Docker in LXC on Proxmox: Risks, Tradeoffs, and Lessons
November 10, 2025
In the world of Proxmox-powered homelabs, there's a question that keeps coming up like clockwork: should you run Docker inside an LXC container, or play it safe and drop Docker into a virtual machine instead? It seems simple — LXCs are lighter, faster, and more resource-efficient. But under that lean surface, a few lurking risks have users second-guessing themselves.
From blown-up hosts to kernel panics, the debate isn't just theoretical. It's rooted in experience. Dozens of homelabbers have shared what works, what fails, and what they wish they knew before betting their uptime on containers inside containers.
Let's unpack the community's take on whether running Docker in an LXC is brilliant, dangerous, or both.
## **The Appeal: Speed, Simplicity, and Pure Efficiency**
If there's one thing Proxmox users can agree on, it's that LXCs are nimble. They boot quickly, use fewer resources than a VM, and let you fine-tune resource allocation with surgical precision. That makes them attractive for running Docker.
"I use multiple LXCs. Management is just easier for me. I know this one LXC will do one thing and that's it," said one user, summing up the 'one-container-per-service' mindset.
Others run Docker inside a single LXC to keep services grouped together, especially when they're low-impact. For many, it's not just efficient—it's familiar. If you already know Docker and compose files, throwing it in an LXC feels natural.
A few users even took it further: "I've got 50 LXCs and 1 Docker VM. It's not that hard to manage if you automate the normal things." Talk about scale.
## **The Pain Points: When Docker Inside LXC Bites Back**
Now here's where things get messy.
One user shared a cautionary tale: "A process inside my Docker LXC caused a kernel panic and it brought down my entire host. If it was a VM instead, it would have just crashed the VM." That's the nightmare scenario—and not just a fluke.
An LXC container shares the Proxmox host's kernel instead of running its own, so a kernel-level fault triggered inside the container can take the whole host down with it. Some users discovered this the hard way.
"You're combining two sets of security concerns," another explained. "LXC has holes. Docker has holes. Together, you've got extra attack vectors."
Others found Docker-in-LXC simply didn't play nice with certain containers: "Not every Docker container works in LXC. My mail server didn't run properly, probably due to apparmor or something."
There are also headaches with mounting NFS shares or passing through hardware like GPUs. Docker in a VM? Easy. Docker in an LXC? Sometimes it's a config nightmare.
## **Privileged vs. Unprivileged: Choose Your Fighter**
A lot of the risk boils down to whether you run your LXC as privileged or unprivileged.
Privileged LXCs act more like the host system and allow more direct access to hardware, which makes Docker happier, especially with GPU passthrough or mounting USB devices. But that also makes them more dangerous: root inside a privileged container is root on the host, so if something goes rogue and breaks out, it can mess with your Proxmox host directly.
Unprivileged LXCs are safer. They map the container's root user to an unprivileged user on the host, which sandboxes things more tightly, but Docker doesn't always run smoothly in them.
One user tried to go the unprivileged route with rootless Podman as an alternative: "Was your LXC privileged? I went with an unprivileged LXC and rootless Podman. I don't see how that could happen in this config." But even then, it's not bulletproof.
Another pointed out, "Not all things can run in unprivileged mode. Depends what you need your Docker to do."
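To see which side of this tradeoff a given container is on, the sketch below audits a Proxmox LXC config for the settings that Docker-in-LXC setups commonly loosen. It is an added example, not code from the original post: the sample config is constructed and the finding names are hypothetical labels, while the config keys are the standard Proxmox and LXC ones.

```python
# Constructed sample of /etc/pve/lxc/<vmid>.conf; not taken from a real host.
SAMPLE_CONF = """\
features: nesting=1,keyctl=1
rootfs: local-lvm:vm-101-disk-0,size=16G
lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: a
lxc.cap.drop:

[before-upgrade]
lxc.apparmor.profile: unconfined
"""


def parse_current(text):
    """Return (key, value) pairs of the live config, skipping snapshot sections."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # snapshot sections follow the live config
            break
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # values may contain ':' (rootfs)
        pairs.append((key.strip(), value.strip()))
    return pairs


def audit(text):
    """Return finding codes (hypothetical names) for isolation-weakening settings."""
    pairs = parse_current(text)
    conf = dict(pairs)
    nesting = "nesting=1" in conf.get("features", "").replace(" ", "").split(",")
    findings = []
    if conf.get("unprivileged", "0") != "1":  # key absent means privileged
        findings.append("privileged")
        if nesting:  # nesting exposes host procfs/sysfs to the guest
            findings.append("privileged+nesting")
    for key, value in pairs:  # raw lxc.* keys may repeat, so scan every pair
        if key == "lxc.apparmor.profile" and value == "unconfined":
            findings.append("apparmor-unconfined")
        elif key in ("lxc.cgroup2.devices.allow", "lxc.cgroup.devices.allow") and value == "a":
            findings.append("all-devices-allowed")
        elif key == "lxc.cap.drop" and value == "":
            findings.append("cap-drop-cleared")  # empty value clears the drop list
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An unprivileged container with only `nesting=1,keyctl=1` set returns an empty list, which is the baseline to aim for before adding any raw `lxc.*` overrides.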
## **The Middle Ground: Hybrid Approaches Are Gaining Ground**
More and more Proxmox users are landing somewhere in between: use VMs for core or complex Docker stacks, and stick with LXCs for lighter, less critical services.
One homelabber summarized it well: "I use LXC for my most important services, and I have a Docker VM for docker services that I don't care too much if they go down. Zero Docker on the LXCs."
Another went the opposite route, running Docker in LXCs for minor services and keeping VMs for big apps like Frigate and Immich that needed GPU access or better isolation.
A third shared: "I have one Docker-specific LXC that runs all my minor services. I've never had an issue running Docker in an LXC."
It's clear the answer isn't black and white — it's about what matters most to you. Isolation? Portability? Simplicity?
## **The Case for VMs: Stability, Security, and Peace of Mind**
Plenty of users—especially those who've hit weird bugs or crashed their Proxmox node—now swear by putting Docker in a VM instead.
"As I understand it, LXC has some security holes and Docker has some security holes. Add them together and you get more trouble," one user wrote.
Even Proxmox's own documentation quietly suggests that Docker should run in a full VM for better isolation. And when updates roll out to Proxmox, your containers inside a Docker VM keep humming. Try that with LXC? Might get spicy.
Then there's the backup issue. "LXCs don't support dirty bitmaps for backups," one user warned. "That means every time your backup runs, the whole storage gets scanned. VMs are way more efficient."
## **Real-World Setups: What Users Actually Do**
**User A:** VM with Docker, GPU passthrough for AI workloads. Keeps things modular.
**User B:** 11 LXCs, one per service. Low power server, careful on resource use.
**User C:** One LXC with all Docker-only services. Says it's easier than converting each app to an LXC-native install.
**User D:** Runs Docker in LXCs for "non-critical" services and accepts the occasional hiccup as the price of lightweight hosting.
**User E:** Went full Kubernetes across VMs. Ditched both LXC and Docker-in-LXC for something more scalable and modern.
Every setup reflects personal preference, server specs, and how much pain you're willing to tolerate when things go sideways.
## **Final Word: It's Not a Bomb—But It's Definitely Wired**
So, is Docker in an LXC a ticking time bomb?
Let's say this: it's more like playing Jenga. You can build something tall, efficient, and beautiful — but if you pull the wrong block (update the wrong kernel, run the wrong container, misconfigure something), it can all come down harder than expected.
If your setup is just for internal services, and you're comfortable tinkering, Docker in LXC can absolutely work. Just go in knowing the risks and plan for recovery. Snapshots, off-host backups, and security hardening are your friends.
But if you're running services that matter—stuff exposed to the internet, involving authentication, media access, AI models, or public APIs—maybe put them in a VM. The overhead's worth the peace of mind.
And remember: this is your homelab. You don't have to get it perfect from the start. Experiment, fail fast, and rebuild smarter.