LXD

LXD is the Linux Containers Daemon, and the successor to LXC. Though both are developed concurrently by Stéphane Graber (and Canonical), LXD is still under active development and is currently suitable for evaluation use only.

For those new to container technology, it would be good to first read the "Virtualization Concepts" section of the LXC article.

Key features of LXD include:

 * Prefers to launch unprivileged containers (secure by default).
 * A command-line client (lxc) interacts with a daemon (lxd).
 * Configuration is made easier through cascading profiles.
 * Configuration changes are performed with the lxc command (no more config files).
 * Multiple hosts can be federated together (with a certificate-based trust system).
 * A federated setup means that containers can be launched on remote machines and live-migrated between hosts (using CRIU technology).

Kernel configuration
It is a good idea to have most kernel flags required by and.

Emerge
Since LXD is not yet stable, the keyword may need to be unmasked to install the package.

Authorize a non-privileged user
This allows a non-root user to interact with the control socket, which is owned by the lxd Unix group. For the group change to take effect, users may need to log out and log back in again. Membership in this group gives full control of the daemon, which is equivalent to root on the host, so add only users who are trusted with that level of access.

Configure a bridge
LXD's default profile looks for a Linux bridge named lxcbr0. The ebuild has created lxcbr0 but no real interface has been added to the bridge.

Also, note that lxcbr0 wasn't configured to be persistent across a reboot. Edit the file for the bridge to be automatically configured by netifrc.

Configure subuid/subgid
In this setup, UIDs and GIDs 0-65535 inside the container are seen on the host system as 1000000+uid and 1000000+gid respectively. This protects the host system: if any container managed to break out of its sandboxed namespace, it could interact with the host only as a process with a very high UID/GID that owns no host accounts or files.
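As an added illustration of this mapping (not code from the Gentoo wiki or from LXD itself), the following POSIX sh snippet computes the host id that a container id maps to from a subuid-style entry, and checks whether a mapped range would alias a real host account. The file contents and the function names are constructed assumptions; on a real system the inputs would be /etc/subuid, /etc/subgid and /etc/passwd.

```shell
#!/bin/sh
# Constructed /etc/subuid-style content (user:start:count). The root line is
# the 1000000+uid mapping described above; alice is a second, hypothetical owner.
SUBUID_SAMPLE='root:1000000:65536
alice:165536:65536'

# Constructed /etc/passwd-style content with two real host accounts.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh'

# range_for OWNER CONTENT -> prints "start count" for OWNER; fails if no entry
range_for() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { print $2, $3; found = 1 } END { exit !found }'
}

# host_id OWNER CONTAINER_ID CONTENT -> prints the host id CONTAINER_ID maps to
# for a container owned by OWNER; fails if the id lies outside the mapped range
host_id() {
    owner=$1; cid=$2; content=$3
    range=$(range_for "$owner" "$content") || return 1
    start=${range% *}; count=${range#* }
    [ "$cid" -ge 0 ] && [ "$cid" -lt "$count" ] || return 2
    echo $((start + cid))
}

# range_clashes START COUNT PASSWD_CONTENT -> succeeds if any real host account
# has a uid inside [START, START+COUNT), i.e. a container id would alias it
range_clashes() {
    printf '%s\n' "$3" | awk -F: -v s="$1" -v c="$2" \
        '$3 >= s && $3 < s + c { hit = 1 } END { exit !hit }'
}

# Demonstration: container root becomes host uid 1000000; a range starting at
# 1000 would make container uid 0 collide with the host account alice.
echo "container root -> host uid $(host_id root 0 "$SUBUID_SAMPLE")"
if range_clashes 1000000 65536 "$PASSWD_SAMPLE"; then
    echo "WARNING: mapped range overlaps a host account"
else
    echo "mapped range 1000000-1065535 aliases no host account"
fi
```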

Start the daemon
For SysV users:

A systemd unit file has also been installed.

/etc/conf.d/lxd has a few available options related to debug output, but the defaults are adequate for this quick start.

Launch a container
Add an image repository as a remote called "images":

This is an untrusted remote, which can be a source of images that have been published with the --public flag. Trusted remotes are also possible, and are used as container hosts and also to serve private images. This specific remote is not special to LXD; organizations may host their own images.

There are Gentoo images in the list, although they are not maintained by the Gentoo project. LXC users may recognize these images as the same ones available using the "download" template.

A shell can be run in the container's context.

While the container sees its processes as running as the root user, running  on the host shows the processes running as UID 1000000. This is the advantage of unprivileged containers: root is only root in the container, and is nobody special in the host. It is possible to manipulate the subuid/subgid maps to allow containers access to host resources (for example, write to the X socket) but this must be explicitly allowed.

Configuration
TODO

Multi-host Setup
TODO

Live migration
TODO