Navigation section

Proxmox in Docker (Dockermox): A Lab Trick, Not Production-Ready

  • Thread Author
Proxmox can be run inside a Docker container — and yes, it actually works well enough to be useful for tinkering — but the method requires deliberate compromises, extra host privileges, and several manual workarounds that make it unsuitable for production and risky for anything beyond experimentation. (github.com)

A futuristic holographic data diagram displayed inside a glass chamber with a NOT PRODUCTION-READY warning.Background / Overview​

Proxmox VE (PVE) is a full-featured, Debian-based virtualization platform built for bare-metal installs. It blends KVM-based virtual machines and LXC containers under one management plane and exposes an intuitive web UI and APIs for orchestration. That design makes Proxmox lean enough to run on modest hardware, but also powerful enough to run multi-VM production workloads when deployed on a proper host. The official stance and common practice remain: install Proxmox on dedicated hardware or inside a full VM, not as a service inside a container. (proxmox.com)
Still, a DIY project and a community-maintained image called Dockermox (rtedpro-cpu / dockermox) package a PVE install inside a Docker container. The image and repo include a quick-start Docker command, a vmbr0 helper, and notes about limitations and troubleshooting — essentially packaging the Proxmox stack to run inside a privileged container. The repository demonstrates the idea is doable: the container boots Proxmox, exposes the web UI, and can create and run guests and containers in many cases. (github.com)
This article distills the how and why, verifies the technical steps against public documentation and community reports, highlights the necessary tweaks to make LXCs and VMs usable, and provides a practical risk/benefit analysis so readers can decide whether this is a curiosity or something to adopt.

How Dockermox packages Proxmox inside Docker​

What Dockermox provides​

  • A Docker image containing a Debian-based Proxmox VE installation and supporting packages.
  • A ready-made Docker run example that binds the web UI port (8006) and runs the container in privileged mode.
  • Helper files for creating a vmbr0 bridge and partial LXC support under containerized Proxmox. (github.com)
The canonical Docker example from the repository is a one-liner that is intentionally permissive:
  • docker run -itd --name proxmoxve --hostname pve -p 8006:8006 --privileged rtedpro/proxmox:<tag>
    This command maps the web UI, names the container, and grants the container broad privileges on the host (the --privileged flag). The README warns that vmbr0 is not created by default and suggests the vmbr0 helper folder for creating the bridge. (github.com)

What the container needs from the host​

Running Proxmox in Docker pulls the Proxmox control plane into a userspace process, but Proxmox still expects low-level kernel features that a container normally doesn’t provide:
  • Access to kernel modules and devices (e.g., /dev/fuse, /dev/kvm for nested virtualization experiments).
  • Networking support (a vmbr bridge is not created by the image automatically; you must provide or bind one).
  • Elevated privileges to manage namespaces, cgroups, and device nodes — hence the common use of --privileged. (github.com)
Because of this, the container is closer to a lightweight “host-in-a-container” than a confined microservice: it needs host-level trust and control.

Step-by-step: what the hands-on setup looks like​

Below is a distilled, practical reproduction of the steps used in community writeups and the Dockermox README with verified ops and caveats. Use this as a blueprint — not a production recipe.
  • Confirm host prerequisites:
  • Docker engine installed and functional.
  • Kernel features for fuse (/dev/fuse) present if you plan to use filesystem features.
  • If you need nested virtualization (KVM within guests), /dev/kvm and BIOS virtualization support must be enabled. (github.com)
  • Pull and start the Dockermox image:
  • Example: docker run -itd --name proxmoxve --hostname pve -p 8006:8006 --privileged rtedpro/proxmox:<tag>
  • The repo example uses a sample tag; community users have reported running different tags (the precise tag may vary over time). Treat image tags as mutable community artifacts and verify the tag you intend to run. (github.com)
  • Check for /dev nodes:
  • ls /dev/fuse and optionally ls /dev/kvm; if missing, either enable kernel modules on the host or adjust your plan.
  • Provide a bridge network:
  • Dockermox does not create vmbr0 automatically. Create a Docker network or host bridge, attach the container, then create the Linux bridge from inside PVE’s GUI or by editing the container’s network config.
  • Example Docker network create and connect:
  • sudo docker network create --driver bridge --subnet=192.168.1.0/24 eth2
  • sudo docker network connect eth2 proxmoxve
  • Log into the PVE web UI:
  • Default credentials in the image are often root / root (per the repo), so immediately rotate any default password if you plan to reuse the image. (github.com)
  • Create and test VMs:
  • Virtual machines can be created through the web UI and they run QEMU/KVM inside the containerized Proxmox — but performance and hardware passthrough capabilities will be limited compared to a bare-metal host or a fully nested KVM VM. Expect overhead and feature gaps.
  • Tackle LXC quirks (see below).
This sequence has been reproduced by enthusiasts and community posts; it reliably starts a functional PVE web UI and allows VM creation, albeit with restrictions and manual fixes for containers (LXCs). (github.com, forum.proxmox.com)

