Translation(s): English - EspaƱol
LXD is a next generation system container and virtual machine manager. Debian packages LTS releases of LXD, beginning with bookworm.
Contents
Supported versions of LXD
LXD (upstream) has the following releases:
Version |
EOL |
In Debian release |
5.0 LTS |
Bookworm |
Incus
A community fork of LXD, Incus, has been started (announcement). Initial discussions about the packaging of Incus for Debian are taking place in bug 1042989.
Installation
Installing on Debian is as simple as installing the lxd package:
sudo apt install lxd
Configuration
After installing, you must perform an initial configuration for LXD:
sudo lxd init
LXD's default bridge networking requires the dnsmasq-base package to be installed. If you chose to install LXD without its recommended packages and intend to use the default bridge, you must first install dnsmasq-base for networking to work correctly.
If you wish to allow non-root users to interact with LXD via the local Unix socket, you must add them to the lxd group:
sudo usermod -aG lxd <username>
![/!\](/htdocs/debwiki/img/alert.png "/!\"){kind=small}
From the upstream documentation, be aware that local access to LXD through the Unix socket always grants full access to LXD. This includes the ability to attach file system paths or devices to any instance as well as tweak the security features on any instance. Therefore, you should only give access to users who would be trusted with root access to the host.
Init scripts
Both systemd and SysV init scripts are provided, but the SysV scripts aren't as well-tested as the systemd ones. Bug reports and patches are welcome to improve the LXD experience on non-systemd installs.
When installing LXD on a non-systemd host, you must ensure that a cgroup v2 hierarchy is mounted prior to starting LXD. One possible way to do this is to add a line like the following to your /etc/fstab:
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec 0 0
Storage backends
LXD supports several storage backends. When installing, LXD will suggest the necessary packages to enable all storage backends, but in brief:
btrfs requires the btrfs-progs package
ceph/cephfs require the ceph-common package
lvm requires the lvm2 package
zfs requires the zfsutils-linux package
After installing one or more of those additional packages, be sure to restart the LXD service so it picks up the additional storage backend(s).
Virtual machines
LXD optionally can create virtual machine instances utilizing QEMU. To enable this capability, on the host system install the desired qemu-system-<arch> package(s) and the lxd-agent package. Then, restart the LXD service. You will now be able to create virtual machine instances by passing the --vm flag in your creation command.
Known issues
- Running LXD and Docker on the same host can cause connectivity issues. A common reason for these issues is that Docker sets the FORWARD policy to DROP, which prevents LXD from forwarding traffic and thus causes the instances to lose network connectivity. There are two different ways you can fix this:
As outlined in bug 865975, message 91, you can add net.ipv4.ip_forward=1 to /etc/sysctl.conf which will create a FORWARD policy that docker can use. Docker then won't set the FORWARD chain to DROP when it starts up.
Alternately, you can use the following command to explicitly allow network traffic from your network bridge to your external network interface: iptables -I DOCKER-USER -i <network_bridge> -o <external_interface> -j ACCEPT (from the upstream LXD documentation)
If the apparmor package is not installed on the host system, containers will fail to start unless their configuration is modified to include lxc.apparmor.profile=unconfined; this has been reported upstream at https://github.com/lxc/lxc/issues/4150.
As of September 26, 2023, the 6.1 LTS kernel tree shipped in bookworm has an apparmor bug that prevents some systemd services which use features like PrivateNetwork=yes from starting. This was fixed in the 6.2 kernel release, but hasn't yet been backported to the 6.1 tree. Current workarounds include installing a newer kernel from bookworm-backports, modifying systemd service definitions within the container, or disabling apparmor protections for the container. Bugs: 1050256, 1038315, 1042880, and 1052934.
References
Incus - Linux containers community fork of LXD