Show HN: Claity AI – An AI Aggregator with Smart Prompt Routing (Join Waitlist) (claity.netlify.app)

I share the author's sentiment completely. At my day job, I manage multiple Kubernetes clusters running dozens of microservices with relative ease. However, for my hobby projects—which generate no revenue and thus have minimal budgets—I find myself in a frustrating position: desperately wanting to use Kubernetes but unable to due to its resource requirements. Kubernetes is simply too resource-intensive to run on a $10/month VPS with just 1 shared vCPU and 2GB of RAM.

This limitation creates numerous headaches. Instead of Deployments, I'm stuck with manual docker compose up/down commands over SSH. Rather than using Ingress, I have to rely on Traefik's container discovery functionality. Recently, I even wrote a small script to manage crontab idempotently because I can't use CronJobs. I'm constantly reinventing solutions to problems that Kubernetes already solves—just less efficiently.

What I really wish for is a lightweight alternative offering a Kubernetes-compatible API that runs well on inexpensive VPS instances. The gap between enterprise-grade container orchestration and affordable hobby hosting remains frustratingly wide.

figmert · 2h ago

> What I really wish for is a lightweight alternative offering a Kubernetes-compatible API that runs well on inexpensive VPS instances. The gap between enterprise-grade container orchestration and affordable hobby hosting remains frustratingly wide.

Depending on how much of the Kube API you need, Podman is that. It can generate containers and pods from Kubernetes manifests [0]. Kind of works like docker compose but with Kubernetes manifests.

This even works with systemd units, similar to how it's outlined in the article.

Podman also supports most (all?) of the Docker api, thus docker compose, works, but also, you can connect to remote sockets through ssh etc to do things.

[0] https://docs.podman.io/en/latest/markdown/podman-kube-play.1...

[1] https://docs.podman.io/en/latest/markdown/podman-systemd.uni...

MyOutfitIsVague · 18m ago

> Kubernetes is simply too resource-intensive to run on a $10/month VPS with just 1 shared vCPU and 2GB of RAM.

That's more than what I'm paying for far fewer resources than Hetzner. I'm paying about $8 a month for 4 vCPUs and 8GB of RAM: https://www.hetzner.com/cloud

Note that the really affordable ARM servers are German only, so if you're in the US you'll have to deal with higher latency to save that money, but I think it's worth it.

sweettea · 16h ago

Have you seen k0s or k3s? Lots of stories about folks using these to great success on a tiny scale, e.g. https://news.ycombinator.com/item?id=43593269

acheong08 · 6h ago

I use k3s. With more than more master node, it's still a resource hog and when one master node goes down, all of them tend to follow. 2GB of RAM is not enough, especially if you also use longhorn for distributed storage. A single master node is fine and I haven't had it crash on me yet. In terms of scale, I'm able to use raspberry pis and such as agents so I only have to rent a single €4/month vps.

rendaw · 10h ago

I tried k3s but even on an immutable system dealing with charts and all the other kubernetes stuff adds a new layer of mutability and hence maintenance, update, manual management steps that only really make sense on a cluster, not a single server.

If you're planning to eventually move to a cluster or you're trying to learn k8s, maybe, but if you're just hosting a single node project it's a massive effort, just because that's not what k8s is for.

horsawlarway · 13h ago

I'm laughing because I clicked your link thinking I agreed and had posted similar things and it's my comment.

Still on k3s, still love it.

My cluster is currently hosting 94 pods across 55 deployments. Using 500m cpu (half a core) average, spiking to 3cores under moderate load, and 25gb ram. Biggest ram hog is Jellyfin (which appears to have a slow leak, and gets restarted when it hits 16gb, although it's currently streaming to 5 family members).

The cluster is exclusively recycled old hardware (4 machines), mostly old gaming machines. The most recent is 5 years old, the oldest is nearing 15 years old.

The nodes are bare Arch linux installs - which are wonderfully slim, easy to configure, and light on resources.

It burns 450Watts on average, which is higher than I'd like, but mostly because I have jellyfin and whisper/willow (self hosted home automation via voice control) as GPU accelerated loads - so I'm running an old nvidia 1060 and 2080.

Everything is plain old yaml, I explicitly avoid absolutely anything more complicated (including things like helm and kustomize - with very few exceptions) and it's... wonderful.

It's by far the least amount of "dev-ops" I've had to do for self hosting. Things work, it's simple, spinning up new service is a new folder and 3 new yaml files (0-namespace.yaml, 1-deployment.yaml, 2-ingress.yaml) which are just copied and edited each time.

Any three machines can go down and the cluster stays up (metalLB is really, really cool - ARP/NDP announcements mean any machine can announce as the primary load balancer and take the configured IP). Sometimes services take a minute to reallocate (and jellyfin gets priority over willow if I lose a gpu, and can also deploy with cpu-only transcoding as a fallback), and I haven't tried to be clever getting 100% uptime because I mostly don't care. If I'm down for 3 minutes, it's not the end of the world. I have a couple of commercial services in there, but it's free hosting for family businesses, they can also afford to be down an hour or two a year.

Overall - I'm not going back. It's great. Strongly, STRONGLY recommend k3s over microk8s. Definitely don't want to go back to single machine wrangling. The learning curve is steeper for this... but man do I spend very little time thinking about it at this point.

I've streamed video from it as far away as literally the other side of the world (GA, USA -> Taiwan). Amazon/Google/Microsoft have everyone convinced you can't host things yourself. Even for tiny projects people default to VPS's on a cloud. It's a ripoff. Put an old laptop in your basement - faster machine for free. At GCP prices... I have 30k/year worth of cloud compute in my basement, because GCP is a god damned rip off. My costs are $32/month in power, and a network connection I already have to have, and it's replaced hundreds of dollars/month in subscription costs.

For personal use-cases... basement cloud is where it's at.

Aachen · 5h ago

> It burns 450Watts on average

To put that into perspective, that's more than my entire household including my server that has an old GPU in it

Water heating is electric yet we still don't use 450W×year≈4MWh of electricity. In winter we just about reach that as a daily average (as a household) because we need resistive heating to supplement the gas system. Constantly 450W is a huge amount of energy for flipping some toggles at home with voice control and streaming video files

aftbit · 58m ago

Found the European :) With power as cheap as it is in the US, some of us just haven't had to worry about this as much as we maybe should. My rack is currently pulling 800W and is mostly idle. I have a couple projects in the works to bring this down, but I really like mucking around with old enterprise gear and that stuff is very power hungry.

Dell R720 - 125W

Primary NAS - 175W

Friend's Backup NAS - 100W

Old i5 Home Server - 100W

Cisco 2921 VoIP router - 80W

Brocade 10G switch - 120W

Various other old telecom gear - 100W

Kudos · 2m ago

I care about the cost far less than the environmental impact. I guess that's also a European tell?

tasuki · 1h ago

That's also only four and a half incandescent lightbulbs. Not enough to heat your house ;)

sheepscreek · 2h ago

I run a similar number of services on a very different setup. Administratively, it’s not idempotent but Proxmox is a delight to work with. I have 4 nodes, with a 14900K CPU with 24 cores being the workhorse. It runs a Windows server with RDP terminal (so multiple users can get access windows through RDP and literally any device), Jellyfin, several Linux VMs, a pi-hole cluster (3 replicas), just to name a few services. I have vGPU passthrough working (granted, this bit is a little clunky).

It is not as fancy/reliable/reproducible as k3s, but with a bunch of manual backups and a ZFS (or BTRFS) storage cluster (managed by a virtualized TrueNAS instance), you can get away with it. Anytime a disk fails, just replace and resilver it and you’re good. You could configure certain VMs for HA (high availability) where they will be replicated to other nodes that can take over in the event of a failure.

Also I’ve got tailscale and pi-hole running as LXC containers. Tailscale makes the entire setup accessible remotely.

It’s a different paradigm that also just works once it’s setup properly.

bvrmn · 3h ago

450W is ~£100 monthly. It's a luxury budget to host hobby stuff in a cloud.

selectodude · 1h ago

It’s $30 in my part of the US. Less of a luxury.

sureglymop · 3h ago

I have a question if you don't mind answering. If I understand correctly, Metallb on Layer 2 essentially fills the same role as something like Keepalived would, however without VRRP.

So, can you use it to give your whole cluster _one_ external IP that makes it accessible from the outside, regardless of whether any node is down?

Imo this part is what can be confusing to beginners in self hosted setups. It would be easy and convenient if they could just point DNS records of their domain to a single IP for the cluster and do all the rest from within K3s.

horsawlarway · 36m ago

Yes. I have configured metalLB with a range of IP addresses on my local LAN outside the range distributed by my DHCP server.

Ex - DHCP owns 10.0.0.2-10.0.0.200, metalLB is assigned 10.0.0.201-10.0.0.250.