LXCs: the awkward child of containerized Proxmox​

Running LXC guests inside a Proxmox instance that itself runs in a container introduces friction. Two recurring issues appear in community reports:
  • lxcfs.service can be disabled by systemd when the system detects it is running inside a container. The typical workaround is to remove or comment out the ConditionVirtualization line in /lib/systemd/system/lxcfs.service and then run systemctl daemon-reload and restart the service. This enables lxcfs inside the containerized Proxmox. Community threads and bug reports document the same exact file edit as the common fix. (forum.proxmox.com)
  • AppArmor — modern Linux distributions rely on AppArmor to confine container processes. LXC inside PVE expects certain capabilities, and AppArmor restrictions can block operations. The documented Proxmox approach for problematic LXC containers is to set lxc.apparmor.profile = unconfined in the container’s config file, but this weakens confinement and increases risk. Proxmox documentation explicitly notes that disabling AppArmor for a container is not recommended for production. (pve.proxmox.com, forum.proxmox.com)
A practical summary:
  • To run LXCs reliably in Dockermox you will likely need to disable ConditionVirtualization for lxcfs and set lxc.apparmor.profile=unconfined for each LXC, or add equivalent Docker security_opt settings on container startup. Those changes create a less secure environment, and some LXC functionality may still be impaired. (forum.proxmox.com, pve.proxmox.com)

Virtual machines in Dockermox: surprisingly competent​

Community reports and hands-on tests indicate that user-space Proxmox running inside Docker can create and host QEMU/KVM virtual machines. In practical terms:
  • Simple VMs (Linux desktops and servers) boot and run with acceptable responsiveness for testing and light workloads.
  • You may experience reduced disk and I/O performance, and any hardware passthrough (PCIe, GPUs) is limited or impossible unless you explicitly expose the device to the containerized environment and the host supports nested passthrough patterns.
  • Users commonly run several small VMs concurrently without catastrophic failure; however, the overall responsiveness is consistently worse than a bare-metal PVE host. This matches community consensus that containerized hypervisors are good for learning and experimentation but not for production workloads. (github.com, forum.proxmox.com)
One practical inconvenience: network behavior frequently needs manual static IP assignment or DHCP run from inside the guest, because the container-hosted PVE instance lacks a standard NIC/bridge setup unless the operator provisioned one on the Docker host and connected it properly.

Security, stability, and upgrade concerns​

Running a virtualization orchestrator inside a container comes with pronounced trade-offs.
  • Large attack surface: The container must be started with broad host privileges (often --privileged), which grants the container almost full access to the host kernel and devices. That removes many of Docker’s containment benefits and exposes the host to greater risk if the Proxmox stack is compromised. (github.com)
  • AppArmor and LXC weakening: Fixes that make LXCs work (lxc.apparmor.profile=unconfined, apparmor:unconfined in Docker’s security options) explicitly reduce isolation and should be considered a compromise. Proxmox’s documentation warns about disabling AppArmor for containers. (pve.proxmox.com, forum.proxmox.com)
  • Fragile upgrades: Proxmox upgrades expect a full Debian-based host layout. In a container, package upgrades or kernel-dependent changes can break the image or leave the container in a partially upgraded state. Community repositories warn that containerized PVE instances are community projects without official support; exercise caution before applying automatic upgrades. (github.com)
  • Unsupported configuration: Vendor support and many community guides assume Proxmox runs on dedicated hardware or in a full VM. Running PVE in Docker is a DIY pattern and is therefore unsupported by Proxmox Server Solutions. Use it for learning and experimentation only. (proxmox.com, forum.proxmox.com)

When (if ever) this makes sense — practical use cases​

Running Proxmox in Docker is not a recommended long-term architecture, but there are legitimate short-term use cases:
  • Learning and UI exploration: Quickly spin up a PVE UI to learn the web console, storage configuration, and VM creation workflows without dedicating hardware or creating a VM.
  • Testing configuration changes: Validate Proxmox UI workflows or third-party scripts in an isolated lab before applying to a production node.
  • Demonstrations and workshops: Provide a transient, shareable demonstrator (e.g., a workshop VM image) so attendees can inspect PVE without complex provisioning.
  • Lightweight self-hosting (experimental): If you accept the security and manageability trade-offs, a persistent Dockermox instance can serve as a compact “test bench” for low-risk services.
However, the right long-term choices for actual home-lab or production use remain:
  • Bare-metal Proxmox for full feature set and performance.
  • A dedicated VM for Proxmox when sharing a host with other services.
    Community guidance widely favors full VMs over running Docker on the hypervisor host for operational clarity and safety. (forum.proxmox.com, reddit.com)

Troubleshooting checklist and practical tips​

  • Verify device nodes before starting:
  • ls /dev/fuse and ls /dev/kvm; load needed modules on the host with modprobe if missing.
  • When LXCs fail to start, check lxcfs:
  • Inspect /lib/systemd/system/lxcfs.service for ConditionVirtualization and comment it out if the service refuses to run inside the container; then systemctl daemon-reload && systemctl restart lxcfs. Community posts document this exact edit. (forum.proxmox.com)
  • If AppArmor blocks operation:
  • Add lxc.apparmor.profile = unconfined in the LXC config, or start the container with Docker’s security_opt: - apparmor:unconfined. Beware the security implications. (pve.proxmox.com, forum.proxmox.com)
  • Networking:
  • Create a Docker bridge and connect the container, or expose host network mode, then create vmbr0 inside the PVE GUI. The dockermox repo explicitly calls out that vmbr0 is not created by default. (github.com)
  • Back up before experimenting:
  • Export VM configs and any important data from the image layer before attempting Proxmox package upgrades inside the container. Upgrades may fail or leave state inconsistent.

