LXD 6.7 supports AMD GPUs and improves cluster management

Canonical has released LXD 6.7: The new version of the container and VM manager extends GPU support to AMD hardware and brings improvements for cluster operation.

With the new version, users can pass through AMD graphics cards to containers. LXD supports the AMD Container Device Interface (CDI), which is included in the snap package. The command lxc config device add <instance> <device> gpu gputype=physical id=amd.com/gpu=0 binds a single GPU, and with id=amd.com/gpu=all, all available AMD graphics cards can be passed through. AMD CDI works analogously to the already known Nvidia Container Device Interface.

LXD 6.7 integrates QEMU 10.2 and EDK2 firmware 2025.02 – previously, QEMU 8.2.2 and EDK2 2023.11 were on board. The updated virtualization layer supports dynamic MMIO window sizes, increasing compatibility with modern graphics cards.

For processors with the x86-64-v3 instruction set, admins can now use optimized container images. The variants, designated amd64v3, utilize modern CPU instructions such as AVX, AVX2, BMI1, BMI2, and FMA. This increases performance on CPUs from the last ten years but does not work on older processors. The command ld.so --help | grep '\-v[0-9]' shows whether a system supports the architecture variant.

Cluster Recovery and Placement Groups

For cluster environments, LXD 6.7 introduces a recovery mechanism for storage pools. The new option source.recover when creating storage pools allows existing pools to be scanned without modifying data. This expands the existing lxd recover command with cluster functions and aids in disaster recovery.

Placement Groups allow control over the distribution of instances in clusters. The feature can be used in two ways: "spread" distributes instances across different cluster members (high availability), and "compact" groups them on a single member (minimal latency). Admins can enforce placement strictly or permissively. The command lxc placement-group create my-pg policy=spread rigor=strict creates such a group. The LXD web interface supports the configuration and use of Placement Groups.

The API now allows forced deletion of projects and instances – even if they are still running or frozen. The asynchronous DELETE command indicates which entities are affected. This function is only forward-compatible.

Simplified Access to the Web Interface

Initial access to the LXD web interface is now via a temporary link with a bearer token, valid for one day. The commands lxd init or lxd init --ui-initial-access-link generate the access link. After the first login, permanent authentication is set up via browser certificates with trust tokens, or via mTLS or OIDC. Browsers warn about self-signed certificates – which is acceptable at least for local or protected installations.

LXD 6.7 also introduces bearer authentication as a new identity type. The API endpoint /1.0/auth/identities/current displays the expiration date for bearer and TLS identities. The new authentication method is based on OAuth standards.

When querying instance status, admins can now retrieve individual fields. The parameter recursion in combination with fields – for example, ?recursion=2;fields=state.disk – avoids expensive disk or network queries and reduces system load.

The web interface has received various improvements: configuration of Placement Groups, network configuration with IP reservation and ACLs, full-screen cloud-init editor, informative tooltips for cluster members and networks, and a list of cluster members with storage information. Additionally, there are local peerings for OVN networks, unified error screens, and the option to migrate storage volumes between cluster members.

LXD 6.7 is now available in the snap channel 6/candidate and will be moved to 6/stable next week. Installation is done with snap install lxd --channel=6/stable. On macOS, users can use brew install lxc, and on Windows, choco install lxc. Further details can be found in the official announcement.

(fo)