The Linux Containers community has released LXC 7.0, a toolkit for managing isolated containers. It provides a runtime suitable both for running containers with a full system environment, similar to virtual machines, and for running unprivileged containers of individual applications (OCI). LXC is a low-level toolkit that operates at the level of a single container; for centralized management of containers deployed across a cluster of servers, the Incus and LXD systems are developed on top of LXC. LXC 7.0 is a long-term support release, with updates provided for five years (until 2031). LXC is written in C and is licensed under the GPLv2.
LXC includes the liblxc library, a set of utilities (lxc-create, lxc-start, lxc-stop, lxc-ls, etc.), templates for building containers, and bindings for various programming languages. Isolation is achieved using standard kernel mechanisms: Linux namespaces isolate processes, the network stack, IPC, UTS, user IDs and mount points; cgroups restrict resources; and AppArmor and SELinux profiles, seccomp policies, chroots (pivot_root) and capabilities are used to reduce privileges and restrict access.
Major changes:
- Isolation of the monitor process has been implemented using the Landlock mechanism, which lets unprivileged programs drop privileges they do not need by voluntarily limiting their own further access to the system. Landlock is used to restrict the monitor's API handlers to working only with the container and to deny them access to files outside of it. This protection is applied when LXC is built with landlock-monitor.
- The environment configuration of hook handlers and of the container runtime has been separated. New settings, lxc.environment.hooks and lxc.environment.runtime, allow environment variables to be set selectively for the container only, without passing them to hook handlers, and vice versa.
- Support for cgroup v1, and for Linux kernels that do not support pidfd and the new mount API, has been discontinued.
- A vulnerability (CVE-2026-39402) has been fixed that allowed bypassing authorization and deleting OVS (Open vSwitch) ports by manipulating the "lxc-user-nic delete" command. It let an unprivileged user disable the network interfaces of containers launched by other users.
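To make the Landlock-based monitor isolation described above concrete, here is an added example (not LXC's own code) of the underlying technique: a forked child confines itself to one directory hierarchy with a read-only Landlock ruleset and then probes a path inside and a path outside it. It assumes a Linux kernel with Landlock (ABI v1, 5.13 or later); the `landlock_confine_check` helper and the `/usr` and `/etc` sample paths are constructed for the example, and the ABI constants are mirrored from linux/landlock.h.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock ABI v1 pieces, mirrored from linux/landlock.h so the example
 * builds even with older headers (syscall numbers are arch-independent). */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR (1ULL << 3)
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Confine a forked child to allowed_dir (read-only) and probe from inside it.
 * The fork keeps the caller unrestricted: Landlock cannot be undone.
 * Returns 0 if only allowed_dir stayed reachable, 1 if confinement did not
 * hold, -1 if the kernel or sandbox (e.g. seccomp) offers no Landlock. */
int landlock_confine_check(const char *allowed_dir, const char *outside_dir) {
    pid_t pid = fork();
    if (pid < 0) return 1;
    if (pid == 0) {
        struct ll_ruleset_attr rs = { .handled_access_fs = LL_FS_READ_FILE | LL_FS_READ_DIR };
        struct ll_path_beneath_attr rule = { .allowed_access = rs.handled_access_fs };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) _exit(100); /* mandatory first */
        int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
        if (ruleset_fd < 0) _exit(100); /* ENOSYS/EOPNOTSUPP/EPERM: no Landlock here */
        rule.parent_fd = open(allowed_dir, O_PATH | O_CLOEXEC);
        if (rule.parent_fd < 0 ||
            syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0) ||
            syscall(__NR_landlock_restrict_self, ruleset_fd, 0))
            _exit(101);
        /* From now on every open() in this child is checked against the ruleset. */
        int inside = open(allowed_dir, O_RDONLY | O_DIRECTORY);
        int outside = open(outside_dir, O_RDONLY | O_DIRECTORY);
        _exit((inside >= 0 ? 1 : 0) | (outside < 0 && errno == EACCES ? 2 : 0));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 1;
    if (WEXITSTATUS(status) == 100) return -1;
    return WEXITSTATUS(status) == 3 ? 0 : 1;
}
```

A result of -1 is what a supervisor like the LXC monitor has to plan for: the sandbox must either fail closed or fall back to another restriction mechanism when Landlock is unavailable.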
Canonical has also released a new version of its container management system, LXD 6.8. LXD provides tools for centralized management of containers and virtual machines deployed on a single host or in a cluster of multiple servers. The project is implemented as a background process that receives network requests via a REST API and supports various storage backends (directory tree, ZFS, Btrfs, LVM), snapshots including running state, live migration of running containers from one machine to another, and tools for storing container images. The LXC toolchain is used as the runtime for launching containers.
Changes in LXD 6.8 include:
- Cluster links have been added, enabling secure and authenticated communication between different LXD clusters using TLS certificates. To manage cluster links, the "lxc cluster link" command has been added, and a corresponding section has been implemented in the web interface.
- A new cluster node role, "control-plane", has been added, allowing nodes to participate in Raft consensus and to act as standby or leader nodes for the database.
- Replicators have been implemented that use the cluster links API to replicate the contents of nodes to other LXD clusters for fault tolerance.
- Added support for hot-plugging GPU CDI (Container Device Interface) devices to running containers.
- Support for the msgr2 (Ceph messenger v2) protocol has been added to the Ceph storage driver.
- The web interface has been updated with tools for managing cluster node roles, the YAML configuration editor has been modernized, and an Ubuntu-styled look has been implemented. The design of the built-in terminal emulator and the storage driver selection have been improved.

Source: opennet.ru