The new version of LXC 5.0 has already been released and will be supported until 2027

Canonical recently announced the release of LXC 5.0, the new version of its isolated container toolkit. It becomes the new LTS branch and brings a large number of bug fixes and, above all, various improvements.

For those new to LXC: it provides a runtime suitable both for running containers with a full system environment, close to virtual machines, and for running unprivileged single-application (OCI) containers.

LXC is a low-level toolkit that works at the level of individual containers. For centralized management of containers deployed across a multi-server cluster, the LXC-based LXD system is being developed.

LXC includes the liblxc library, a set of utilities (lxc-create, lxc-start, lxc-stop, lxc-ls, etc.), templates for building containers, and a set of bindings for various programming languages. Isolation is done using the regular mechanisms of the Linux kernel.

Namespaces are used to isolate processes, IPC, UTS, the network stack, user IDs, and mount points, while cgroups are used to limit resources. Kernel features such as AppArmor and SELinux profiles, seccomp policies, chroots (pivot_root), and capabilities are used to reduce privileges and restrict access.

Main new features of LXC 5.0

The new LXC 5.0 branch is classified as a long-term support (LTS) release, with updates to be published over a period of 5 years (that is, until 2027).

Among the changes that stand out in LXC 5.0 is the switch from autotools to the Meson build system, which is also used to build projects such as X.Org Server, Mesa, Lighttpd, systemd, GStreamer, Wayland, GNOME, and GTK, among others.

This version also adds support for time namespaces, which bind a separate system clock state to the container so that the container can use its own time, different from the host's. For configuration, the lxc.time.offset.boot and lxc.time.offset.monotonic options are provided, which define the container's offset relative to the main system clock.

LXC 5.0 also implements VLAN support for virtual Ethernet (veth) adapters. The following options are provided for VLAN management: veth.vlan.id to configure the primary VLAN and veth.vlan.tagged.id to bind additional tagged VLANs.

For virtual Ethernet adapters, the size of the receive and transmit queues can now be configured with the new veth.n_rxqueues and veth.n_txqueues options.

New cgroup configuration options have also been added: lxc.cgroup.dir.container, lxc.cgroup.dir.monitor, lxc.cgroup.dir.monitor.pivot, and lxc.cgroup.dir.container.inner, which allow you to explicitly define cgroup paths for containers, monitoring processes, and nested cgroup hierarchies.
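As an added example (not code from the LXC project or from the original article), the following Python checker reads a container config and reports the time-offset, veth VLAN and cgroup path settings described above. The `lxc.net.<n>.` key prefix, the offset unit suffixes, the "none" VLAN value and the rule that the container and monitor cgroup paths are set together are assumptions based on the lxc.container.conf(5) documentation, the 1 to 4094 VLAN range comes from IEEE 802.1Q, and the sample config is constructed.

```python
import re

# Assumption (lxc.container.conf(5)): offset suffixes h, m, s, ms, us, ns.
UNITS_NS = {"h": 3600 * 10**9, "m": 60 * 10**9, "s": 10**9,
            "ms": 10**6, "us": 10**3, "ns": 1}
OFFSET_RE = re.compile(r"([+-]?\d+)(h|ms|us|ns|m|s)")
# Assumption: veth keys carry the usual lxc.net.<n>. prefix in a real config.
VLAN_RE = re.compile(r"lxc\.net\.\d+\.veth\.vlan\.(tagged\.)?id")

SAMPLE = """\
# constructed sample config, not taken from a real container
lxc.time.offset.boot = -2h
lxc.time.offset.monotonic = 500ms
lxc.net.0.type = veth
lxc.net.0.veth.vlan.id = 100
lxc.net.0.veth.vlan.tagged.id = 4095
lxc.cgroup.dir.container = lxc.payload/web
"""

def parse_offset(value):
    """Convert an offset such as '-2h' or '500ms' to nanoseconds."""
    match = OFFSET_RE.fullmatch(value)
    if not match:
        raise ValueError(f"bad time offset {value!r}")
    return int(match.group(1)) * UNITS_NS[match.group(2)]

def audit(text):
    """Return (clock offsets in ns, findings) for an LXC config string."""
    offsets, findings, cgroup = {}, [], set()
    for line in text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("lxc.time.offset."):
            try:
                offsets[key.rsplit(".", 1)[1]] = parse_offset(value)
            except ValueError as err:
                findings.append(f"{key}: {err}")
        elif VLAN_RE.fullmatch(key):
            # 802.1Q allows VLAN IDs 1..4094; "none" is assumed to mean no VLAN.
            if value != "none" and not (value.isdigit() and 1 <= int(value) <= 4094):
                findings.append(f"{key}: invalid VLAN id {value}")
        elif key.startswith("lxc.cgroup.dir."):
            cgroup.add(key)
    # Assumption: LXC wants the container and monitor paths set together.
    pair = {"lxc.cgroup.dir.container", "lxc.cgroup.dir.monitor"}
    if cgroup & pair and not pair <= cgroup:
        findings.append("lxc.cgroup.dir.container and .monitor must both be set")
    return offsets, findings
```

Calling `audit(SAMPLE)` returns the two clock offsets in nanoseconds, which is the figure to keep in mind when correlating in-container monotonic or boot-time timestamps with host logs, plus one finding for the out-of-range tagged VLAN and one for the unpaired cgroup path.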

It is also worth mentioning that with the release of this new 5.0 branch, LXC 4.0 will now switch to a slower maintenance pace and will only receive critical bug fixes and security updates.

Of the other changes that stand out from this new version:

  • utils: fix unverified return value
  • conf: fix unverified return value
  • utils: allows resolution between devices
  • conf: fix mount handling based on CAP_NET_ADMIN
  • Commands: seccomp notification support check fix.
  • tests: fix build with AppArmor enabled.
  • lxc-attach: enable SELinux context configuration
  • macro: increased MAX_GRBUF_SIZE to 2mb
  • autotools: enable static builds for tools
  • autotools: enable static builds for commands
  • Fixed build with -Wstrict-prototypes -Wold-style-definition
  • conf: fix memory leak

Finally, if you are interested in knowing more about this new version, you can check the details in the following link.

