LXD 6.8 release notes

This is a feature release and is not recommended for production use.

Release notes content

These release notes cover updates in the core LXD repository and the LXD snap package. For a tour of LXD UI updates, please see the release announcement in our Discourse forum.

Highlights

This section highlights new and improved features in this release.

Cluster control-plane role

A new control-plane cluster member role has been added that can be manually assigned to designate which members participate in Raft consensus.

Control plane mode is inactive by default until at least 3 members are assigned the control-plane role. While inactive, all cluster members remain eligible for automatic promotion to database roles (preserving existing behavior). Once active, only control-plane members can become voters, standbys, or the database leader; members without the role are assigned RAFT_SPARE and excluded from automatic promotion.

When control plane mode is active, control-plane members also act as event hubs, replacing the now-deprecated event-hub role.

• Documentation: Use control plane mode

• API extension: clustering_control_plane

Cluster links

Cluster links enable secure, authenticated communication between separate LXD clusters using mutual TLS certificates.

This release adds a full cluster links API, including create/list/show/edit/rename/delete operations and state inspection support. Matching lxc cluster link ... subcommands have also been added.

• Documentation: Cluster links

• API extension: cluster_links

Replicators

Replicators enable active-passive project level instance refresh for disaster recovery using the new bi-directional cluster links functionality.

Replicators support scheduled and manual execution for replicating instances between linked clusters. The daemon gains a background task for running scheduled replicators, and matching lxc replicator subcommands have been added to the CLI.

• Documentation: How to set up replicators

• API extension: replicators

GPU CDI hotplug support for containers

Building on the AMD CDI container support added in LXD 6.7, GPU CDI devices can now be hotplugged into running containers.

• API extension: gpu_cdi_hotplug

Bulk instance state operations and metadata entity URL improvements

A new recursion=2 mode for GET /1.0/operations returns the full parent-child relationship between operations. GET /1.0/operations/{id} with recursion=1 also now returns related child operations.

Parallel bulk instance state updates now create a parent operation with per-instance child operations, providing more granular status reporting.

Additionally operation metadata handling for entity_url has been tightened and expanded. LXD now keeps the primary entity_url stable when metadata is updated and ensures it is present for applicable operations.

Rename operations can now expose both entity_url (the new target URL) and original_entity_url (the pre-rename URL), making rename tracking more reliable for API clients.

URL metadata coverage was also extended to additional create and rename operations, including project rename, instance rename/snapshot rename/backup rename, storage pool create, and storage volume create/snapshot rename/backup rename.

• API extension: bulk_operations

ZFS volume promotion support

A new zfs.promote configuration key has been added. When set to true, this instructs LXD to ZFS-promote the volume when creating (or recreating) it from a clone.

This key is primarily useful when combined with initial.* disk device configuration options and allows controlling ZFS promotion when creating instances from other instances.

• API extension: storage_zfs_promote

Ceph RBD default features changed

New volumes (and clones) in Ceph RBD (ceph) pools are no longer created with only --image-feature layering. Instead the default RBD features configured in the Ceph cluster are used.

If ceph.rbd.features is already set on a pool, that value continues to be used unchanged.

• API extension: storage_ceph_use_rbd_defaults

Ceph and CephFS support for messenger protocol v2

The Ceph storage driver now has support for the Ceph messenger protocol v2.

LXD now uses the native Ceph CLI tool (ceph mon dump --format json) instead of an internal ceph.conf parser for monitor discovery and FSID information. This enables Ceph messenger protocol v2 support.

These improvements enhance compatibility with modern Ceph deployments and provide more robust handling of various Ceph configurations, including those deployed through MicroCeph.

Custom port numbers in NVMe and iSCSI storage connectors

The NVMe and iSCSI storage connectors now support custom port numbers, providing more flexibility when connecting to storage targets that do not use standard ports.

OVN dynamic Northbound connection

When the network.ovn.northbound_connection server configuration is not set, LXD now dynamically determines the OVN Northbound database connection string based on the environment. If the MicroOVN snap is used, LXD reads the configuration from the MicroOVN ovn.env file. Otherwise, it defaults to unix:/var/run/ovn/ovnnb_db.sock.

This ensures that if the MicroOVN cluster membership changes, LXD will then use the updated OVN server connection configuration.

• API extension: ovn_dynamic_northbound_connection

Instance configuration refresh on copy

Instance copy --refresh operations now correctly apply target configuration, profile, and device updates server-side before the data transfer completes. This applies to both direct copies and migration-based refresh operations.

• API extension: instance_refresh_config

Extended image metadata from SimpleStreams

Two new optional fields, release_codename and release_title, have been added to the api.Image struct. These are populated from the SimpleStreams index when available. The generated image description for SimpleStreams images now includes the variant when available, and no longer includes the creation date or architecture.