Alternative approaches and recommended best practices​

If the goal is to learn Proxmox or operate a small homelab, here are safer and more maintainable options:
  • Install Proxmox on bare metal — best performance and full feature set.
  • Run Proxmox inside a full VM (VirtualBox, VMware Workstation, or another PVE node) with nested virtualization enabled — safer than containerizing the control plane.
  • For Docker-based workflows, use a dedicated VM host for Docker containers rather than installing Docker on a production PVE host.
Community consensus and forum guidance reinforce that while containerized Proxmox is clever, the canonical and supported deployment paths remain physical installs or full VMs. This avoids the privilege and networking workarounds that weaken security. (forum.proxmox.com, reddit.com)

Strengths, weaknesses, and final verdict​

Strengths​

  • Extremely quick to boot and experiment with the Proxmox web UI.
  • Lightweight approach for quick demos and labs.
  • Community-maintained Docker images and scripts make the setup straightforward for experienced users. (github.com)

Weaknesses / Risks​

  • Requires elevated host privileges and device access, which negates many container security guarantees.
  • LXC in Proxmox requires manual modifications (systemd lxcfs edits, AppArmor adjustments) that reduce container isolation and raise security concerns. (forum.proxmox.com, pve.proxmox.com)
  • Upgrades and kernel-dependent features are fragile in a container, risking breakage during standard package updates.
  • Unsupported and not recommended for production or public-facing workloads. (proxmox.com, forum.proxmox.com)

Verdict​

Running Proxmox inside Docker is a legitimate lab trick and a compact way to learn the platform — but it is not a replacement for proper deployment. The approach is perfect for tinkering, demos, or temporary testbeds. For anything requiring reliability, security, or sustained uptime, choose a bare-metal install or a full VM host.

Quick reference: commands and edits (practical cheatsheet)​

  • Start Dockermox (example):
  • docker run -itd --name proxmoxve --hostname pve -p 8006:8006 --privileged rtedpro/proxmox:<tag>
  • Caution: --privileged opens extensive host access. Only run on trusted hosts.
  • Create Docker bridge and attach container:
  • sudo docker network create --driver bridge --subnet=192.168.1.0/24 eth2
  • sudo docker network connect eth2 proxmoxve
  • Fix lxcfs (if disabled by ConditionVirtualization):
  • Edit /lib/systemd/system/lxcfs.service and comment out ConditionVirtualization line.
  • systemctl daemon-reload
  • systemctl restart lxcfs
  • Allow LXC to run without AppArmor enforcement:
  • Add lxc.apparmor.profile = unconfined to /var/lib/lxc/<CTID>/config (or /etc/pve/lxc/<CTID>.conf).
  • Alternatively use Docker’s security opt: --security-opt apparmor:unconfined when starting the Dockermox container.
  • Warning: These changes lower security boundaries. Use only for isolated test hosts. (forum.proxmox.com, pve.proxmox.com)

Closing analysis​

The Dockermox approach is a creative example of community ingenuity: packaging a full virtualization orchestration stack inside a container is clever and useful for labs. The repository and community instructions make it straightforward, and many users report success running VMs and learning the PVE UI in minutes. (github.com)
That said, the method trades off the very benefits of containers — strong isolation and minimal privilege — for convenience. The common fixes (disabling ConditionVirtualization for lxcfs and relaxing AppArmor constraints) are explicit acknowledgements that the container boundary is being eroded to make Proxmox function. For production workloads, security-sensitive environments, or systems that require high reliability and proper hardware passthrough, the recommended and supported routes (bare-metal installs or nested VMs) remain superior. (forum.proxmox.com, pve.proxmox.com)
For hobbyists and homelab tinkerers who want a no-commitment way to poke at Proxmox, Dockermox is a valid entry point: fast to spin up, easy to tear down, and excellent for learning. But treat anything built on top of it as ephemeral until you migrate to a proper Proxmox host.
Proxmox’s official releases and the Dockermox repository continue to evolve; verify image tags and recent changes before running in production. The experiments and fixes described above are drawn from the Dockermox README and multiple community threads documenting identical workarounds and behavior. (github.com, forum.proxmox.com, pve.proxmox.com, proxmox.com)
Source: xda-developers.com I tried running Proxmox inside a Docker container
 

Click to expand...
You must log in or register to reply here.
Back
Top