The Linux Containers community has announced the release of LXC 7.0, a set of tools designed for managing isolated containers. This release offers a runtime suitable for running containers with a full system environment similar to virtual machines, as well as unprivileged containers for individual applications following the OCI standard. LXC is a low-level toolkit focused on individual container operations. For centralized management of containers in a multi-server cluster, the Incus and LXD systems are being developed based on LXC. The LXC 7.0 release is a long-term support version, with updates planned for five years until 2031. The LXC code, written in C, is distributed under the GPLv2 license.
LXC includes the liblxc library, a range of utilities such as lxc-create, lxc-start, lxc-stop and lxc-ls, and templates for creating containers. Isolation is achieved using standard Linux kernel mechanisms: namespaces isolate processes, IPC, the network stack, UTS (hostname), user IDs and mount points. Resource limits are enforced through cgroups, while AppArmor and SELinux profiles, seccomp filters, chroot (pivot_root) and capability policies are used to restrict access and drop privileges.
Key changes in the LXC 7.0 release include:
- Isolation of the container monitor process using the Landlock mechanism, which improves security by removing privileges and filesystem access that the unprivileged program does not need.
- Separation of hook (handler) and container (runtime) configuration through the new settings lxc.environment.hooks and lxc.environment.runtime, so environment variables can be set selectively for hooks and for the container.
- Discontinuation of support for cgroup v1 and for Linux kernels lacking pidfd and the new mount management API.
- A fix for a vulnerability (CVE-2026-39402) that could let a user remove the Open vSwitch (OVS) ports of containers belonging to other users via the "lxc-user-nic delete" command.
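Because LXC 7.0 drops cgroup v1 and kernels without pidfd and the new mount API, a host should be checked before upgrading. The following pre-upgrade check is an added example, not a script from the LXC project; the 5.12 kernel floor is my assumption (pidfd syscalls arrived in 5.3 and mount_setattr() in 5.12) rather than a requirement stated in the announcement.

```shell
#!/bin/sh
# Added pre-upgrade check for LXC 7.0 (not from the LXC project).
# The 5.12 floor is an assumption: pidfd syscalls arrived in 5.3 and
# mount_setattr(), part of the new mount API, in 5.12.

# kernel_at_least MIN HAVE: true if HAVE ("6.1.0-generic") is >= MIN ("5.12").
kernel_at_least() {
    min_major=${1%%.*}
    min_minor=${1#*.}
    min_minor=${min_minor%%.*}
    have=${2%%-*}              # strip the "-generic" style suffix
    have_major=${have%%.*}
    rest=${have#*.}
    have_minor=${rest%%.*}
    [ "$have_major" -gt "$min_major" ] && return 0
    [ "$have_major" -eq "$min_major" ] && [ "$have_minor" -ge "$min_minor" ]
}

# cgroup_v2_mounted [ROOT]: true if the unified cgroup v2 hierarchy is mounted
# at ROOT (default /sys/fs/cgroup). cgroup v1 mounts have no cgroup.controllers.
cgroup_v2_mounted() {
    [ -f "${1:-/sys/fs/cgroup}/cgroup.controllers" ]
}

# host_ready_for_lxc7 [ROOT] [KERNEL]: run both checks, print each failure,
# and return non-zero if the host does not meet the LXC 7.0 requirements.
host_ready_for_lxc7() {
    root=${1:-/sys/fs/cgroup}
    kernel=${2:-$(uname -r)}
    ok=0
    cgroup_v2_mounted "$root" || { echo "cgroup v2 not mounted at $root (cgroup v1 is unsupported)"; ok=1; }
    kernel_at_least 5.12 "$kernel" || { echo "kernel $kernel lacks pidfd/new mount API (need >= 5.12)"; ok=1; }
    return $ok
}

# Run the live check when saved and executed as check_lxc7.sh.
case "$0" in */check_lxc7.sh|check_lxc7.sh) host_ready_for_lxc7 ;; esac
```

Run it as `sh check_lxc7.sh`; a non-zero exit with the printed reasons means the host still needs cgroup v2 or a newer kernel before LXC 7.0 can run there.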