LXD Advanced Concepts

Understanding system containers: architecture, principles, and common configuration challenges.

Docker: application packaging; no full systemd.
LXD / LXC: full Ubuntu OS in a system container (full OS container); SSH and apt ready.
KVM / VM: full hardware emulation with a dedicated kernel; high overhead.
Core Principle

Shared Kernel Architecture

The key difference between LXD containers and VMs is that there is no hypervisor layer: container processes call the host kernel's syscalls directly. This is also why the shared kernel is the security boundary; a kernel bug reachable through a syscall from inside one container affects every container on the host.

Diagram: physical hardware (CPU, memory/disk, NIC) -> host Linux kernel (shared) -> containers: Ubuntu C1 (/bin/bash, systemd, ssh) and Alpine C2 (/bin/sh, init, apk).
Isolation Technology

Namespaces & Cgroups

Isolation is built from Linux kernel features. Namespaces provide view isolation (a process cannot see resources outside its namespace); cgroups provide resource limits (a process cannot consume more than its quota). Neither is a separate kernel: anything a namespace does not cover is still visible and shared.

Diagram: host system running an LXD container, isolated by:
- PID namespace: process isolation; the container's init is PID 1 inside the container.
- Network namespace: network isolation; independent interfaces, IP and MAC addresses.
- Mount namespace: filesystem isolation; independent mount table.
- Cgroups: resource quotas; maximum RAM and CPU.
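The following script is an added example (not code from the original page or from the LXD project) that inspects both mechanisms through the kernel's own interfaces: namespace identity via /proc/<pid>/ns and the cgroup v2 memory limit. The container name `c1` and the 512MiB limit in the comments are assumed values.

```shell
#!/bin/sh
# Added example, not from the original page: inspect the two isolation
# mechanisms from inside a process using the kernel's own interfaces.
# "c1" and the 512MiB limit mentioned in comments are assumed values.
set -eu

# Each namespace is a kernel object exposed as /proc/<pid>/ns/<type>, a
# symlink that reads "<type>:[<inode>]". Two processes share a namespace
# exactly when the inode matches: this is the "can't see" boundary.
ns_id() {          # ns_id PID TYPE -> e.g. "pid:[4026531836]"
    readlink "/proc/$1/ns/$2"
}

same_ns() {        # same_ns PID_A PID_B TYPE -> exit 0 if both are in the same namespace
    [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]
}

# Cgroup v2 limit files hold either a byte count or the literal "max".
# `lxc config set c1 limits.memory 512MiB` ends up as 536870912 in the
# memory.max file of c1's cgroup: this is the "can't touch" boundary.
cgroup_limit() {   # cgroup_limit FILE -> "unlimited" or "<bytes> bytes (<n> MiB)"
    v=$(tr -d '[:space:]' < "$1")
    if [ "$v" = "max" ]; then
        echo unlimited
    else
        echo "$v bytes ($((v / 1048576)) MiB)"
    fi
}

# Which namespaces does the current shell share with PID 1? On a plain host,
# all of them. Inside an LXD container the answer is also "all", because the
# container's init is PID 1 of its own PID namespace; the difference is only
# visible from the host, where `lxc info c1` reports the init's host PID and
# /proc/<that pid>/ns/* carries different inodes than /proc/1/ns/*.
report_isolation() {
    for t in pid net mnt uts ipc user; do
        if [ -r "/proc/1/ns/$t" ] && same_ns 1 $$ "$t"; then
            echo "$t: shared with PID 1"
        else
            echo "$t: separate (or not readable without privilege)"
        fi
    done
    # Locate our own cgroup (the "0::" line of /proc/self/cgroup on v2) and
    # print its memory limit, if the file is there.
    cg=$(sed -n 's/^0::\(.*\)$/\1/p' /proc/self/cgroup)
    f="/sys/fs/cgroup${cg}/memory.max"
    if [ -r "$f" ]; then
        echo "memory.max: $(cgroup_limit "$f")"
    fi
}

if [ "${1:-}" = report ]; then
    report_isolation
fi
```

Run it as `sh isolation.sh report` on the host and again with `lxc exec c1 -- sh isolation.sh report`; the namespace lines look identical from both places, which is exactly the point: the container cannot tell that its PID 1 is not the host's PID 1.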
Challenge #1

UID/GID Mapping

This is the most common cause of `Permission denied` errors for beginners. LXD runs unprivileged containers by default, so root inside the container and root on the host are different users: the container's UID 0 is mapped through a user namespace to an unprivileged host UID (100000 in the diagram below), and a host file owned by a UID outside the map looks like it belongs to nobody from inside the container.

Simulation Settings

Diagram: a process running as root (UID 0) inside the container makes a syscall; the kernel's user-namespace mapping presents it on the host as an ordinary user (UID 100000).

Secure mode, ID mapping active: container root (0) appears as a regular user (100000) on the host. A process that escapes the container therefore holds only that unprivileged UID's rights on the host and cannot modify host system files owned by the real root.
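As an added example (not from the original page or the LXD project), the script below translates IDs across the boundary using the same table the kernel uses, `/proc/<pid>/uid_map`, whose lines read `container_start host_start count`. The sample map is constructed to match the diagram's 100000 base; the container name `c1` and the pinned host user 1000 are assumed values.

```shell
#!/bin/sh
# Added example, not from the original page: translate IDs across the
# unprivileged-container boundary using /proc/<pid>/uid_map semantics.
# The sample map is constructed; "c1" and host user 1000 are assumed.
set -eu

# Constructed map: container 0..999 -> host 100000..100999, container 1000
# pinned to host 1000 (what `lxc config set c1 raw.idmap "both 1000 1000"`
# produces, so a bind-mounted home directory keeps its owner), and the
# remaining range shifted again. Real maps may have a single line.
SAMPLE_UID_MAP='0 100000 1000
1000 1000 1
1001 101001 64535'

# map_to_host MAP CONTAINER_ID -> host id, or "unmapped".
# An unmapped id is what the kernel presents as the overflow id (65534, nobody).
map_to_host() {
    printf '%s\n' "$1" | awk -v id="$2" '
        BEGIN { id = id + 0 }
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# map_to_container MAP HOST_ID -> container id, or "unmapped".
# "unmapped" is the answer for a host file owned by a UID outside the map:
# inside the container it shows up as nobody and root inside cannot chown it.
map_to_container() {
    printf '%s\n' "$1" | awk -v id="$2" '
        BEGIN { id = id + 0 }
        NF == 3 && id >= $2 && id < $2 + $3 { print $1 + (id - $2); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Reading the live map of a running container from the host side (needs LXD):
#   pid=$(lxc info c1 | awk '/^PID:/ { print $2 }')
#   map_to_host "$(cat /proc/$pid/uid_map)" 0     # -> first host_start, e.g. 100000
# From inside the container, /proc/self/uid_map shows the same table.

case "${1:-}" in
    to-host)      map_to_host "$SAMPLE_UID_MAP" "$2" ;;
    to-container) map_to_container "$SAMPLE_UID_MAP" "$2" ;;
esac
```

The practical fixes follow directly from the table: either pin the host owner into the map with `raw.idmap` as in the sample, or attach the directory with `lxc config device add c1 data disk source=/srv/data path=/data shift=true` so LXD shifts ownership for you; `chmod 777` on the host side is the wrong answer, because it widens access for every host user instead of fixing the mapping.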
Challenge #2

Network Modes: NAT vs Bridge

How do containers reach the internet, and what is the difference between the default `lxdbr0` bridge and a physical bridge?

Diagram: Internet <- eth0 on the host (192.168.1.10) <- NAT via lxdbr0 <- container 10.0.0.x
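As an added example (not from the original page or the LXD project), the script below puts the two NIC configurations side by side as `lxc` commands run on the host, and adds a small helper that tells from a container's address which side of the NAT it is on. The names `c1`, `c2`, `lan`, the bridge `br0`, the 10.0.0.0/24 range and the image alias are assumed values chosen to match the diagram.

```shell
#!/bin/sh
# Added example, not from the original page: NAT (lxdbr0) versus physical
# bridge, as lxc commands, plus a helper that classifies an address.
# c1, c2, lan, br0, 10.0.0.0/24 and the image alias are assumed values.
set -eu

LXDBR0_CIDR=10.0.0.0/24

# Mode 1, NAT (the default): lxdbr0 is a bridge that exists only on the host.
# LXD runs dnsmasq on it for DHCP/DNS and masquerades outbound traffic behind
# the host's eth0 address. The host can reach 10.0.0.x; other LAN machines
# have no route to it, so a service must be published explicitly.
# (Skip the first two commands if `lxd init` already created lxdbr0.)
nat_mode() {
    lxc network create lxdbr0 ipv4.address=10.0.0.1/24 ipv4.nat=true ipv6.address=none
    lxc profile device add default eth0 nic network=lxdbr0 name=eth0
    lxc launch ubuntu:22.04 c1
    # Publish only port 80 of c1, on host port 8080, via a proxy device.
    lxc config device add c1 web proxy listen=tcp:0.0.0.0:8080 connect=tcp:127.0.0.1:80
}

# Mode 2, physical bridge: the host's eth0 is enslaved to a Linux bridge br0
# (configured outside LXD, e.g. with netplan) and the container's veth is
# attached to that bridge. The container gets its own MAC and a 192.168.1.x
# lease from the LAN's DHCP server and is reachable by every LAN host as if it
# were a separate machine: nothing is NATed and nothing is hidden.
bridged_mode() {
    lxc profile create lan
    lxc profile device add lan eth0 nic nictype=bridged parent=br0 name=eth0
    lxc launch ubuntu:22.04 c2 --profile default --profile lan
}

# Helper: is ADDR inside NET/PREFIX? Pure shell arithmetic, no external tools.
ip2int() {         # ip2int A.B.C.D -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ipv4_in_cidr() {   # ipv4_in_cidr ADDR NET/PREFIX -> exit 0 if ADDR is inside
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# The IPv4 address that `lxc list` shows for a container tells you its mode:
# an lxdbr0 lease means NAT, a LAN lease means the container is on the wire.
addr_mode() {      # addr_mode ADDR -> nat | lan
    if ipv4_in_cidr "$1" "$LXDBR0_CIDR"; then echo nat; else echo lan; fi
}

case "${1:-}" in
    nat)     nat_mode ;;
    bridged) bridged_mode ;;
    mode)    addr_mode "$2" ;;
esac
```

The security trade-off is the reason to prefer NAT unless the container genuinely needs to be a LAN peer: with lxdbr0, exposure is opt-in per port through proxy devices, while a bridged NIC puts the whole container, and any service it happens to listen on, directly on the LAN.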