Chapter 8

Containers vs VMs

When Docker wins, when full VM wins.

Learning objectives

  • Explain how containers differ from full VMs at the OS level
  • Use Proxmox LXC for lightweight services
  • Choose VM vs container for Workshop Co. workloads

VMs vs containers — the core difference

A VM runs a complete guest operating system with its own kernel. A container shares the host kernel but isolates processes with namespaces and cgroups — it behaves like a lightweight Linux box without booting a second kernel.

                    VM (KVM)                       Container (LXC/Docker)
Boot time           Minutes (full OS)              Seconds
Isolation           Strong — separate kernel       Strong for Linux; shared kernel
Density             Heavier per instance           Many containers on one host
Windows guest       Yes                            No (Linux containers only on Linux host)
Proxmox support     QEMU/KVM VMs                   Built-in LXC

Worked example — Workshop Co. reverse proxy

Marcus runs Traefik as an LXC container (CT 200) on Proxmox instead of a full VM:

  • CT 200: 512 MB RAM, 1 vCPU, Debian template
  • Terminates TLS for www.workshopco.ca, staging.workshopco.ca, files.workshopco.ca
  • Routes to VM 110 (web), VM 111 (staging), VM 130 (Nextcloud)

# Create LXC on Proxmox — CT ID 200
# --unprivileged 1 is given explicitly: the web UI defaults to unprivileged,
# but pct create on the command line defaults to a privileged container
pct create 200 local:vztmpl/debian-12-standard_12.0-1_amd64.tar.zst \
  --hostname traefik --memory 512 --cores 1 --rootfs local-lvm:8 \
  --unprivileged 1 \
  --net0 name=eth0,bridge=vmbr0,ip=192.168.10.10/24,gw=192.168.10.1

pct start 200
pct enter 200
# Install traefik inside container...

When LXC wins

Single-purpose Linux services with low resource needs — reverse proxies, DNS forwarders, monitoring agents. Keep PostgreSQL and the main app in VMs for stronger isolation and familiar backup tools.

When to stay with VMs

  • Database (VM 120) — I/O tuning, kernel params, vendor support assumes VM
  • Web app (VM 110) — PHP-FPM stack, multiple packages, easier snapshot whole disk
  • Windows — always VM; no LXC option
  • Untrusted multi-tenant — VM boundary if container escape is a concern

Docker on the host vs LXC

Marcus could run Docker directly on the Proxmox host, but this is discouraged. Docker inside a dedicated VM or LXC keeps the hypervisor clean. Proxmox LXC integrates with the backup scheduler and resource limits in the same UI as VMs.

Privileged containers

Unprivileged LXC (default on Proxmox) maps UIDs safely. Avoid privileged containers unless you understand the host-kernel exposure — not needed for Traefik.
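As an added example (not code from the chapter), a small POSIX shell audit of the text that `pct config <ctid>` prints: it reports whether a container such as CT 200 is unprivileged and flags raw lxc.* overrides that remove confinement. Both config samples are constructed for the example; on a real node you would feed it `pct config 200` output.

```sh
#!/bin/sh
# Audit a Proxmox LXC config for settings that weaken the shared-kernel boundary.
# Prints one finding per line and returns the number of warnings (0 = clean).
audit_ct_config() {
  conf="$1"
  warns=0
  if grep -q '^unprivileged: 1$' "$conf"; then
    echo "OK   unprivileged: CT root is mapped to an unprivileged host UID"
  else
    echo "WARN privileged: CT root is host root on the shared kernel"
    warns=$((warns + 1))
  fi
  # Raw lxc.* keys bypass the Proxmox defaults; flag the ones that drop confinement.
  if grep -q '^lxc\.apparmor\.profile: unconfined' "$conf"; then
    echo "WARN AppArmor profile disabled for this CT"
    warns=$((warns + 1))
  fi
  if grep -q '^lxc\.cap\.drop: *$' "$conf"; then
    echo "WARN capability drop list cleared (CT keeps all capabilities)"
    warns=$((warns + 1))
  fi
  feats=$(sed -n 's/^features: //p' "$conf")
  [ -n "$feats" ] && echo "INFO extra features enabled: $feats"
  return "$warns"
}

# Constructed sample: CT 200 from this chapter, created unprivileged.
cat > /tmp/ct200.conf <<'EOF'
arch: amd64
cores: 1
hostname: traefik
memory: 512
net0: name=eth0,bridge=vmbr0,gw=192.168.10.1,ip=192.168.10.10/24,type=veth
ostype: debian
rootfs: local-lvm:vm-200-disk-0,size=8G
unprivileged: 1
EOF

# Constructed sample: the same service built privileged with AppArmor switched off.
cat > /tmp/ct200-priv.conf <<'EOF'
arch: amd64
cores: 1
hostname: traefik
memory: 512
ostype: debian
rootfs: local-lvm:vm-200-disk-0,size=8G
features: nesting=1
lxc.apparmor.profile: unconfined
EOF

audit_ct_config /tmp/ct200.conf; echo "warnings: $?"
audit_ct_config /tmp/ct200-priv.conf; echo "warnings: $?"
```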

Try it yourself

Classify each Workshop Co. component as VM, LXC, or either:

  1. Redis cache for session storage
  2. PostgreSQL 16 booking database
  3. Small SMTP relay (postfix forwarding to Google)
  4. Legacy Windows app for CNC toolpath (hypothetical shop equipment)

Sample answers

  1. LXC or VM — LXC fine if bound to localhost only
  2. VM — data integrity and isolation priority
  3. LXC — minimal footprint
  4. VM — Windows requires KVM VM

Check your understanding

  1. Do LXC containers on Proxmox need a separate kernel image?
  2. Why might Marcus avoid running Docker directly on the Proxmox host OS?

Answers

  1. No — they share the host's Linux kernel (Proxmox node's kernel).
  2. Blurs support boundaries, increases attack surface, and complicates upgrades — dedicated CT/VM is cleaner.