Thanks to their lightweight nature, minimal overhead, and fast startup times, Proxmox LXCs (Linux Containers) are a popular choice for many virtualization enthusiasts. However, in my journey building and managing various home lab setups, I've found myself gravitating towards Virtual Machines (VMs) and Docker containers. While LXCs certainly have their place, this post will explore the top reasons why VMs and Docker, often in combination, offer a superior experience for my specific needs.

3 VMs offer true isolation and security

Avoid security risks

This is the most crucial differentiation. By isolation, I am referring to separating one computing environment from another, and mainly, from the host system itself. Each VM runs its own completely independent operating system, complete with its own kernel, memory space, and virtualized hardware.

If a specific VM is compromised due to a security bug, it is difficult for an attacker to affect the host system or other VMs. An attacker inside the VM cannot directly access the host's kernel, file system, or other VMs without finding a flaw in the hypervisor itself.

On the flip side, LXC containers share the kernel with the host system. This is the fundamental difference. While this still provides good process isolation, every application relies on the same Linux kernel as the Proxmox host. That means that if an attacker finds and exploits a kernel-level vulnerability from within an LXC, they can gain access to the host system and every other LXC running on that host.

Whenever I need to set up a new piece of open-source software with an unfamiliar codebase, I install the experimental web app in a VM. If it has a vulnerability that leads to a full system compromise, the malware is trapped within the VM's isolated environment. I can simply delete the compromised VM and start fresh.
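Because an LXC's only boundary is the shared kernel plus whatever namespaces, capabilities and MAC profile the container config leaves in place, it is worth checking that a container's config has not quietly widened that boundary. The script below is an added example, not code from the original post or from Proxmox itself. It assumes the key names Proxmox writes to its per-container config files (unprivileged, features, and the pass-through lxc.* keys); the two config texts are constructed samples for the example, not copied from a real host.

```shell
#!/bin/sh
# Constructed sample: a privileged container with several settings that hand
# host resources to the guest (made up for this example).
SAMPLE_CONF='arch: amd64
cores: 2
hostname: webapp-test
memory: 2048
net0: name=eth0,bridge=vmbr0,ip=dhcp
ostype: debian
rootfs: local-lvm:vm-201-disk-0,size=8G
unprivileged: 0
features: nesting=1,keyctl=1
lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: c 226:* rwm
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.cap.drop:'

# Constructed sample: the same container kept unprivileged and confined.
HARDENED_CONF='arch: amd64
cores: 2
hostname: webapp-test
memory: 2048
net0: name=eth0,bridge=vmbr0,ip=dhcp
ostype: debian
rootfs: local-lvm:vm-201-disk-0,size=8G
unprivileged: 1
features: keyctl=1'

# Print one line per setting that weakens the container/host boundary.
lxc_conf_findings() {
    conf="$1"
    # 1. Without "unprivileged: 1" the container is privileged: UID 0 inside
    #    is UID 0 on the host, so a kernel bug is a direct host compromise.
    if ! printf '%s\n' "$conf" | grep -q '^unprivileged: 1$'; then
        echo "privileged container (no 'unprivileged: 1')"
    fi
    # 2. nesting/mount features expose extra kernel interfaces to the guest.
    if printf '%s\n' "$conf" | grep -Eq '^features:.*(nesting=1|mount=)'; then
        echo "features enable nesting or extra mount types"
    fi
    # 3. An unconfined AppArmor profile removes the MAC layer between
    #    container and host.
    if printf '%s\n' "$conf" | grep -q '^lxc.apparmor.profile: unconfined'; then
        echo "AppArmor profile set to unconfined"
    fi
    # 4. Device allow rules hand host device nodes to the container.
    if printf '%s\n' "$conf" | grep -Eq '^lxc\.cgroup2?\.devices\.allow:'; then
        echo "host device access granted via cgroup devices.allow"
    fi
    # 5. Bind mounts expose host paths inside the container.
    if printf '%s\n' "$conf" | grep -q '^lxc.mount.entry:'; then
        echo "host path bind-mounted into the container"
    fi
    # 6. An empty lxc.cap.drop clears the default list of dropped capabilities.
    if printf '%s\n' "$conf" | grep -Eq '^lxc\.cap\.drop:[[:space:]]*$'; then
        echo "default capability drop list cleared"
    fi
    return 0
}

# Number of findings, as a plain integer on stdout.
lxc_conf_risk_score() {
    lxc_conf_findings "$1" | grep -c .
}

# Usage: run both samples through the audit.
for name in SAMPLE_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    echo "== $name: $(lxc_conf_risk_score "$conf") finding(s)"
    lxc_conf_findings "$conf" | sed 's/^/   /'
done
```

A score of zero does not turn an LXC into a VM: the kernel is still shared, which is the point of this section. The audit only catches the common case where a container that started out unprivileged is later made privileged or given device and mount access to make some application work, silently removing what little separation it had.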

2 Dedicated hardware passthrough

Enjoy native performance

This is where VMs truly shine. Hardware passthrough is a capability that LXCs can't match. With a VM, I can perform PCI passthrough, which lets the virtual machine directly control a physical hardware device: the VM interacts with the device as if it were plugged into its own motherboard, which gives near-native performance. For example, with GPU passthrough, all of a GPU's capabilities are dedicated to that single VM.

In comparison, LXCs operate on a shared resource model. An LXC still accesses the device through the host's kernel and drivers. If multiple LXCs try to use the same device, it often leads to performance issues and complex setups.

Let's say you have created a dedicated VM (an Ubuntu Server VM) for a Jellyfin server. You can pass through your Intel iGPU or a dedicated NVIDIA GPU directly to this VM. Now, when the service needs to transcode a 4K video to full-HD for my phone, it uses the VM's assigned GPU directly. This delivers full performance without contending with other services, since the GPU is entirely dedicated to the VM.

Technically, I can expose an integrated GPU to an LXC, but there would be performance degradation and stability issues, since the iGPU is then shared between the Proxmox host and Jellyfin when the latter runs in an LXC container.
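Whether a GPU can really be "entirely dedicated" to one VM depends on its IOMMU group: every endpoint device in the group has to leave the host together, so a GPU that shares a group with an unrelated controller cannot be handed to a VM on its own. The script below is an added example, not code from the original post. It assumes a listing in the shape a walk over /sys/kernel/iommu_groups would produce (group number, PCI address, description), with the device list itself constructed for the example, and it applies the usual VFIO rule that other functions of the same PCI slot and PCI bridges do not block passthrough.

```shell
#!/bin/sh
# Constructed sample listing: "<group> <domain:bus:slot.func> <description>".
# Made up for this example; a real host would produce it from
# /sys/kernel/iommu_groups/*/devices/*.
SAMPLE_IOMMU='1 0000:00:01.0 PCI bridge
1 0000:01:00.0 VGA compatible controller
1 0000:01:00.1 Audio device
2 0000:00:02.0 VGA compatible controller
3 0000:00:14.0 USB controller
3 0000:00:1f.3 Audio device
4 0000:02:00.0 Ethernet controller'

# Print the PCI addresses in the target device's IOMMU group that would have
# to go with it but are not part of the same card (same slot) or a bridge.
passthrough_blockers() {
    listing="$1"
    target="$2"
    group=$(printf '%s\n' "$listing" | awk -v t="$target" '$2 == t { print $1; exit }')
    if [ -z "$group" ]; then
        echo "unknown device $target"
        return 0
    fi
    # Drop the function number: 0000:01:00.0 -> 0000:01:00 (the whole card).
    slot=${target%.*}
    printf '%s\n' "$listing" | awk -v g="$group" -v s="$slot" '
        $1 != g { next }                     # other groups are irrelevant
        index($2, s ".") == 1 { next }       # another function of the same card
        tolower($0) ~ /bridge/ { next }      # bridges may stay bound to the host
        { print $2 }'
    return 0
}

# "yes" when the device can be dedicated to a VM without dragging along
# unrelated hardware, "no" otherwise.
passthrough_ready() {
    if [ -z "$(passthrough_blockers "$1" "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# Usage: check a discrete GPU, an iGPU, and a USB controller from the sample.
for dev in 0000:01:00.0 0000:00:02.0 0000:00:14.0; do
    echo "$dev: passthrough_ready=$(passthrough_ready "$SAMPLE_IOMMU" "$dev")"
    passthrough_blockers "$SAMPLE_IOMMU" "$dev" | sed 's/^/   blocked by: /'
done
```

In the sample the discrete GPU (0000:01:00.0) shares its group only with its own audio function and the root port, so it can be dedicated to the Jellyfin VM; the USB controller cannot, because an unrelated audio device sits in the same group and would have to be detached from the host as well. Running the real loop over /sys/kernel/iommu_groups before configuring passthrough avoids discovering this after the VM refuses to start.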