LXD 3.19 has been released

16th of January 2020


The LXD team is very excited to announce the release of LXD 3.19!

This is a jam packed release, including one huge feature we've been working on for the past few months, virtual machine support! It's now possible to run LXD on a system and manage both containers and virtual machines through the exact same CLI, API or even as part of a cluster deployment!

We also have a lot of other features, user experience improvements and fixes in this release, quite possibly making it our busiest release yet!


PS: This release took quite a bit longer than our usual one month development cycle. This delay was caused by us wanting to complete the majority of our storage layer re-implementation as well as landing the virtual machine support based on top of it. We expect the next couple of LXD releases to come out on an accelerated cadence ahead of the big LXD 4.0 release in March/April.


Virtual machine support

No doubt the main highlight of this release is the initial support for running virtual machines through LXD.

This is exactly what it sounds like. You can now mix and match system containers and virtual machines.
Those virtual machines are also created from images, stored on the same storage pools as containers, connected to the same networks and even share configuration through profiles.

Interacting with a running virtual machine can be made almost identical to interacting with a container thanks to the LXD agent which when running inside a virtual machine allows the use of the standard exec, file and info features.

This is early work and we have a lot more pieces yet to be implemented, but as it stands, virtual machines can be created from Ubuntu images (with more distributions to come) or PXE booted.

All virtual machines run UEFI with secure boot enabled and we have support for configuring the number of cores and memory allocation as well as whether to use dedicated hugepages for memory backing.
Cloud-init configuration can be exposed to the VM through a config drive or by using the agent if backed into an image.

Here is a basic example of creating an Ubuntu 18.04 VM, installing the agent and querying details and getting a shell inside it:

stgraber@castiana:~$ lxc profile create vm
stgraber@castiana:~$ lxc profile edit vm
stgraber@castiana:~$ lxc profile show vm
  user.user-data: |
    ssh_pwauth: yes
      - name: ubuntu
        passwd: "$6$s.wXDkoGmU5md$d.vxMQSvtcs1I7wUG4SLgUhmarY7BR.5lusJq1D9U9EnHK2LJx18x90ipsg0g3Jcomfp0EoGAZYfgvT22qGFl/"
        lock_passwd: false
        groups: lxd
        shell: /bin/bash
        sudo: ALL=(ALL) NOPASSWD:ALL
description: VM specific configuration
    source: cloud-init:config
    type: disk
name: vm

stgraber@castiana:~$ lxc launch ubuntu:18.04 v1 --vm --profile default --profile vm
Creating v1
Starting v1

stgraber@castiana:~$ lxc console v1
To detach from the console, press: <ctrl>+a q

Ubuntu 18.04.3 LTS v1 ttyS0

v1 login: ubuntu
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64)

ubuntu@v1:~$ sudo -i
root@v1:~# mount -t 9p config /mnt/
root@v1:~# cd /mnt/
root@v1:/mnt# ./ 
Created symlink /etc/systemd/system/ → /lib/systemd/system/lxd-agent.service.
Created symlink /etc/systemd/system/ → /lib/systemd/system/lxd-agent-9p.service.

LXD agent has been installed, reboot to confirm setup.
To start it now, unmount this filesystem and run: systemctl start lxd-agent-9p lxd-agent
root@v1:/mnt# reboot

stgraber@castiana:~$ lxc info v1
Name: v1
Location: none
Remote: unix://
Architecture: x86_64
Created: 2020/01/17 02:23 UTC
Status: Running
Type: virtual-machine
Profiles: default, vm
Pid: 2490333
  enp5s0:   inet
  enp5s0:   inet6   2001:470:b368:4242:216:3eff:fed2:cd5
  enp5s0:   inet6   fe80::216:3eff:fed2:cd5
  lo:   inet
  lo:   inet6   ::1
  Processes: 22
  Disk usage:
    root: 23.51MB
  CPU usage:
    CPU usage (in seconds): 6
  Memory usage:
    Memory (current): 179.20MB
    Memory (peak): 201.19MB
  Network usage:
      Bytes received: 1.71kB
      Bytes sent: 1.94kB
      Packets received: 14
      Packets sent: 18
      Bytes received: 6.19kB
      Bytes sent: 6.19kB
      Packets received: 84
      Packets sent: 84

stgraber@castiana:~$ lxc exec v1 bash
root@v1:~# ps aux | grep lxd
root       787  1.5  1.6 747700 16300 ?        Ssl  02:25   0:00 /run/lxd_config/9p/lxd-agent
root      1024  0.0  0.0  14856  1004 pts/0    S+   02:26   0:00 grep --color=auto lxd

Reworked storage layer

As part of the virtual machine work, we have completely rewritten our storage layer.
This was done partly to add support for storing the block devices backing the virtual machines and to cleanup a lot of cruft that's been accumulating over the years and evolution of the storage layer.

