LXD Development Teams

Research Date: 2026-02-18
Topic: Using LXD for development team infrastructure


Executive Summary

This research evaluates using LXD (Linux Container Daemon) to provide isolated development environments for development teams. The analysis covers container configuration, Docker-in-LXD support, VS Code Remote SSH access, Ansible automation, and migration capabilities.


Findings

1. LXD Container Nesting for Docker Support

Finding: Docker can run inside unprivileged LXD containers using security.nesting=true without requiring privileged mode [1][2].

Verification: Canonical’s LXD documentation and community discussions confirm that security.nesting=true enables container nesting for unprivileged containers. Additional configuration options like security.syscalls.intercept.mknod=true and security.syscalls.intercept.setxattr=true may be required for full Docker functionality [2][3].

Implication: Development teams can run Docker and devcontainers inside LXD containers while maintaining security through unprivileged operation.

2. Docker Storage Driver Requirements in LXD

Finding: The vfs storage driver is not strictly required for Docker-in-LXD; fuse-overlayfs and modern kernel overlay2 support provide alternatives [4][5][6].

Verification:

  • Docker’s official documentation states vfs is “intended for testing purposes” with “poor performance” and “not generally recommended for production use” [4].
  • fuse-overlayfs enables overlay filesystem in userspace without root permissions, suitable for unprivileged containers [5][6].
  • Modern kernels (5.11+) support overlay2 in rootless mode, and recent LXC/LXD versions with ZFS backing can use overlay2 directly [6][7].

Implication: The blanket recommendation to use vfs is outdated. Teams should prefer fuse-overlayfs or native overlay2 when available for significantly better performance.

3. Live Migration Capabilities

Finding: Live migration (zero-downtime migration) is supported for LXD virtual machines; containers must be stopped before migration [8][9][10].

Verification:

  • Official LXD documentation: “When migrating a container, you must stop it first. When migrating a virtual machine, you must either enable Live migration or stop it first” [8].
  • VM live migration requires migration.stateful=true and sufficient size.state allocation [8].
  • Experimental CRIU-based container live migration exists but requires privileged containers and has significant limitations [9][10].

Implication: Development teams requiring migration without downtime must use LXD virtual machines, not containers.

4. SSH Access Methods

Finding: LXD supports multiple SSH access patterns: proxy devices for port forwarding and bridged networking for direct IP access [11][12].

Verification:

  • Proxy devices (the proxy device type) forward host ports to container ports [11].
  • Bridged networking attaches containers directly to physical networks, allowing DHCP-assigned IPs [12].
  • The default lxdbr0 is IPv6 link-local only and requires configuration for SSH access [11].

Implication: Proxy devices are simpler for multi-developer scenarios where each container needs unique SSH ports; bridged networking suits environments requiring direct LAN access.

5. Ansible LXD Module Support

Finding: Ansible provides the official community.general.lxd_container module for LXD container management [13].

Verification:

  • The module supports creating, starting, stopping, and deleting containers and VMs [13].
  • Configuration options include security.nesting, resource limits, and device attachments [13].
  • The module requires installation of the community.general collection [13].

Implication: Infrastructure-as-code automation for LXD development environments is well-supported through standard Ansible tooling.

6. Security Considerations

Finding: Unprivileged LXD containers provide strong isolation while supporting nested containers through security.nesting [1][14].

Verification:

  • Canonical recommends unprivileged containers for security, with security.nesting=true for Docker support [1].
  • Privileged containers bypass security controls and should be avoided [14].
  • Resource limits (limits.memory, limits.cpu, limits.disk) prevent resource exhaustion [15].

Implication: Development environments should use unprivileged containers with appropriate nesting and resource limits.
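The following audit script is an added example, not part of the original document: it checks a running instance against Findings 1 and 6 (unprivileged, nesting enabled, resource limits set) using `lxc config get`. The LXC variable, function names and messages are this example's own assumptions; the offline test substitutes a fake client for `lxc`.

```shell
#!/bin/sh
# Added example (not from the original document): audit an LXD instance against
# Findings 1 and 6. LXC defaults to the real client; point it at a fake to run
# offline. Function names and messages are this example's own assumptions.
LXC=${LXC:-lxc}

# cfg NAME KEY -> value of the instance's own config key, empty if unset.
# Keys inherited from profiles are only visible in `lxc config show --expanded`.
cfg() { "$LXC" config get "$1" "$2" 2>/dev/null; }

# audit_instance NAME: one violation per stdout line, advisory notes on stderr;
# returns the number of violations (0 = instance matches the recommendations).
audit_instance() {
  name=$1; bad=0
  if [ "$(cfg "$name" security.privileged)" = "true" ]; then
    echo "$name: security.privileged=true bypasses the container security controls"
    bad=$((bad + 1))
  fi
  if [ "$(cfg "$name" security.nesting)" != "true" ]; then
    echo "$name: security.nesting is not true; Docker inside the container will not work"
    bad=$((bad + 1))
  else
    # Nesting alone may not be enough for Docker; these intercepts are often needed too.
    for key in security.syscalls.intercept.mknod security.syscalls.intercept.setxattr; do
      [ "$(cfg "$name" "$key")" = "true" ] || echo "$name: note: $key unset" >&2
    done
  fi
  for key in limits.memory limits.cpu; do
    if [ -z "$(cfg "$name" "$key")" ]; then
      echo "$name: $key unset; the instance can exhaust host resources"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# ./audit.sh dev-1 dev-2 audits the named instances when run directly.
if [ $# -gt 0 ]; then
  for name in "$@"; do audit_instance "$name" || true; done
fi
```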


Recommendations

| Decision | Recommendation | Rationale |
|---|---|---|
| Container Type | Unprivileged LXD with security.nesting=true | Security with Docker support [1][14] |
| Docker Storage | fuse-overlayfs or overlay2 (if available) | Better performance than vfs [4][5][6] |
| SSH Access | Proxy devices | Simpler port management for multi-developer setups [11] |
| Automation | Ansible community.general.lxd_container | Official, maintained module support [13] |
| Migration | Plan for downtime (stop-move-start) | Containers don’t support live migration [8] |
| Alternative for Live Migration | Use LXD VMs | VMs support live migration with migration.stateful=true [8] |


Configuration Examples

The following configuration examples are derived from official documentation and verified sources. They demonstrate practical implementation of the findings above.

Example 1: Creating Developer Containers with Nesting

Create an unprivileged container with nesting enabled for Docker support [1][15]:

# Create container with nesting enabled and resource limits
lxc launch ubuntu:24.04 dev-1 \
  -c security.nesting=true \
  -c limits.memory=8GB \
  -c limits.cpu=4

# Alternative: additionally pass cloud-init user data (from a local cloud-init.yaml) at launch
lxc launch ubuntu:24.04 dev-1 --config=user.user-data="$(cat cloud-init.yaml)"

Verified: The -c flag sets configuration options at launch time. security.nesting=true enables nested containers for Docker support [1][15].

Example 2: Resource Limits Configuration

Configure resource limits for development containers [15]:

# Set memory and CPU limits
lxc config set dev-1 limits.memory 8GB
lxc config set dev-1 limits.cpu 4

# Disk size is a property of the instance's root disk device rather than an
# instance-level limits.* key; override the profile-inherited root device
lxc config device override dev-1 root size=100GB

# View current configuration
lxc config show dev-1

Verified: Resource limits prevent container resource exhaustion. Options include limits.memory, limits.cpu, limits.disk, and limits.processes [15].

Example 3: SSH Access via Proxy Device

Forward host port 2222 to container port 22 for SSH access [11][16]:

# Add proxy device for SSH forwarding
# listen= is the host side (0.0.0.0 binds every host interface; use a specific
# host IP to restrict exposure), connect= is the container side
lxc config device add dev-1 ssh-proxy proxy \
  listen=tcp:0.0.0.0:2222 \
  connect=tcp:127.0.0.1:22

Verified: Proxy devices forward traffic from host listeners to container endpoints. The listen address is on the host; the connect address is inside the container [11][16].
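The script below is an added example, not part of the original document: it combines Examples 1 to 3 into one provisioning step per developer, assigning each container a unique host SSH port as the SSH Access finding recommends. The image, limits, port base and the LXC override variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original document: provision one developer
# container per team member, combining Examples 1 to 3. Each container gets a
# unique host SSH port so the proxy devices do not collide. LXC is overridable
# (LXC=echo gives a dry run); image, limits and the port base are assumptions.
set -eu
LXC=${LXC:-lxc}
IMAGE=${IMAGE:-ubuntu:24.04}
PORT_BASE=${PORT_BASE:-2200}   # dev-N is reachable on host port PORT_BASE+N

# ssh_port N -> host port assigned to dev-N
ssh_port() { echo $((PORT_BASE + $1)); }

# provision_dev N: unprivileged container dev-N with nesting, limits and SSH proxy
provision_dev() {
  n=$1; name="dev-$n"; port=$(ssh_port "$n")
  "$LXC" launch "$IMAGE" "$name" \
    -c security.privileged=false \
    -c security.nesting=true \
    -c limits.memory=8GB \
    -c limits.cpu=4
  # The root disk size lives on the root device (inherited from the profile),
  # so it is overridden per instance rather than set as a limits.* key.
  "$LXC" config device override "$name" root size=100GB
  # Host port -> container sshd; the listen side is the host address.
  "$LXC" config device add "$name" ssh-proxy proxy \
    listen="tcp:0.0.0.0:$port" \
    connect=tcp:127.0.0.1:22
  echo "$name: ssh -p $port developer@<host>"
}

# ./provision.sh 3 creates dev-1, dev-2 and dev-3
if [ $# -gt 0 ]; then
  i=1
  while [ "$i" -le "$1" ]; do provision_dev "$i"; i=$((i + 1)); done
fi
```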

Example 4: Running Commands in Containers

Execute commands inside containers using lxc exec [17]:

# Run single command
lxc exec dev-1 -- apt update

# Get interactive shell
lxc exec dev-1 -- bash

# Run command as specific user
lxc exec dev-1 -- su - developer -c "whoami"

Verified: lxc exec executes commands directly in the instance. For interactive sessions, both stdin and stdout must be terminals [17].

Example 5: Ansible LXD Container Creation

Create and manage containers with Ansible [13][18]:

- name: Create developer container
  community.general.lxd_container:
    name: dev-1
    state: started
    source:
      type: image
      mode: pull
      # Same image source as the ubuntu: remote used by the lxc examples above;
      # mode: pull needs the server and protocol to fetch the image from
      server: https://cloud-images.ubuntu.com/releases
      protocol: simplestreams
      alias: "24.04"
    config:
      security.nesting: "true"
      limits.memory: "8GB"
      limits.cpu: "4"
    devices:
      root:
        path: /
        pool: default
        size: 100GB
        type: disk

Verified: The community.general.lxd_container module supports full container lifecycle management. Configuration options match LXD CLI options [13][18].



Revision History

| Date | Version | Changes | Author |
|---|---|---|---|
| 2026-02-18 | 1.0 | Initial research document | Count |
| 2026-02-18 | 2.0 | Reorganized to finding-based format; added numbered citations; verified all claims; corrected Docker storage driver recommendations; added References and Revision History sections | Count |

Research completed: 2026-02-18
Repository: https://git.home.luguber.info/claw/research
Issue: https://git.home.luguber.info/claw/research/issues/4


References

  1. Canonical. (2024). “Enable security.nesting by default for unprivileged containers and modern enough images.” GitHub Issue #13631. https://github.com/canonical/lxd/issues/13631

  2. Linux Containers Forum. (2022). “LXD nesting containers with Docker.” https://discuss.linuxcontainers.org/t/lxd-nesting-containers-with-docker/13713

  3. Proxmox Support Forum. (2018). “LXC security.nesting.” https://forum.proxmox.com/threads/lxc-security-nesting.44726/

  4. Docker Inc. (2025). “Select a storage driver.” Docker Documentation. https://docs.docker.com/engine/storage/drivers/select-storage-driver/

  5. c-goes’s Linux Blog. (2020). “How to setup Docker with fuse-overlayfs in Proxmox LXC container.” https://c-goes.github.io/posts/proxmox-lxc-docker-fuse-overlayfs/

  6. Reddit r/Proxmox. (2022). “fuse overlayfs?” https://www.reddit.com/r/Proxmox/comments/va76fz/fuse_overlayfs/

  7. Proxmox Support Forum. (2023). “LXC ZFS + docker overlay2 driver.” https://forum.proxmox.com/threads/lxc-zfs-docker-overlay2-driver.122621/

  8. Canonical. (2025). “How to migrate LXD instances between servers.” Ubuntu LXD Documentation. https://documentation.ubuntu.com/lxd/latest/howto/instances_migrate/

  9. Ubuntu Blog. (2015). “Live Migration in LXD.” https://ubuntu.com/blog/live-migration-in-lxd

  10. Linux Containers Forum. (2023). “[LXD] Online VM live-migration (QEMU to QEMU).” https://discuss.linuxcontainers.org/t/lxd-online-vm-live-migration-qemu-to-qemu/16635

  11. Canonical. (2016). “LXD networking: lxdbr0 explained.” https://canonical.com/blog/lxd-networking-lxdbr0-explained

  12. Paskevic, D. (n.d.). “Using a bridged LXD network.” https://casept.github.io/post/lxd-bridged/

  13. Ansible Community. (2025). “community.general.lxd_container module – Manage LXD instances.” Ansible Documentation. https://docs.ansible.com/projects/ansible/latest/collections/community/general/lxd_container_module.html

  14. Linux Containers Forum. (2022). “Unprivileged containers inside privileged LXD container.” https://discuss.linuxcontainers.org/t/unprivileged-containers-inside-privileged-lxd-container/14841

  15. Canonical. (2025). “Instance options.” LXD Documentation. https://documentation.ubuntu.com/lxd/latest/reference/instance_options/

  16. Canonical. (2025). “Type: proxy.” LXD Documentation. https://documentation.ubuntu.com/lxd/latest/reference/devices_proxy/

  17. Canonical. (2025). “How to run commands in an instance.” LXD Documentation. https://documentation.ubuntu.com/lxd/latest/instance-exec/

  18. Canonical. (2025). “lxc launch.” LXD Documentation. https://documentation.ubuntu.com/lxd/latest/reference/manpages/lxc/launch/