From ArchWiki
Jump to navigation Jump to search

LXD is a container "hypervisor" and a new user experience for Linux Containers.


Install the lxdAUR package from the AUR. Start/enable lxd.socket to start LXD on-demand, or lxd.service to start LXD on boot. If you want to use LXD as a regular user, add the relevant account to the lxd user group. Then run the following commmand to configure the LXD storage pool and networking:

# lxd init

Upstream also provides a snapd package. The snap includes and manages the systemd units, so it's not necessary to start/enable them manually, though you need to run lxd init. To use it install snapdAUR and run:

# snap install lxd


Create container

LXD has two parts, the daemon (the lxd binary), and the client (the lxc binary). Now that the daemon is all configured and running, you can create a container:

$ lxc launch ubuntu:16.04

Alternatively, you can also use a remote LXD host as a source of images. One comes pre-configured in LXD, called "images" (

$ lxc launch images:centos/7/amd64 centos

The following command gives a list of available images:

$ lxc image list images:

Run command in container

It's possible to run commands in the container using lxd exec. For example to get a bash prompt run:

$ lxc exec container-name -- bash

Tips and tricks

Run unprivileged containers

Unprivileged containers have several advantages, since they are not run as root can be safer and don't require privilege escalation by the LXD daemon to run. However, the Arch Linux kernel blocks unprivileged containers by default for non-root users, so the kernel needs to be configured. See Linux Containers#Enable support to run unprivileged containers (optional) for more information.

LXD Networking

LXD uses LXC's networking capabilities. By default it connects containers to the lxcbr0 network device. Refer to the LXC documentation on network configuration to set up a bridge for your containers.

If you want to use a different interface than lxcbr0 edit the default using the lxc command line tool:

$ lxc profile edit default

An editor will open with a config file that by default contains:

name: default
config: {}
    name: eth0
    nictype: bridged
    parent: lxcbr0
    type: nic

You can set the parent parameter to whichever bridge you want LXD to attach the containers to by default.

Example network configuration

Thanks to @jpic, the LXD package now provides some example networking configuration in /usr/share/lxd/. To use this configuration run the following commands:

$ ln -s /usr/share/lxd/dnsmasq-lxd.conf /etc/dnsmasq-lxd.conf
$ ln -s /usr/share/lxd/systemd/system/dnsmasq@lxd.service /etc/systemd/system/dnsmasq@lxd.service 
$ ln -s /usr/share/lxd/netctl/lxd  /etc/netctl/lxd
$ ln -s /usr/share/lxd/dbus-1/system.d/dnsmasq-lxd.conf /etc/dbus-1/system.d/dnsmasq-lxd.conf

If you use NetworkManager, also symlink the following file:

$ ln -s /usr/share/lxd/NetworkManager/dnsmasq.d/lxd.conf /etc/NetworkManager/dnsmasq.d/lxd.conf

Change parent: lxcbr0 to parent: lxd:

$ lxc profile edit default

Finally, enable and start dnsmasq@lxd.service and netctl@lxd.service.

If you encounter issue with the provided example configuration, or have suggestions to improve it, please leave a comment on the lxdAUR page.

Modify processes and files limit

You may want to increase file descriptor limit or max user processes limit, since default file descriptor limit is 1024 on Arch Linux.

Edit the lxd.service:

# systemctl edit lxd.service


Check kernel configuration

Verify that the running kernel is properly configured to run a container:

$ lxc-checkconfig

Launching container without CONFIG_USER_NS

For launching images you must provide security.privileged=true during image creation:

$ lxc launch ubuntu:16.04 ubuntu -c security.privileged=true

Or for already existed image you may edit config:

$ lxc config edit ubuntu
name: ubuntu
- default
  security.privileged: "true"
    path: /
    type: disk
ephemeral: false

Or to enable security.privileged=true for new containers, edit the config for the default profile:

$ lxc profile edit default

No ipv4 on unprivileged Arch container

This was tested and validated on LXD v.2.20. The container can not start the systemd-networkd service so does not get a valid ipv4 address. A work-around was suggested by Stéphane Graber (Github Issue), execute on the host and restart the container:

$ lxc profile set default security.syscalls.blacklist "keyctl errno 38"
stgraber: "The reason is that the networkd systemd unit somehow makes use of the kernel keyring, which doesn't work inside unprivileged containers right now. The line above makes that system call return not-implemented which is enough of a workaround to get things going again."

See also