This has no user visible repercussions, if it works properly, the new logic should be acting exactly like the old one, though possibly with quite a few less bugs.

It is now easier than ever to add support for a new storage driver and thanks to good abstractions having been put in place, the vast majority of the storage operations now use shared logic, significantly reducing code duplication and risk of duplicated bugs throughout the codebase.

As with any work of this magnitude, there will be bugs. We will try to be as reactive as we can to address any issue reported to us and would strongly recommend testing LXD 3.19 on some less important systems through the candidate channel ahead of it hitting stable.

Contributions by students of the University of Texas

A number of group of students from the University of Texas in Austin have been contributing LXD features as part of an assignment in their virtualization class.

For this release, this includes:

  • Multi architecture clustering
  • Direct attach of Ceph rbd/fs volumes
  • Attaching profiles to images
  • Custom mount options for disk devices
  • LVM striping (partial work superseded by the re-implementation of the storage layer)

A number more are currently being polished and will be included in the next LXD release.

The LXD team really enjoyed those contributions and interacting with new contributors to the project and are wishing all the best to the participating students!

Other new features

Device keys as lxc list columns

It is now possible to define additional columns in lxc list to show the value of device configuration keys.

For example:

stgraber@castiana:~$ lxc list -c nst,config:image.os:OS,devices:eth0.parent:BRIDGE
|  NAME  |  STATE  |      TYPE       |   OS   | BRIDGE |
| maas01 | STOPPED | CONTAINER       | ubuntu | lxdbr0 |
| v1     | STOPPED | VIRTUAL-MACHINE | ubuntu | lxdbr0 |
| v2     | STOPPED | VIRTUAL-MACHINE | ubuntu | lxdbr0 |
| v3     | STOPPED | VIRTUAL-MACHINE |        | lxdbr0 |

Routed networking mode

A new routed mode (nictype) for network interfaces is now supported.
This requires a very recent feature of underlying liblxc and will effectively setup a point to point link between the container and host and will then route an IP to the container over it.

stgraber@castiana:~$ lxc config device add c1 eth0 nic nictype=routed ipv4.address=
Device eth0 added to c1
stgraber@castiana:~$ lxc start c1
stgraber@castiana:~$ lxc list c1
| NAME |  STATE  |         IPV4          | IPV6 |   TYPE    | SNAPSHOTS |
| c1   | RUNNING | (eth0) |      | CONTAINER | 0         |

Direct attach of Ceph RBD or FS to containers

For those users who have existing RBD or FS volumes on Ceph which aren't managed by LXD itself and so cannot be attached through a traditional disk device, it is now possible to attach such a volume directly to a container.

This is done with special values for the source config key of disk devices.

Examples include:
- source=ceph-rbd:pool/volume
- source=ceph-fs:fs/path

Additionally some configuration keys were added to select the Ceph cluster and user.

  • ceph.cluster_name
  • ceph.user_name

Custom mount options for disk devices

A new raw.mount_options config key was added to disk devices.
It takes an arbitrary list of comma separated mount options to be used when attaching the disk to the container.

Attaching profiles to images

A set of profiles can now be attached to profiles. Any new instance created from that image will be using that set of profiles rather than the default profile.

