Comparing LXD vs. LXC

IMHO, along the lines of this post/article, another useful one (or two) would be to list some typical use cases for choosing either lxc or lxd.

i have not made a decision, yet. but i am leaning towards lxc. there are two reasons i am coming to this conclusion. the 1st is that i’m mostly interested personally in doing system level things with containers. the 2nd is that i am wanting to learn about containers the way i would have learned had i not been misdirected away when they first came out years ago. i am doing catch-up now. i would have learned lxc 1st because at one time that’s all there was. then i want to learn lxd in terms of already knowing lxc. and somewhere in there i want to also learn the API in terms of programming in C and in Python. i don’t think my use cases are typical, though. and they might well be confusing to typical users who only learn lxd (or Docker).

one of my goals is to set up a dual-distro system on my laptop with Ubuntu and Slackware (maybe also some others like Centos, Debian, and/or Fedora). and part of that goal is to have both Ubuntu and Slackware each running in their own container with the host system minimized to run containers and suitable system administrator tools. and i also want to look into building “distros” targeted to only be container images.

Can someone expand on the security dependencies of LXD on apparmor? I want to run LXD containers, but enable SELinux security, which I believe removes apparmor. Is this safe to do, and does anyone know of articles on how to secure an LXD container with SELinux?

LXD doesn’t require apparmor, it will happily run on systems that have it missing or disabled.

With AppArmor disabled, privileged containers should be considered entirely unsafe. While we don’t consider them to be root-safe when apparmor is present, we also don’t know of a trivial way to escape in that case, but without apparmor it’s downright trivial.

Unprivileged containers (default) should be perfectly safe as apparmor only acts as a safety net there with the user namespace acting as the main security barrier.
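As an added illustration of the two barriers described in the reply above (not code from the thread or from the LXD project): a few POSIX shell helpers that classify an instance from the YAML printed by `lxc config show <name> --expanded`, the AppArmor module state, and the uid_map seen inside the container. The sample config texts and mappings are constructed; on a live host you would feed the functions the real command output.

```shell
#!/bin/sh
# Added example, not from the thread. Each helper takes text as an argument
# so it can be exercised against constructed samples; live usage looks like:
#   risk_level "$(lxc config show c1 --expanded)" \
#              "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)"

# is_privileged CONFIG_TEXT: 0 when security.privileged is "true", i.e. root
# inside the container is host root and AppArmor is the only remaining barrier.
is_privileged() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*security\.privileged:[[:space:]]*"?true"?[[:space:]]*$'
}

# apparmor_enabled STATE: STATE is the contents of
# /sys/module/apparmor/parameters/enabled ("Y"/"N"), or empty if the file is absent.
apparmor_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "Y" ]
}

# uidmap_is_host_root UID_MAP: UID_MAP is /proc/1/uid_map read inside the
# container. An identity map over the full range ("0 0 4294967295") means
# there is no user namespace isolation at all.
uidmap_is_host_root() {
    printf '%s\n' "$1" |
        awk '{ if ($1 == 0 && $2 == 0 && $3 == 4294967295) found = 1 } END { exit !found }'
}

# risk_level CONFIG_TEXT APPARMOR_STATE: prints the verdict from the reply above.
risk_level() {
    if is_privileged "$1"; then
        if apparmor_enabled "$2"; then
            echo "privileged: not root-safe, AppArmor limits damage"
        else
            echo "privileged: unsafe, no AppArmor confinement"
        fi
    else
        echo "unprivileged: user namespace is the main barrier"
    fi
}

# Constructed samples standing in for `lxc config show --expanded` output.
SAMPLE_PRIV='config:
  security.privileged: "true"
name: c1'
SAMPLE_UNPRIV='config:
  image.os: ubuntu
name: c2'

if [ "${1:-}" = "--demo" ]; then
    risk_level "$SAMPLE_PRIV" "N"
    risk_level "$SAMPLE_UNPRIV" "Y"
fi
```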

Thanks for the confirmation!

fyi, i have decided to go with LXD. i just haven’t installed it, yet, because my needs are not urgent. but there is a new need that i might like to do sooner, if it is doable.

Can you please solve this issue? I’ve been waiting for a reply for a long time.

now, i am curious. with a few containers, or more, can i build a multi-node, multi-LAN-like network and do some complex routing, like maybe with OSPF?

Depends on what you had in mind. I am using ospf inside some containers provided by frr. The containers are attached to multiple vlans, which I have created with openvswitch on the host. Works nicely even across openvpn tunnels.

Outside of Ubuntu, it’s a bit easier to deploy LXC than LXD on distros completely outside the Debian/Ubuntu ecosystem, because it has fewer dependencies on kernel features and patches. However, with the proper kernel, it is possible to get a fully working LXD on non-Ubuntu, non-Debian distros. Support for LXD out of the box may improve in the future on some non-Ubuntu distros, but we’ll have to wait and see.

We do actively test LXD on quite a wide variety of distributions, at least all the major ones where the upstream snap package can be installed:

https://jenkins.linuxcontainers.org/job/lxd-test-snap-latest-stable/

A number of other Linux distributions (Alpine Linux, Gentoo, …) also have their own native packages which aren’t part of that automated testing effort.

It’s also worth noting that our biggest source of users these days, isn’t coming from Ubuntu but from Chromebooks which all come with LXD as part of the Linux App feature.
That particular environment is some kind of modified Gentoo.

The opening post is really good, but the title is misleading, you can’t really compare LXC with LXD just as you can’t compare a boat with the sea.

Personally I found LXD to be an excellent enabler for LXC.
LXC is the sea (of containers), LXD just makes your experience much better, like sailing on a boat!


The fan vxlan driver does not work correctly on centos, so the cluster function on centos was broken with lxd fan networking.

I wrote an article summarizing the differences,


Don’t you mean, “Basically I could say there no single situation where person should prefer LXC over LXD”?

Did you (or someone else) take the opportunity to write an article about LXD container networking scenarios? I think this would be a popular and helpful topic. Network configuration in virtual machines and containers is quite challenging.



I think there is an issue regarding the “usefulness” of this post. Although it provides useful information in other areas, having lxc and lxc- distinguish between interacting with LXD vs LXC is not intuitive and should not need a special post explaining the difference. This post is not the first thing a new user finds or knows to look for, even after many years of experience. It should really be taken into consideration to change the command line interface name from lxc to lxd, so that it’s not so easily confused. Sometimes making an effort to reduce mental work on users goes a long way to making substantial progress.


While I agree with you, this discussion has been there for years.
Somewhere stgraber mentioned that it wasn’t their choice, whatever that means and who makes these decisions (maybe Ubuntu/Canonical?), I don’t know.

@stgraber
As some people ask specifically for LXC:

  • Are there any relevant feature differences between LXD and LXC?
    Or can someone in theory apply everything (for example every config option, network etc.) to both as well, and it’s just more complicated with LXC?

Hi
Really? How do you configure VSwitch on LXC/LXD?