When a service requests a loadbalancer, metallb spins up a service on any given node, then uses ARP to announce to my LAN that that node's mac address is now that loadbalancer's ip. Internal traffic intended for that IP will now resolve to the node's mac address at the link layer, and get routed appropriately.

If that node goes down, metalLB will spin up again on a remaining node, and announce again with that node's mac address instead, and traffic will cut over.

It's not instant, so you're going to drop traffic for a couple seconds, but it's very quick, all things considered.

It also means that from the point of view of my networking - I can assign a single IP address as my "service" and not care at all which node is running it. Ex - if I want to expose a service publicly, I can port forward from my router to the configured metalLB loadbalancer IP, and things just work - regardless of which nodes are actually up.

---

Note - this whole thing works with external IPs as well, assuming you want to pay for them from your provider, or IPV6 addresses. But I'm cheap and I don't pay for them because it requires getting a much more expensive business line than I currently use. Functionally - I mostly just forward 80/443 to an internal IP and call it done.

rcarmo · 7h ago

How do you deal with persistent volumes for configuration, state, etc? That’s the bit that has kept me away from k3s (I’m running Proxmox and LXC for low overhead but easy state management and backups).

acheong08 · 6h ago

Longhorn.io is great.

rcarmo · 5h ago

Yeah, but you have to have some actual storage for it, and that may not be feasible across all nodes in the right amounts.

Also, replicated volumes are great for configuration, but "big" volume data typically lives on a NAS or similar, and you do need to get stuff off the replicated volumes for backup, so things like replicated block storage do need to expose a normal filesystem interface as well (tacking on an SMB container to a volume just to be able to back it up is just weird).

horsawlarway · 16m ago

Sure - none of that changes that longhorn.io is great.

I run both an external NAS as an NFS service and longhorn. I'd probably just use longhorn at this point, if I were doing it over again. My nodes have plenty of sata capacity, and any new storage is going into them for longhorn at this point.

I back up to an external provider (backblaze/wasabi/s3/etc). I'm usually paying less than a dollar a month for backups, but I'm also fairly judicious in what I back up.

Yes - it's a little weird to spin up a container to read the disk of a longhorn volume at first, but most times you can just use the longhorn dashboard to manage volume snapshots and backup scheduling as needed. Ex - if you're not actually trying to pull content off the disk, you don't ever need to do it.

If you are trying to pull content off the volume, I keep a tiny ssh/scp container & deployment hanging around, and I just add the target volume real fast, spin it up, read the content I need (or more often scp it to my desktop/laptop) and then remove it.

sciencesama · 13h ago

Do you have documentation somewhere, where you can share ?

risson · 12h ago

I do things somewhat similarly but still rely on Helm/customize/ArgoCD as it's what I know best. I don't have a documentation to offer, but I do have all of it publicly at https://gitlab.com/lama-corp/infra/infrastructure It's probably a bit more involved than your OP's setup as I operate my own AS, but hopefully you'll find some interesting things in there.

merb · 9h ago

You should look into fluxcd this stuff makes a lot of stuff even simpler.

DonHopkins · 4h ago

"Basement Cloud" sounds like either a dank cannabis strain, or an alternative British rock emo grunge post-hardcore song. As in "My basement cloud runs k420s, dude."

https://www.youtube.com/watch?v=K-HzQEgj-nU

mikepurvis · 16h ago

Or microk8s. I'm curious what it is about k8s that is sucking up all these resources. Surely the control plane is mostly idle when you aren't doing things with it?

mdaniel · 13h ago

There are 3 components to "the control plane" and realistically only one of them is what you meant by idle. The Node-local kubelet (that reports in the state of affairs and asks if there is any work) is a constantly active thing, as one would expect from such a polling setup. The etcd, or it's replacement, is constantly(?) firing off watch notifications or reconciliation notifications based on the inputs from the aforementioned kubelet updates. Only the actual kube-apiserver is conceptually idle as I'm not aware of any compute that it, itself, does only in response to requests made of it

Put another way, in my experience running clusters, in $(ps auwx) or its $(top) friend always show etcd or sqlite generating all of the "WHAT are you doing?!" and those also represent the actual risk to running kubernetes since the apiserver is mostly stateless[1]

1: but holy cow watch out for mTLS because cert expiry will ruin your day across all of the components

Seattle3503 · 15h ago

How hard is it to host a Postgres server on one node and access it from another?

jasonjayr · 11h ago

I deployed CNPG (https://cloudnative-pg.io/ ) on my basement k3s cluster, and was very impressed with how easy I could host a PG instance for a service outside the cluster, as well as good practices to host DB clusters inside the cluster.

Oh, and it handles replication, failover, backups, and a litany of other useful features to make running a stateful database, like postgres, work reliably in a cluster.

rad_gruchalski · 14h ago

It’s Kubernetes, out of the box.

Alupis · 16h ago

> Kubernetes is simply too resource-intensive to run on a $10/month VPS with just 1 shared vCPU and 2GB of RAM

I hate sounding like an Oracle shill, but Oracle Cloud's Free Tier is hands-down the most generous. It can support running quite a bit, including a small k8s cluster[1]. Their k8s backplane service is also free.

They'll give you 4 x ARM64 cores and 24GB of ram for free. You can split this into 1-4 nodes, depending on what you want.

[1] https://www.oracle.com/cloud/free/

lemoncucumber · 14h ago

One thing to watch out for is that you pick your "home region" when you create your account. This cannot be changed later, and your "Always Free" instances can only be created in your home region (the non-free tier doesn't have that restriction).

So choose your home region carefully. Also, note that some regions have multiple availability domains (OCI-speak for availability zones) but some only have one AD. Though if you're only running one free instance then ADs don't really matter.

dwood_dev · 41m ago

A bit of a nitpick. You get monthly credit for 4c/24gb on ARM, no matter the region. So even if you chose your home region poorly, you can run those instances in any region and only be on the hook for the disk cost. I found this all out the hard way, so I'm paying $2/month to oracle for my disks.

qwertycrackers · 1h ago

I don't know the details but I know I made this mistake and I still have my Free Tier instances hosted in a different region then my home. It's charged me a month of $1 already so I'm pretty sure it's working.

waveringana · 15h ago

the catch is: no commercial usage and half the time you try to spin up an instance itll tell you theres no room left

SOLAR_FIELDS · 15h ago

That limitation (spinning up an instance) only exists if you don't put a payment card in. If you put a payment card in, it goes away immediately. You don't have to actually pay anything, you can provision the always free resources, but obviously in this regard you have to ensure that you don't accidentally provision something with cost. I used terraform to make my little kube cluster on there and have not had a cost event at all in over 1.5 years. I think at one point I accidentally provisioned a volume or something and it cost me like one cent.

Alupis · 15h ago

> no commercial usage

I think that's if you are literally on their free tier, vs. having a billable account which doesn't accumulate enough charges to be billed.

Similar to the sibling comment - you add a credit card and set yourself up to be billed (which removes you from the "free tier"), but you are still granted the resources monthly for free. If you exceed your allocation, they bill the difference.

SOLAR_FIELDS · 14h ago

Honestly I’m surprised they even let you provision the resources without a payment card. Seems ripe for abuse

dizhn · 8h ago

A credit card is required for sign up but it won't be set up as a billing card until you add it. One curious thing they do is though, the free trial is the only entry way to create a new cloud account. You can't become a nonfree customer from the get go. This is weird because their free trial signup is horrible. The free trial is in very high demand so understandably they refuse a lot of accounts which they would probably like as nonfree customers.

mdaniel · 13h ago

I would presume account sign up is a loss leader in order to get ~spam~ marketing leads, and that they don't accept mailinator domains

SOLAR_FIELDS · 11h ago

They also, like many other cloud providers, need a real physical payment card. No privacy.com stuff. No virtual cards. Of course they don’t tell you this outright, because obscurity fraud blah blah blah, but if you try to use any type of virtual card it’s gonna get rejected. And if your naïve ass thought you could pay with the virtual card you’ll get a nice lesson in how cloud providers deal with fraud. They’ll never tell you that virtual cards aren’t allowed, because something something fraud, your payment will just mysteriously fail and you’ll get no guidance as to what went wrong and you have to basically guess it out.

This is basically any cloud provider by the way, not specific to Oracle. Ran into this with GCP recently. Insane experience. Pay with card. Get payment rejected by fraud team after several months of successful same amount payments on the same card and they won’t tell what the problem is. They ask for verification. Provide all sorts of verification. On the sixth attempt, send a picture of a physical card and all holds removed immediately

It’s such a perfect microcosm capturing of dealing with megacorps today. During that whole ordeal it was painfully obvious that the fraud team on the other side were telling me to recite the correct incantation to pass their filters, but they weren’t allowed to tell me what the incantation was. Only the signals they sent me and some educated guesswork were able to get me over the hurdle

fishtacos · 8h ago

>No privacy.com stuff. No virtual cards.