This is configured through lxc image edit and is kept as images auto-update.

stgraber@castiana:~$ lxc image show a722a8eb4d31
auto_update: true
  architecture: amd64
  description: Alpine 3.8 amd64 (20200116_13:00)
  os: Alpine
  release: "3.8"
  serial: "20200116_13:00"
  type: squashfs
public: false
expires_at: 1969-12-31T19:00:00-05:00
- default

stgraber@castiana:~$ lxc image edit a722a8eb4d31

stgraber@castiana:~$ lxc image show a722a8eb4d31
auto_update: true
  architecture: amd64
  description: Alpine 3.8 amd64 (20200116_13:00)
  os: Alpine
  release: "3.8"
  serial: "20200116_13:00"
  type: squashfs
public: false
expires_at: 1969-12-31T19:00:00-05:00
- blah

stgraber@castiana:~$ lxc launch a722a8eb4d31 a1
Creating a1
Starting a1

stgraber@castiana:~$ lxc info a1 | grep Profiles
Profiles: blah

Interception of the mount system call

Our system call interception layer has been extended to support intercepting the mount syscall.

This can be used to allow normally restricted filesystems to be mounted inside unprivileged containers, but maybe more importantly, it allows for transparent redirection of mount calls to FUSE drivers.

The new configuration options are:
- security.syscalls.intercept.mount (enable/disable the feature)
- security.syscalls.intercept.mount.allowed (list of filesystems to allow mounting)
- security.syscalls.intercept.mount.fuse (list of filesystems to redirect to FUSE)
- security.syscalls.intercept.mount.shift (whether to automatically setup a shiftfs layer)

WARNING: You should never grant the allowed permission to a container that you don't completely trust. This directly exposes your container to the kernel superblock parser and can be used to attack the kernel, crashing the host or even breaking out of the container.

Here is an example of both mounting through by allowing ext4 as well as then using FUSE as a much safer alternative:

root@vm02:~# lxc launch ubuntu:18.04 c1
Creating c1
Starting c1

root@vm02:~# mkfs.ext4 /dev/sdb
mke2fs 1.44.1 (24-Mar-2018)
Discarding device blocks: done                            
Creating filesystem with 2621440 4k blocks and 655360 inodes
Filesystem UUID: 134bc6d4-e7d3-4db1-a3aa-a398c1acff85
Superblock backups stored on blocks: 
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

root@vm02:~# lxc config device add c1 sdb unix-block path=/dev/sdb
Device sdb added to c1

root@vm02:~# lxc exec c1 -- mount /dev/sdb /mnt
mount: /mnt: permission denied.

root@vm02:~# lxc config set c1 security.syscalls.intercept.mount true
root@vm02:~# lxc config set c1 security.syscalls.intercept.mount.shift true
root@vm02:~# lxc config set c1 security.syscalls.intercept.mount.allowed ext4
root@vm02:~# lxc restart c1

root@vm02:~# lxc exec c1 -- mount /dev/sdb /mnt
root@vm02:~# lxc exec c1 -- ls -lh /mnt
total 16K
drwx------ 2 root root 16K Jan 17 01:56 lost+found

root@vm02:~# lxc exec c1 -- apt-get install -y fuse2fs
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 28.8 kB of archives.
After this operation, 143 kB of additional disk space will be used.
Get:1 bionic-updates/universe amd64 fuse2fs amd64     1.44.1-1ubuntu1.2 [28.8 kB]
Fetched 28.8 kB in 0s (117 kB/s)
Selecting previously unselected package fuse2fs.
(Reading database ... 28654 files and directories currently installed.)
Preparing to unpack .../fuse2fs_1.44.1-1ubuntu1.2_amd64.deb ...
Unpacking fuse2fs (1.44.1-1ubuntu1.2) ...
Setting up fuse2fs (1.44.1-1ubuntu1.2) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

root@vm02:~# lxc config unset c1 security.syscalls.intercept.mount.allowed
root@vm02:~# lxc config set c1 security.syscalls.intercept.mount.fuse ext4=/usr/sbin/fuse2fs
root@vm02:~# lxc restart c1

root@vm02:~# lxc exec c1 -- mount /dev/sdb /mnt
root@vm02:~# lxc exec c1 -- ls -lh /mnt
total 128K
drwx------ 2 root root 16K Jan 17 01:56 lost+found
root@vm02:~# lxc exec c1 -- ps aux | grep fuse
root       304  0.0  0.0 170172   788 ?        Ssl  02:00   0:00 /usr/sbin/fuse2fs /dev/sdb /mnt -o dev,suid

Additions to the resources API

Two new fields have been added to the disk entries in the resources API.