• API extension: image_extended_metadata

lxc project get-current command

A new lxc project get-current command has been added that outputs the name of the currently selected project, making it easy to use in scripts.

lxc --column/-c flag for CSV output

The --column/-c flag is now supported by the lxc command everywhere that --format csv is accepted, allowing column selection to be combined with CSV output consistently across all lxc list commands.

Stricter file permissions across the codebase

A large sweep of stricter file permissions has been applied across the codebase, reducing the risk of unintended access to sensitive files created by the LXD daemon and the lxc client.

Widespread TOCTOU race condition fixes

Numerous time-of-check to time-of-use (TOCTOU) race conditions across the daemon, client, and storage drivers have been fixed, improving correctness and security under concurrent workloads.

CSRF protection using Go standard library

The daemon now uses the CSRF protection provided by the Go standard library, replacing the previous custom implementation.

Constant-time secret comparison

All secret comparison operations (exec, console, migration, and certificate token secrets) now use constant-time comparison to prevent timing side-channel attacks.

HTTP hardening

Several HTTP hardening improvements have been applied to the daemon:

• Dropped the deprecated X-XSS-Protection response header.

• Added a Referrer-Policy header to prevent leaking referrer information.

• Applied HTTP timeouts to the pprof, Loki, and endpoint listeners.

• TCP keep alive and TCP user timeout configured on incoming API connections for faster stale connection detection.

UI updates

This release introduces cluster links, improves instance configuration visibility, and enhances responsiveness across the UI, alongside a range of user-driven fixes and refinements.

Cluster management

• The UI now supports cluster links for connecting multiple clusters.

• The UI now supports full create, edit, and delete management for cluster member roles.

Instance experience

• The YAML editor now provides an expanded view that surfaces inherited configuration values (such as from profiles) alongside instance-level settings.

• More responsive instance creation with live progress updates via events.

• Ubuntu-themed terminal for instances.

Forms and input enhancements

• Introduced prefixed inputs for IP address assignments for clearer networking configuration.

• Added output fields to forms where applicable.

Asynchronous operations

• Improved handling of long-running operations with asynchronous support for:

  • Networks

  • Network peerings

  • Network ACLs

  • Storage pools

  • Storage buckets and bucket keys

User-driven improvements

• Instances uploaded from file now appear immediately in the instance list while processing.

• Improved visibility of available storage pool size.

• Enhanced storage driver selection with more details.

• Added icons for full-screen mode and ISO usage in the instance terminal.

• Removed expiry field from instance export (system defaults are now applied).

Bug fixes

• Fixed issue where the admin group was incorrectly immutable.

• Fixed terminal behavior to display content when a connection closes or errors occur.

Bug fixes

The following bug fixes are included in this release.

• VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf (CVE-2026-34177)

• Update of type field in restricted TLS certificate allows privilege escalation to cluster admin (CVE-2026-34179)

• Importing a crafted backup leads to project restriction bypass (CVE-2026-34178)

• Arbitrary file read and write through pongo templates (CVE-2026-33897 from Incus)

• Verify combined fingerprint when downloading images from simplestreams servers (CVE-2026-33542 from Incus)

• Fix creating instances using a local image from another project

• Require can_view on source instance and volume when copying

• Migration: Don't allow pull mode in restricted projects

• Use correct name in create-from-backup entity URL

• GPU CDI device fixes

• Fix snapshot URL in clustered mode

• Fix recursive file pull failing on existing directories and symlinks

• Fix --profile and --no-profiles flags being ignored on cluster moves

• Fix mutex leak and unclosed files

• Prevent concurrent evacuations

• Fix image fingerprint validation being too permissive

• Fix UI and documentation MIME type

• Enforce project limits.instances in clustered instance creation

• dnsmasq: clean up orphaned .removing files on bridge network start

• Improve phantom volume error reporting during cluster moves

• Fix instance copy to keep source architecture type

• Fix inverted TLS verification logic in Alletra client

• Mark images as cached consistently

• Fix deadlock by only taking storage pool and network creation lock for external API requests

• Network: Set veth/vtap host interface MTU to the larger of parent bridge or instance MTU

• Cluster: Fix cluster healing functionality

Backwards-incompatible changes

These changes are not compatible with older versions of LXD or its clients.

MAAS controller support removed

The MAAS controller integration has been removed from LXD. This removes all maas.api.url, maas.api.key, and maas.machine configuration keys, as well as the maas.subnet.ipv4 and maas.subnet.ipv6 NIC device options.

On upgrade, a patch automatically removes any MAAS-related configuration keys from the database.

MinIO local object storage buckets removed

Local (non-Ceph) storage drivers no longer support object storage buckets. Object storage buckets are now only supported by the cephobject driver.

The bundled minio binary and the core.storage_buckets_address configuration have been removed. The storage_buckets_local API extension is no longer advertised.