I used a privacy.com Mastercard linked to my bank account for Oracle's payment method to upgrade to PAYG. It may have changed, this was a few months ago. Set limit to 100, they charged and reverted $100.

gosub100 · 8h ago

> send a picture of a physical card and all holds removed immediately

So you're saying there's a chance to use a prepaid card if you can copy it's digits onto a real looking plastic card? Lol

SOLAR_FIELDS · 3h ago

Unironically yes. The (real) physical card I provided was a very cheap looking one. They didn’t seem to care much about its look but rather the physicality of it

mulakosag · 9h ago

I recenlty wrote a guide on how to create a free 3 node cluster in Oracle cloud : https://macgain.net/posts/free-k8-cluster . This guide currently uses kubeadm to create 3 node (1 control plane, 2 worker nodes) cluster.

rfl890 · 13h ago

There are tons of horror stories about OCI's free tier (check r/oraclecloud on reddit, tl;dr: your account may get terminated at any moment and you will lose access to all data with no recovery options). I wouldn't suggest putting anything serious on it.

jwrallie · 6h ago

They will not even bother sending you an email explaining why, and you will not be able to ask it, because the system will just say your password is incorrect when you try to login or reset it.

If you are on free tier, they have nothing to lose, only you, so be particular mindful of making a calendar note for changing your CC before expiration and things like that.

It’s worth paying for another company just for the peace of mind of knowing they will try to persuade you to pay before deleting your data.

SOLAR_FIELDS · 11h ago

Are all of those stories related to people who use it without putting any payment card in? I’ve been happily siphoning Larry Ellisons jet fuel pennies for a good year and a half now and have none of these issues because I put a payment card in

thegeekpirate · 1h ago

Nope, my payment method was already entered.

dijit · 8h ago

Be careful about putting a payment card in too.

https://news.ycombinator.com/item?id=42902190

which links to:

https://news.ycombinator.com/item?id=29514359 & https://news.ycombinator.com/item?id=33202371

SOLAR_FIELDS · 3h ago

Good call out. I used the machines defined here and have never had any sort of issue like those links describe: https://github.com/jpetazzo/ampernetacle

thegeekpirate · 13h ago

Can confirm (old comment of mine saying the same https://news.ycombinator.com/item?id=43215430)

rollcat · 6h ago

I've been using Docker swarm for internal & lightweight production workloads for 5+ years with zero issues. FD: it's a single node cluster on a reasonably powerful machine, but if anything, it's over-specced for what it does.

Which I guess makes it more than good enough for hobby stuff - I'm playing with a multi-node cluster in my homelab and it's also working fine.

thenewwazoo · 16h ago

> I'm constantly reinventing solutions to problems that Kubernetes already solves—just less efficiently.

But you've already said yourself that the cost of using K8s is too high. In one sense, you're solving those solutions more efficiently, it just depends on the axis you use to measure things.

randallsquared · 13h ago

The original statement is ambiguous. I read it as "problems that k8s already solves -- but k8s is less efficient, so can't be used".

AdrianB1 · 2h ago

That picture with the almost-empty truck seems to be the situation that he describes. He wants the 18 wheeler truck, but it is too expensive for just a suitcase.

nvarsj · 16h ago

Just do it like the olden days, use ansible or similar.

I have a couple dedicated servers I fully manage with ansible. It's docker compose on steroids. Use traefik and labeling to handle reverse proxy and tls certs in a generic way, with authelia as simple auth provider. There's a lot of example projects on github.

A weekend of setup and you have a pretty easy to manage system.

nicce · 16h ago

What is the advantage of traefik over oldschool Nginx?

c0balt · 14h ago

Traefik has some nice labeling for docker that allows you to colocate your reverse proxy config with your container definition. It's slightly more convenient than NGINX for that usecase with compose. It effectively saves you a dedicated vietualhost conf by setting some labels.

This obviously has some limits and becomes significantly less useful when one requires more complex proxy rules.

nvarsj · 3h ago

Basically what c0balt said.

It's zero config and super easy to set everything up. Just run the traefik image, and add docker labels to your other containers. Traefik inspects the labels and configures reverse proxy for each. It even handles generating TLS certs for you using letsencrypt or zerossl.

nicce · 19m ago

I thought this context was outside of Docker, because they used ansible as docker compose alternative. But maybe I misunderstood.

gonzo41 · 14h ago

There's very little advantage IMO. I've used both. I always end up back at Nginx. Traefik was just another configuration layer that got in the way of things.

nvarsj · 3h ago

Traefik is waaay simpler - 0 config, just use docker container labels. There is absolutely no reason to use nginx these days.

I should know, as I spent years building and maintaining a production ingress controller for nginx at scale, and I'd choose Traefik every day over that.

osigurdson · 12h ago

Podman is a fairly nice bridge. If you are familiar with Kubernetes yaml, it is relatively easy to do docker-compose like things except using more familiar (for me) K8s yaml.

In terms of the cloud, I think Digital Ocean costs about $12 / month for their control plane + a small instance.

JamesSwift · 2h ago

Just go with a cloud provider that offers free control plane and shove a bunch of side projects into 1 node. I end up around $50 a month on GCP (was a bit cheaper at DO) once you include things like private docker registry etc.

The marginal cost of an additional project on the cluster is essentially $0

mbreese · 1h ago

> I'm constantly reinventing solutions to problems that Kubernetes already solves

Another way to look at this is the Kubernetes created solutions to problems that were already solved at a lower scale level. Crontabs, http proxies, etc… were already solved at the individual server level. If you’re used to running large coordinated clusters, then yes — it can seem like you’re reinventing the wheel.

singron · 15h ago

NixOS works really well for me. I used to write these kinds of idempotent scripts too but they are usually irrelevant in NixOS where that's the default behavior.

lewo · 7h ago

And regarding this part of the article

> Particularly with GitOps and Flux, making changes was a breeze.

i'm writing comin [1] which is GitOps for NixOS machines: you Git push your changes and your machines fetch and deploy them automatically.

[1] https://github.com/nlewo/comin

404mm · 16h ago

I found k3s to be a happy medium. It feels very lean and works well even on a Pi, and scales ok to a few node cluster if needed. You can even host the database on a remote mysql server, if local sqlite is too much IO.

aequitas · 8h ago

I've ran K3s on a couple of Raspberry Pi's as a homelab in the past. It's lightweight and ran nice for a few years, but even so, one Pi was always dedicated as controller, which seemed like a waste.

Recently I switched my entire setup (few Pi's, NAS and VM's) to NixOS. With Colmena[0] I can manage/update all hosts from one directory with a single command.

Kubernetes was a lot of fun, especially the declarative nature of it. But for small setups, where you are still managing the plumbing (OS, networking, firewall, hardening, etc) yourself, you still need some configuration management. Might as well put the rest of your stuff in there also.

[0] https://colmena.cli.rs/unstable/

alex5207 · 8h ago

> I'm stuck with manual docker compose up/down commands over SSH

Out of curiosity, what is so bad about this for smaller projects?

czhu12 · 15h ago

This is exactly why I built https://canine.sh -- basically for indie hackers to have the full experience of Heroku with the power and portability of Kubernetes.

For single server setups, it uses k3s, which takes up ~200MB of memory on your host machine. Its not ideal, but the pain of trying to wrangle docker deployments, and the cheapness of hetzner made it worth it.

satvikpendem · 3h ago

How does it compare to Coolify and Dokploy?

pachevjoseph · 14h ago

I’ve been using https://www.coolify.io/ self hosted. It’s a good middle ground between full blown k8s and systemd services. I have a home lab where I host most of my hobby projects though. So take that into account. You can also use their cloud offering to connect to VPSs

CoolCold · 10h ago

6$/m - will likely bring you peace of mind - Netcup hosting VPS 1000 ARM G11

    6 vCore (ARM64)
    8 GB RAM
    256 GB NVMe

Jipazgqmnm · 5h ago

They also have regular promotions that offer e.g. double the disk space.

There you get

    6 vCore (ARM64)
    8 GB RAM
    512 GB NVMe

for 6 $ / m - traffic inclusive. You can choose between "6 vCore ARM64, 8 GB RAM" and "4 vCore x86, 8 GB ECC RAM" for the same price. And much more, of course.

https://www.netcup.com/en/server/vps

eigengrau · 8h ago

It’s been a couple of years since I’ve last used it, but if you want container orchestration with a relatively small footprint, maybe Hashicorp Nomad (perhaps in conjunction with Consul and Traefik) is still an option. These were all single binary tools. I did not personally run them on 2G mem VPSes, but it might still be worthwhile for you to take a look.

It looks like Nomad has a driver to run software via isolated fork/exec, as well, in addition to Docker containers.

jdsleppy · 3h ago

I really like `DOCKER_HOST=ssh://... docker compose up -d`, what do you miss about Deployments?

nullpoint420 · 13h ago

Have you tried nixOS? I feel like it solves the functional aspect you're looking for.

investa · 16h ago

SSH up/down can be scripted.