  • FirmwareVersion exposes the firmware revision of the network card
  • DeviceID shows a device identifier suitable for lookup under /dev/disk/by-id

An example for a NVME drive now looks like:

stgraber@castiana:~$ lxc query /1.0/resources | jq .storage.disks[0]
  "block_size": 512,
  "device": "259:0",
  "device_id": "nvme-eui.0000000001000000e4d25cafae2e4c00",
  "device_path": "pci-0000:05:00.0-nvme-1",
  "firmware_version": "PSF121C",
  "id": "nvme0n1",
  "model": "INTEL SSDPEKKW256G7",
  "numa_node": 0,
  "partitions": [
      "device": "259:1",
      "id": "nvme0n1p1",
      "partition": 1,
      "read_only": false,
      "size": 52428800
      "device": "259:2",
      "id": "nvme0n1p2",
      "partition": 2,
      "read_only": false,
      "size": 1073741824
      "device": "259:3",
      "id": "nvme0n1p3",
      "partition": 3,
      "read_only": false,
      "size": 254933278208
  "read_only": false,
  "removable": false,
  "rpm": 0,
  "serial": "BTPY63440ARH256D",
  "size": 256060514304,
  "type": "nvme",
  "wwn": "eui.0000000001000000e4d25cafae2e4c00"

Multi-architecture clustering

It is now possible to mix cluster members of different architectures.
LXD will automatically place containers on the right systems based on image architecture.

As a bit of an extreme example, here is a cluster made of 3 different non-Intel architectures:

root@cluster:~# lxc cluster list
|     NAME      |            URL             | DATABASE | STATE  |      MESSAGE      | ARCHITECTURE |
| bos01-arm64   |  | YES      | ONLINE | fully operational | aarch64      |
| bos01-ppc64el | | YES      | ONLINE | fully operational | ppc64le      |
| bos01-s390x   |  | YES      | ONLINE | fully operational | s390x        |
| bos02-arm64   | | NO       | ONLINE | fully operational | aarch64      |
| bos02-ppc64el | | NO       | ONLINE | fully operational | ppc64le      |
| bos02-s390x   |  | NO       | ONLINE | fully operational | s390x        |

Improved clustering setup logic

Prior to this release, when building up a LXD cluster, the first 3 servers to be part of the cluster would act as database nodes, receiving a full copy of the database and starting to vote on database transactions.

This behavior led many to believe that a cluster of just 2 servers was safe to operate despite the number of database members being even, preventing a proper quorum and effectively taking down the entire database should either of the servers go offline.

The new behavior is to keep operating with a single database server until the 3rd server is joined, at which point all 3 servers become database servers.

This will be further improved in LXD 3.20 with the introduction of standby database nodes allowing for multiple database nodes to go offline without the cluster itself going offline.

MAC filtering on unmanaged bridge

The security.mac_filtering configuration key can now be used with nic devices attached to network bridges that aren't managed by LXD itself.

Configurable Ceph data pool name

For those wanting separate OSD pools for their data and metadata, a new configuration key ceph.osd.data_pool_name was added allowing control of where the data should be stored. The metadata will be stored at the pool referenced by ceph.osd.pool_name.

LVM striping support

LVM striping is now supported, it can be configured through the volume.lvm.stripes and volume.lvm.stripes.size.

Initial CGroup2 resource restrictions

A new CGroup abstraction layer was added to LXD as well as an initial mapping for v2 resource controllers. This combined with recent improvements to liblxc should allow for most resource constraints to function in a CGroup V2 environment.

Configurable backup compression at creation time

The compression algorithm used for backups can be configured through backups.compression_algorithm but this is a global setting which will apply to all new backups.

In line with instance publishing (lxc publish), it is now possible to override the compression algorithm of backups at the time of their creation. This is exposed through lxc export --compression-algorithm.

Support for compressing backups and images using squashfs

squashfs can now be selected as compression algorithm for both images and backups.
Prior to this, LXD could consume images compressed through squashfs but couldn't create them itself.

Complete changelog

Here is a complete list of all changes in this release:

Try it for yourself

This new LXD release is already available for you to try on our demo service.


The release tarballs can be found on our download page.

Binary builds are also available for:

  • Linux: snap install lxd
  • MacOS: brew install lxc
  • Windows: choco install lxc