Ceph RBD and CephFS source configuration key dropped

The source configuration key for the ceph and cephfs storage drivers has been removed. Use ceph.osd.pool_name for Ceph RBD pools and cephfs.path for CephFS pools instead.

On upgrade, a patch automatically unsets any stored source configuration keys for affected pools.

• API extension: storage_remote_drop_source

FAN bridge fan.type=ipip support removed

Support for fan.type=ipip in bridge networks has been removed. Only fan.type=vxlan (the default) remains supported.

Cluster role event-hub removed

The event-hub cluster role has been removed in favor of the new control-plane role, which provides equivalent event-hub behaviour alongside full Raft control-plane functionality. Existing event-hub role assignments are automatically migrated to control-plane on upgrade.

• API extension: clustering_control_plane

Asynchronous storage pool, network, and storage bucket endpoints

Storage and network endpoints that were previously synchronous now return background operations. This affects create, update, delete, and rename actions.

This includes storage pools, storage buckets (including bucket keys), networks, network ACLs, network zones, network zone records, network forwards, network load balancers and network peers.

Clients should check for this extension and handle the asynchronous response by waiting on the returned operation. Operation metadata may include additional data, such as storage bucket admin credentials on bucket creation.

• API extension: storage_and_network_operations

Operation resources metadata no longer populated

Operation resources entries are now intentionally emptied and should no longer be relied upon by clients.

Historically, some clients used resources to infer the URL of entities created or affected by asynchronous operations. With the 6.8 changes, clients should treat entity_url as authoritative for the operation target and, for rename operations, use original_entity_url (old URL) together with entity_url (new URL).

The resources field will be used in the future to record associated entities for an operation.

• API extension: bulk_operations

Public images restricted to the default project

Public images can no longer be created in non-default projects. Attempts to mark images as public in non-default projects via image creation or update API endpoints will be rejected.

Images in non-default projects cannot be accessed by unauthenticated or unauthorized clients; only authenticated clients with appropriate permissions can view them. To share images publicly, they must be created in or moved to the default project.

This change supports the forthcoming Image Registries feature.

Migration pull mode into restricted projects no longer allowed

It is no longer possible to migrate instances and storage volumes into a restricted project when using pull migration mode.

Go SDK changes

The following backwards-incompatible changes were made to the LXD Go SDK and will require updates to consuming applications. These client functions are made to be backward compatible with older LXD servers.

• Storage pool Create, Update, and Delete functions now return an Operation.

• Storage bucket and bucket key Create, Update, and Delete functions now return an Operation.

• Network Create, Update, Delete, and Rename functions now return an Operation.

• Network ACL Create, Update, Delete, and Rename functions now return an Operation.

• Network peer Create, Update, and Delete functions now return an Operation.

• Network zone and network zone record Create, Update, and Delete functions now return an Operation.

• GetInstances variants unified into a single GetInstances method accepting an args struct.

Deprecated features

These features are removed in this release.

MAAS integration removed

All MAAS-related configuration options have been removed (see Backwards-incompatible changes above).

Local MinIO storage buckets removed

Local object storage bucket support using MinIO has been removed (see Backwards-incompatible changes above).

Known issues

ARM64 VM Boot Failures (Synchronous Exception)

Booting virtual machines on ARM64 hardware (such as Raspberry Pi 4 and 5) may result in a Synchronous Exception early in the UEFI boot process.

Impact: Ubuntu 22.04 VMs fail to boot immediately. Ubuntu 24.04 VMs are also affected, with the failure threshold depending on the host’s available memory. Cause: This bug is tied to Secure Boot and is hypothesized to be related to memory availability and layout.

The workaround for now is disabling Secure Boot (setting boot.mode to uefi-nosecureboot).

Updated minimum Go version

If you are building LXD from source instead of using a package manager, the minimum version of Go required to build LXD is now 1.26.2.

Snap packaging changes

• Minimum required snapd raised to 2.64.

• Dqlite bumped to v1.18.6.

• QEMU bumped to 10.2.1+ds-1ubuntu3.

• EDK2 rebased to 2025.11-3ubuntu7.

• NVIDIA container toolkit updated to 1.19.0.

• Go toolchain for snap builds bumped to go1.26.

• Removed MinIO-related snap config (minio.path) and MinIO support bits.

• Added the ovn-env plug for MicroOVN integration.

• Updated LXCFS handling to align with pidfs defaults and removed obsolete lxcfs.pidfd options/checks.

• Refactored ZFS setup through a dedicated setup-zfs helper script, including improved error handling and fallback behavior.

Change log

View the complete list of all changes in this release.

Downloads

The source tarballs and binary clients can be found on our download page.

Binary packages are also available for:

• Linux: snap install lxd --channel=6/stable

• MacOS client: brew install lxc

• Windows client: choco install lxc