Or maybe look into Kamal?

Or use Digital Ocean app service. Got integration, cheap, just run a container. But get your postgres from a cheaper VC funded shop :)

turtlebits · 11h ago

I'm a cheapskate too, but at some point, the time you spend researching cheap hosting, signing up and getting deployed is not worth the hassle of paying a few more $ on bigger boxes.

daitangio · 8h ago

I developed a tiny wrapper around docker compose which work on my use case: https://github.com/daitangio/misterio

It can manage multiple machine with just ssh access and docker install.

AdrianB1 · 2h ago

I am curious why your no revenue projects need the complexity, features and benefits of something like Kubernetes. Why you cannot just to it the archaic way of compiling your app, copy the files to a folder and run it there and never touch it for the next 5 years. If it is a dev environment with many changes, its on a local computer, not on VPS, I guess. Just curious by nature, I am.

vrosas · 14h ago

Why not just use something like Cloud Run? If you're only running a microVM deploying it there will probably be at or near free.

melodyogonna · 6h ago

For $10 you can buy VPS with a lot more resources than that on both Contabo and Ovh

BiteCode_dev · 6h ago

The solution to this is to not solve all the problems a billion dollar tech does on a personnal project.

Let it not be idempotent. Let it crash sometimes.

We lived without kubs for years and the web was ok. Your users will survive.

kartikarti · 16h ago

Virtual Kubelet is one step forward towards Kubernetes as an API

https://github.com/virtual-kubelet/virtual-kubelet

ClumsyPilot · 4h ago

> Kubernetes is simply too resource-intensive to run on a $10/month VPS with just 1 shared vCPU and 2GB of RAM

To put this in perspective, that’s less compute than a phone released in 2023, 12 years ago, Samsung Galaxy S4. To find this level of performance in a computer, we have to go to

The main issue is that Kubernetes has created good API and primitives for managing cloud stuff, and managing a single server is still kinda crap despite decades of effort.

I had K3S on my server, but replaced with docker + Traefik + Portainer - it’s not great, but less idle CPU use and fewer moving parts

rcarmo · 7h ago

What about Portainer? I deploy my compose files via git using it.

hkon · 16h ago

I've used caprover a bunch

godelski · 11h ago

Systemd gets a lot of hate but it really solves a lot of problems. People really shouldn't dismiss it. I think it really happened because when systemd started appearing on distros by default people were upset they had to change

Here's some cool stuff:

  - containers

    - machinectl: used for controlling:

      - nspawn: a more powerful chroot. This is often a better solution than docker. Super lightweight. Shares kernel

      - vmspawn: when nspawn isn't enough and you need full virtualization

    - importctl: download, import, export your machines. Get the download features in {vm,n}spawn like we have with docker. There's a hub, but it's not very active

  - homed/homectl: extends user management to make it easier to do things like encryption home directories (different mounts), better control of permissions, and more

  - mounts: forget fstab. Make it easy to auto mount and dismount drives or partitions. Can be access based, time, triggered by another unit (eg a spawn), sockets, or whatever

  - boot: you can not only control boot but this is really what gives you access to starting and stopping services in the boot sequence. 

  - timers: forget cron. Cron can't wake your machine. Cron can't tell a service didn't run because your machine was off. Cron won't give you fuzzy timing, do more complicated things like wait for X minutes after boot if it's the third Sunday of the month and only if Y.service is running. Idk why you'd do that, but you can!

  - service units: these are your jobs. You can really control them in their capabilities. Lock them down so they can only do what they are meant to do.

    - overrides: use `systemctl edit` to edit your configs. Creates an override config and you don't need to destroy the original. No longer that annoying task of finding the original config and for some reason you can't get it back even if reinstalling! Same with when the original config changes in an install, your override doesn't get touched!!

It's got a lot of stuff and it's (almost) all there already on your system! It's a bit annoying to learn, but it really isn't too bad if you really don't want to do anything too complicated. But in that case, it's not like there's a tool that doesn't require docs but allows you to do super complicated things.

gwd · 6h ago

> Systemd gets a lot of hate but it really solves a lot of problems.

From my perspective, it got a lot of hate in its first few years (decade?), not because the project itself was bad -- on the contrary, it succeeded in spite of having loads of other issues, because it was so superior. The problem was the maintainer's attitude of wantonly breaking things that used to work just fine, without offering any suitable fixes.

I have an old comment somewhere with a big list. If you never felt the pain of systemd, it's either because you came late to the party, or because your needs always happened to overlap with the core maintainer's needs.

gwd · 3h ago

Found my comment:

https://news.ycombinator.com/item?id=21897993

Aldipower · 4h ago

Full ack. Systemd broke a lot of things that just worked. Combined with the maintainer's attitude this produced a lot of anti reaction.

yc-kraln · 1h ago

Systemd is great if your use case is Linux on a modern Desktop or Server, or something which resembles that. If you want to do anything else that doesn't fit into the project view of what you should be doing, you will be met with scorn and resistance (ask the musl team...).

What isn't great, and where the hate comes from, is that it makes the life of a distribution or upstream super easy, at the expense of adding a (slowly growing) complexity at the lowest levels of your system that--depending your perspective--does not follow the "unix way": journalctl, timedatectl, dependencies on/replacing dbus, etc. etc. It's also somehow been conflated with Poettering (he can be grating in his correctness), as well as the other projects Poettering works on (Avahi, Pulse Audio).

If all you want to do is coordinate some processes and ensure they run in the right order with automatic activation, etc. it's certainly capable and, I'd argue, the right level of tool as compared to something like k8s or docker.

rollcat · 6h ago

The only issue I'm having with systemd is that it's taking over the role of PID 1, with a binary produced from an uncountable SLOC, then doing even more song and dance to exec itself in-place on upgrades. Here's a PID 1 program that does 100% of all of its duties correctly, and nothing else:

    #define _XOPEN_SOURCE 700
    #include <signal.h>
    #include <unistd.h>
    int main() {
        sigset_t set;
        int status;
        if (getpid() != 1) return 1;
        sigfillset(&set);
        sigprocmask(SIG_BLOCK, &set, 0);
        if (fork()) for (;;) wait(&status);
        sigprocmask(SIG_UNBLOCK, &set, 0);
        setsid();
        setpgid(0, 0);
        return execve("/etc/rc", (char *[]){ "rc", 0 }, (char *[]){ 0 });
    }

(Credit: https://ewontfix.com/14/)

You can spawn systemd from there, and in case anything goes wrong with it, you won't get an instant kernel panic.

zoobab · 3h ago

"You can spawn systemd from there"

Systemd wants PID1. Don't know if there are forks to disable that.

egorfine · 3h ago

> mounts: forget fstab. Make it easy to

never have your filesystem mounted at the right time, because their automount rules are convoluted and sometimes just plain don't work despite being 1:1 according to the documentation.

egorfine · 3h ago

> boot: you can not only control boot but

never boot into the network reliably, because under systemd you have no control over the sequence.

BTW, I think that's one of the main pros and one of the strongest features of systemd, but it is also what makes it unreliable and boot unreproducible if you live outside of the very default Ubuntu instance and such.

jraph · 3h ago

> never boot into the network reliably

What does this mean? Your machine boots and sometimes doesn't have network?

If your boot is unreliable, isn't it because some service you try to boot has a dependency that's not declared in its unit file?

egorfine · 2h ago

> Your machine boots and sometimes doesn't have network?

Sometimes it waits on the network to be available with network being available. No idea what causes this.

> some service you try to boot has a dependency that's not declared in its unit file

Nah, that would be an obvious and easy fix.

jraph · 2h ago

Haven't noticed this. This looks like a bug more than a fundamental issue.

egorfine · 2h ago

My feeling is that this is not exactly a bug but rather an obscure side effect of systemd being non-transparent.

egorfine · 3h ago

> forget cron

Sure. It worked for _50 years_ just fine but obviously it is very wrong and should be replaced with - of course - systemd.

MyOutfitIsVague · 40m ago

Timers are so much better than cron it's not even funny. Managing Unix machines for decades with teens of thousands of vital cron entries across thousands of machines, the things that can and do go wrong are painful, especially when you include more esoteric systems. The fact that timers are able to be synced up, backed up, and updated as individual files is alone a massive advantage.

Some of these things that "worked for 50 years" have also actually sucked for 50 years. Look at C strings and C error handling. They've "worked", until you hold them slightly wrong and cause the entire world to start leaking sensitive data in a lesser-used code path.

egorfine · 33m ago

> have also actually sucked for 50 years

I agree with you, that's exactly right.

Not sure I'm on the same page with you on the cron. I have a similar experience but I'd rather say that cron was something that never gave me headaches. Unlike obviously systemd.

