The secure and efficient Docker
Flatcar Container Linux is tailored for one task: running Docker in a scalable way. Flatcar is a container-optimized OS with a minimal OS image. It has an immutable filesystem and includes automatic atomic updates. The security is enterprise-grade and it is open source.
Flatcar Container Linux is an open-source, community-driven Linux distribution purpose-built for container workloads. It offers enterprise-grade security, automated updates, and a minimal OS footprint, making it ideal for scalable deployments of Docker and/or Kubernetes.
This post is a technical demonstration of using Flatcar on Proxmox VE.
Please refer to the official Flatcar documentation for full setup instructions.
Key Benefits of Flatcar
Benefits of running your Docker stacks using Flatcar
- Minimal footprint – only the bare minimum
  - Ships only the tools required to run containers.
  - No package manager is included.
  - Immutable file system: nothing can be installed post-deployment.
- Enterprise-grade security – an immutable, read-only file system
  - Read-only root filesystem.
  - Minimal attack surface.
  - Secure by default.
- Automatic, hands-free updates – ensures your system's security and performance.
  - Auto-checks for updates hourly.
  - Updates are written to a separate partition for safe rollback.
  - You can disable auto-updates (not recommended).
Where Flatcar Runs
Cloud providers
Official support:
AWS EC2, Microsoft Azure, Google Compute Engine, Equinix Metal, VMware, DigitalOcean, Hetzner, OpenStack, Brightbox, Linode (Akamai), STACKIT
Community-supported:
Scaleway, OVHcloud
Virtualization platforms:
Official support:
QEMU, libvirt, KubeVirt, Proxmox VE
Community-supported:
VirtualBox, Vagrant, Hyper-V

Running Flatcar on Proxmox VE
Flatcar ships Proxmox-compatible images in qcow2 format. Since Proxmox only accepts ISO images in the GUI, we'll use the CLI to create and configure a VM. You might need or want to add other settings using the qm command; see The qm Command under References.
Prerequisites
- Enable Snippets in Proxmox:
  - Go to: Datacenter → Storage → local → Edit
  - Add Snippets to the content types.
  - Snippets are stored at: /var/lib/vz/snippets/
- Download a Flatcar Proxmox Image:
wget https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_proxmoxve_image.img
Creating the VM
We will use the CLI to create a VM using the downloaded image.
Step 1: Set VM ID
export VM_ID=20000
The VM name and ID will be the same.
Step 2: Create the VM
qm create $VM_ID --cores 2 --memory 4096 --net0 "virtio,bridge=vmbr0" --ipconfig0 "ip=dhcp"
Replace vmbr0 with your actual bridge name if different and replace the IP settings.
Step 3: Import the disk
qm disk import $VM_ID flatcar_production_proxmoxve_image.img local-zfs
Use local-zfs, local-lvm, or another supported storage backend.
Step 4: Set boot disk
qm set $VM_ID --scsi0 local-zfs:vm-$VM_ID-disk-0 --boot order=scsi0
Step 5: Create Cloud-Init drive
qm set $VM_ID --ide2 local-zfs:cloudinit
Step 6: Create a Cloud-Init Snippet
Step 6.1: Create the file
nano /var/lib/vz/snippets/user-data
Step 6.2: Attach the Snippet to the VM
qm set $VM_ID --cicustom "user=local:snippets/user-data"
Configuring the VM with a Cloud-Init config
The VM can be booted as-is; however, you might want to add an OpenStack-style Cloud-Init configuration. What is supported:
- Setting the hostname (the hostname is always equal to $VM_ID)
- Writing SSH keys
- Writing network configuration
Configuring Options
user-data file than the cloud-init config. This means that you cannot use both Ignition config and regular cloud-init. When setting up an Ignition config, expect the cloud-init services to fail during boot (but, this is harmless).
The Proxmox GUI does not support setting the custom user-data file. You’ll need to use the command line for this. We need to write the Ignition config as a snippet.
Write a file named user-data containing your Ignition config.
Here is an example
Create the file /var/lib/vz/snippets/user-data and edit it
{
  "ignition": { "version": "3.0.0" },
  "storage": {
    "files": [{
      "path": "/etc/someconfig",
      "mode": 420,
      "contents": { "source": "data:,example%20file%0A" }
    }]
  },
  "passwd": {
    "users": [
      {
        "name": "core",
        "sshAuthorizedKeys": [
          "ssh-ed25519 your-public-ssh-key"
        ]
      }
    ]
  }
}
The file /var/lib/vz/snippets/user-data
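Before the snippet is attached, the user-data can be checked for the slips this format invites: a file mode written in octal digits although Ignition reads it as a decimal integer, a placeholder SSH key left in, or a remote file source without a verification hash. The script below is an added example, not part of the original post or of the Flatcar/Ignition tooling; `lint_ignition`, `check_key` and the sample (the page's config with the mode mistyped as 644) are constructed for illustration.

```python
import base64
import json
import re

# Constructed sample: the page's user-data, mode typed as 644, placeholder key left in.
SAMPLE = """{"ignition": {"version": "3.0.0"}, "storage": {"files": [
 {"path": "/etc/someconfig", "mode": 644, "contents": {"source": "data:,example%20file%0A"}}]},
 "passwd": {"users": [{"name": "core",
   "sshAuthorizedKeys": ["ssh-ed25519 your-public-ssh-key"]}]}}"""

KEY_RE = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) "
                    r"([A-Za-z0-9+/]+={0,2})(?: .*)?$")

def check_key(line):
    """Return None for a well-formed OpenSSH public key line, else the reason."""
    m = KEY_RE.match(line.strip())
    if not m:
        return "is not '<type> <base64> [comment]' (placeholder left in?)"
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return "has an invalid base64 blob"
    # The decoded blob starts with a length-prefixed copy of the key type.
    n = int.from_bytes(blob[:4], "big")
    return None if blob[4:4 + n] == m.group(1).encode() else "type/blob mismatch"

def lint_ignition(text):
    """Return findings for an Ignition JSON config (empty list = clean)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e}"]
    out = [] if "version" in cfg.get("ignition", {}) else ["ignition.version missing"]
    for f in cfg.get("storage", {}).get("files", []):
        path, mode, c = f.get("path"), f.get("mode", 0), f.get("contents", {})
        if mode & 0o1000:  # mode is DECIMAL (420 == 0o644); 600..777 set the sticky bit
            out.append(f"{path}: mode {mode} means {mode:#o}; octal typed as decimal?")
        if mode & 0o002:
            out.append(f"{path}: mode {mode:#o} is world-writable")
        if c.get("source", "").startswith(("http://", "https://")) \
                and not c.get("verification", {}).get("hash"):
            out.append(f"{path}: remote source without verification.hash")
    for u in cfg.get("passwd", {}).get("users", []):
        for key in u.get("sshAuthorizedKeys", []):
            if (reason := check_key(key)):
                out.append(f"user {u.get('name')}: SSH key {reason}")
    return out

if __name__ == "__main__":
    print("\n".join(lint_ignition(SAMPLE)))
```

On the Proxmox host, pass the contents of /var/lib/vz/snippets/user-data to `lint_ignition` and attach the snippet only when the returned list is empty.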
Finally, tell the VM to use this file as user-data
qm set $VM_ID --cicustom "user=local:snippets/user-data"
Finalize the installation
After the VM starts, you need to:
Start the VM
qm start $VM_ID
Set a password for the default user: core
sudo passwd core
Use a strong password!
Set up Portainer
We need a way to set up applications on our Docker VM.
Portainer is a web GUI for managing Docker containers.
- SSH into the VM
- Run:
mkdir portainer && cd portainer
docker run -d \
  -p 8000:8000 -p 9443:9443 \
  --name portainer \
  --restart=always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v ./portainer_data:/data \
  portainer/portainer-ce:lts
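Now you can manage containers via Portainer’s GUI instead of using the CLI. Because /var/run/docker.sock is mounted into the container, Portainer has full control of the Docker daemon on this VM, so restrict who can reach the GUI on port 9443.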
References
Flatcar [1], Butane [2], Ignition [3], The qm Command [4]
[1] Flatcar Container Linux is a container optimized OS that ships a minimal OS image, which includes only the tools needed to run containers. The OS is shipped through an immutable filesystem and includes automatic atomic updates. Homepage, Blog page, Documentation pages, Security, Installation, GitHub, GitHub Demos
[2] Butane (formerly the Fedora CoreOS Config Transpiler, FCCT) translates human readable Butane Configs into machine readable Ignition Configs. GitHub
[3] Ignition SCADA Software for Linux by Inductive Automation. Homepage, Download
[4] The QEMU/KVM Virtual Machine Manager (qm). Documentation, man page