Should containers/apps be run directly on your NAS?

This is a very thorough and detailed guide, but should it really be encouraged to run containers directly on your NAS appliance, which implies sharing the same kernel and is a poor security boundary?

Think I’ll split your question into its own thread for better visibility, because…

I am wondering about the approach we should take with self-hosting guides in general here. Something that we’re considering is standardizing all of our basic self-hosting guides around TrueNAS, because the GUI management is more accessible to regular people. It’s also very commonplace already for people to host storage/media-related tools on their NAS devices from Synology, QNAP, etc.

When it comes to server applications only intended for personal usage (like the guide above) I’m not sure I see a substantial risk really. It’s strictly never worse than installing apps directly on the system, which people will do on a regular Linux server, and it makes it much easier to maintain and update going forward, which is IMO the biggest security risk regular people need to watch out for.

Won’t translate well to other OSes. Docker Compose might be better suited. Optimize compose files for least privilege and add gVisor as a runtime for important (non-database) containers. Also ZFS is quite resource hungry compared to other solutions, which might be a problem for people living in countries with high energy prices.
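A Compose service hardened along the lines suggested above (least privilege plus gVisor as the runtime), as an added example rather than anything posted in this thread. It assumes gVisor's `runsc` binary is installed and registered with the Docker daemon under the runtime name `runsc`; the image name, port and volume path are placeholders.

```yaml
# Added example, not from the thread. Assumes runsc is registered with Docker,
# e.g. in /etc/docker/daemon.json:
#   {"runtimes": {"runsc": {"path": "/usr/local/bin/runsc"}}}
# Image, port and volume path are placeholders.
services:
  app:
    image: example/app:1.0            # placeholder image
    runtime: runsc                    # gVisor user-space kernel instead of the shared host kernel
    user: "1000:1000"                 # unprivileged UID/GID inside the container
    read_only: true                   # immutable root filesystem
    tmpfs:
      - /tmp                          # writable scratch space only where needed
    cap_drop:
      - ALL                           # drop every Linux capability
    security_opt:
      - no-new-privileges:true        # block setuid/setgid privilege escalation
    pids_limit: 256                   # limit process count
    mem_limit: 512m                   # bound memory use
    ports:
      - "127.0.0.1:8080:8080"         # loopback only; expose via a reverse proxy if needed
    volumes:
      - ./data:/data                  # mount only the directory the app actually needs
    restart: unless-stopped
```

Databases are usually left on the default runtime, as the post notes, because gVisor's syscall interception adds overhead to I/O-heavy workloads.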

TrueNAS Apps are basically Docker Compose with a UI, and an app store to get you started with commonly used software.