<!doctype html> <html class="no-js" lang="en" data-content_root="../../"> <head><meta charset="utf-8"/> <meta name="viewport" content="width=device-width,initial-scale=1"/> <meta name="color-scheme" content="light dark"><meta name="viewport" content="width=device-width, initial-scale=1" /> <meta property="og:title" content="Security" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://documentation.ubuntu.com/lxd/latest/explanation/security/" /> <meta property="og:site_name" content="LXD documentation" /> <meta property="og:description" content="Consider the following aspects to ensure that your LXD installation is secure: Keep your operating system up-to-date and install all available security patches., Use only supported LXD versions (LT..." /> <meta property="og:image" content="https://documentation.ubuntu.com/lxd/latest/_static/tag.png" /> <meta property="og:image:alt" content="LXD documentation" /> <meta name="description" content="Consider the following aspects to ensure that your LXD installation is secure: Keep your operating system up-to-date and install all available security patches., Use only supported LXD versions (LT..." 
/> <link rel="index" title="Index" href="../../genindex/" /><link rel="search" title="Search" href="../../search/" /><link rel="next" title="Privilege delegation using BPF Token" href="../bpf/" /><link rel="prev" title="Performance tuning" href="../performance_tuning/" /> <link rel="canonical" href="https://documentation.ubuntu.com/lxd/explanation/security/" /> <link rel="shortcut icon" href="../../_static/favicon.ico"/><!-- Generated with Sphinx 8.2.3 and Furo 2025.07.19 --> <title>Security</title> <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=d111a655" /> <link rel="stylesheet" type="text/css" href="../../_static/styles/furo.css?v=25af2a20" /> <link rel="stylesheet" type="text/css" href="../../_static/copybutton.css?v=76b2166b" /> <link rel="stylesheet" type="text/css" href="../../_static/youtube.css" /> <link rel="stylesheet" type="text/css" href="../../_static/related-links.css" /> <link rel="stylesheet" type="text/css" href="../../_static/terminal-output.css" /> <link rel="stylesheet" type="text/css" href="../../_static/config-options.css" /> <link rel="stylesheet" type="text/css" href="../../_static/sphinx-design.min.css?v=95c83b7e" /> <link rel="stylesheet" type="text/css" href="../../_static/styles/furo-extensions.css?v=8dab3a3b" /> <link rel="stylesheet" type="text/css" href="../../_static/custom.css?v=66d86e9d" /> <link rel="stylesheet" type="text/css" href="../../_static/header.css?v=84f70f09" /> <link rel="stylesheet" type="text/css" href="../../_static/github_issue_links.css?v=af88fb93" /> <link rel="stylesheet" type="text/css" href="../../_static/furo_colors.css?v=c4ccdb8a" /> <link rel="stylesheet" type="text/css" href="../../_static/footer.css?v=bd05fc90" /> <link rel="stylesheet" type="text/css" href="../../_static/cookie-banner.css?v=b74831ab" /> </head> <body> <header id="header" class="p-navigation"> <script type="module" src="../../_static/js/bundle.js"> </script> <!-- Google Tag Manager --> <script> (function(w, d, 
s, l, i) { w[l] = w[l] || []; w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' }); var f = d.getElementsByTagName(s)[0]; var j = d.createElement(s); var dl = ''; if (l != 'dataLayer') { dl = '&l=' + l; } j.async = true; j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f); })(window, document, 'script', 'dataLayer', 'GTM-KNX3CJC'); </script> <div class="p-navigation__nav" role="menubar"> <ul class="p-navigation__links" role="menu"> <li> <a class="p-logo" href="https://canonical.com/lxd" aria-current="page"> <img src="../../_static/tag.png" alt="Logo" class="p-logo-image"> <div class="p-logo-text p-heading--4">LXD </div> </a> </li> <li class="nav-ubuntu-com"> <a href="https://canonical.com/lxd" class="p-navigation__link">canonical.com/lxd</a> </li> <li> <a href="#" class="p-navigation__link nav-more-links">More resources</a> <ul class="more-links-dropdown"> <li> <a href="https://ubuntu.com/lxd/install/" class="p-navigation__sub-link p-dropdown__link">Install LXD</a> </li> <li> <a href="https://ubuntu.com/lxd/manage/" class="p-navigation__sub-link p-dropdown__link">Manage LXD</a> </li> <li> <a href="https://discourse.ubuntu.com/c/lxd/" class="p-navigation__sub-link p-dropdown__link">Forum</a> </li> <li> <a href="https://github.com/canonical/lxd" class="p-navigation__sub-link p-dropdown__link">GitHub</a> </li> </ul> </li> </ul> </div> </header> <script> document.body.dataset.theme = localStorage.getItem("theme") || "auto"; </script> <svg xmlns="http://www.w3.org/2000/svg" style="display: none;"> <symbol id="svg-toc" viewBox="0 0 24 24"> <title>Contents</title> <svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 1024 1024"> <path d="M408 442h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8zm-8 204c0 4.4 3.6 8 8 8h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56zm504-486H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 
