LXD 5.17 has been released


The LXD team is very excited to announce the release of LXD 5.17!

This month’s release includes three new features and a focus on documentation improvements, as well as the usual collection of bug fixes and improvements.


New features and highlights

ZFS 2.2 delegation support

LXD now supports the namespace delegation feature introduced in ZFS 2.2.

This allows a container that has delegated ZFS access to control its dataset and anything underneath it.
The same works with custom storage volumes, which can therefore allow multiple containers to interact with the dataset.

This requires that the LXD host is running a kernel with the ZFS 2.2 kernel module. The LXD snap now bundles the ZFS 2.2 user-space tools; if you are not using the snap, you will also need the matching user-space tools.

lxc init ubuntu:22.04 c1
lxc storage volume set default container/c1 zfs.delegate=true
lxc start c1
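
The host requirement above can be checked before the key is set. The following is an added example, not code from the LXD project: the function names are hypothetical, and it assumes the kernel module version is readable from /sys/module/zfs/version and that `zfs version` prints the user-space version on its first line.

```shell
#!/bin/sh
# Added example (not LXD project code): preflight check before enabling
# zfs.delegate. Function names are hypothetical.

# Return 0 if a version string such as "2.2.0-1", "zfs-2.2.0-1" or
# "zfs-kmod-2.2.0-1" is at least 2.2; anything unparseable counts as too old.
zfs_version_ok() {
    v=${1#zfs-kmod-}
    v=${v#zfs-}
    case "$v" in *.*) ;; *) return 1 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}      # digits up to the next non-digit
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    [ "$major" -gt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -ge 2 ]
}

# $1 = "snap" (user-space tools are bundled) or anything else, in which
# case the host's own zfs tools must also be 2.2 or newer.
host_can_delegate() {
    kmod=$(cat /sys/module/zfs/version 2>/dev/null) || return 1
    zfs_version_ok "$kmod" || return 1
    [ "$1" = "snap" ] && return 0
    tools=$(zfs version 2>/dev/null | head -n 1)
    zfs_version_ok "$tools"
}

# Set zfs.delegate on a container volume, refusing on an unsupported host.
# $1 = install type, $2 = pool name, $3 = container name.
enable_delegation() {
    if ! host_can_delegate "$1"; then
        echo "zfs.delegate needs the ZFS 2.2 kernel module and tools" >&2
        return 1
    fi
    lxc storage volume set "$2" "container/$3" zfs.delegate=true
}
```

For the container created above, the call would be `enable_delegation snap default c1` before `lxc start c1`.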

Add remote copy support for custom volume snapshots

It is now possible to copy a custom volume snapshot to another LXD host as a new custom volume.


lxc storage volume copy pool/volume/snap0 targetremote:targetpool/targetvolume

Allow recovery of empty storage pools

The lxd recover tool will now detect empty unknown storage pools and recreate their database records. Previously, this was only done if there was also an unknown instance or custom volume present. This avoids an issue that would prevent creating a storage pool if an empty storage volume was on disk but not in the LXD database.

Documentation improvements

There have been several improvements to the LXD documentation:

CSM SeaBIOS ROM build option change

Due to a suspected compiler change in Ubuntu, the SeaBIOS ROM build was exceeding 128 kilobytes, which meant it would no longer fit inside the EDK2 firmware build. To make it fit, we disabled the CONFIG_SDCARD setting in SeaBIOS, as it was deemed not needed for booting VMs using CSM mode.

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • lxd/cluster/membership: Apply MemberConfig to storage config table
  • lxd/device: Add checkAttachedRunningProcesses function
  • lxd/device/gpu: for VM, if gputype=physical, check that that no procs are tied to card before unbind
  • lxc/volume: Fix docstrings to clarify volume operations
  • lxd/client: Mark HasExtension as deprecated
  • lxd/storage/drivers/zfs: Allow volume snapshot refresh
  • api: Add storage_api_remote_volume_snapshot_copy extension
  • lxd/shared/api: Extend StorageVolumeSnapshotPost for remote copy
  • rest-api: Extend StorageVolumeSnapshotPost for remote copy
  • lxc/volume: Use the right path when copying volume snapshots
  • lxc/volume: Check for storage_api_remote_volume_snapshot_copy extension
  • lxd/api/storage: Add support to copy volume snapshots between remotes
  • lxc/volume: Block --volume-only flag when copying volume snapshots
  • tests: Check various volume snapshot copy operations
  • tests: Check various volume snapshot remote copy operations
  • lxd/config/generate: Update lxd-doc to support yaml type assertion
  • doc/backup: Clean up backup documentation
  • doc/backup: add information about using snap snapshots
  • lxddoc: no default .txt output if path not specified
  • doc: add a link to Ubuntu Discourse
  • lxc/utils: Support parsing of anonymous nested structs
  • test: Add get timestamp property test with instance snapshot
  • shared/proxy: allow SOCKS5 proxy
  • lxd/device/disk: Fix boot from Windows ISO by setting correct FSType for .iso files
  • lxd/storage/drivers/volume: Use vol.IsBlockBacked() in ConfigSize
  • lxd/storage/utils: Use vol.IsBlockBacked in ImageUnpack
  • lxd/storage/backend/lxd: ImageUnpack usage
  • lxd/storage/backend/lxd: Use the result of FillVolumeConfig in EnsureImage when comparing cached volumes
  • lxd/storage/drivers/driver/zfs/volumes: Don’t populate block volume settings for VM volumes in FillVolumeConfig
  • lxd/storage/backend/lxd: Removes unused poolBlockFilesystem function
  • lxd/backup/backup_config_utils: Change helper function to update multiple backup file properties
  • lxd/storage/backend: Update instance backup file on instance import
  • test/suites/backup.sh: Add test for backup export, import, and recovery
  • test/main.sh: Reference test for imported instance recovery
  • lxc/init: Remove project query parameter from instance name
  • lxd/storage/drivers/zfs: Tweak getDatasets
  • lxd/storage/drivers/zfs: Clarify comment
  • lxd/storage/drivers/ceph: Fix typo in comment
  • lxd/storage/zfs: Don’t strip leading slash on snapshots
  • lxd/storage/drivers: Handle newer losetup
  • tests: Skip LVM project test when not on LVM
  • tests: Skip tests on missing commands
  • lxd/storage/pool_interface: Add PostHooks to MountInfo
  • lxd/storage: Add MountInfo to MountCustomVolume
  • lxd: Update for MountCustomVolume change
  • lxd/device/disk: Update for MountCustomVolume change
  • lxd/instance/lxc: Update for MountInfo change
  • api: zfs_delegate
  • doc: Add zfs.delegate for ZFS
  • scripts: Add zfs.delegate to bash completion
  • lxd/storage/drivers/zfs: Detect support for delegation
  • lxd/storage/drivers/zfs: Add zfs.delegate
  • lxd/storage/drivers/zfs: Implement recursion
  • lxd/instance/lxc: Add /dev/zfs when delegation is supported
  • lxd/storage/drivers: Add DelegateVolume and CanDelegateVolume
  • lxd/storage: Add DelegateVolume to PostHooks
  • tests: Add basic ZFS delegation test
  • test/suites/clustering: Add test case for storage config on create vs cluster join
  • lxd/instance/lxc: Restrict /dev/zfs to unprivileged containers
  • doc/installing: update link to tutorial on Discourse
  • doc/cluster: add an example for a ZFS storage pool to preseed
  • lxd/device/device/utils/disk: Look for virtiofsd in /usr/lib/
  • SECURITY.md: update the security policy
  • lxddoc: unmarshal yaml + double-quotes processing
  • lxd/networks: Don’t filter config on project owned networks
  • test/suites/config.sh: LXC 2.0 is EOL
  • test/suites/kernel_limits.sh: LXC 2.0 is EOL
  • test/suites/console.sh: LXC 3.0 is EOL
  • test/suites/storage_driver_zfs.sh: be extra careful when parsing zfs --help
  • doc: change to Diataxis navigation
  • doc: add a link to switch between topical/Diataxis navigation
  • doc: move configuration options one level up
  • github: Install additional packages to enable PKI and concurrent exec tests
  • test: Improve skip message
  • lxd: Move rbac package to auth
  • lxd/auth: Add Authorizer interface
  • auth: Add common authorization driver
  • auth: Add tls authorizer
  • lxd: Add Authorizer to daemon
  • state: Add Authorizer to state
  • rbac: Make rbac use the new Authorizer interface
  • Use Authorizer interface across the code base
  • lxd: Stop status check if RBAC is disabled
  • shared/simplestreams: avoid out of bound array access in GetFiles()
  • lxd/util/kernel: avoid out of bound array access in HugepagesPath()
  • lxd-agent/metrics: avoid out of bound array access in getCPUMetrics()
  • lxd-agent/metrics: avoid out of bound array access in getDiskMetrics()
  • lxd-agent/metrics: avoid out of bound array access in getFilesystemMetrics()
  • lxd-agent/metrics: avoid out of bound array access in getMemoryMetrics()
  • doc: Update IPAM cli output to use documentation-specific IP addresses
  • doc: Add a readthedoc pre-build hook to build and generate codebase doc
  • makefile: don’t use the lxd-doc target in the doc target
  • client/simplestreams_images: avoid out of bound array access in GetImageFile()
  • auth/rbac: Fix uninitialized permission lock
  • rbac: Validate API URL
  • lxd: Pass RBAC agent username to authorizer
  • rbac: Mention config keys on validation error
  • doc: Remove DNS subheading.
  • rbac: Use correct function to get projects
  • Change RaftSpare node to RaftVoter
  • test/container_syscall_interception: supported releases have seccomp_notify support
  • doc: add an index.html redirect for topical navigation
  • lxddoc: Within a config group, alphabetically sort the config options
  • lxddoc/test: Add unit test for sortConfigKeys
  • github: keep GITHUB_ACTIONS in the test env to skip cleanup
  • doc: Add a how to for routed nic devices on VMs.
  • doc: Add the routed nic how to to the toctree.
  • doc: Link to the VM routed nic how-to from the device reference.
  • Update .deepsource.toml
  • static-analysis: Fix shellcheck 0.9.x complaints
  • test/migration: use a smaller ISO file
  • test/backup: use a smaller ISO file
  • test/storage_local_volume_handling: use a smaller ISO file
  • test/storage_volume_import: use smaller ISO files
  • github: run “apt-get clean” to reclaim some space
  • github: the sphinx config moved to doc/
  • test/includes/lxc: avoid printing LXC_LOCAL=1 lxc_remote …
  • test/includes/lxc: avoid printing the eval line in DEBUG
  • lxd/endpoints_exported_test: s/sss/ss/
  • lxd/endpoints/network: s/sss/ss/
  • lxd/endpoints/pprof: s/sss/ss/
  • lxd/networks: s/sss/ss/
  • shared/validate: s/sss/ss/
  • test/basic: s/sss/ss/
  • lxd/device/nic_macvlan: s/suppprt/support/
  • lxd/device/nic_macvlan: s/suppprt/support/
  • lxd/storage/drivers/driver_dir_utils: s/ppp/pp/
  • lxd/util/http: s/fff/ff/
  • lxd/network/bridge: s/dbUpdateNeeeded/dbUpdateNeeded/
  • lxd/network/macvlan: s/dbUpdateNeeeded/dbUpdateNeeded/
  • lxd/network/ovn: s/dbUpdateNeeeded/dbUpdateNeeded/
  • lxd/network/physical: s/dbUpdateNeeeded/dbUpdateNeeded/
  • lxd/network/sriov: s/dbUpdateNeeeded/dbUpdateNeeded/
  • lxd/api_internal_recover: s/neeed/need/
  • lxd/firewall/nftables: s/adddress/address
  • shared/util: fix RandomCryptoString()'s description
  • shared/util: fix JoinTokenDecode()'s description
  • lxd/api_internal_recover: Recover database entry for empty storage pools
  • lxd/main_recover: Allow recovery of empty storage pools
  • test/suites/backup.sh: Update expected no-op recovery output
  • doc: Clarify scope of nexthop config keys in BGP extension
  • lxd/instance/drivers: update instance config if rebuild as empty
  • doc/api-extensions: fix extension name for VM support
  • client/lxd_server: use StringInSlice() in HasExtension()
  • lxc/copy: replace strings.Contains() and .SplitN() by strings.Cut()
  • lxc/init: replace strings.Contains() and .SplitN() by strings.Cut()
  • lxc/project: replace strings.Contains() and .SplitN() by strings.Cut()
  • lxd-migrate: replace strings.SplitN() by strings.Cut()
  • i18n: Update translation files
  • Makefile: “command -v” doesn’t output to stderr
  • doc/security: fix wrongly formatted link
  • doc/storage: mark ZFS as usable inside a container
  • api/instance: Fix instance movement node selection
  • lxd/network: fix bgp.ipv*.nexthop keys not being recognized
  • doc: Align header of macaroon_authentication
  • test/migration: Check instance node when moving within cluster group
  • test: Check that a container rebuilt as empty does not contain image config fields
  • lxd: update swagger description in rebuild endpoint
  • doc: update rest-api.yaml
  • doc: restrict Sphinx version
  • doc/security: add a missing redirect
  • readme: update link
  • doc: temporarily pin Sphinx requirement
  • doc: update link to IRC tutorial
  • doc: update download links
  • fix: helper message typo
  • shared/termios: Use golang.org/x/term instead of golang.org/x/crypto/ssh/terminal
  • gomod: Adds golang.org/x/term
  • i18n: Update translations from weblate
  • gomod: Update dependencies
  • lxd/api_cluster: document cluster options
  • shared/instance: document instance miscellaneous options
  • shared/instance: document instance boot-related options
  • shared/instance: document instance cloud-init options
  • shared/instance: document instance limit options
  • shared/instance: document instance nvidia options
  • shared/instance: document instance raw options
  • shared/instance: document instance security options
  • shared/instance: document instance snapshots options
  • shared/instance: document instance volatile options
  • server: Document the core server options
  • server: Document the acme server options
  • server: Document the candid and rbac server options
  • server: Document the oidc server options
  • server: Document the cluster server options
  • server: Document the images server options
  • server: Document the loki server options
  • server: Document the miscellaneous server options
  • doc/cluster: review config option documentation
  • doc/cluster: use automatically generated config options
  • doc/instances: review config option documentation
  • doc/instances: use automatically generated config options
  • doc/instance: fix spellcheck
  • doc/server: review config option documentation
  • doc/server: use automatically generated config options
  • doc: add configuration option index
  • doc/css: add an orange color to the doc styling
  • lxd-metadata: rename folder to avoid go install issues with other tools
  • doc: update readthedoc hook
  • makefile: update install target of lxddoc
  • doc: update link to distrobuilder docs
  • lxd/devices: adjust network device hotplug check
  • lxd/instance/drivers/driver_lxc: wait for container to start before setNetworkPriority
  • api: add operations_get_query_all_projects extension
  • lxd/db: add support for getting nodes without project name
  • lxd: add all-projects param for operationsGet
  • lxd: add param swagger doc for operationsGet
  • doc/rest-api: Refresh swagger YAML
  • client: add GetOperationsAllProjects
  • tests: add standalone test cases for operations_get
  • lxd/device/nic_bridgeed: Allow migration if nic parent is managed network
  • lxd/instance/drivers/driver_common: Log warnings when auto-migration is prevented by a certain device
  • shared/instance: Improve docs of the cluster.evacuate setting


The release tarballs can be found on our download page.

Binary builds are also available for:

  • Linux: snap install lxd
  • macOS: brew install lxc
  • Windows: choco install lxc

LXD 5.17 is now available in the latest/candidate snap channel and will be rolled out to stable users next week.


Does the delegation support help with running Docker inside a container in some way? What use cases does it allow now?

LXD 5.17 has now been pushed to the latest/stable snap channel using progressive rollout, so it will become available to users gradually.


My understanding is it allows processes inside the container (with the zfs userspace tools installed) to access /dev/zfs (which is passed to the container as part of this feature) and manage sub-datasets/volumes below the container’s main dataset.

This is similar to what was previously only possible with btrfs.
