Docker container or VM? Canonical's LXD splits the difference

With LXD, Docker containers can emulate virtual machines while maintaining close-to-the-metal speed and high security

Photo: stacked shipping containers (credit: Tristan Taussac)

CoreOS was the first to demonstrate how Docker and containerization could remake Linux. Now Canonical is getting into the game, albeit from a different direction.

Canonical's new project, LXD, or the Linux Container Daemon, lets users work with Docker containers to deploy the functional equivalent of full-blown isolated Linux VMs, not merely individual containerized apps.

In a video, Canonical product manager Dustin Kirkland described LXD as a system for running "full-system containers with the performance you'd expect from bare metal, but with the experience you expect from a virtual machine."

LXD uses containers to virtualize the behavior of an entire system, running as close to the metal as possible. Thus, users can launch new machines in less than a second and have an unprecedented degree of density for those LXD machines -- on the order of hundreds of virtualized machines per physical host.

In an email, Kirkland noted that the project grew out of several initiatives: Canonical's work with OpenStack, the company's efforts submitting upstream changes for LXC (the technology Docker is based on), and the needs of its customers. The company "found considerable customer and market interest in running essentially general, full operating system environments within containers," Kirkland explained, "in the interest of greater security, improved performance, higher density, and extensive portability."

Like many container-centric projects these days (Docker included), LXD is written in Go and provides both a CLI and a RESTful API to its functions. It also includes extensions to allow containers to access storage and networking securely, with the security functions using the same technologies as Linux containers: cgroups, user namespaces, and (when vendor support exists for it) hardware-assisted containerization.

Aside from the high density of systems and native-speed performance on the host hardware, LXD also features high-speed live migration. This function, which allows the contents of active containers to move between physical hosts, was built using another feature for which Canonical has submitted work upstream: Checkpoint Restart (CRIU). Kirkland described demos for the feature: "We were playing Doom in one container and live migrated it back and forth between two different hosts, with continuity."

The hardware-assisted containerization feature might raise the most eyebrows. In its effort to make LXD a real hypervisor, Canonical says it's "working with silicon companies to ensure hardware-assisted security and isolation for these containers, just like virtual machines today."

The big disadvantage is that LXD is strictly a Linux-on-Linux solution and exploits functionality only available on Linux at this time. When asked if a Windows port might be possible in the future, given recent word that Microsoft is planning to add containerization support to Windows in some form, Kirkland didn't provide a direct answer: "Due to the nature of containers," he wrote, "LXD can only really ever be Linux on Linux. That's our focus. Other versions of Linux user space (i.e., non-Ubuntu) can run in LXD. But fundamentally, it will need to be Linux."