LXD

LXD Article description::is a next generation system container manager. The core of LXD is a privileged daemon which exposes a REST API over a local Unix socket as well as over the network (if enabled).

LXD isn't a rewrite of LXC; in fact it is built on top of LXC to provide a new, better user experience. Under the hood, LXD uses LXC through liblxc and its Go binding to create and manage the containers. It's basically an alternative to LXC's tools and distribution template system with the added features that come from being controllable over the network.

For those new to container technology, it can be useful to first read the LXC Virtualization Concepts article.

Key features of LXD include:


 * It prefers to launch unprivileged containers (secure by default).
 * A command-line client interacts with a daemon.
 * Configuration is made intuitive and scriptable through cascading profiles.
 * Configuration changes are performed with the command (not config files).
 * Multiple hosts can be federated together (with a certificate-based trust system).
 * A federated setup means that containers can be launched on remote machines and live-migrated between hosts (using CRIU technology).
 * It is usable as a standalone hypervisor or integrated with Openstack Nova

Kernel configuration
It is a good idea to have most kernel flags required by and.

Do you have plans for running systemd-based unprivileged containers? You will probably need to enable the "Gentoo Linux -> Support for init systems, system and service managers -> systemd" (CONFIG_GENTOO_LINUX_INIT_SYSTEMD)

Authorize a non-privileged user
This will allow a non-root user to interact with the control socket which is owned by the lxd unix group. For the group change to take effect, users may need to log out and log back in again.

Configure subuid/subgid
Ensure that you have the files /etc/subuid and /etc/subgid present

In this setup, the user 0-65535 on the container will actually be seen on the host system as user 1000000+uid and 1000000+gid. This protects the host system, since if any container managed to break out of its sandboxed namespace, it could interact with the host system only as a process with an unknown, very high UID/GID.

Usermod is part of which is needed for the subuid/subgid functionality.

Start the daemon
For OpenRC users:

A systemd unit file has also been installed.

has a few available options related to debug output, but the defaults are adequate for this quick start.'

Configure the bridge
If a new bridge was created by, start it now.

If desired, the bridge can be configured to come up automatically in the runlevel.

Launch a container
Add an image repository at a remote called "images":

This is an untrusted remote, which can be a source of images that have been published with the --public flag. Trusted remotes are also possible, and are used as container hosts and also to serve private images. This specific remote is not special to LXD; organizations may host their own images.

There are Gentoo images in the list, although they are not maintained by the Gentoo project. LXC users may recognize these images as the same ones available using the "download" template.

A shell can be run in the container's context.

While the container sees its processes as running as the root user, running  on the host shows the processes running as UID 1000000. This is the advantage of unprivileged containers: root is only root in the container, and is nobody special in the host. It is possible to manipulate the subuid/subgid maps to allow containers access to host resources (for example, write to the host's X socket) but this must be explicitly allowed.

Configuration
Configuration of containers is managed with the  and   commands. The two commands provide largely the same capabilities, but  acts on single containers while   configures a profile which can be used across multiple containers.

Importantly, containers can be launched with multiple profiles. The profiles have a cascading effect so that a profile specified later in the list can add, remove, and override configuration values that were specified in a earlier profile. This can allow for complex setups where groups of containers can be specified which share some properties but not others.

The default profile is applied if no profile is specified on the command line. In the quick start, the  omitted the profile, and so was equivalent to:

Notice that that the default profile only specifies that a container should have a single NIC which is bridged onto an existing bridge lxcbr0. So, having a bridge with that name is not a hard requirement, it just happens to be named in the default profile.

Available configuration includes limits on memory and CPU cores, and also devices including NICs, bind mounts, and block/character device nodes.

Configuration is documented in (substitute the correct version of course).

Example
Here a container is launched with the default profile and also a "cpusandbox" profile which imposes a limit of one CPU core. A directory on the host is also bind-mounted into the container using the container-specific  command.

First, prepare a reusable profile.

requires a container name, so a container is initialized.

In this example a host directory is bind-mounted into the container at. While this could be configured in a profile, instead it will be considered an exclusive feature for that container.

Set the directory to be owned by the container's root user (really UID 1000000 in the host).

Multi-host setup
Two hosts on a network, alpha and beta, are running the lxd daemon. The goal is to run commands on alpha which can manipulate containers and images on either alpha or beta.

Setup
Configure the daemon on the remote to listen over HTTPS instead of the default local Unix socket.

Restart the daemon after this step, and be sure that the firewall will accept incoming connections as specified.

On beta configure a trust password, which is only used until certificates are exchanged.

Add the beta remote to alpha.

Result
It is now possible to perform actions on beta from alpha using the remote: syntax

To copy containers or images, the source ("from") host must have its daemon listening via HTTPS not Unix socket.

Live migration
TODO

Automatic BTRFS integration
When LXD detects that is on a Btrfs filesystem, it uses Btrfs' snapshot capabilities to ensure that images, containers and snapshots share blocks as much as possible. No user action is required to enable this behavior.

When the container was launched in the Quick Start section above LXD created subvolumes for the image and container. The container filesystem is a copy-on-write snapshot of the image.

Making a snapshot of the running container filesystem creates another copy-on-write snapshot.

/dev/lxd/sock
A socket is bind-mounted into the container at. It serves no critical purpose, but is available to users as a means to query configuration information about the container.

Cgroups inside Containers with OpenRC
As of 26th November 2017 there is an open bug with OpenRC (at least inside the container). Informations on the state of fixing and a workaround (or possible fix) can be found here: https://discuss.linuxcontainers.org/t/running-lxd-an-openrc-container-on-a-openrc-system-trouble-with-cgroups/843 (includes patching and init file). Setting rc_sys="" inside the container works, too, but might break other things.

Proceed at own risk and create backups ;-)

Containers not starting under OpenRC
Recent OpenRC release brought "unified" cgroups and LXD doesn't seem to like that (it runs well under systemd which also has unified cgroups though...). The workaround for that is to disable unified cgroups. You do that by editing  and setting.

Running systemd based containers on OpenRC hosts
To support systemd for e.g. ubuntu containers the host must be modified:

Create the system cgroup directory and mount the cgroup there:

Older versions up to lxd-3.9 might need a raw.lxc config entry in addition to mount the host's cgroups automagically into the container:

For more details take a look a the upstream issue on github.com