LXD 4.20 has been released

6th of November 2021


The LXD team is very excited to announce the release of LXD 4.20!

This is one very busy release with a lot of new features.

VM users will be happy to see the initial implementation of live migration and core scheduling support. Container users are getting new configuration keys to set sysctls.

Then the bulk of the new features are all network related with peer network relationships, network zones for auto-generated DNS and SR-IOV accelerated OVN networks.

And lastly, on the clustering front, it's now possible to better control what servers will be receiving new workloads.


New features and highlights

Live migration of virtual machines

LXD now has initial support for live-migration of virtual machines.

This works by simply using lxc move to move between two separate LXD servers or lxc move --target to move within a cluster. Assuming the VM is running, live migration will be attempted.

Using this requires migration.stateful to be enabled on the VM which will prevent it from using GPUs, USB or host PCI devices as well as disable virtiofs (limiting filesystem passthrough to 9p).

The current implementation will effectively perform a stateful stop of the instance immediately followed with migration of the entire data (which will contain the runtime state) and restoration on the target.

This should just take 2-3s when using Ceph but can take significantly longer on other storage backends. We have work scheduled over the next 6 months to improve LXD's ability to very cheaply and quickly refresh volumes on BTRFS and ZFS which will then allow similar performance for those storage backends.

Network peering for OVN

When using OVN for LXD networking and multiple networks are defined, routing from one network to another currently exits OVN, hits the uplink network and then re-enters OVN. While this is sometimes desired to fully control the network flows, it can be a huge bottleneck.

To address this, LXD now supports network peers. A peer is added on each side of a pair of networks (can be across projects). Once the peer relation is established, OVN will be configured to directly route from one network to the other with traffic never leaving OVN.

Peer relations also allow for easier ACL rules, making it possible to use @some-network/some-peer in the source or destination field to affect traffic coming in or out of a specific peer network.

A new lxc network peer command is used to manage those peers relations.
At the API level, this is all under /1.0/networks/NAME/peers


Network zones (DNS)

Those managing a large set of instances across many projects will often appreciate all instances having valid forward and reverse DNS records available on their entire network.

Up until now, the only option for this was to use the built-in dnsmasq DNS server and its auto-generated DNS zone but this only really works for one network in one project and doesn't easily integrate within a larger infrastructure. The alternative being to run a completely manually provisioned DNS server on the side.

With this release, LXD introduces the concept of network zones. Those are effectively DNS zones that are tied to LXD networks and can be used for forward DNS records, reverse IPv4 or reverse IPv6 DNS records.

To set it up, one would first create some zones (lxc network zone create), then assign them for the right type of records on the right networks by setting one of:

Lastly the zone must get configured with at least one peer DNS server. This is done using the following configuration keys on the zone itself:
- peers.NAME.address
- peers.NAME.key

Either one, or both, of those must be set for a client DNS server to be able to pull the zone from LXD.

Once that's all setup, your external DNS server can perform a zone transfer (AXFR) from LXD for that zone and then serve it. LXD itself only allows for zone transfers and cannot be directly queried.


SR-IOV acceleration for OVN networking

To further improve the performance of OVN based networking on LXD, we have now added support for SR-IOV acceleration.

The way this works is by using physical network cards which can operate in switchdev mode. Such cards will then provide both a guest facing VF and a host facing representor port. When a system with a suitable card has it in switchdev mode, has the PF added to the OVS bridge and has OVS configured for SR-IOV offload, LXD can automatically allocate VFs for use by containers or VMs.

When all the prerequisites are met, all that needs to be done is set acceleration=sriov on the LXD nic device and LXD will do the rest.

This can lead to an extreme improvement in performance especially on 40G, 100G or 200G networks as it will effectively offload the bulk of the traffic processing directly onto the physical NIC. In such an environment only the first packet in most connections will ever go through the host system and OVS/OVN, all traffic after that point is directly handled in hardware.


Linux sysctl configuration on containers

A new linux.sysctl.* set of config keys has been introduced. This allows directly setting a specific sysctl to a specific value on container startup.

This can be more flexible than having a sysctl.d entry inside the container and can also enable accessing sysctls which are properly namespaced but require elevated privileges by having LXD apply those from the host.


Core scheduling for virtual machines

Following our work on core scheduling for containers in LXD 4.19, we have now extended it to virtual machines. When running LXD on a kernel that supports core scheduling, LXD will automatically ensure that all vCPU threads for a particular VM are part of the same core scheduling group.

Core scheduling is designed to allow the use of SMT on CPUs that would otherwise be at risk of attack by the guest due to the Spectre vulnerabilities. Core scheduling ensures that a guest will either use a core/thread pair or that the thread will remain unused while the guest uses the associated core.

Cluster member configuration

Cluster members now have support for configuration keys.

Other than the free form user.KEY=VALUE, the other key being introduced is scheduler.instance which can be used to prevent a particular cluster member from getting automaticly placed instances, instead only getting instances that are directly placed on it through the --target option of the CLI.


Improvement to network leases

As network leases are heavily relied upon for the new network zones feature, some improvements have been done.

Some of the improvements are:
- Support for network leases on OVN networks
- Uplink networks now showing up in the list of leases
- IPv6 EUI64 addresses included in the list (when stateful DHCPv6 isn't enabled)

On the CLI, those records can be seen with lxc network list-leases NETWORK-NAME

Complete changelog

Here is a complete list of all changes in this release:

Try it for yourself

This new LXD release is already available for you to try on our demo service.


The release tarballs can be found on our download page.

Binary builds are also available for:

  • Linux: snap install lxd
  • MacOS: brew install lxc
  • Windows: choco install lxc