MyOutfitIsVague · 2m ago

Cron has given me a ton of headaches. Between skipped jobs on reboots and DST, inability to properly express some dates ("First Sunday of the Month" is a common one), and worst of all, complete inability to prevent the same job from running multiple times at once, it's been regular headaches for a shop who has leaned very heavily on it. Some cron daemons handle some of these things, but they're not standard, and AIX's cron daemon definitely doesn't have these features. Every job has to be wrapped in a bespoke script to manage things that systemd already does, but much worse.

systemd has given me many headaches, but as a whole, it has saved me far fewer headaches than it has given me.

egorfine · 3h ago

> homed/homectl: extends user management to make it

impossible to have a clear picture of what's up with home dir, where is now located, how to have access to it or whether it will suddenly disappear. Obviously, plain /home worked for like five decades and therefore absolutely has to be replaced.

jraph · 2h ago

> Obviously, plain /home worked for like five decades and therefore absolutely has to be replaced.

Five decades ago, people didn't have laptops that they want to put on sleep and can get stolen. Actually, five decades ago, the rare people using a computer logged into remote, shared computers. Five decades ago, you didn't get hacked from the internet.

Today, people mostly each have their computer, and one session for themselves in it (when they have a computer at all)

I have not looked into homed yet, needs are very different from before. "It worked five decades ago" just isn't very convincing.

It'd be better to understand what homed tries to address, and argue why it does it wrong or why the concerns are not right.

You might not like it but there usually are legitimate reasons why systemd changes things, they don't do it because they like breaking stuff.

egorfine · 2h ago

It is. Laptops are totally unusable without systemd, and most of these features are needed there indeed.

My rant is: why the f are they shoved down my throat on the server side then?

jraph · 2h ago

I'm quite happy with systemd on server side, it eases a lot of things there as well. And I haven't noticed homed on my servers. Did they shove homed down your throat on your servers?

egorfine · 2h ago

They did shove timers and mounts. So, homed and run0 are pending.

No comments yet

egorfine · 3h ago

> It's a bit annoying to learn

Learning curve is not the annoying part. It is kind of expected and fine.

systemd is annoying is parts that are so well described over the internet, that it makes it zero sense to repeat it. I am just venting and that comes from the experience.

holuponemoment · 9h ago

Nice list, I'd add run0 as the sudo replacement.

My only bugbear with it is that there's no equivalent to the old timeout default you could set (note that doas explicitly said they won't implement this too). The workaround is to run it in `sudo -i` fashion and not put a command afterwards which is reasonable enough even though it worked hard against my muscle memory + copypaste commands when switching over.

> Systemd gets a lot of hate

I'd argue it doesn't and is simply another victim of loud internet minority syndrome.

It's just a generic name at this point, basically all associated with init and service units and none of the other stuff.

https://man.archlinux.org/man/run0.1.en

egorfine · 3h ago

> run0 as the sudo replacement

Of course. We suffered with sudo for a couple of decades already! Obviously it's wrong and outdated and has to be replaced with whatever LP says is the new norm.

DonHopkins · 3h ago

I was dismayed at having to go from simple clean linear BSD 4.3 / SunOS 4.1.3 era /etc/rc /etc/rc.local init scripts to that tangled rat king abomination of symbolic links and rc.d sub-directories and run levels that is the SysV / Solaris Rube Goldberg device. So people who want to go back to the "good old days" of that AT&T claptrap sound insane to me. Even Slowlaris moved on to SMF.

godelski · 8h ago

Oh yes, please add more! I'd love to see what others do because frankly, sometimes it feels like we're talking about forbidden magic or something lol

And honestly, I think the one thing systemd is really missing is... people talking about it. That's realistically the best way to get more documentation and spread all the cool tricks that everyone finds.

  > I'd argue it doesn't

I definitely agree on loud minority, but they're visible enough that anytime systemd is brought up you can't avoid them. But then again, lots of people have much more passion about their opinions than passion about understanding the thing they opine about.

blueflow · 7h ago

Then you have that machine that only runs an sshd and apache2 and you still get all that stuff shoehorned into your system.

dsp_person · 5h ago

ooh i didn't know about vmspawn. maybe this can replace some of where I use incus

kaylynb · 13h ago

I've run my homelab with podman-systemd (quadlet) for awhile and every time I investigate a new k8s variant it just isn't worth the extra hassle. As part of my ancient Ansible playbook I just pre-pull images and drop unit files in the right place.

I even run my entire Voron 3D printer stack with podman-systemd so I can update and rollback all the components at once, although I'm looking at switching to mkosi and systemd-sysupdate and just update/rollback the entire disk image at once.

The main issues are: 1. A lot of people just distribute docker-compose files, so you have to convert it to systemd units. 2. A lot of docker images have a variety of complexities around user/privilege setup that you don't need with podman. Sometimes you need to do annoying userns idmapping, especially if a container refuses to run as root and/or switches to another user.

Overall, though, it's way less complicated than any k8s (or k8s variant) setup. It's also nice to have everything integrated into systemd and journald instead of being split in two places.

mati365 · 9h ago

Nice! I’ve been using a similar approach for years with my own setup: https://github.com/Mati365/hetzner-podman-bunjs-deploy. It’s built around Podman and systemd, and honestly, nothing has broken in all that time. Super stable, super simple. Just drop your units and go. Rock solid.

Touche · 12h ago

You can use podlet to convert compose files to quadlet files. https://github.com/containers/podlet

OJFord · 3h ago

Just a single (or bunch of independent) 'node'(s) though right?

To me podman/systems/quadlet could just as well be an implementation detail of how a k8s node runs a container (the.. CRI I suppose, in the lingo?) - it's not replacing the orchestration/scheduling abstraction over nodes that k8s provides. The 'here are my machines capable of running podman-systemd files, here is the spec I want to run, go'.

mufasachan · 4h ago

Same experience, my workflow is to run the container from a podman run command, check it runs correctly, podlet to create a base container file, edit the container file (notably with volume and networks in other quadet file) and done (theorically).

I believe the podman-compose project is still actively maintened and could be a nice alternative for docker-compose. But the podman's interface with systemd is so enjoyable.

goku12 · 1h ago

I don't know if podman-compose is actively developed, but it is unfortunately not a good alternative for docker-compose. It doesn't handle the full feature set of the compose spec and it tends to catch you by surprise sometimes. But the good news is, the new docker-compose (V2) can talk to podman just fine.

masneyb · 16h ago

The next step to simplify this even further is to use Quadlet within systemd to manage the containers. More details are at https://www.redhat.com/en/blog/quadlet-podman

al_borland · 14h ago

This was touched on at the end of the article, but the author hadn't yet explored it. Thanks for the link.

> Of course, as my luck would have it, Podman integration with systemd appears to be deprecated already and they're now talking about defining containers in "Quadlet" files, whatever those are. I guess that will be something to learn some other time.

rsolva · 16h ago

This us the way! Quadlets is such a nice way to run containers, really a set and forget experience. No need to install extra packages, at least on Fedora or Rocky Linux. I should do a write up of this some time...

overtone1000 · 16h ago

I came to the comments to make sure someone mentioned quadlets. Just last week, I migrated my home server from docker compose to rootless podman quadlets. The transition was challenging, but I am very happy with the result.

sureglymop · 15h ago

Seems very cool but can it do all one can do with compose? In other words, declare networks, multiple services, volumes, config(maps) and labels for e.g. traefik all in one single file?

To me that's why compose is neat. It's simple. Works well with rootless podman also.

grimblee · 7h ago

Look into podlet, it's a tool made to convert compose files, kube manfiests, running containers and maybe other stuff, into quadlets.

I'm using this tonspeedup my quadlet configs whenever I want to deploy a new service that invariably has a compose file.

0xC0ncord · 14h ago

You can if you convert your docker-compose.yaml into Kubernetes YAML and deploy that as a quadlet with a .kube extension.

sureglymop · 7h ago

That is indeed really nice. However, kubernetes resource definitions are way more complicated than compose files so I still wish one could do the same by just adding a .compose extension to easily migrate.

lstolcman · 8h ago

I encourage you to look into this blog post as well; it helped me greatly with seamlessly switching into quadlets in my homelab: https://news.ycombinator.com/item?id=43456934

mbac32768 · 49m ago

Reading the comments here makes me feel old.

Doesn't anyone just use ssh and nginx anymore? Cram everything onto one box. Back the box up aggressively. Done.

I really don't need microservices management for my home stuff.

AndrewStephens · 1m ago

I do (nginx plus a couple of custom services) but my needs are very minimal. As soon as you need something a little complex or redundancy by spinning up multiple nodes then containers start to make a huge amount of sense.

byrnedo · 17h ago

I created skate (https://github.com/skateco/skate) to be basically this but multihost and support k8s manifests. Under the hood it’s podman and systemd

woile · 2h ago

This looks awesome!

teleforce · 13h ago

The article is more than one year old, systemd now even has specialized officially supported OS distro for immutable workflow namely ParticleOS [1],[2].