8-8v-56c0-4.4-3.6-8-8-8zm0 632H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM115.4 518.9L271.7 642c5.8 4.6 14.4.5 14.4-6.9V388.9c0-7.4-8.5-11.5-14.4-6.9L115.4 505.1a8.74 8.74 0 0 0 0 13.8z"/> </svg> </symbol> <symbol id="svg-menu" viewBox="0 0 24 24"> <title>Menu</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-menu"> <line x1="3" y1="12" x2="21" y2="12"></line> <line x1="3" y1="6" x2="21" y2="6"></line> <line x1="3" y1="18" x2="21" y2="18"></line> </svg> </symbol> <symbol id="svg-arrow-right" viewBox="0 0 24 24"> <title>Expand</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-chevron-right"> <polyline points="9 18 15 12 9 6"></polyline> </svg> </symbol> <symbol id="svg-sun" viewBox="0 0 24 24"> <title>Light mode</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="feather-sun"> <circle cx="12" cy="12" r="5"></circle> <line x1="12" y1="1" x2="12" y2="3"></line> <line x1="12" y1="21" x2="12" y2="23"></line> <line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line> <line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line> <line x1="1" y1="12" x2="3" y2="12"></line> <line x1="21" y1="12" x2="23" y2="12"></line> <line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line> <line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line> </svg> </symbol> <symbol id="svg-moon" viewBox="0 0 24 24"> <title>Dark mode</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-moon"> <path stroke="none" d="M0 0h24v24H0z" fill="none" /> <path d="M12 3c.132 0 
.263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z" /> </svg> </symbol> <symbol id="svg-sun-with-moon" viewBox="0 0 24 24"> <title>Auto light/dark, in light mode</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-custom-derived-from-feather-sun-and-tabler-moon"> <path style="opacity: 50%" d="M 5.411 14.504 C 5.471 14.504 5.532 14.504 5.591 14.504 C 3.639 16.319 4.383 19.569 6.931 20.352 C 7.693 20.586 8.512 20.551 9.25 20.252 C 8.023 23.207 4.056 23.725 2.11 21.184 C 0.166 18.642 1.702 14.949 4.874 14.536 C 5.051 14.512 5.231 14.5 5.411 14.5 L 5.411 14.504 Z"/> <line x1="14.5" y1="3.25" x2="14.5" y2="1.25"/> <line x1="14.5" y1="15.85" x2="14.5" y2="17.85"/> <line x1="10.044" y1="5.094" x2="8.63" y2="3.68"/> <line x1="19" y1="14.05" x2="20.414" y2="15.464"/> <line x1="8.2" y1="9.55" x2="6.2" y2="9.55"/> <line x1="20.8" y1="9.55" x2="22.8" y2="9.55"/> <line x1="10.044" y1="14.006" x2="8.63" y2="15.42"/> <line x1="19" y1="5.05" x2="20.414" y2="3.636"/> <circle cx="14.5" cy="9.55" r="3.6"/> </svg> </symbol> <symbol id="svg-moon-with-sun" viewBox="0 0 24 24"> <title>Auto light/dark, in dark mode</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-custom-derived-from-feather-sun-and-tabler-moon"> <path d="M 8.282 7.007 C 8.385 7.007 8.494 7.007 8.595 7.007 C 5.18 10.184 6.481 15.869 10.942 17.24 C 12.275 17.648 13.706 17.589 15 17.066 C 12.851 22.236 5.91 23.143 2.505 18.696 C -0.897 14.249 1.791 7.786 7.342 7.063 C 7.652 7.021 7.965 7 8.282 7 L 8.282 7.007 Z"/> <line style="opacity: 50%" x1="18" y1="3.705" x2="18" y2="2.5"/> <line style="opacity: 50%" x1="18" y1="11.295" x2="18" y2="12.5"/> <line style="opacity: 50%" x1="15.316" y1="4.816" x2="14.464" y2="3.964"/> <line style="opacity: 50%" x1="20.711" 
y1="10.212" x2="21.563" y2="11.063"/> <line style="opacity: 50%" x1="14.205" y1="7.5" x2="13.001" y2="7.5"/> <line style="opacity: 50%" x1="21.795" y1="7.5" x2="23" y2="7.5"/> <line style="opacity: 50%" x1="15.316" y1="10.184" x2="14.464" y2="11.036"/> <line style="opacity: 50%" x1="20.711" y1="4.789" x2="21.563" y2="3.937"/> <circle style="opacity: 50%" cx="18" cy="7.5" r="2.169"/> </svg> </symbol> <symbol id="svg-pencil" viewBox="0 0 24 24"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-pencil-code"> <path d="M4 20h4l10.5 -10.5a2.828 2.828 0 1 0 -4 -4l-10.5 10.5v4" /> <path d="M13.5 6.5l4 4" /> <path d="M20 21l2 -2l-2 -2" /> <path d="M17 17l-2 2l2 2" /> </svg> </symbol> <symbol id="svg-eye" viewBox="0 0 24 24"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-eye-code"> <path stroke="none" d="M0 0h24v24H0z" fill="none" /> <path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" /> <path d="M11.11 17.958c-3.209 -.307 -5.91 -2.293 -8.11 -5.958c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6c-.21 .352 -.427 .688 -.647 1.008" /> <path d="M20 21l2 -2l-2 -2" /> <path d="M17 17l-2 2l2 2" /> </svg> </symbol> </svg> <input type="checkbox" class="sidebar-toggle" name="__navigation" id="__navigation"> <input type="checkbox" class="sidebar-toggle" name="__toc" id="__toc"> <label class="overlay sidebar-overlay" for="__navigation"> <div class="visually-hidden">Hide navigation sidebar</div> </label> <label class="overlay toc-overlay" for="__toc"> <div class="visually-hidden">Hide table of contents sidebar</div> </label> <a class="skip-to-content muted-link" href="#furo-main-content">Skip to content</a> <div class="page"> <header class="mobile-header"> <div class="header-left"> <label class="nav-overlay-icon" for="__navigation"> <div 
class="visually-hidden">Toggle site navigation sidebar</div> <i class="icon"><svg><use href="#svg-menu"></use></svg></i> </label> </div> <div class="header-center"> <a href="../../"><div class="brand">LXD</div></a> </div> <div class="header-right"> <div class="theme-toggle-container theme-toggle-header"> <button class="theme-toggle"> <div class="visually-hidden">Toggle Light / Dark / Auto color theme</div> <svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg> <svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg> <svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg> <svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg> </button> </div> <label class="toc-overlay-icon toc-header-icon" for="__toc"> <div class="visually-hidden">Toggle table of contents sidebar</div> <i class="icon"><svg><use href="#svg-toc"></use></svg></i> </label> </div> </header> <aside class="sidebar-drawer"> <div class="sidebar-container"> <div class="sidebar-sticky"><a class="sidebar-brand" href="../../"> </a><form class="sidebar-search-container" method="get" action="../../search/" role="search"> <input class="sidebar-search" placeholder="Search" name="q" aria-label="Search"> <input type="submit" value="Go"> <input type="hidden" name="check_keywords" value="yes"> <input type="hidden" name="area" value="default"> </form> <div id="searchbox"></div><div class="sidebar-scroll"><div class="sidebar-tree"> <ul class="current"> <li class="toctree-l1"><a class="reference internal" href="../../">LXD</a></li> <li class="toctree-l1 has-children"><a class="reference internal" href="../../tutorial/">Tutorials</a><input class="toctree-checkbox" id="toctree-checkbox-1" name="toctree-checkbox-1" role="switch" type="checkbox"/><label for="toctree-checkbox-1"><div class="visually-hidden">Toggle navigation of Tutorials</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l2"><a 
