My friend told me today that I should never use LXC without changing its default configuration. Instead, I should prefer to use LXD, as it is "more secure" by default (e.g. AppArmor profiles).
Is that true? What are the differences between LXC and LXD with regard to security?
I know that LXD is a wrapper for LXC, but does it really matter which system I use in terms of "basic" features? I don't need LXD's REST API for example.
The LXC/LXD devs did a lot to make LXD secure by default:
To answer your question about AppArmor profiles, I think, but I'm not sure, that these are the same for LXC and LXD. Except for the "unprivileged" container, I think these products are the same.
Let's wait for a core dev for more details about this question.
Since LXD is using LXC behind the scenes (through go-lxc), it's certainly possible to make an LXC container as safe as an LXD one.
LXD does however make it easy by defaulting to a safe setup, using unprivileged containers by default, generating a per-container seccomp and AppArmor policy and detecting and tweaking a number of extra options depending on container configuration options (automatically configures the devices cgroup, updates various lists of bind-mounts, ...).
So I guess the answer is that yes, LXD is safer, simply because it does all of those things for you, right out of the box, significantly reducing the risk of you forgetting to tweak some particular options.
That does come at the cost of some flexibility obviously. LXC is still your go-to option if you're building your own solution and want to have low-level access to all the kernel features. But if you only care about running containers and having those be safe, with clear, well-defined configuration options, LXD is the way to go nowadays.
(Also, just a reminder that LXC and LXD are both developed by the same people. We do the low level bits in LXC and then use them in LXD by adding the right user experience on top and any automatic logic which makes sense.)
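The answer above lists the four things LXD sets up for you that a hand-written LXC config can silently omit: a user-namespace idmap (unprivileged root), an AppArmor profile, a seccomp policy and a deny-by-default devices cgroup. The script below is an added example, not code from this thread or from the LXC/LXD project: it audits an LXC container config file for those settings so you can see at a glance what a "plain LXC" container is missing relative to the LXD default. The config key names (`lxc.idmap`, `lxc.apparmor.profile`, `lxc.seccomp.profile`, `lxc.cgroup.devices.deny` / `lxc.cgroup2.devices.deny`) are the real LXC 3.x keys; the two sample config files are constructed for the demonstration, and `lxc_audit` / `cfg_value` are hypothetical helper names, not LXC commands.

```shell
#!/bin/sh
# Added example: audit an LXC container config for the hardening that LXD
# applies by default. Config keys are LXC 3.x key names; the sample configs
# written below are constructed for this demonstration only.

# cfg_value KEY FILE: print the last value assigned to KEY in FILE
# (LXC config lines are "key = value"; a later line overrides an earlier one).
cfg_value() {
    key=$(printf '%s\n' "$1" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# lxc_audit FILE: print one line per missing hardening setting and return the
# number of missing settings (0 means the config matches the LXD defaults).
lxc_audit() {
    missing=0

    # 1. Unprivileged container: container uid 0 must be mapped to an
    #    unprivileged host uid range via lxc.idmap (a "u 0 ..." mapping).
    if ! grep -Eq '^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*u[[:space:]]+0[[:space:]]' "$1"; then
        echo "missing: lxc.idmap for uid 0 (container root would be host root)"
        missing=$((missing + 1))
    fi

    # 2. AppArmor: a profile must be set and must not be "unconfined".
    aa=$(cfg_value lxc.apparmor.profile "$1")
    if [ -z "$aa" ] || [ "$aa" = "unconfined" ]; then
        echo "missing: lxc.apparmor.profile (no mandatory access control on the container)"
        missing=$((missing + 1))
    fi

    # 3. seccomp: a syscall filter must be configured.
    if [ -z "$(cfg_value lxc.seccomp.profile "$1")" ]; then
        echo "missing: lxc.seccomp.profile (every syscall is reachable from the container)"
        missing=$((missing + 1))
    fi

    # 4. Devices cgroup: deny all device access by default (v1 or v2 key),
    #    then allow only what is needed with explicit .allow lines.
    if [ "$(cfg_value lxc.cgroup.devices.deny "$1")" != "a" ] &&
       [ "$(cfg_value lxc.cgroup2.devices.deny "$1")" != "a" ]; then
        echo "missing: lxc.cgroup(2).devices.deny = a (host device nodes reachable)"
        missing=$((missing + 1))
    fi

    return "$missing"
}

# --- constructed sample configs (not taken from any real host) ---
TMP_CFG_DIR=$(mktemp -d)
trap 'rm -rf "$TMP_CFG_DIR"' EXIT
SAFE_CFG="$TMP_CFG_DIR/safe.conf"
WEAK_CFG="$TMP_CFG_DIR/weak.conf"

# Roughly what LXD produces by default, expressed as LXC keys.
cat > "$SAFE_CFG" <<'EOF'
lxc.uts.name = web
lxc.rootfs.path = dir:/var/lib/lxc/web/rootfs
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.apparmor.profile = lxc-container-default-cgns
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
EOF

# A minimal hand-written config: privileged, no MAC, no seccomp, no device limits.
cat > "$WEAK_CFG" <<'EOF'
lxc.uts.name = legacy
lxc.rootfs.path = dir:/var/lib/lxc/legacy/rootfs
lxc.apparmor.profile = unconfined
EOF

echo "== $SAFE_CFG"
lxc_audit "$SAFE_CFG" && echo "ok: all four LXD-default protections present"
echo "== $WEAK_CFG"
lxc_audit "$WEAK_CFG" || echo "weak config: $? protection(s) missing"
```

Run it against a real container's config (`/var/lib/lxc/<name>/config` for system containers, or `~/.local/share/lxc/<name>/config` for per-user ones) by calling `lxc_audit` on that path; a non-zero return is the list of things LXD would have configured for you. The check is deliberately conservative: it only reports a key as present when its value is one that actually confines the container, so `lxc.apparmor.profile = unconfined` counts as missing.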
@stgraber thank you so much for this detailed answer! This should be put somewhere on the LXC / LXD websites (please!)
@stgraber Just for curiosity; is this the same team which developed LXC in 2008?
@inf3rno no, the LXC team has evolved and changed quite a bit over the years. It started with @dlezcano, who wrote the initial LXC codebase and was its top contributor and maintainer until around 2011, when @hallyn started pushing a number of changes to LXC for Ubuntu. I got active in 2012 and started maintaining a staging branch that Daniel would then pull from. In late 2013, Daniel made @hallyn and myself maintainers for LXC. We've since added Dwight and Christian as committers to it.
So it's certainly still the same project but people have been coming and going over the past decade as their interests change.