[1] ParticleOS:

https://github.com/systemd/particleos

[2] Systemd ParticleOS:

https://news.ycombinator.com/item?id=43649088

egorfine · 3h ago

Nice. The next logical step is to replace the Linux kernel with "systemd-kernel" and that will make it complete.

noisy_boy · 56m ago

Not deep enough; we need systemd to replace the BIOS and preferably the CPU microcodes too.

abhisek · 8h ago

I think you are only looking at Kubernetes for running and updating container images. If that’s the use-case then I guess it’s overkill.

But Kubernetes does much more in terms of providing the resources required for these containers to share state, connect to each other, get access to config or secrets etc.

That’s where comes the CPU and memory cost. The cost of managing your containers and providing them the resources they need.

> basically acts as a giant while loop

Yep. That’s the idea of convergence of states I guess. In a distributed system you can’t always have all the participating systems behave in the desired way. So the manager (or orchestrator) of the system continuously tries to achieve the desired state.

jpc0 · 3h ago

> But Kubernetes does much more in terms of providing the resources required for these containers to share state, connect to each other, get access to config or secrets etc.

This was OPs argument, and mine as well. My side project which is counting requests per minute or hour really doesn’t need that, however I need to eat the overhead of K8s just to have the nice dx of being able to push a container to a registry and it gets deployed automatically with no downtime.

I don’t want to pay to host even a K3s node when my workload doesn’t even tickle a 1vCPU 256mb ram instance, but I also don’t want to build some custom scaffold to so the work.

So I end up with SSH and SCP… quadlets and podman-systemd solves those problems I have reasonably well and OPs post is very valuable because it builds awareness of a solution that solves my problems.

NTARelix · 2h ago

A couple years ago I upgraded my desktop hardware, which meant it was time to upgrade my homelab. I had gone through various operating systems and methods of managing my services: systemd on Ubuntu Server, Docker Compose on CentOS, and Podman on NixOS.

I was learning about Kubernetes at work and it seemed like such a powerful tool, so I had this grand vision of building a little cluster in my laundry room with nodes net booting into Flatcar and running services via k3s. When I started building this, I was horrified by the complexity, so I went the complete opposite direction. I didn't need a cluster, net booting, blue-green deployments, or containers. I landed on NixOS with systemd for everything. Bare git repos over ssh for personal projects. Git server hooks for CI/CD. Email server for phone notifications (upgrade failures, service down, low disk space etc). NixOS nightly upgrades.

I never understood the hate systemd gets, but I also never really took the time to learn it until now, and I really love the simplicity when paired with NixOS. I finally feel like I'm satisfied with the operation and management of my server (aside from a semi frequent kernel panic that I've been struggling to resolve).

mdeeks · 15h ago

From what I read, I think you can replace this all with a docker compose command and something like Caddy to automatically get certs.

It's basically just this command once you have compose.yaml: `docker compose up -d --pull always`

And then the CI setup is this:

  scp compose.yaml user@remote-host:~/
  ssh user@remote-host 'docker compose up -d --pull always'

The benefit here is that it is simple and also works on your development machine.

Of course if the side goal is to also do something fun and cool and learn, then Quadlet/k8s/systemd are great options too!

rollcat · 5h ago

Do this (once):

    docker context create --docker 'host=ssh://user@remote-host' remote-host

Then try this instead:

    docker -c remote-host compose -f compose.yaml up -d --pull always
           ^^^^^^^^^^^^^^         ^^^^^^^^^^^^^^^

No need to copy files around.

Also, another pro tip: set up your ~/.ssh/config so that you don't need the user@ part in any ssh invocations. It's quite practical when working in a team, you can just copy-paste commands between docs and each other.

    Host *.example.com
        User myusername

jdsleppy · 2h ago

Do what the sibling comment says or set DOCKER_HOST environment variable. Watch out, your local environment will be used in compose file interpolation!

fpoling · 8h ago

At some point I tried to run a few small websites dedicated for activism (couple of Wordpress instances, a forum and custom PHP code) using docker. It was time sink as updating and testing the images turned out to be highly non-trivial.

Eventually I replaced everything with a script that generated systemd units and restarted the services on changes under Debian using the Wordpress that comes with it. Then I have a test VM on my laptop and just rsync changes to the deployment host and run the deployment script there. It reduced my chores very significantly. The whole system runs on 2GB VPS. It could be reduced to 1GB if Wordpress would officially support SQLite. But I prefer to pay few more euros per month and stick to Mariadb to minimize support requirements.

stavros · 13h ago

I am of the opinion that deploying stuff to a single server shouldn't be this complicated, and I wrote a tool to deploy the way I wanted:

https://harbormaster.readthedocs.io/

Harbormaster uses a YAML file to discover repositories, clones and updates them every so often, and runs the Docker Compose files they contain. It also keeps all state in a single directory, so you can easily back everything up. That's it.

It's by far the easiest and best tool for container orchestration I've come across, if all you need is a single server. I love how the entire config is declared in a repo, I love how all the state is in one directory, and I love how everything is just Compose files, nothing more complicated.

I know I'm tooting my own horn, I just love it so much.

goku12 · 2h ago

Well, if you're planning to run a single-node container server, then K8s is probably an overkill compared to Podman Quadlets. You just choose the lightest solution that meets your requirement. However, there was a noteworthy project named Aurae [1]. It was an ambitious project intended to replace systemd and kubelets on a server. Besides running containerized and baremetal loads, it was meant to take authenticated commands over an API and had everything that was expected on K8s worker nodes. It could work like K8s and like Docker with appropriate control planes. Unfortunately, the project came to an abrupt end when its main author Kris Nova passed away in an unfortunate accident.

[1] https://aurae.io/

LelouBil · 10h ago

I don't know if someone knows a better stack for my fleet of self hosted applications, maybe moving to quadlet would simplify stuff ?

Right now I have an Ansible playbook responsible for updating my services, in a git repo.

The playbook stops changed services, backups their configs and volumes, applies the new docker-compose.yml and other files, and restarts them.

If any of them fail to start, or aren't reachable after 3 minutes, it rolls back everything *including the volumes* (using buttervolume, docker volumes as btrfs subvolumes to make snapshots free).

I am looking into Kubernetes, but I didn't find a single stack/solution that would do all that this system does. For example I found nothing that can auto rollback on failure *including persistent volumes*.

I found Argo Rollback but it doesn't seem to have hooks that would allow me to add the functionality.

rollcat · 4h ago

YMMV, no warranty, IMHO, etc. Disclaimer: I haven't used k8s in a long while, mostly because I don't really have a good use case for it.

You'd need to slightly rethink rollbacks, express them in terms of always rolling forward. K8s supports snapshots directly (you'd need a CSI driver; https://github.com/topolvm/topolvm, https://github.com/openebs/zfs-localpv, or similar). Restores happen by creating a new PVC (dataSource from a VolumeSnapshot). So in case rollout to version N+1 fails, instead of a rollback to N you'd roll forward to N+2 (which itself would be a copy of N, but referencing the new PVC/PV). You'd still have to script that sequence of actions somehow - perhaps back to Ansible for that? Considering there might be some YAML parsing and templating involved.

Of course this looks (and likely is) much more complicated, so if your use case doesn't justify k8s in the first place, I'd stick to what already works ;)

mattbillenstein · 14h ago

I never moved to containers and seeing the churn the community has went through with all of this complicated container tooling, I'm happy orchestrating small-scale systems with supervisord and saltstack-like chatops deployments - it's just stupid simple by comparison and provides parity between dev and prod environments that's nice.

cydmax · 14h ago

It looks like supervisord had it last release in December 2022. GitHub issue for a new release are not answered: https://github.com/Supervisor/supervisor/issues/1635#issue-2... The original author seems to have moved on to NixOS.

mardifoufs · 11h ago

What churn? For 95% of users, the way to use containers hasn't changed in the past decade. It's just a combination of docker CLI, maybe some docker compose for local testing and then pushing that image somewhere.

baggy_trough · 14h ago

try the built-in systemd containers - via nspawn. Underrated tool!

candiddevmike · 14h ago

Too many gaps around image management. It seems like an unfinished feature that wasn't completely thought out IMO. Podman is what systemd-nspawns OCI interface should've become.

MrDrMcCoy · 8h ago

The incomplete resource controls compared with other units is also annoying. Probably the biggest reason for me that I haven't used nspawn much.

zokier · 17h ago

Why on earth would you run services on a server with --user and then fiddle with lingering logins instead of just using the system service manager?

phoronixrly · 16h ago

I'll answer this for you. You want rootless podman because docker is the defacto standard way of packaging non-legacy software now including autoupdates. I know, sad... Podman still does not offer convenient and mature way for systemd to run it with an unprivileged user. It is the only gripe I've had with this approach...

ggpsv · 14h ago

This is no longer true as of Podman 5 and Quadlet?