class="reference internal" href="../../tutorial/first_steps/">First steps with LXD</a></li> <li class="toctree-l2"><a class="reference internal" href="../../tutorial/ui/">Getting started with the UI</a></li> </ul> </li> <li class="toctree-l1 has-children"><a class="reference internal" href="../../howto/">How-to guides</a><input class="toctree-checkbox" id="toctree-checkbox-2" name="toctree-checkbox-2" role="switch" type="checkbox"/><label for="toctree-checkbox-2"><div class="visually-hidden">Toggle navigation of How-to guides</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l2 has-children"><a class="reference internal" href="../../getting_started/">Getting started</a><input class="toctree-checkbox" id="toctree-checkbox-3" name="toctree-checkbox-3" role="switch" type="checkbox"/><label for="toctree-checkbox-3"><div class="visually-hidden">Toggle navigation of Getting started</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../../installing/">Install LXD</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/initialize/">Initialize LXD</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/access_ui/">Access the UI</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/access_documentation/">Access documentation locally</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../../operation/">LXD server and client</a><input class="toctree-checkbox" id="toctree-checkbox-4" name="toctree-checkbox-4" role="switch" type="checkbox"/><label for="toctree-checkbox-4"><div class="visually-hidden">Toggle navigation of LXD server and client</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../../howto/server_expose/">Expose LXD to 
the network</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/server_configure/">Configure the LXD server</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/oidc_auth0/">Configure OIDC authentication with Auth0</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/oidc_ory/">Configure OIDC authentication with Ory Hydra</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/oidc_keycloak/">Configure OIDC authentication with Keycloak</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/oidc_entra_id/">Configure OIDC authentication with Microsoft Entra ID</a></li> <li class="toctree-l3"><a class="reference internal" href="../../remotes/">Add remote servers</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/lxc_alias/">Add command aliases</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../../instances/">Instances</a><input class="toctree-checkbox" id="toctree-checkbox-5" name="toctree-checkbox-5" role="switch" type="checkbox"/><label for="toctree-checkbox-5"><div class="visually-hidden">Toggle navigation of Instances</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../../howto/instances_create/">Create instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/instances_configure/">Configure instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/instances_manage/">Manage instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../../profiles/">Use profiles</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/instances_troubleshoot/">Troubleshoot errors</a></li> <li class="toctree-l3"><a class="reference internal" 
href="../../howto/instances_ubuntu_pro_attach/">Auto attach Ubuntu Pro</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/instances_access_files/">Access files</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/instances_console/">Access the console</a></li> <li class="toctree-l3"><a class="reference internal" href="../../instance-exec/">Run commands</a></li> <li class="toctree-l3"><a class="reference internal" href="../../cloud-init/">Use cloud-init</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/instances_routed_nic_vm/">Add a routed NIC to a VM</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/instances_backup/">Back up instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/instances_migrate/">Migrate instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/import_machines_to_instances/">Import existing machines</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/container_gpu_passthrough_with_docker/">Pass NVIDIA GPUs</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../../images/">Images</a><input class="toctree-checkbox" id="toctree-checkbox-6" name="toctree-checkbox-6" role="switch" type="checkbox"/><label for="toctree-checkbox-6"><div class="visually-hidden">Toggle navigation of Images</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../../howto/images_remote/">Use remote images</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/images_manage/">Manage images</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/images_profiles/">Associate profiles</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/images_copy/">Copy and import 
