one thing that bit me with LXC: anything that needs its own kernel module won't work. jails have the same limitation — shared host kernel. ran into this trying to run a VPN server (needs DKMS for a custom WireGuard fork) in an LXC container — module can't load, period. ended up on a full KVM VM.