You can define rootless containers to run under systemd services as unprivileged users. You can use machinectl to login as said user and interact with systemctl.

phoronixrly · 5h ago

Can you please link the docs for this?

jcgl · 14h ago

Quadlet debuted with Podman 4.4 iirc.

chaz6 · 5h ago

I really like rootless podman, but there is one quirk in that if you want to preserve the original source IP address (e.g. for web server logs), you have to use a workaround which has a performance penalty.

https://github.com/containers/podman/issues/10884

https://github.com/containers/podman/pull/9052

https://github.com/containers/podman/pull/11177

phoronixrly · 4h ago

Correct me if I'm wrong but doesn't pasta solve this?

soraminazuki · 13h ago

It appears that systemd User= and DynamicUser= is incompatible with Podman so --user is being used as a replacement. Looks messy.

https://github.com/containers/podman/discussions/20573

egorfine · 3h ago

You will have many similar questions with systemd once you start doing a bit more complicated things outside of simple services.

thebeardisred · 14h ago

Funny, because when we built Fleet (https://github.com/coreos/fleet/) Kubernetes didn't exist.

arjie · 16h ago

I also use systemd+podman. I manage the access into the machine via an nginx that reverse proxies the services. With quadlets things will probably be even better but right now I have a manual flow with `podman run` etc. because sometimes I just want to run on the host instead and this allows for me to incrementally move in.

sureglymop · 15h ago

I do this with traefik as the reverse proxy. To host something new, all I need to do is add a label to the new container for traefik to recognize. It's neat with a wildcard cert that traefik automatically renews. I've also heard good things about caddy, a similar alternative.

arjie · 13h ago

Yeah, I've heard that these new reverse proxies are great like that. I have to run certbot (which I do) and I should have created wildcard certs but I didn't. I use traefik on k3s and it's good there for other stuff.

Aldipower · 4h ago

Whoever thought running your personal blog on Kubernetes is a good idea? Kubernetes is good for large scale applications. Nothing else. I do not get why even mid-sized companies take the burden of Kubernetes although they have low infrastructur needs.

JamesSwift · 2h ago

Its a tool that lets you punch way above your weight resource wise. As long as you dont manage the control plane, if you already know k8s there is very little reason not to use it. Otherwise you end up replicating what it does piecemeal.

Aldipower · 1h ago

There are a lot of reasons not to use a complex additional layer, like k8s, even if _you_ know it inside out. Long-term maintainability for example. This is especially important for low traffic sites, where it does not pay out to maintain them every 1-2 years. And it adds an additional point of failure. Trust me, I've maintained some applications running on k8s. They did always fail due to the k8s setup, not the application itself.

JamesSwift · 1h ago

Why do I need to trust you when I can trust myself and the clusters Ive maintained : D

Until something better comes I will start with k8s 100% of the time for production systems. The minor one time pains getting it stood up are worth it compared to the migration later and everything is in place waiting to be leveraged.

forty · 7h ago

I do that too, I run everything in rootless podman managed by systemd units it's quite nice. With systemd network activation I could even save the cost of user space networking, though for my single user use case, it's not really needed and for now I could not bother.

I also have Quadlet on my backlog, I'm waiting the release of next stable version of Debian (which I think should be released sometimes this year) as the current version of Debian has a podman slightly too old which doesn't include Quadlet

klooney · 17h ago

https://github.com/coreos/fleet I feel like fleet deserved more of a shot than it ultimately got.

thebeardisred · 14h ago

Well, it's funny you mention that because I started working on a PoC of running vLLM atop Fleet this morning. :grin:

klooney · 9h ago

I'm glad to hear it still works!

pa7ch · 16h ago

agreed, coreos pivoted to k8s almost immediately after releaseing fleet and didn't really get the chance to use and develop it much.

llarsson · 4h ago

That's also where etcd came from. It really felt, to me, like the precursor to Kubernetes.

strangus · 11h ago

I just deployed a couple containers this way, was pretty easy to port the docker-compose. However, I then tried to get them to run rootless, and well, that turned out to be headache after headache. Went back to rootful, other than I'm pretty happy with the deployment.

zoobab · 3h ago

Soon back to chroot with a busybox cgi shell script as an API.

I am working on proot-docker:

https://github.com/mtseet/proot-docker

OK it does not need process namespaces, but that's good enough for most containers.

grimblee · 7h ago

For anyone interested in quadlet, I've discovered a very usefull tool to convert compose files and manifests into quadlets: podlet.

It dramatically speeds up the process of converting the usual provided files into quadlets.

https://github.com/containers/podlet

arevno · 15h ago

This is cool, but it doesn't address the redundancy/availability aspect of k8s, specifically, being able to re-schedule dead services when a node (inevitably) dies.

psviderski · 11h ago

Generally speaking, redundancy/availability could also be achieved through replication rather than automatic rescheduling, where you deploy multiple replicas of the service across multiple machines. If one of them dies, the other one still continues service traffic. Like in good old days when we didn't have k8s and dynamic infra.

This trades off some automation for simplicity. Although, this approach may requires manual intervention when a machine fails permanently.

pphysch · 14h ago

I like to look at Kubernetes as "distributed systemd".

"What if I could define a systemd unit that managed a service across multiple nodes" leads naturally to something like k8s.

acanavan · 16m ago

be a man, use k8s

mattrighetti · 14h ago

Do you actually need the container at that point?

I host all of my hobby projects on a couple of raspi zeros using systemd alone, zero containers. Haven’t had a problem since when I started using it. Single binaries are super easy to setup and things rarely break, you have auto restart and launch at startup.

All of the binaries get generated on GitHub using Actions and when I need to update stuff I login using ssh and execute a script that uses a GitHub token to download and replace the binary, if something is not okay I also have a rollback script that switches things back to its previous setup. It’s as simple as it gets and it’s been my go-to for 2 years now.

bbkane · 11h ago

I do this too; but I'm looking to try the container approach when I can't use a single binary (i.e. someone else's Python project).

mrbluecoat · 10h ago

How does your rollback work without containers?

eitland · 7h ago

If it is a single binary, replace the current with the previous.

If it is deployed as folders, install new versions as whatever.versionnumber and upgrade by changing the symlink that points to the current version to point to the new one.

Tabular-Iceberg · 3h ago

Couldn’t it be argued that this is a bug in Kubernetes?

Most of what it does is run programs with various cgroups and namespaces, which is what systemd does, so should it really be any more resource intensive?

dullcrisp · 16h ago

I’m here just doing docker compose pull && docker compose down && docker compose up -d and it’s basically fine.

Aluminum0643 · 11h ago

I believe you can skip the "down" :)

chupasaurus · 8h ago

docker-compose had very unfun mechanism of detecting image updates so it depends (I haven't dug deep into V2).

dullcrisp · 11h ago

Good to know

jdsleppy · 2h ago

You also skip the docker compose pull if you configure it to always pull in the compose file or in the up command.

maxclark · 17h ago

I know some large AWS environments that run a variation of this

Autoscaling fleet - image starts, downloads container from registry and starts on instance

1:1 relationship between instance and container - and they’re running 4XLs

When you get past the initial horror it’s actually beautiful

dpbriggs · 4h ago

I've had a really great experience with docker compose and systemd units. I use a generic systemd unit and it's just as easy as setting up users then `systemctl enable --now docker-compose@service-name`.

kgeist · 14h ago

When a service is updated like this:

- is there downtime? (old service down, new service hasn't started yet)

- does it do health checks before directing traffic? (the process is up, but its HTTP service hasn't initialized yet)

- what if the new process fails to start, how do you rollback?

Or it's solved with nginx which sits in front of the containers? Or systemd has a builtin solution? Articles like this often omit such details. Or no one cares about occasional downtimes?

LinuxAmbulance · 12h ago

Hobbyists care not for such things. Sure does matter at the enterprise level though.

sph · 8h ago

I remember seeing a project in development that built k8s-like orchestration on top of systemd a couple years ago, letting you control applications across nodes and the nodes themselves with regular systemd config files and I have been unable to find it again. IIRC it was either a Redhat project or hosted under github.com/containers and looked semi-official.

Anyone knows what I’m talking about? Is it still alive?

EDIT: it’s not CoreOS/Fleet, it’s something much more recent, but was still in early alpha state when I found it.

stryan · 15m ago

Maybe you're thinking of BlueChi[0]? It used to be Red Hat project called 'hirte' and was renamed[1] and moved to the Eclipse foundation for whatever reason. It lets you control systemd units across nodes and works with the normal systemd tools (D-bus etc).

[0] https://github.com/eclipse-bluechi/bluechi

[1] https://www.redhat.com/en/blog/hirte-renamed-eclipse-bluechi

VWWHFSfQ · 16h ago

We went back to just packaging debs and running them directly on ec2 instances with systemd. no more containers. Put the instances in an autoscaling group with an ALB. A simple ansible-pull installs the debs on-boot.

really raw-dogging it here but I got tired of endless json-inside-yaml-inside-hcl. ansible yaml is about all I want to deal with at this point.

secabeen · 16h ago

I also really like in this approach that if there is a bug in a common library that I use, all I have to do is `apt full-upgrade` and restart my running processes, and I am protected. No rebuilding anything, or figuring out how to update some library buried deep a container that I may (or may not) have created.