images</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/images_create/">Create images</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../../projects/">Projects</a><input class="toctree-checkbox" id="toctree-checkbox-7" name="toctree-checkbox-7" role="switch" type="checkbox"/><label for="toctree-checkbox-7"><div class="visually-hidden">Toggle navigation of Projects</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../../howto/projects_create/">Create and configure</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/projects_work/">Work with projects</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/projects_confine/">Confine users to projects</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../../storage/">Storage</a><input class="toctree-checkbox" id="toctree-checkbox-8" name="toctree-checkbox-8" role="switch" type="checkbox"/><label for="toctree-checkbox-8"><div class="visually-hidden">Toggle navigation of Storage</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../../howto/storage_pools/">Manage pools</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/storage_volumes/">Manage volumes</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/storage_buckets/">Manage buckets</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/storage_create_instance/">Create an instance in a pool</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/storage_backup_volume/">Back up a volume</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/storage_move_volume/">Move or copy a volume</a></li> 
</ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../../networks/">Networking</a><input class="toctree-checkbox" id="toctree-checkbox-9" name="toctree-checkbox-9" role="switch" type="checkbox"/><label for="toctree-checkbox-9"><div class="visually-hidden">Toggle navigation of Networking</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_create/">Create a network</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_configure/">Configure a network</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_bgp/">Configure as BGP server</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_acls/">Configure network ACLs</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_forwards/">Configure forwards</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_zones/">Configure network zones</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_bridge_firewalld/">Configure your firewall</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_bridge_resolved/">Integrate with resolved</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_ovn_setup/">Set up OVN</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_load_balancers/">Configure load balancers</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_ovn_peers/">Configure peer routing</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_ipam/">Display IPAM information</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../../clustering/">Clustering</a><input 
class="toctree-checkbox" id="toctree-checkbox-10" name="toctree-checkbox-10" role="switch" type="checkbox"/><label for="toctree-checkbox-10"><div class="visually-hidden">Toggle navigation of Clustering</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_form/">Form a cluster</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_manage/">Manage a cluster</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_config_networks/">Configure networks</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_config_storage/">Configure storage</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_manage_instance/">Manage instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_groups/">Set up cluster groups</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/cluster_recover/">Recover a cluster</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../../production-setup/">Production setup</a><input class="toctree-checkbox" id="toctree-checkbox-11" name="toctree-checkbox-11" role="switch" type="checkbox"/><label for="toctree-checkbox-11"><div class="visually-hidden">Toggle navigation of Production setup</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../../howto/benchmark_performance/">Benchmark performance</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_increase_bandwidth/">Increase bandwidth</a></li> <li class="toctree-l3"><a class="reference internal" href="../../metrics/">Monitor metrics</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/logs_loki/">Send logs to 
Loki</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/grafana/">Set up Grafana</a></li> <li class="toctree-l3"><a class="reference internal" href="../../backup/">Back up a server</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/disaster_recovery/">Recover instances</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../../howto/snap/">Manage the snap</a></li> <li class="toctree-l2 has-children"><a class="reference internal" href="../../howto/troubleshoot/">Troubleshooting</a><input class="toctree-checkbox" id="toctree-checkbox-12" name="toctree-checkbox-12" role="switch" type="checkbox"/><label for="toctree-checkbox-12"><div class="visually-hidden">Toggle navigation of Troubleshooting</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../../howto/network_bridge_firewalld/">Configure your firewall</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/instances_troubleshoot/">Troubleshoot instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../../howto/dqlite_troubleshoot/">Troubleshoot Dqlite</a></li> <li class="toctree-l3"><a class="reference internal" href="../../debugging/">Debug LXD</a></li> <li class="toctree-l3"><a class="reference internal" href="../../faq/">Frequently asked</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../../support/">Get support</a></li> <li class="toctree-l2"><a class="reference internal" href="../../contributing/">Contribute to LXD</a></li> </ul> </li> <li class="toctree-l1 current has-children"><a class="reference internal" href="../">Explanation</a><input checked="" class="toctree-checkbox" id="toctree-checkbox-13" name="toctree-checkbox-13" role="switch" type="checkbox"/><label for="toctree-checkbox-13"><div class="visually-hidden">Toggle navigation of Explanation</div><i 
