“Docker is not a hypervisor”
“it’s for shipping apps”
Canonical’s new project LXD (pronounced “lex-dee,” for Linux Container daemon) that has recently been announced, aims to provide “full-system containers with the performance you’d expect from bare metal, but with the experience of virtual machines.” Basically they are building a complete hypervisor for containers “it feels like a vm, there are tty’s, there is a ssh daemon” everything you would expect from a full virtualized system, except it’s running inside a container. At the time of writing, not many details have been revealed about LXD.
Current state of the hypervisor environment
Traditional hypervisors allow the environment to be secured directly by the server hardware. Such features keep the VM isolated from other things that are running on the system. Canonical’s hypervisor Openstack has Docker support through the nova Docker driver.
However, some features available using VMs are not present. For instance, there is no support of ssh, tty and other security functionalities we expect from a full hypervisor. Moreover, running VMs can become very performance-hungry. Indeed, the overhead of a classic hypervisor is that another kernel has to be emulated and another operating system put on top of the rest, which is a far cry from a container’s bare metal performance. As a result, few VMs can be available to work with on a single machine.
So on one hand, we have a full working solution that offers limited virtualization capabilities and average performance, and on the other hand we have a really performant way to virtualize but with a big lack of features. That’s the problem that Canonical wants to tackle.
What’s the purpose of LXD?
The idea of LXD is really simple. Canonical wants the same type of hardware security and features that are currently only available on traditional hypervisors, but with the performance of containers.
In the previous part we said that due to the overhead, performance in VMs are really limited for now, but by using containers we can completely remove this overhead as this layer is not required. This means better performance; almost bare metal performance.
So, on the technical side, we can consider this new hypervisor as an expansion for both LXC (Linux Containers) and, maybe in the near future, Docker.
Also, it’s good to specify that LXD must be seen as a “daemon exporting an authenticated interface both locally over a unix socket and over a network using https.” There will be two clients that will work with this daemon : the OpenStack plugin and the command line tool.
LXD is built on the following principles :
- Security : there are no privileged containers
- Live Migration : The main feature; it should be smooth, fast and reliable with a downtime of a fraction of a second
- Great performance : close to native hardware performance
Moreover, it has been said that Canonical is working closely with silicon companies to increase bare metal performance for LXC, to “ensure hardware-assisted security and isolation” and also “kernel security” for containers.
Let’s give LXD a try. In order to do that, the Canonical website says we will need a working Openstack installation, but installing and configuring openstack is really long and pretty difficult. LXD’s Github page gives you another way to install LXD without Openstack. We will only have the command line tool client, but that will be enough for this test.
For the purpose of this example, we are going to use Vagrant, which allows us to get our hands on a virtualized Ubuntu pretty quickly so we will not mess up our environment. You will find all the documentation about it here.
As Canonical mentioned on its website, we must use Ubuntu server 14.04 or greater. Fortunately, Vagrant already has this kind of box available online. To download it and initiate the Vagrantfile type :
vagrant init ubuntu/trusty64
Once the installation is done we can ssh into the newly created Virtual Machine with
The LXD homepage gives us commands to run in order to install the hypervisor. But in this tutorial, we will follow the instructions directly from the Github page and manually compile the binaries as we didn’t install Openstack. As LXD is written in Go, we will obviously need to install the latest version of Golang and configure a GOPATH:
sudo apt-get install software-properties-common sudo add-apt-repository ppa:ubuntu-lxc/lxd-daily sudo apt-get update sudo apt-get install golang mkdir -p ~/go export GOPATH=~/go
The next step consists of fetching the LXD go binaries from Github and compiling them
go get github.com/lxc/lxd cd ~/go/src/github.com/lxc/lxd go get -v -d ./... make
and finally the last step is just some configuration to do because LXD uses a hardcoded path to its container
sudo mkdir -p /var/lib/lxd sudo chown $USER:$USER /var/lib/lxd echo "$USER:1000000:65536" | sudo tee -a /etc/subuid /etc/subgid
Now let’s launch the daemon
LXD is now up and running on our Ubuntu server VM. In order to access all of its features we must use the following command
which shows the multiple commands that LXD currently offers
Usage: lxc [subcommand] [options] Available commands: config - Manage configuration. create - lxc create images:ubuntu <name> finger - Fingers the lxd instance to check if it is up and working. freeze - Changes a container's state to freeze. help - Presents details on how to use lxd. list - Lists the available resources. remote - Manage remote lxc servers. restart - Changes a container's state to restart. shell - Start a shell or specified command (NOT IMPLEMENTED) in a container. start - Changes a container's state to start. stop - Changes a container's state to stop. unfreeze - Changes a container's state to unfreeze. version - Prints the version number of lxd.
we can see that this is the version 0.0.1 of LXD, so we can expect that many features are not yet implemented or available.
To start an LXC container, it is first required to create the image
./lxc/lxc create images:ubuntu test
and then to run this command
./lxc/lxc start test
Multiple tests tend to show that running containers is not working yet because while listing the images available with
the output says the container is stopped.
With this limitation, we are not able to go further in exploring LXD, but we can expect Canonical to release another version pretty soon.
Note: Currently, only the ubuntu image is supported by LXD.
The hypervisor that Canonical is currently developing is really promising. It must not be seen as a replacement but as an enhancement for both Docker and LXC. Bringing the VM experience to the container world is a way to accelerate the adoption of new virtualization technologies by companies, and a hypervisor like LXD is a game-changer.