Docker vs Virtual Machines in a Home Lab

Docker containers and virtual machines both isolate workloads, but they do it differently. A VM emulates an entire computer — CPU, memory, disk, firmware — and runs its own complete operating system. A Docker container shares the host OS kernel and isolates only the application and its dependencies. In a homelab, you typically use both: VMs for network appliances and OS-level isolation, Docker for running dozens of self-hosted apps efficiently on limited hardware.

How Virtual Machines Work

A hypervisor (Proxmox, VMware, Hyper-V) runs on bare metal and presents each VM with virtualized hardware. The VM boots its own kernel and OS independently — a Windows VM and a Linux VM can coexist on the same host without knowing about each other. This strong isolation means a kernel panic in one VM cannot affect other VMs or the host. VMs also let you run different operating systems: an OPNsense VM for your firewall, a Windows Server VM for Active Directory practice, and Ubuntu VMs for services, all on the same physical machine.

The cost of this isolation is overhead. Each VM needs its own OS installation (2–20 GB disk), its own kernel in memory (often 200–500 MB baseline RAM), and takes 20–60 seconds to boot. A machine with 32 GB RAM can comfortably run 8–12 medium VMs before RAM pressure becomes a constraint.

How Docker Containers Work

Docker containers share the host Linux kernel. Instead of virtualizing hardware, Docker uses Linux kernel namespaces (isolating process IDs, network stacks, mounts) and cgroups (limiting CPU and memory usage) to create isolated environments. A container starts in under a second, uses tens of megabytes of RAM overhead (not hundreds), and shares the OS with other containers.

The tradeoff is weaker isolation: all containers share the same kernel. A kernel exploit could theoretically escape container isolation. For homelab use this is an acceptable risk, but security-sensitive deployments use VMs or gVisor (a container sandbox with its own kernel). Docker also cannot run Windows applications on a Linux host — for that you need a Windows VM.
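The namespace and cgroup separation described above only holds if a container is not configured to opt out of it. The following audit is an added example, not part of the original article: it checks `docker inspect` output for settings that join host namespaces, leave cgroup limits unset, or widen access to the shared kernel. The field names are the ones Docker emits; the container names, paths and values in the sample are constructed.

```python
import json

# Constructed sample: trimmed `docker inspect` output; names and values made up.
SAMPLE_INSPECT = json.loads("""
[{"Name": "/media-server",
  "HostConfig": {"Privileged": false, "NetworkMode": "host", "PidMode": "",
                 "IpcMode": "private", "Memory": 0, "PidsLimit": null,
                 "CapAdd": null},
  "Mounts": [{"Source": "/srv/media", "Destination": "/media"}]},
 {"Name": "/dashboard",
  "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "PidMode": "",
                 "IpcMode": "private", "Memory": 268435456, "PidsLimit": 200,
                 "CapAdd": ["SYS_ADMIN"]},
  "Mounts": [{"Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]}]
""")


def audit_container(info):
    """List settings that give up namespace or cgroup isolation."""
    hc = info.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged mode")
    # Namespaces: the value "host" means the container joins the host's own.
    for key, label in (("NetworkMode", "network"), ("PidMode", "PID"),
                       ("IpcMode", "IPC")):
        if hc.get(key) == "host":
            findings.append(f"shares host {label} namespace")
    # cgroups: 0, null or a negative value means no limit was configured.
    if not hc.get("Memory"):
        findings.append("no memory limit")
    if (hc.get("PidsLimit") or 0) <= 0:
        findings.append("no PID limit")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    for mount in info.get("Mounts") or []:
        if mount.get("Source", "").endswith("docker.sock"):
            findings.append("Docker socket mounted (daemon control from inside)")
    return findings


def audit_all(containers):
    return {c["Name"].lstrip("/"): audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(findings))
```

To audit real containers, parse the output of `docker inspect $(docker ps -q)` with `json.loads` and pass it to `audit_all` in place of the sample.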

When to Use VMs vs Docker

Use VMs when: you need a different OS (Windows, BSD, OPNsense); you need strong isolation (for example, a test environment that might run untrusted code); you are running a network appliance that needs its own networking stack; or you are practicing skills that require a full OS (Active Directory, SQL Server, kernel configuration).

Use Docker when: you are running application-layer services (Plex, Nextcloud, Vaultwarden, Gitea, Immich, Uptime Kuma); you want to run many services on limited RAM; you need rapid deployment and easy updates (docker compose pull && docker compose up -d); or the application provides an official Docker image.

Docker vs Virtual Machines Side-by-Side

Aspect | Docker Container | Virtual Machine
--- | --- | ---
Startup time | <1 second | 20–60 seconds
RAM overhead per instance | ~10–50 MB | ~200–500 MB (OS kernel)
Disk per instance | ~100 MB–1 GB (shared layers) | 2–30 GB (full OS install)
Kernel isolation | Shared host kernel | Own kernel; full isolation
OS diversity | Linux only (on Linux host) | Any OS (Windows, BSD, etc.)
Security isolation | Namespace/cgroup separation | Hardware-level hypervisor isolation
Networking flexibility | Bridge, host, overlay networks | Full virtual NIC, VLAN tagging
Typical homelab use | Apps (Plex, Nextcloud, Pi-hole) | Firewalls, Windows, NAS OS, testing
Management tool | Docker Compose, Portainer | Proxmox web UI, vSphere
Update workflow | docker compose pull + up -d | OS package updates or snapshot + upgrade

Frequently Asked Questions

Can I run Docker inside a Proxmox VM?

Yes — this is a common homelab pattern. You create a Debian or Ubuntu VM in Proxmox, install Docker inside it, and run your containers there. The VM provides OS-level isolation from your other VMs and lets you snapshot the entire Docker environment before updates. Alternatively, Proxmox LXC containers can run Docker if the LXC is unprivileged with nesting enabled.

What is Docker Compose and should I use it?

Docker Compose is a tool that lets you define multi-container applications in a YAML file (docker-compose.yml) and manage them with single commands. Instead of running long docker run commands with many flags, you write the configuration once and use docker compose up -d to start, docker compose down to stop, and docker compose pull to update. Almost all self-hosted app documentation provides a Docker Compose file — use it.

What is Portainer?

Portainer is a web-based management interface for Docker. It provides a visual dashboard for containers, images, volumes, and networks — useful if you prefer not to manage everything from the command line. Portainer itself runs as a Docker container. The Community Edition is free and handles most homelab needs.

Is LXC (Proxmox container) the same as Docker?

Both LXC and Docker use Linux namespaces and cgroups, but LXC provides a full Linux system environment (init process, systemd, etc.) while Docker wraps a single application process. Proxmox LXC containers are closer to lightweight VMs than Docker containers — they can run system services and package managers normally. Many homelabbers run Docker inside an LXC container to get both the density of LXC and the ecosystem of Docker images.