class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul class="current"> <li class="toctree-l2"><a class="reference internal" href="../lxd_lxc/"><code class="docutils literal notranslate"><span class="pre">lxd</span></code> and <code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li> <li class="toctree-l2"><a class="reference internal" href="../instances/">Containers and VMs</a></li> <li class="toctree-l2"><a class="reference internal" href="../../image-handling/">Local and remote images</a></li> <li class="toctree-l2"><a class="reference internal" href="../storage/">Storage pools, volumes, and buckets</a></li> <li class="toctree-l2"><a class="reference internal" href="../networks/">Networking setups</a></li> <li class="toctree-l2"><a class="reference internal" href="../../database/">The LXD Dqlite database</a></li> <li class="toctree-l2"><a class="reference internal" href="../lxc_show_info/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code> <code class="docutils literal notranslate"><span class="pre">show</span></code> and <code class="docutils literal notranslate"><span class="pre">info</span></code></a></li> <li class="toctree-l2"><a class="reference internal" href="../../authentication/">Remote API authentication</a></li> <li class="toctree-l2"><a class="reference internal" href="../authorization/">Remote API authorization</a></li> <li class="toctree-l2"><a class="reference internal" href="../projects/">Instances grouping with projects</a></li> <li class="toctree-l2"><a class="reference internal" href="../clusters/">Clusters</a></li> <li class="toctree-l2"><a class="reference internal" href="../performance_tuning/">Performance tuning</a></li> <li class="toctree-l2 current current-page"><a class="current reference internal" href="#">Security</a></li> <li class="toctree-l2"><a class="reference internal" href="../bpf/">Privilege delegation using BPF Token</a></li> </ul> </li> <li 
href="https://images.lxd.canonical.com">Image server</a></li> </ul> </li> </ul> </div> </div> </div> </div> </aside> <div class="main"> <div class="content"> <div class="article-container"> <a href="#" class="back-to-top muted-link"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"> <path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12z"></path> </svg> <span>Back to top</span> </a> <div class="content-icon-container"> <div class="view-this-page"> <a class="muted-link" href="../../_sources/explanation/security.md.txt" title="View this page"> <svg><use href="#svg-eye"></use></svg> <span class="visually-hidden">View this page</span> </a> </div> <div class="theme-toggle-container theme-toggle-content"> <button class="theme-toggle"> <div class="visually-hidden">Toggle Light / Dark / Auto color theme</div> <svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg> <svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg> <svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg> <svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg> </button> </div> <label class="toc-overlay-icon toc-content-icon" for="__toc"> <div class="visually-hidden">Toggle table of contents sidebar</div> <i class="icon"><svg><use href="#svg-toc"></use></svg></i> </label> </div> <article role="main" id="furo-main-content"> <section id="security"> <span id="exp-security"></span><span id="id1"></span><h1>Security<a class="headerlink" href="#security" title="Link to this heading">¶</a></h1> <p class="youtube_link"> <a href="https://www.youtube.com/watch?v=cOOzKdYHkus" target="_blank"> <span title="LXD security - YouTube" class="play_icon">▶</span> <span title="LXD security - YouTube">Watch on YouTube</span> </a> </p><p>Consider the following aspects to ensure that your LXD installation is secure:</p> <ul class="simple"> <li><p>Keep your operating system up-to-date and install all available 
security patches.</p></li> <li><p>Use only supported LXD versions (LTS releases or the latest feature release).</p></li> <li><p>Restrict access to the LXD daemon and the remote API.</p></li> <li><p>Configure your network interfaces to be secure.</p></li> <li><p>Do not use privileged containers unless required. If you use privileged containers, put appropriate security measures in place.</p></li> </ul> <p>See the following sections for detailed information.</p> <p>If you discover a security issue, see the <a class="reference external" href="https://github.com/canonical/lxd/blob/main/SECURITY.md">LXD security policy</a> for information on how to report the issue.</p> <section id="supported-versions"> <h2>Supported versions<a class="headerlink" href="#supported-versions" title="Link to this heading">¶</a></h2> <p>Never use unsupported LXD versions in a production environment.</p> <p>LXD has two types of releases:</p> <ul class="simple"> <li><p>Feature releases</p></li> <li><p>LTS releases</p></li> </ul> <p>For feature releases, only the latest one is supported, and we usually don’t do point releases. Instead, users are expected to wait until the next feature release.</p> <p>For LTS releases, we do periodic bugfix releases that include an accumulation of bugfixes from the feature releases. Such bugfix releases do not include new features.</p> </section> <section id="access-to-the-lxd-daemon"> <span id="security-daemon-access"></span><h2>Access to the LXD daemon<a class="headerlink" href="#access-to-the-lxd-daemon" title="Link to this heading">¶</a></h2> <p>LXD is a daemon that can be accessed locally over a Unix socket or, if configured, remotely over a <abbr title="Transport Layer Security">TLS</abbr> socket. 
