LXC and LXD 4.0 container management tool release

Canonical has published the release of LXC 4.0, a toolkit for running isolated containers, the LXD 4.0 container manager and the LXCFS 4.0 virtual file system, which emulates /proc and /sys inside containers and provides a virtualized cgroupfs view for distributions without cgroup namespace support. The 4.0 branch is classified as a long-term support release, with updates provided for a period of 5 years.

LXC is a runtime for running both system containers and containers for individual applications (OCI). LXC includes the liblxc library, a set of utilities (lxc-create, lxc-start, lxc-stop, lxc-ls, etc.), templates for building containers, and a set of bindings for various programming languages. Isolation is carried out using the regular mechanisms of the Linux kernel. Namespaces are used to isolate processes, IPC, UTS, the network stack, user IDs and mount points; cgroups are used to limit resources. Kernel features such as AppArmor and SELinux profiles, seccomp policies, chroots (pivot_root), and capabilities are used to drop privileges and restrict access. The LXC code is written in C and distributed under the GPLv2 license.

LXD is an add-on to LXC, CRIU, and QEMU that is used to centrally manage containers and virtual machines on one or more servers. Where LXC is a low-level toolkit for manipulating individual containers, LXD is implemented as a background process that accepts requests over the network via a REST API and allows you to create scalable configurations deployed across a cluster of multiple servers.
Various storage backends are supported (directory tree, ZFS, Btrfs, LVM), as are state snapshots, live migration of running containers from one machine to another, and tools for organizing image storage. The LXD code is written in Go and distributed under the Apache 2.0 license.

Key improvements in LXC 4.0:

  • Completely rewritten cgroup driver. Added support for the unified cgroup hierarchy (cgroup2). Added freezer controller functionality, which can be used to suspend the processes in a cgroup and temporarily free up some resources (CPU, I/O, and potentially even memory) for other tasks;
  • Implemented infrastructure for intercepting system calls;
  • Added support for the "pidfd" kernel subsystem, designed to handle PID reuse (a pidfd is tied to one specific process and does not change, whereas a PID number can be assigned to another process once the process currently holding it terminates);
  • Improved creation and deletion of network devices, as well as their movement between network subsystem namespaces;
  • Implemented the ability to move wireless network devices (nl80211) to containers.
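The pidfd property described in the list above, as an added C example that is not part of the release notes or of the LXC code base: a child is signalled through its pidfd, reaped, and the same pidfd then reports ESRCH rather than reaching whatever process later receives that PID number. It assumes Linux 5.3 or newer; the my_pidfd_open and my_pidfd_send_signal wrappers are hypothetical helpers built on the raw syscalls.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Syscall numbers (same on x86_64 and arm64) in case libc headers predate them. */
#ifndef __NR_pidfd_open
#define __NR_pidfd_open 434
#endif
#ifndef __NR_pidfd_send_signal
#define __NR_pidfd_send_signal 424
#endif

static int my_pidfd_open(pid_t pid) { return (int)syscall(__NR_pidfd_open, pid, 0); }
static int my_pidfd_send_signal(int pidfd, int sig) {
    return (int)syscall(__NR_pidfd_send_signal, pidfd, sig, NULL, 0);
}

/* Spawn a child, obtain a pidfd for it, reap it, then show that the pidfd
 * refuses to signal anything (ESRCH) once that process is gone, even though
 * the numeric PID may be handed to an unrelated process. Returns 0 if so. */
int demo_pidfd_stability(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { pause(); _exit(0); }  /* child: wait to be signalled */

    int pidfd = my_pidfd_open(pid);
    if (pidfd < 0) return -2;             /* kernel too old or syscall blocked */

    /* Signal through the pidfd while the child is alive: must succeed. */
    if (my_pidfd_send_signal(pidfd, SIGTERM) != 0) { close(pidfd); return -3; }
    if (waitpid(pid, NULL, 0) != pid) { close(pidfd); return -4; }

    /* Child reaped: its PID number is free for reuse. kill(pid, ...) would hit
     * whichever process gets that number next; the pidfd cannot. */
    int rc = my_pidfd_send_signal(pidfd, SIGTERM);
    int err = errno;
    close(pidfd);
    return (rc == -1 && err == ESRCH) ? 0 : -5;
}

int main(void) {
    int r = demo_pidfd_stability();
    printf("pidfd demo: %s (%d)\n", r == 0 ? "ok" : "unexpected", r);
    return r == 0 ? 0 : 1;
}
```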

Key improvements in LXD 4.0:

  • Added support for launching not only containers, but also virtual machines;
  • To partition LXD servers, the concept of projects has been introduced, which simplifies managing groups of containers and virtual machines. Each project can include its own set of containers, virtual machines, images, profiles, and storage volumes, and restrictions and settings can be defined per project;
  • Added support for intercepting system calls for containers;
  • Implemented creating backup copies of environments and restoring from them;
  • Provided automated creation of snapshots of environments and storage partitions with the ability to set the lifetime of the snapshot;
  • Added API for monitoring network status (lxc network info);
  • Added support for shiftfs, a virtual file system for mapping mount points into user namespaces;
  • New types of network adapters "ipvlan" and "routed" are proposed;
  • Added a backend for CephFS-based storage;
  • For clusters, support for image replication and multi-architecture configurations is implemented;
  • Added role-based access control (RBAC) capability;
  • Added support for CGroup2;
  • Added the ability to configure the MAC address and determine the source address for NAT;
  • Added API for managing bindings in DHCP (leases);
  • Added support for nftables.

Source: opennet.ru