SvenL · 16h ago

Yes, I also have gone this route for a very simple application. Systemd was actually delightful, using a system assigned user account to run the service with the least amount of privileges is pretty cool. Also cgroup support does really make it nice to run many different services on one vps.

r3trohack3r · 14h ago

The number of human lifetimes wasted on the problem domain of "managing YAML at scale"...

OptionOfT · 9h ago

Wrt to the updates: Does it mean it maintains the original environment variables you passed in separate from the ones set by the container?

E.g. when updating a container with watchtower:

You deploy a container 'python-something'.

The container has PYTHON=3.11.

Now, the container has an update which sets PYTHON=3.13.

Watchtower will take the current settings, and use them as the settings to be preserved.

So the next version will deploy with PYTHON=3.11, even though you haven't set those settings.

xwowsersx · 12h ago

FYI the link to Flux in

> Particularly with GitOps and [Flux](https://www.weave.works/oss/flux/?ref=blog.yaakov.online), making changes was a breeze.

appears to be broken.

EDIT: oh, I hadn't realized the article was a year old.

dorongrinstein · 14h ago

At https://controlplane.com we give you the power of Kubernetes without the toil of k8s. A line of code gets you a tls terminated endpoint that is geo routed to any cloud region and on-prem location. We created the Global Virtual Cloud that let's you run compute on any cloud, on premises hardware or vm's and any combination. I left vmware to start the company because the cognitive load on engineers was becoming ridiculous. Logs, metrics, tracing, service discovery, TLS, DNS, service mesh, network tunnels and much more - we made it easy. We do to the cloud what vmware did to hardware - you don't care what underlying cloud you're on. Yet you can use ANY backing service of AWS, GCP and Azure - as if they merged and your workloads are portable - they run unmodified anywhere and can consume any combination of services like RDS, Big Query, Cosmos db and any other. It is as if the cloud providers decided to merge and then lower your cost by 60-80%.

Check it out. Doron

nwellinghoff · 9h ago

Why / how is it 60% cheaper?

Iwan-Zotow · 11h ago

Interesting, thanks

dgan · 5h ago

why does it require so much RAM, can someone more knowledgeable explain? what does it store un such quantities ?

TZubiri · 14h ago

Looking forward to the follow up "replacing systemd with init and bash scripts."

egorfine · 3h ago

That will cut down memory usage by half, again.

No, just kidding. As much as I'd like to, reverting back to a sane initsystem is not possible and not an option anymore.

lrvick · 15h ago

Or drop all brittle c code entirely and replace systemd with kubernetes: https://www.talos.dev/

weikju · 15h ago

Just replace the battle tested brittle C code with a brittle bespoke yaml mess!

sepositus · 15h ago

To suggest that Kubernetes doesn't fall under the scope of "battle tested" is a bit misleading. As much as systemd? Of course not. But it's not 2016 anymore and we have billions of collective operational hours with Kubernetes.

Just the other day I found a cluster I had inadvertently left running on my macBook using Kind. It literally had three weeks of uptime (running a full stack of services) and everything was still working, even with the system getting suspended repeatedly.

djhn · 9h ago

I once discovered that I had left a toy project postgres instance running on my macbook for two and a half years. Everything was working perfectly, and this was more than a decade ago, on an intel mac.

sepositus · 51m ago

Ha, I figured someone was going to come with a retort like that. Fair, but it would be better to compare it to running a distributed postgres cluster on your local mac.

nullpoint420 · 13h ago

+1, easiest bare-metal installation of k8s ever.

malteg · 13h ago

What about using nomad?

https://developer.hashicorp.com/nomad

jcgl · 7h ago

I ran it for a couple years. While it had some quirks at the time, it (and the rest of the Hashi stack) were lightweight, nicely integrated, and quite pleasant.

However, it’s no longer open source. Like the rest of Hashicorp’s stuff.

tgz · 8h ago

... or (maybe) incus.

iAm25626 · 15h ago

on the resource part - try running k8s on Talos linux. much less overhead.

IAmNotACellist · 14h ago

That's the most disgusting sentence fragment I've ever heard. I wish it could be sent back in a localized wormhole and float across the table when Systemd was being voted on to become the next so-called init system.

Edit: Nevermind, I misunderstood the article from just the headline. But I'm keeping the comment as I find the reference funny

lstodd · 14h ago

was actually fun running crypto traders without all this container bullshit. one service is one service. and so much simpler.

it helped of course that people writing them knew what they were doing.

Show HN: Real-time AI Voice Chat at ~500ms Latency (github.com)

Show HN: FileKey – Encrypt files with passkeys, locally. No servers or accounts (github.com)

Show HN: VectorVFS, your filesystem as a vector database (vectorvfs.readthedocs.io)

Show HN: Outpost – OSS infra for outbound webhooks and event destinations (github.com)

Show HN: TextQuery – Query CSV, JSON, XLSX Files with SQL (textquery.app)

Show HN: I built a 7-day calendar app – no months or years, just the next 7 days (weeklong.life)

Show HN: Tkintergalactic - Declarative Tcl/Tk UI Library for Python (github.com)

Show HN: Klavis AI – Open-source MCP integration for AI applications (github.com)

Show HN: ProcASM – A general purpose, visual programming lanugage (procasm.temware.site)

Show HN: Bracket – selfhosted tournament system (github.com)

Show HN: Storage Buddy – For efficient storage organization and retrieval (apps.apple.com)

Show HN: My AI Native Resume (ai.jakegaylor.com)

Show HN: Journelly for iOS: like tweeting but for your eyes only (in plain text) (xenodium.com)

Show HN: Driverless print server for legacy printers, profit goes to open-source (printserver.ink)

Show HN: CodeCafé – A real-time collaborative code editor in the browser (github.com)

Show HN: API Testing and Security with AI (qodex.ai)

Show HN: Pinggy – A free RSS reader for the web (pinggy.com)

Show HN: Free, in-browser PDF editor (breezepdf.com)

Show HN: Tired of bloated time trackers? Here's a dead-simple, free one I built (apps.apple.com)

Show HN: I taught AI to commentate Pong in real time (github.com)

Show HN: Claity AI – An AI Aggregator with Smart Prompt Routing (Join Waitlist) (claity.netlify.app)

Show HN: OpenRouter Model Price Comparison (compare-openrouter-models.pages.dev)

Show HN: McPoogle: Search Engine for MCP Servers (mcpoogle.com)

Show HN: Use Third Party LLM API in JetBrains AI Assistant (github.com)

Show HN: Low Fidelity Wireframe Powered by AI for Dashboard and UI Mockups (wireframes.org)

Show HN: Automate your workflows with screen recordings and AI agents (nutix.ai)

Show HN: I built a synthesizer based on 3D physics (anukari.com)

Show HN: X-Terminate, a Chrome extension to remove politics from your X feed

Show HN: MP3 File Editor for Bulk Processing (cjmapp.net)

Show HN: Reverse Pac-Man (reverse-pacman.staticrun.app)

Show HN: OSle – A 510 bytes OS in x86 assembly (github.com)

Show HN: Pipask – safer pip without compromising convenience (github.com)

Show HN: I built a mini macOS app to reveal my yearly subscription spending (appps.od.ua)

Show HN: VoltAgent – Open-Source Observability-First TS AI Agent Framework (github.com)

Show HN: DistilKitPlus, a distillation framework between any LLMs (github.com)

Show HN: Kubetail – Real-time log search for Kubernetes (github.com)

Show HN: GPT-2 implemented using graphics shaders (github.com)

Show HN: Roons – Mechanical Computer Kit (whomtech.com)

Show HN: Create your own finetuned AI model using Google Sheets (promptrepo.com)

Show HN: Oci2git – Convert OCI container images into Git repositories (github.com)

Show HN: I built a hardware processor that runs Python (runpyxl.com)

Show HN: Hyperparam: OSS tools for exploring datasets locally in the browser (hyperparam.app)

Show HN: Open-source AI web parser lib & TUI (github.com)

Show HN: Ridvay Code – An AI Coding Assistant for VS Code (ridvay.com)

Show HN: ART – a new open-source RL framework for training agents (github.com)

Show HN: Sim Studio – Open-Source Agent Workflow GUI (github.com)

Show HN: An open-source low-code platform (flowcentralplatform.com)

Show HN: Reno, React and Vite and Hono Starter with Auth and E2E Type Safety (github.com)

Show HN: EZ-TRAK Satellite Hand Tracking Suite (github.com)

Show HN: Blast – Fast, multi-threaded serving engine for web browsing AI agents (github.com)

Replacing Kubernetes with systemd (2024)

Comments (227)