Anyone with access to the socket can fully control LXD, which includes the ability to attach host devices and file systems or to tweak the security features for all instances.</p> <p>Therefore, make sure to restrict the access to the daemon to trusted users.</p> <section id="local-access-to-the-lxd-daemon"> <h3>Local access to the LXD daemon<a class="headerlink" href="#local-access-to-the-lxd-daemon" title="Link to this heading">¶</a></h3> <p>The LXD daemon runs as root and provides a Unix socket for local communication. Access control for LXD is based on group membership. The root user and all members of the <code class="docutils literal notranslate"><span class="pre">lxd</span></code> group can interact with the local daemon.</p> <div class="admonition important"> <p class="admonition-title">Important</p> <p>Local access to LXD through the Unix socket always grants full access to LXD. This includes the ability to attach file system paths or devices to any instance as well as tweak the security features on any instance.</p> <p>Therefore, you should only give such access to users who you’d trust with root access to your system.</p> </div> </section> <section id="access-to-the-remote-api"> <span id="security-remote-access"></span><h3>Access to the remote API<a class="headerlink" href="#access-to-the-remote-api" title="Link to this heading">¶</a></h3> <p>By default, access to the daemon is only possible locally. By setting the <a class="configref reference internal" href="../../server/#server-core:core.https_address"><code class="docutils literal notranslate"><span class="pre">core.https_address</span></code></a> configuration option, you can expose the same API over the network on a <abbr title="Transport Layer Security">TLS</abbr> socket. See <a class="reference internal" href="../../howto/server_expose/#server-expose"><span class="std std-ref">How to expose LXD to the network</span></a> for instructions. 
Remote clients can then connect to LXD and access any image that is marked for public use.</p> <p>There are several ways to authenticate remote clients as trusted clients to allow them to access the API. See <a class="reference internal" href="../../authentication/#authentication"><span class="std std-ref">Remote API authentication</span></a> for details.</p> <p>In a production setup, you should set <a class="configref reference internal" href="../../server/#server-core:core.https_address"><code class="docutils literal notranslate"><span class="pre">core.https_address</span></code></a> to the single address where the server should be available (rather than any address on the host). In addition, you should set firewall rules to allow access to the LXD port only from authorized hosts/subnets.</p> </section> </section> <section id="container-security"> <span id="id2"></span><h2>Container security<a class="headerlink" href="#container-security" title="Link to this heading">¶</a></h2> <p>LXD containers can use a wide range of features for security.</p> <p>Also see the <a class="reference external" href="https://linuxcontainers.org/lxc/security/">LXC security page</a> on <code class="docutils literal notranslate"><span class="pre">linuxcontainers.org</span></code> for details on LXC container security and the applied kernel features.</p> <section id="unprivileged-containers"> <h3>Unprivileged containers<a class="headerlink" href="#unprivileged-containers" title="Link to this heading">¶</a></h3> <p>By default, containers are <em>unprivileged</em>, meaning that they operate inside a user namespace, restricting the abilities of users in the container to that of regular users on the host with limited privileges on the devices that the container owns.</p> <p>Unprivileged containers are safe by design: The container UID 0 is mapped to an unprivileged user outside of the container. 
It has extra rights only on resources that it owns itself.</p> <p>This mechanism ensures that most security issues (for example, container escape or resource abuse) that might occur in a container apply just as well to a random unprivileged user, which means they are a generic kernel security bug rather than a LXD issue.</p> <div class="admonition tip"> <p class="admonition-title">Tip</p> <p>If data sharing between containers isn’t needed, you can enable <a class="configref reference internal" href="../../reference/instance_options/#instance-security:security.idmap.isolated"><code class="docutils literal notranslate"><span class="pre">security.idmap.isolated</span></code></a>, which will use non-overlapping UID/GID maps for each container, preventing potential <abbr title="Denial of Service">DoS</abbr> attacks on other containers.</p> </div> </section> <section id="privileged-containers"> <h3>Privileged containers<a class="headerlink" href="#privileged-containers" title="Link to this heading">¶</a></h3> <p>LXD can also run <em>privileged</em> containers. In privileged containers, the container UID 0 is mapped to the host’s UID 0.</p> <p>Such privileged containers are not root-safe, and a user with root access in such a container will be able to DoS the host as well as find ways to escape confinement.</p> <p>LXC applies some protection measures to privileged containers to prevent accidental damage of the host (where damage is defined as things like reconfiguring host hardware, reconfiguring the host kernel, or accessing the host file system). This protection of the host and prevention of escape is achieved through mandatory access control (<code class="docutils literal notranslate"><span class="pre">apparmor</span></code>, <code class="docutils literal notranslate"><span class="pre">selinux</span></code>), Seccomp filters, dropping of capabilities, and namespaces. 
