    command: sleep infinity
    network_mode: "service:nat-gateway"
    depends_on:
      - nat-gateway


networks:
  private-vpc:
    internal: true
  public-vpc:

nat-init.sh
#!/bin/sh


set -e
echo "Starting NAT Gateway Initialization..."


echo "Initializing iptables dependencies..."


apk add --no-cache iptables


echo "Applying iptables MASQUERADE on eth1..."
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


echo "NAT Gateway configuration completed successfully..."
exec sleep infinity

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
15:08:46.803180 eth1  Out IP 172.19.0.2 &gt; 142.251.43.78: ICMP echo request, id 8, seq 0, length 64
15:08:46.821930 eth1  In  IP 142.251.43.78 &gt; 172.19.0.2: ICMP echo reply, id 8, seq 0, length 64
15:08:47.805822 eth1  Out IP 172.19.0.2 &gt; 142.251.43.78: ICMP echo request, id 8, seq 1, length 64
15:08:47.824262 eth1  In  IP 142.251.43.78 &gt; 172.19.0.2: ICMP echo reply, id 8, seq 1, length 64
15:08:48.809430 eth1  Out IP 172.19.0.2 &gt; 142.251.43.78: ICMP echo request, id 8, seq 2, length 64
reddit.com
u/0x6461726B — 12 days ago
▲ 0 r/docker

Please help! Cannot load library libgssapi_krb5.so.2 when starting, no such file or directory .NET application docker container

I have scraped the internet for answers, but I cannot seem to find a solution.

I have read in the microsoft website that this library is not automatically installed in .NET images anymore, and to do it myself I have to add :

RUN apt update && apt -y upgrade libkrb5-3
to my dockerfile.

Well I did that and it doesnt work! I dont know what to do and I have been stuck for three days on this. This is my .net dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
WORKDIR /PortfolioWebsite


COPY *.sln .
COPY *.csproj ./
RUN dotnet restore
COPY . .
EXPOSE 5142
RUN apt update &amp;&amp; apt -y upgrade libkrb5-3
RUN dotnet publish -o out


FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS final
WORKDIR /PortfolioWebsite
COPY --from=build /PortfolioWebsite/out .
ENTRYPOINT ["dotnet", "PortfolioWebsite.dll"]
reddit.com
u/CodMore3394 — 11 days ago