LXC goes for new hierarchies, while LXD casts its net at VMs


Container runtime LXC, container and VM manager LXD, and FUSE filesystem LXCFS are now available in new long-term support version 4.0, which will see five guaranteed years of security updates and bug fixes.

LXC is described as a “userspace interface for the Linux kernel containment features” and might ring a bell to those not using it in its pure form for its use as container execution driver in some of the early Docker versions. LXD builds on top of LXC and aims at providing “a new, better user experience” with some additional features stemming from being controllable over the network.

Since the last LTS version, system container manager LXD has made quite a stride and is now able to run containers as well as virtual machines. Another significant addition comes in the form of projects, which can be used to segment a LXD server. Projects can contain their own sets of instances, images, profiles, and storage volumes which can be disabled on a per-project basis as well as restricted to certain types or limited in consumption etc.
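To make the segmentation concrete, here is an added illustration (not taken from the LXD release notes or the project's documentation) of what a restricted, resource-limited project definition looks like when fed to `lxc project edit`. The project name, description and numeric limits are constructed for this example; the configuration keys are assumed to be the LXD 4.0 project keys (`features.*`, `limits.*`, `restricted.*`).

```yaml
# Constructed example: apply with
#   lxc project create tenant-a
#   lxc project edit tenant-a < tenant-a.yaml
# Every value is a string because LXD stores project config as string maps.
name: tenant-a
description: "Example tenant project with its own images, profiles and volumes"
config:
  # Give the project its own image, profile and volume namespaces
  # instead of sharing the server-wide ones.
  features.images: "true"
  features.profiles: "true"
  features.storage.volumes: "true"
  # Cap consumption so one tenant cannot exhaust the host.
  limits.containers: "10"
  limits.virtual-machines: "0"   # containers only in this project
  limits.cpu: "8"
  limits.memory: "16GiB"
  # Turn on the restriction set and spell out the strict defaults,
  # which is the least-privilege posture for an untrusted tenant.
  restricted: "true"
  restricted.containers.nesting: "block"
  restricted.containers.lowlevel: "block"
  restricted.containers.privilege: "unprivileged"
```

With `restricted` set, the `restricted.*` keys already default to their strictest values; listing them explicitly simply documents the intent and makes a later `lxc project show tenant-a` self-explanatory. Setting `limits.virtual-machines` to `"0"` is the straightforward way to confine a project to one instance type.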

Those who already made the jump to 3.23 and are therefore familiar with the changes since 3.0 will also find some improvements. Version 4.0 for example allows the use of lxc export and lxc import with virtual machines, though users should keep in mind that the execution might take a while since VMs are only accessible as large block devices.

Meanwhile containers now report the usage of attached custom volumes via the state API, and users are able to query the size of a snapshot should this information be needed. In terms of authentication, teams using LXD with a managed PKI can configure the manager to automatically trust any client certificate signed by the CA with core.trust_ca_certificates.

Version 4.0 also comes with an extended list of all PCI and USB devices on the system in the resources API, and support for multiple ipvlan NIC devices as well as host addresses on routed NICs. The only breaking change noted is the removal of --container-only, which has been replaced by --instance-only to reflect the addition of the VM handling capabilities.

Digging a little deeper and taking a look at the new LXC, the team behind the container runtime mainly concentrated on cgroup2 support for the 4.0 release. Thanks to a rewrite of the cgroup driver, LXC can now handle the unified cgroup hierarchy among other things. Supporting this hierarchy is also one of the major changes in the project’s file system LXCFS, though breaking the component up into separate files for better maintainability probably used up a lot of the team’s time as well.

LXC is now also meant to work with cgroup2’s implementation of freezer control, which should improve reliability when freezing containers, and to use the device controller properly. Apart from that, manual syscall implementations have been improved and low-level network management should work more reliably since the way network devices are created, tracked and moved has been reworked; in particular, moving wireless network devices into containers should work again.

Compared to prior releases, tmpfs mounts can be size restricted in LXC 4.0, and users are able to specify the SELinux context for a container’s keyring. A new (apparently bug-reducing) way of cleaning up resources has been introduced by adding new internal APIs to define and call cleanup macros, while new file utils fopen_cached() and fdopen_cached() are said to make file handling more robust.

Users of LXD 3.0 who can’t bring themselves to upgrade yet will see another bugfix release “in the near future”. After that, the series will enter security-only maintenance mode for another three years. Meanwhile LXC and LXCFS 3.0 will “switch to a slower maintenance pace”.