These measures are valuable when running trusted workloads, but they do not make privileged containers root-safe.</p> <p>Therefore, you should not use privileged containers unless required. If you use them, make sure to put appropriate security measures in place.</p> </section> <section id="container-name-leakage"> <h3>Container name leakage<a class="headerlink" href="#container-name-leakage" title="Link to this heading">¶</a></h3> <p>The default server configuration makes it easy to list all cgroups on a system and, by extension, all running containers.</p> <p>You can prevent this name leakage by blocking access to <code class="docutils literal notranslate"><span class="pre">/sys/kernel/slab</span></code> and <code class="docutils literal notranslate"><span class="pre">/proc/sched_debug</span></code> before you start any containers. To do so, run the following commands:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>chmod 400 /proc/sched_debug
chmod 700 /sys/kernel/slab/
</pre></div> </div> </section> </section> <section id="network-security"> <h2>Network security<a class="headerlink" href="#network-security" title="Link to this heading">¶</a></h2> <p>Make sure to configure your network interfaces to be secure. Which aspects you should consider depends on the networking mode you decide to use.</p> <section id="bridged-nic-security"> <h3>Bridged NIC security<a class="headerlink" href="#bridged-nic-security" title="Link to this heading">¶</a></h3> <p>The default networking mode in LXD is to provide a “managed” private network bridge that each instance connects to. 
In this mode, there is an interface on the host called <code class="docutils literal notranslate"><span class="pre">lxdbr0</span></code> that acts as the bridge for the instances.</p> <p>The host runs an instance of <code class="docutils literal notranslate"><span class="pre">dnsmasq</span></code> for each managed bridge, which is responsible for allocating IP addresses and providing both authoritative and recursive DNS services.</p> <p>Instances using DHCPv4 will be allocated an IPv4 address, and a DNS record will be created for their instance name. This prevents instances from being able to spoof DNS records by providing false host name information in the DHCP request.</p> <p>The <code class="docutils literal notranslate"><span class="pre">dnsmasq</span></code> service also provides IPv6 router advertisement capabilities. This means that instances will auto-configure their own IPv6 address using SLAAC, so no allocation is made by <code class="docutils literal notranslate"><span class="pre">dnsmasq</span></code>. However, instances that are also using DHCPv4 will get an AAAA DNS record created for the equivalent SLAAC IPv6 address. This assumes that the instances are not using any IPv6 privacy extensions when generating IPv6 addresses.</p> <p>In this default configuration, whilst DNS names cannot be spoofed, the instance is connected to an Ethernet bridge and can transmit any layer 2 traffic that it wishes, which means an instance that is not trusted can effectively do MAC or IP spoofing on the bridge.</p> <p>In the default configuration, it is also possible for instances connected to the bridge to modify the LXD host’s IPv6 routing table by sending (potentially malicious) IPv6 router advertisements to the bridge. 
This is because the <code class="docutils literal notranslate"><span class="pre">lxdbr0</span></code> interface is created with <code class="docutils literal notranslate"><span class="pre">/proc/sys/net/ipv6/conf/lxdbr0/accept_ra</span></code> set to <code class="docutils literal notranslate"><span class="pre">2</span></code>, meaning that the LXD host will accept router advertisements even though <code class="docutils literal notranslate"><span class="pre">forwarding</span></code> is enabled (see <a class="reference external" href="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt"><code class="docutils literal notranslate"><span class="pre">/proc/sys/net/ipv4/*</span></code> Variables</a> for more information).</p> <p>However, LXD offers several bridged <abbr title="Network interface controller">NIC</abbr> security features that can be used to control the type of traffic that an instance is allowed to send onto the network. These NIC settings should be added to the profile that the instance is using, or they can be added to individual instances, as shown below.</p> <p>The following security features are available for bridged NICs:</p> <div class="table-wrapper colwidths-auto docutils container"> <table class="docutils align-default"> <thead> <tr class="row-odd"><th class="head text-left"><p>Key</p></th> <th class="head text-left"><p>Type</p></th> <th class="head text-left"><p>Default</p></th> <th class="head text-left"><p>Required</p></th> <th class="head text-left"><p>Description</p></th> </tr> </thead> <tbody> <tr class="row-even"><td class="text-left"><p><code class="docutils literal notranslate"><span class="pre">security.mac_filtering</span></code></p></td> <td class="text-left"><p>bool</p></td> <td class="text-left"><p><code class="docutils literal notranslate"><span class="pre">false</span></code></p></td> <td class="text-left"><p>no</p></td> <td class="text-left"><p>Prevent the instance from spoofing another instance’s MAC address</p></td> 
