I can break one container without breaking all of them? I can run them in isolated container networks and even isolated cgroups if I want to. Docker hides a lot of the core reasons tools like jails and chroot and eventually LXC were created but containers absolutely can do the things you are using vms for if you are willing to learn how they work
I built my recommendation around the likelihood this person is already using docker and therefore already has containers that would be extremely easy to run without unraid. There would be less lift to use the same config files and volume mounting they are already using.
Operationally though I would never run vms and containers in the same orchestrated system. Look at what they are asking to do. Why would you run sonarr as a container and radarr as a vm. Obviously they are going to end up just doing one or the other
I legitimately don’t understand the trendiness of proxmox given that vms are overkill compared to containers. If you are migrating from unraid you are likely already using the docker version of all your arr services so going and spinning up vms feels like a step backwards.
You can either use the exact same containers and use systemd to run them as raw services or use something like docker compose or dozens of other tools to orchestrate them. I use k8s but can’t recommend it with a straight face after taking down VMs for being overkill (very different kinds of overkill but still)
I had a landlord make me pay them in zelle. Bank limits meant I had to pay them over 3 days every month. What a mess
I was suggesting to do neither and run the container directly. Putting k8s on top of lxc is still completely stupid. Just run k8s bare metal to operate your containers.
Run docker within lxc within proxmox. This gave me an aneurism. You’ve lost the whole point of not actually virtualizing with containers by putting in two layers deep in virtualization. At this point your shit is so convoluted why don’t you just run kubernetes
Seconding the other comment, lots of orgs picked .lan and then over the last few years have moved things into the cloud and .lan has become a meaningless soup since half the shit isn’t even on local network. Now it just means “needs a vpn or ztn to talk to”
Luckily my last three orgs finally bought a second domain for private dns. It’s quickly becoming a pattern that myorg.com owns myorg.tech or whatever for private traffic. Domains are cheap as fuck compared to everything else a business spends money on, it’s really silly how many people are using hacks for this
I was replying specifically in the context of the original question. Unraid already has their services tooling built out over containers so this person already is probably using containerized versions of the arr services. It would be overkill to go build vms for these services specifically for what you said. They don’t need to be windows or osx, they don’t need hardware passthrough, they don’t need a full kernel.
That aside. You absolutely can run containers as a full isolated kernel and directly map hardware to them. CGroups absolutely allows for those use cases. You may not be using docker anymore but docker is more of a crutch for beginners who probably dont need those things.
One example of this in the real world are COS and Bottlerocket which are literally distributions of Linux where even core is components are individually running under different containers via cgroups. COS runs on every GKE cluster in the world and bottlerocket on most EKS clusters.