Thanks to their lightweight nature, minimal overhead, and fast startup times, Proxmox LXCs (Linux Containers) are a popular choice for many virtualization enthusiasts. However, over the course of building and managing various home lab setups, I've found myself gravitating towards Virtual Machines (VMs) and Docker containers. While LXCs certainly have their place, this post explores the top reasons why VMs and Docker, often in combination, offer a superior experience for my specific needs.
3 VMs offer true isolation and security
Avoid security risks
This is the most crucial difference. By isolation, I mean separating one computing environment from another and, above all, from the host system itself. Each VM runs its own completely independent operating system, with its own kernel, memory space, and virtualized hardware.
If a VM is compromised through a security bug, it is difficult for the attacker to reach the host system or other VMs: without a flaw in the hypervisor itself, they cannot directly access the host's kernel, file system, or the other VMs.
On the flip side, LXC containers share the kernel with the host system, and this is the fundamental difference. While LXC provides excellent process isolation, every application still relies on the same Linux kernel as the Proxmox host. That means that if an attacker finds a kernel-level vulnerability reachable from within an LXC, they can gain access to the host system and all other LXCs running on it.
Whenever I need to set up new open-source software with an unfamiliar codebase, I install the experimental web app on a VM. If it has a vulnerability that leads to a full system compromise, the malware would be trapped within the VM's isolated environment, and I can simply delete the compromised VM and start fresh.
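The shared-kernel point above also suggests a check for the LXCs you do keep: the closer a container's config is to "privileged root with every device and no AppArmor", the less of that boundary is left. The audit below is an added example, not from the original post. It reads Proxmox's per-container config files (`/etc/pve/lxc/<ctid>.conf`, the standard location) and flags the settings that are most often relaxed when an LXC is given host hardware. The config keys are the standard Proxmox/LXC ones; which ones count as weak is my own choice, and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Audit Proxmox LXC configs for settings that thin out the boundary between
# the container and the shared host kernel. Added example, not from the post.
# Keys are the standard Proxmox/LXC ones; the sample configs are constructed.

# Report weak settings in one config (findings on stderr);
# return 0 if none were found, 1 otherwise.
audit_lxc_conf() {
    conf="$1"
    findings=0
    # A privileged container runs as real root on the host kernel, so a
    # kernel bug reachable from inside is a host compromise.
    if ! grep -q '^unprivileged: 1' "$conf"; then
        echo "$conf: privileged container (no 'unprivileged: 1')" >&2
        findings=$((findings + 1))
    fi
    # 'unconfined' turns off the AppArmor profile that restricts container root.
    if grep -q '^lxc\.apparmor\.profile: *unconfined' "$conf"; then
        echo "$conf: AppArmor disabled (lxc.apparmor.profile: unconfined)" >&2
        findings=$((findings + 1))
    fi
    # An empty 'lxc.cap.drop:' keeps every capability Proxmox would normally drop.
    if grep -q '^lxc\.cap\.drop: *$' "$conf"; then
        echo "$conf: no capabilities dropped (empty lxc.cap.drop)" >&2
        findings=$((findings + 1))
    fi
    # 'devices.allow: a' exposes every host device node, not just the one needed.
    if grep -Eq '^lxc\.cgroup2?\.devices\.allow: *a$' "$conf"; then
        echo "$conf: all host devices allowed (lxc.cgroup2.devices.allow: a)" >&2
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Audit every *.conf under a directory (default /etc/pve/lxc) and print
# the number of configs with at least one finding.
audit_all() {
    dir="${1:-/etc/pve/lxc}"
    weak=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        audit_lxc_conf "$f" || weak=$((weak + 1))
    done
    echo "$weak"
}

# Constructed sample configs (not from any real host) in a temp directory,
# so the audit can be tried without a Proxmox box; prints the directory.
make_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/100.conf" <<'EOF'
arch: amd64
cores: 2
hostname: webapp
unprivileged: 1
features: nesting=1
EOF
    cat > "$d/101.conf" <<'EOF'
arch: amd64
cores: 4
hostname: jellyfin
lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: a
lxc.cap.drop:
EOF
    echo "$d"
}

# Demo run over the constructed samples; on a real host use: audit_all
samples=$(make_sample_configs)
echo "weak configs: $(audit_all "$samples")"
rm -rf "$samples"
```

The second sample is the shape a GPU-in-LXC guide typically produces: privileged, AppArmor off, all device nodes allowed. Every one of those lines widens what a kernel bug inside the container can reach, which is the trade-off the post is describing.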
2 Dedicated hardware passthrough
Enjoy native performance
Here is where VMs truly shine. Hardware passthrough is a capability that LXCs can't match. With a VM, I can perform PCI passthrough, which lets the virtual machine directly control a physical hardware device. The VM interacts with the device as if it were plugged into its own motherboard, which yields near-native performance. For example, with GPU passthrough, all the capabilities of a GPU are dedicated to that single VM.
In comparison, LXCs operate on a shared resource model: the LXC still accesses the device through the host's kernel and drivers. If multiple LXCs try to use the same device, it often leads to performance issues and complex setups.
Let's say you have created a dedicated VM (an Ubuntu Server VM) for a Jellyfin server. You can pass through your Intel iGPU or a dedicated NVIDIA GPU directly to this VM. Now, when the service needs to transcode a 4K video to full HD for my phone, it uses the VM's assigned GPU directly, and no other service competes for it. After all, the GPU is entirely dedicated to the VM.
Technically, I can expose an integrated GPU to an LXC, but there would be performance degradation and stability issues, because the iGPU is then shared by the Proxmox host and by Jellyfin running in the LXC container.
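The check a practitioner wants before handing a GPU to a VM is whether the device sits in an IOMMU group of its own: vfio binds a whole group, so a GPU that shares its group with a PCI bridge or a NIC cannot be given to one VM cleanly. The script below is an added example, not from the original post. It reads the standard sysfs layout (`/sys/bus/pci/devices/<addr>/iommu_group` and `/sys/kernel/iommu_groups/<n>/devices/`) and prints the matching `qm set ... --hostpci0` command, which is Proxmox's own CLI; the sysfs root is a parameter so it can be tried on a constructed tree, and the VM id and PCI addresses in the demo are made up. IOMMU has to be enabled on the host kernel command line (`intel_iommu=on` or `amd_iommu=on`) for the `iommu_group` links to exist at all.

```shell
#!/bin/sh
# Confirm a PCI device is alone in its IOMMU group (apart from the other
# functions of the same card) before passing it through to a Proxmox VM,
# then print the qm command. Added example, not from the post; the sysfs
# root is a parameter and the demo tree is constructed.

# Print the PCI addresses in the IOMMU group of device $2 under sysfs root $1.
iommu_group_members() {
    root="$1"; dev="$2"
    # .../devices/<addr>/iommu_group is a symlink to the group directory.
    group_dir=$(cd "$root/bus/pci/devices/$dev/iommu_group" 2>/dev/null && pwd -P) || return 1
    for m in "$group_dir"/devices/*; do
        [ -e "$m" ] || continue
        basename "$m"
    done
}

# Return 0 when every member of the group is a function of the same card
# (same domain:bus:slot, e.g. GPU plus its HDMI audio), 1 otherwise or when
# the device has no IOMMU group (typically IOMMU not enabled).
group_is_isolated() {
    root="$1"; dev="$2"
    members=$(iommu_group_members "$root" "$dev") || return 1
    [ -n "$members" ] || return 1
    slot="${dev%.*}"
    for m in $members; do
        [ "${m%.*}" = "$slot" ] || return 1
    done
    return 0
}

# Print the Proxmox command that attaches all functions of the card to a VM.
# Dropping the function suffix ("01:00" rather than "01:00.0") passes every
# function together; pcie=1 expects a q35 machine type.
passthrough_cmd() {
    vmid="$1"; dev="$2"
    addr="${dev#0000:}"
    echo "qm set $vmid --hostpci0 ${addr%.*},pcie=1"
}

# Print the command only when the group is clean; otherwise explain why not.
check_and_print() {
    root="$1"; vmid="$2"; dev="$3"
    if group_is_isolated "$root" "$dev"; then
        passthrough_cmd "$vmid" "$dev"
    else
        echo "$dev: IOMMU group not isolated, members: $(iommu_group_members "$root" "$dev" | tr '\n' ' ')" >&2
        return 1
    fi
}

# Constructed sysfs tree (not a real host): group 14 holds a GPU and its
# audio function; group 15 mixes a PCI bridge with a NIC. Prints the root.
make_fake_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/kernel/iommu_groups/14/devices/0000:01:00.0" \
             "$root/kernel/iommu_groups/14/devices/0000:01:00.1" \
             "$root/kernel/iommu_groups/15/devices/0000:00:1c.0" \
             "$root/kernel/iommu_groups/15/devices/0000:02:00.0" \
             "$root/bus/pci/devices/0000:01:00.0" \
             "$root/bus/pci/devices/0000:02:00.0"
    ln -s ../../../../kernel/iommu_groups/14 "$root/bus/pci/devices/0000:01:00.0/iommu_group"
    ln -s ../../../../kernel/iommu_groups/15 "$root/bus/pci/devices/0000:02:00.0/iommu_group"
    echo "$root"
}

# Demo on the constructed tree; on a real host use: check_and_print /sys <vmid> <addr>
fake=$(make_fake_sysfs)
check_and_print "$fake" 101 0000:01:00.0 || true   # clean group: prints the qm command
check_and_print "$fake" 101 0000:02:00.0 || true   # shared group: refused
rm -rf "$fake"
```

If the second case shows up for your real GPU, the fix is on the host side (a different slot, or BIOS/firmware options that split the groups), not a looser passthrough config.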
1 Docker is excellent for application-level containerization
Virtual machines virtualize entire machines, whereas Docker focuses on packaging individual applications into isolated, portable units called containers. Even though Docker containers offer isolation, they still share the kernel of their host. That is why I run Docker inside a VM, which adds an extra layer of security.
If, by some chance, a sophisticated attacker were to escape from one of my Docker containers, it would still be contained within the VM. They wouldn’t have direct access to my host’s kernel, file system, or other VMs.
Another advantage is that Docker containers within that VM can easily use the passed-through device. This creates a clean path to hardware acceleration without having to expose hardware directly to LXCs: the VM gets the hardware, and Docker within that VM uses it effortlessly.
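The guest-side half of that setup, as an added example that is not from the original post or the Jellyfin project: inside the VM that received the GPU, locate the render nodes the guest kernel exposes under `/dev/dri` and build a `docker run` for Jellyfin that maps only those nodes. The `--device` and `--group-add` flags and the `jellyfin/jellyfin` image are the standard ones; the config and media paths are placeholders, `stat -c %g` assumes GNU or busybox stat, and the `/dev` root is a parameter so the lookup can be tried on a constructed tree. The point of building the command this way is that the container gets the GPU and nothing else: no `--privileged`, no bind mount of all of `/dev`.

```shell
#!/bin/sh
# Inside the VM that received the GPU: find the render nodes and build a
# 'docker run' for Jellyfin that maps only those nodes. Added example, not
# from the post or the Jellyfin project; paths are placeholders and the
# /dev root is a parameter so the lookup can be tried on a constructed tree.

# Print the render nodes under $1/dri (normally /dev/dri), one per line.
render_nodes() {
    for n in "$1"/dri/render*; do
        [ -e "$n" ] || continue
        echo "$n"
    done
}

# Build the command: one --device per render node plus --group-add with the
# node's owning group so the container user can open it. No --privileged and
# no bind mount of /dev: the container sees the GPU and nothing else.
jellyfin_run_cmd() {
    devroot="$1"; config="$2"; media="$3"
    nodes=$(render_nodes "$devroot")
    [ -n "$nodes" ] || { echo "no render node under $devroot/dri" >&2; return 1; }
    cmd="docker run -d --name jellyfin --restart unless-stopped -p 8096:8096"
    for n in $nodes; do
        target="/dev/dri/$(basename "$n")"
        cmd="$cmd --device $n:$target --group-add $(stat -c %g "$n")"
    done
    echo "$cmd -v $config:/config -v $media:/media:ro jellyfin/jellyfin"
}

# Constructed /dev tree with one card and one render node (not a real VM).
make_fake_dev() {
    d=$(mktemp -d)
    mkdir -p "$d/dri"
    : > "$d/dri/card0"
    : > "$d/dri/renderD128"
    echo "$d"
}

# On the real VM the call is: jellyfin_run_cmd /dev /srv/jellyfin/config /srv/media
fake=$(make_fake_dev)
jellyfin_run_cmd "$fake" /srv/jellyfin/config /srv/media || true
rm -rf "$fake"
```

If `render_nodes /dev` prints nothing inside the VM, the passthrough itself is not working (no driver bound to the device in the guest), and no amount of Docker flags will fix that; check the VM's kernel log first.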
The power user’s playbook
For me, the clear benefits of VMs, such as offering complete hardware-level separation, dedicated resource allocation, and the ability to pass through critical devices like GPUs, make them the perfect option for demanding workloads and sensitive applications. At the same time, Docker excels at application-level packaging and portability.
This isn’t to say LXCs are obsolete. They are quite handy in specific scenarios where you need the lightweight nature, and the shared kernel isn’t a limitation.