</tr> <tr class="row-odd"><td class="text-left"><p><code class="docutils literal notranslate"><span class="pre">security.ipv4_filtering</span></code></p></td> <td class="text-left"><p>bool</p></td> <td class="text-left"><p><code class="docutils literal notranslate"><span class="pre">false</span></code></p></td> <td class="text-left"><p>no</p></td> <td class="text-left"><p>Prevent the instance from spoofing another instance’s IPv4 address (enables <code class="docutils literal notranslate"><span class="pre">mac_filtering</span></code>)</p></td> </tr> <tr class="row-even"><td class="text-left"><p><code class="docutils literal notranslate"><span class="pre">security.ipv6_filtering</span></code></p></td> <td class="text-left"><p>bool</p></td> <td class="text-left"><p><code class="docutils literal notranslate"><span class="pre">false</span></code></p></td> <td class="text-left"><p>no</p></td> <td class="text-left"><p>Prevent the instance from spoofing another instance’s IPv6 address (enables <code class="docutils literal notranslate"><span class="pre">mac_filtering</span></code>)</p></td> </tr> </tbody> </table> </div> <p>One can override the default bridged NIC settings from the profile on a per-instance basis using:</p> <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">lxc</span> <span class="n">config</span> <span class="n">device</span> <span class="n">override</span> <span class="o"><</span><span class="n">instance</span><span class="o">></span> <span class="o"><</span><span class="n">NIC</span><span class="o">></span> <span class="n">security</span><span class="o">.</span><span class="n">mac_filtering</span><span class="o">=</span><span class="n">true</span> </pre></div> </div> <p>Used together, these features can prevent an instance connected to a bridge from spoofing MAC and IP addresses. 
These options are implemented using either <code class="docutils literal notranslate"><span class="pre">xtables</span></code> (<code class="docutils literal notranslate"><span class="pre">iptables</span></code>, <code class="docutils literal notranslate"><span class="pre">ip6tables</span></code> and <code class="docutils literal notranslate"><span class="pre">ebtables</span></code>) or <code class="docutils literal notranslate"><span class="pre">nftables</span></code>, depending on what is available on the host.</p> <p>It’s worth noting that those options effectively prevent nested containers from using the parent network with a different MAC address (i.e. using bridged or <code class="docutils literal notranslate"><span class="pre">macvlan</span></code> NICs).</p> <p>The IP filtering features block ARP and NDP advertisements that contain a spoofed IP, as well as blocking any packets that contain a spoofed source address.</p> <p>If <code class="docutils literal notranslate"><span class="pre">security.ipv4_filtering</span></code> or <code class="docutils literal notranslate"><span class="pre">security.ipv6_filtering</span></code> is enabled and the instance cannot be allocated an IP address (because <code class="docutils literal notranslate"><span class="pre">ipvX.address=none</span></code> or there is no DHCP service enabled on the bridge), then all IP traffic for that protocol is blocked from the instance.</p> <p>When <code class="docutils literal notranslate"><span class="pre">security.ipv6_filtering</span></code> is enabled, IPv6 router advertisements are blocked from the instance.</p> <p>When <code class="docutils literal notranslate"><span class="pre">security.ipv4_filtering</span></code> or <code class="docutils literal notranslate"><span class="pre">security.ipv6_filtering</span></code> is enabled, any Ethernet frames that are not ARP, IPv4 or IPv6 are dropped. 
This prevents stacked VLAN Q-in-Q (802.1ad) frames from bypassing the IP filtering.</p> </section> <section id="routed-nic-security"> <h3>Routed NIC security<a class="headerlink" href="#routed-nic-security" title="Link to this heading">¶</a></h3> <p>An alternative networking mode is available called “routed”. It provides a virtual Ethernet device pair between container and host. In this networking mode, the LXD host functions as a router, and static routes are added to the host directing traffic for the container’s IPs towards the container’s <code class="docutils literal notranslate"><span class="pre">veth</span></code> interface.</p> <p>By default, the <code class="docutils literal notranslate"><span class="pre">veth</span></code> interface created on the host has its <code class="docutils literal notranslate"><span class="pre">accept_ra</span></code> setting disabled to prevent router advertisements from the container modifying the IPv6 routing table on the LXD host. In addition to that, the <code class="docutils literal notranslate"><span class="pre">rp_filter</span></code> on the host is set to <code class="docutils literal notranslate"><span class="pre">1</span></code> to prevent source address spoofing for IPs that the host does not know the container has.</p> </section> </section> <section id="related-topics"> <h2>Related topics<a class="headerlink" href="#related-topics" title="Link to this heading">¶</a></h2> <p>How-to guides:</p> <ul class="simple"> <li><p><a class="reference internal" href="../../howto/server_expose/#server-expose"><span class="std std-ref">How to expose LXD to the network</span></a></p></li> </ul> <p>Explanation:</p> <ul class="simple"> <li><p><a class="reference internal" href="../../authentication/#authentication"><span class="std std-ref">Remote API authentication</span></a></p></li> </ul> </section> </section> </article> </div> <footer> <div class="related-pages"> <a class="next-page" href="../bpf/"> <div class="page-info"> <div 