
<!doctype html>
<html class="no-js" lang="en" data-content_root="../../">
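  <head>
    <meta charset="utf-8">
    <!-- One viewport declaration only. The generated output carried two (differing only in whitespace);
         browsers honour the last one, which is the form kept here. -->
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="color-scheme" content="light dark">
    <title>How to harden security for LXD - LXD documentation</title>
    <meta name="description" content="To increase the security posture of your LXD deployment, review the following hardening recommendations and apply those relevant to your setup. General: Use a supported version: Use only supported ...">
    <!-- Open Graph metadata. og:url and rel="canonical" below are root-relative, so they resolve against
         whichever origin serves this copy of the page (including a locally served snap copy). -->
    <meta property="og:title" content="How to harden security for LXD">
    <meta property="og:type" content="website">
    <meta property="og:url" content="/howto/security_harden/">
    <meta property="og:site_name" content="LXD documentation">
    <meta property="og:description" content="To increase the security posture of your LXD deployment, review the following hardening recommendations and apply those relevant to your setup. General: Use a supported version: Use only supported ...">
    <meta property="og:image" content="https://documentation.ubuntu.com/lxd/latest/_static/lxd_tag.png">
    <meta property="og:image:alt" content="LXD documentation">
    <meta property="article:modified_time" content="2026-02-12T14:01:41+00:00">
    <!-- Sphinx document relations used by the prev/next navigation. -->
    <link rel="index" title="Index" href="../../genindex/">
    <link rel="search" title="Search" href="../../search/">
    <link rel="next" title="Troubleshooting" href="../troubleshoot/">
    <link rel="prev" title="How to manage the LXD snap" href="../snap/">
    <link rel="canonical" href="/howto/security_harden/">
    <link rel="shortcut icon" href="../../_static/favicon.ico">
    <!-- Generated with Sphinx 7.4.7 and Furo 2025.12.19 -->
    <!-- All stylesheets are same-origin relative paths under ../../_static/, so no subresource integrity
         attributes are needed. The ?v= query strings look like cache-busting hashes, not version pins.
         type="text/css" is the default for rel="stylesheet" and has been dropped. -->
    <link rel="stylesheet" href="../../_static/pygments.css?v=d111a655">
    <link rel="stylesheet" href="../../_static/styles/furo.css?v=7bdb33bb">
    <link rel="stylesheet" href="../../_static/copybutton.css?v=76b2166b">
    <link rel="stylesheet" href="../../_static/config-options.css">
    <link rel="stylesheet" href="../../_static/related-links.css">
    <link rel="stylesheet" href="../../_static/terminal.css">
    <link rel="stylesheet" href="../../_static/youtube.css">
    <link rel="stylesheet" href="../../_static/sphinx-design.min.css?v=95c83b7e">
    <link rel="stylesheet" href="../../_static/styles/furo-extensions.css?v=8dab3a3b">
    <link rel="stylesheet" href="../../_static/lxd_custom.css?v=bfbf4da2">
    <link rel="stylesheet" href="../../_static/cookie-banner.css?v=b74831ab">
    <link rel="stylesheet" href="../../_static/custom.css?v=e189117a">
    <link rel="stylesheet" href="../../_static/header.css?v=a8078839">
    <link rel="stylesheet" href="../../_static/github_issue_links.css?v=3d761185">
    <link rel="stylesheet" href="../../_static/furo_colors.css?v=825fec6f">
  </head>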
  <body>
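    <header id="header" class="p-navigation">
      <!-- Google Tag Manager. This inline loader injects https://www.googletagmanager.com/gtm.js at runtime.
           A dynamically created script element cannot carry a subresource integrity hash, and because the
           loader itself is inline without a nonce, any script-src policy applied to this page would have to
           allow it explicitly. The JavaScript is left exactly as generated. -->
      <script>
        (function(w, d, s, l, i) {
          w[l] = w[l] || [];
          w[l].push({
            'gtm.start': new Date().getTime(),
            event: 'gtm.js'
          });
          var f = d.getElementsByTagName(s)[0];
          var j = d.createElement(s);
          var dl = '';
          if (l != 'dataLayer') {
              dl = '&l=' + l;
          }
          j.async = true;
          j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
          f.parentNode.insertBefore(j, f);
        })(window, document, 'script', 'dataLayer', 'GTM-KNX3CJC');
      </script>

      <!-- Primary site navigation. Plain list markup is used instead of role="menubar"/role="menu":
           those roles promise application-menu keyboard handling (menuitem children, arrow-key movement)
           that this markup does not implement. Class names are unchanged so the site's stylesheet and
           scripts keep their hooks. -->
      <nav class="p-navigation__nav" aria-label="Primary">
        <ul class="p-navigation__links">
          <li>
            <!-- The visible text "LXD" names this link, so the image is decorative (alt="").
                 aria-current="page" was removed: the link goes to canonical.com/lxd, not to the current page. -->
            <a class="p-logo" href="https://canonical.com/lxd">
              <img class="p-logo-image" src="../../_static/lxd_tag.png" alt="">
              <div class="p-logo-text p-heading--4">LXD</div>
            </a>
          </li>
          <li class="nav-ubuntu-com">
            <a class="p-navigation__link" href="https://canonical.com/lxd">canonical.com/lxd</a>
          </li>
          <li class="nav-dropdown">
            <!-- In-page toggle for the dropdown below. Kept as an anchor with href="#" because the site's
                 CSS/JS for .nav-more-links is not in this file; a <button type="button"> would be the
                 proper element once those are adapted. aria-expanded must be kept in sync by that script. -->
            <a class="p-navigation__link nav-more-links" id="more-resources-toggle" href="#"
               aria-haspopup="true" aria-expanded="false">
              More resources
            </a>
            <ul class="more-links-dropdown" aria-labelledby="more-resources-toggle">
              <li>
                <a class="p-navigation__sub-link p-dropdown__link" href="https://discourse.ubuntu.com/c/lxd/">Discourse</a>
              </li>
              <li>
                <a class="p-navigation__sub-link p-dropdown__link" href="https://matrix.to/#/#documentation:ubuntu.com">Matrix</a>
              </li>
              <li>
                <a class="p-navigation__sub-link p-dropdown__link" href="https://github.com/canonical/lxd">GitHub</a>
              </li>
            </ul>
          </li>
        </ul>
      </nav>
    </header>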
   
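    <script>
      // Restore the persisted colour theme as early as possible in <body>, before the page content that
      // follows this script is rendered. Reading localStorage can throw (storage disabled or blocked by
      // browser settings); in that case fall back to "auto" instead of aborting the script. Wrapped in an
      // IIFE so no global variable is introduced. The stored value is applied as-is to a data attribute
      // (no HTML is built from it), matching the previous behaviour.
      (function() {
        var theme = "auto";
        try {
          theme = localStorage.getItem("theme") || "auto";
        } catch (e) {
          // storage unavailable: keep "auto"
        }
        document.body.dataset.theme = theme;
      })();
    </script>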
    

<svg xmlns="http://www.w3.org/2000/svg" style="display: none;">
  <!-- Hidden icon sprite. Each <symbol> is instantiated elsewhere on the page with
       <svg><use href="#svg-…"></use></svg>. The <title> inside a symbol is the text an assistive
       technology may announce for an instance that has no other accessible name. -->
  <symbol id="svg-toc" viewBox="0 0 24 24">
    <title>Contents</title>
    <svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 1024 1024">
      <path d="M408 442h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8zm-8 204c0 4.4 3.6 8 8 8h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56zm504-486H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 632H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM115.4 518.9L271.7 642c5.8 4.6 14.4.5 14.4-6.9V388.9c0-7.4-8.5-11.5-14.4-6.9L115.4 505.1a8.74 8.74 0 0 0 0 13.8z"/>
    </svg>
  </symbol>
  <symbol id="svg-menu" viewBox="0 0 24 24">
    <title>Menu</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-menu">
      <line x1="3" y1="12" x2="21" y2="12"></line>
      <line x1="3" y1="6" x2="21" y2="6"></line>
      <line x1="3" y1="18" x2="21" y2="18"></line>
    </svg>
  </symbol>
  <symbol id="svg-arrow-right" viewBox="0 0 24 24">
    <title>Expand</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-chevron-right">
      <polyline points="9 18 15 12 9 6"></polyline>
    </svg>
  </symbol>
  <!-- The four theme icons below are the alternatives shown by the theme-toggle button. -->
  <symbol id="svg-sun" viewBox="0 0 24 24">
    <title>Light mode</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="feather-sun">
      <circle cx="12" cy="12" r="5"></circle>
      <line x1="12" y1="1" x2="12" y2="3"></line>
      <line x1="12" y1="21" x2="12" y2="23"></line>
      <line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
      <line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
      <line x1="1" y1="12" x2="3" y2="12"></line>
      <line x1="21" y1="12" x2="23" y2="12"></line>
      <line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
      <line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
    </svg>
  </symbol>
  <symbol id="svg-moon" viewBox="0 0 24 24">
    <title>Dark mode</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-moon">
      <path stroke="none" d="M0 0h24v24H0z" fill="none" />
      <path d="M12 3c.132 0 .263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z" />
    </svg>
  </symbol>
  <!-- The inline style="opacity: 50%" on the secondary shapes below dims the "other" mode's icon;
       it is kept inline because the sprite has no stylesheet of its own. -->
  <symbol id="svg-sun-with-moon" viewBox="0 0 24 24">
    <title>Auto light/dark, in light mode</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round"
      class="icon-custom-derived-from-feather-sun-and-tabler-moon">
      <path style="opacity: 50%" d="M 5.411 14.504 C 5.471 14.504 5.532 14.504 5.591 14.504 C 3.639 16.319 4.383 19.569 6.931 20.352 C 7.693 20.586 8.512 20.551 9.25 20.252 C 8.023 23.207 4.056 23.725 2.11 21.184 C 0.166 18.642 1.702 14.949 4.874 14.536 C 5.051 14.512 5.231 14.5 5.411 14.5 L 5.411 14.504 Z"/>
      <line x1="14.5" y1="3.25" x2="14.5" y2="1.25"/>
      <line x1="14.5" y1="15.85" x2="14.5" y2="17.85"/>
      <line x1="10.044" y1="5.094" x2="8.63" y2="3.68"/>
      <line x1="19" y1="14.05" x2="20.414" y2="15.464"/>
      <line x1="8.2" y1="9.55" x2="6.2" y2="9.55"/>
      <line x1="20.8" y1="9.55" x2="22.8" y2="9.55"/>
      <line x1="10.044" y1="14.006" x2="8.63" y2="15.42"/>
      <line x1="19" y1="5.05" x2="20.414" y2="3.636"/>
      <circle cx="14.5" cy="9.55" r="3.6"/>
    </svg>
  </symbol>
  <symbol id="svg-moon-with-sun" viewBox="0 0 24 24">
    <title>Auto light/dark, in dark mode</title>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round"
      class="icon-custom-derived-from-feather-sun-and-tabler-moon">
      <path d="M 8.282 7.007 C 8.385 7.007 8.494 7.007 8.595 7.007 C 5.18 10.184 6.481 15.869 10.942 17.24 C 12.275 17.648 13.706 17.589 15 17.066 C 12.851 22.236 5.91 23.143 2.505 18.696 C -0.897 14.249 1.791 7.786 7.342 7.063 C 7.652 7.021 7.965 7 8.282 7 L 8.282 7.007 Z"/>
      <line style="opacity: 50%" x1="18" y1="3.705" x2="18" y2="2.5"/>
      <line style="opacity: 50%" x1="18" y1="11.295" x2="18" y2="12.5"/>
      <line style="opacity: 50%" x1="15.316" y1="4.816" x2="14.464" y2="3.964"/>
      <line style="opacity: 50%" x1="20.711" y1="10.212" x2="21.563" y2="11.063"/>
      <line style="opacity: 50%" x1="14.205" y1="7.5" x2="13.001" y2="7.5"/>
      <line style="opacity: 50%" x1="21.795" y1="7.5" x2="23" y2="7.5"/>
      <line style="opacity: 50%" x1="15.316" y1="10.184" x2="14.464" y2="11.036"/>
      <line style="opacity: 50%" x1="20.711" y1="4.789" x2="21.563" y2="3.937"/>
      <circle style="opacity: 50%" cx="18" cy="7.5" r="2.169"/>
    </svg>
  </symbol>
  <!-- NOTE(review): unlike the symbols above, svg-pencil and svg-eye carry no <title>. Their use sites
       are not in this part of the file; if an instance is ever used without visible link text it will
       have no accessible name — confirm at the use sites. -->
  <symbol id="svg-pencil" viewBox="0 0 24 24">
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-pencil-code">
      <path d="M4 20h4l10.5 -10.5a2.828 2.828 0 1 0 -4 -4l-10.5 10.5v4" />
      <path d="M13.5 6.5l4 4" />
      <path d="M20 21l2 -2l-2 -2" />
      <path d="M17 17l-2 2l2 2" />
    </svg>
  </symbol>
  <symbol id="svg-eye" viewBox="0 0 24 24">
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
      stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-eye-code">
      <path stroke="none" d="M0 0h24v24H0z" fill="none" />
      <path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" />
      <path
        d="M11.11 17.958c-3.209 -.307 -5.91 -2.293 -8.11 -5.958c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6c-.21 .352 -.427 .688 -.647 1.008" />
      <path d="M20 21l2 -2l-2 -2" />
      <path d="M17 17l-2 2l2 2" />
    </svg>
  </symbol>
</svg>

<!-- Drawer state lives in these two checkboxes; the <label for="__navigation"> / <label for="__toc">
     elements elsewhere on the page toggle them, presumably with the open/closed styling done in CSS.
     Each checkbox carries its own aria-label, since none of its labels contains text. -->
<input class="sidebar-toggle" id="__navigation" name="__navigation" type="checkbox" aria-label="Toggle site navigation sidebar">
<input class="sidebar-toggle" id="__toc" name="__toc" type="checkbox" aria-label="Toggle table of contents sidebar">
<!-- Full-page overlays: clicking one activates its checkbox through the for= association and closes the drawer. -->
<label class="overlay sidebar-overlay" for="__navigation"></label>
<label class="overlay toc-overlay" for="__toc"></label>
<!-- Keyboard skip link; its target is the #furo-main-content element further down the page. -->
<a class="skip-to-content muted-link" href="#furo-main-content">Skip to content</a>



<div class="page">
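  <header class="mobile-header">
    <div class="header-left">
      <!-- Opens the navigation drawer by toggling the #__navigation checkbox, whose aria-label names the
           control; the icon is therefore decorative. -->
      <label class="nav-overlay-icon" for="__navigation">
        <span class="icon"><svg aria-hidden="true"><use href="#svg-menu"></use></svg></span>
      </label>
    </div>
    <div class="header-center">
      <a href="../../"><div class="brand">LXD documentation</div></a>
    </div>
    <div class="header-right">
      <div class="theme-toggle-container theme-toggle-header">
        <!-- type="button" so the control can never act as an implicit form submit. The aria-label is its
             accessible name; the four icons are decorative alternatives (presumably one is shown at a time by CSS). -->
        <button class="theme-toggle" type="button" aria-label="Toggle Light / Dark / Auto color theme">
          <svg class="theme-icon-when-auto-light" aria-hidden="true"><use href="#svg-sun-with-moon"></use></svg>
          <svg class="theme-icon-when-auto-dark" aria-hidden="true"><use href="#svg-moon-with-sun"></use></svg>
          <svg class="theme-icon-when-dark" aria-hidden="true"><use href="#svg-moon"></use></svg>
          <svg class="theme-icon-when-light" aria-hidden="true"><use href="#svg-sun"></use></svg>
        </button>
      </div>
      <!-- Opens the table-of-contents drawer by toggling the #__toc checkbox (named by its own aria-label). -->
      <label class="toc-overlay-icon toc-header-icon" for="__toc">
        <span class="icon"><svg aria-hidden="true"><use href="#svg-toc"></use></svg></span>
      </label>
    </div>
  </header>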
  <aside class="sidebar-drawer">
    <div class="sidebar-container">
      
      <div class="sidebar-sticky"><a class="sidebar-brand" href="../../">
  
  <span class="sidebar-brand-text">LXD documentation</span>
  
</a>
<!-- Site search. Submits a GET request to ../../search/ carrying q plus the two fixed hidden fields;
     nothing here is rendered back into the page, so the query is handled entirely by the search page. -->
<form class="sidebar-search-container" method="get" action="../../search/" role="search">
  <!-- aria-label supplies the accessible name; the placeholder alone would not count as a label. -->
  <input class="sidebar-search" name="q" placeholder="Search" aria-label="Search">
  <input type="submit" value="Go">
  <input name="check_keywords" type="hidden" value="yes">
  <input name="area" type="hidden" value="default">
</form>
  <div id="searchbox"></div><div class="sidebar-scroll"><div class="sidebar-tree">
  <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../">LXD</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../tutorial/first_steps/">Tutorial</a></li>
<li class="toctree-l1 current has-children"><a class="reference internal" href="../">How-to guides</a><input aria-label="Toggle navigation of How-to guides" checked="" class="toctree-checkbox" id="toctree-checkbox-1" name="toctree-checkbox-1" role="switch" type="checkbox"/><label for="toctree-checkbox-1"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul class="current">
<li class="toctree-l2 has-children"><a class="reference internal" href="../../getting_started/">Getting started</a><input aria-label="Toggle navigation of Getting started" class="toctree-checkbox" id="toctree-checkbox-2" name="toctree-checkbox-2" role="switch" type="checkbox"/><label for="toctree-checkbox-2"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../installing/">Install LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../initialize/">Initialize LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../access_ui/">Access the UI</a></li>
<li class="toctree-l3"><a class="reference internal" href="../access_documentation/">Access documentation locally</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../operation/">LXD server and client</a><input aria-label="Toggle navigation of LXD server and client" class="toctree-checkbox" id="toctree-checkbox-3" name="toctree-checkbox-3" role="switch" type="checkbox"/><label for="toctree-checkbox-3"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../server_expose/">Expose LXD to the network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../server_configure/">Configure the LXD server</a></li>
<li class="toctree-l3 has-children"><a class="reference internal" href="../oidc/">Configure single sign-on with OIDC</a><input aria-label="Toggle navigation of Configure single sign-on with OIDC" class="toctree-checkbox" id="toctree-checkbox-4" name="toctree-checkbox-4" role="switch" type="checkbox"/><label for="toctree-checkbox-4"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l4"><a class="reference internal" href="../oidc_auth0/">How to configure Auth0</a></li>
<li class="toctree-l4"><a class="reference internal" href="../oidc_ory/">How to configure Ory Hydra</a></li>
<li class="toctree-l4"><a class="reference internal" href="../oidc_keycloak/">How to configure Keycloak</a></li>
<li class="toctree-l4"><a class="reference internal" href="../oidc_entra_id/">How to configure Entra ID</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="../../remotes/">Add remote servers</a></li>
<li class="toctree-l3"><a class="reference internal" href="../lxc_alias/">Add command aliases</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../instances/">Instances</a><input aria-label="Toggle navigation of Instances" class="toctree-checkbox" id="toctree-checkbox-5" name="toctree-checkbox-5" role="switch" type="checkbox"/><label for="toctree-checkbox-5"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../instances_create/">Create instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_configure/">Configure instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_manage/">Manage instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../profiles/">Use profiles</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_troubleshoot/">Troubleshoot errors</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_ubuntu_pro_attach/">Auto attach Ubuntu Pro</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_access_files/">Access files</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_console/">Access the console</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../instance-exec/">Run commands</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../cloud-init/">Use cloud-init</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_routed_nic_vm/">Add a routed NIC to a VM</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_backup/">Back up instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_migrate/">Migrate instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../import_machines_to_instances/">Import existing machines</a></li>
<li class="toctree-l3"><a class="reference internal" href="../container_gpu_passthrough_with_docker/">Pass NVIDIA GPUs</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../images/">Images</a><input aria-label="Toggle navigation of Images" class="toctree-checkbox" id="toctree-checkbox-6" name="toctree-checkbox-6" role="switch" type="checkbox"/><label for="toctree-checkbox-6"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../images_remote/">Use remote images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_manage/">Manage images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_profiles/">Associate profiles</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_copy/">Copy and import images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_create/">Create images</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../projects/">Projects</a><input aria-label="Toggle navigation of Projects" class="toctree-checkbox" id="toctree-checkbox-7" name="toctree-checkbox-7" role="switch" type="checkbox"/><label for="toctree-checkbox-7"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../projects_create/">Create and configure</a></li>
<li class="toctree-l3"><a class="reference internal" href="../projects_work/">Work with projects</a></li>
<li class="toctree-l3"><a class="reference internal" href="../projects_confine/">Confine users to projects</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../storage/">Storage</a><input aria-label="Toggle navigation of Storage" class="toctree-checkbox" id="toctree-checkbox-8" name="toctree-checkbox-8" role="switch" type="checkbox"/><label for="toctree-checkbox-8"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../storage_pools/">Manage pools</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_volumes/">Manage volumes</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_buckets/">Manage buckets</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_create_instance/">Create an instance in a pool</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_backup_volume/">Back up a volume</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_move_volume/">Move or copy a volume</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_csi/">Use the LXD CSI driver with Kubernetes</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../networks/">Networking</a><input aria-label="Toggle navigation of Networking" class="toctree-checkbox" id="toctree-checkbox-9" name="toctree-checkbox-9" role="switch" type="checkbox"/><label for="toctree-checkbox-9"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../network_create/">Create a network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_configure/">Configure a network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_bgp/">Configure as BGP server</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_acls/">Configure network ACLs</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_forwards/">Configure forwards</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_zones/">Configure network zones</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_bridge_firewalld/">Configure your firewall</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_bridge_resolved/">Integrate with resolved</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_ovn_setup/">Set up OVN</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_load_balancers/">Configure load balancers</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_ovn_peers/">Configure peer routing</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_ipam/">Display IPAM information</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../clustering/">Clustering</a><input aria-label="Toggle navigation of Clustering" class="toctree-checkbox" id="toctree-checkbox-10" name="toctree-checkbox-10" role="switch" type="checkbox"/><label for="toctree-checkbox-10"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../cluster_form/">Form a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_manage/">Manage a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_config_networks/">Configure networks</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_config_storage/">Configure storage</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_manage_instance/">Manage instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_groups/">Set up cluster groups</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_placement_groups/">Use placement groups</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_recover/">Recover a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_vip/">Set up a highly available virtual IP</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../production-setup/">Production setup</a><input aria-label="Toggle navigation of Production setup" class="toctree-checkbox" id="toctree-checkbox-11" name="toctree-checkbox-11" role="switch" type="checkbox"/><label for="toctree-checkbox-11"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../benchmark_performance/">Benchmark performance</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_increase_bandwidth/">Increase bandwidth</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../metrics/">Monitor metrics</a></li>
<li class="toctree-l3"><a class="reference internal" href="../logs_loki/">Send logs to Loki</a></li>
<li class="toctree-l3"><a class="reference internal" href="../grafana/">Set up Grafana</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../backup/">Back up a server</a></li>
<li class="toctree-l3"><a class="reference internal" href="../disaster_recovery/">Recover instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../disaster_recovery_replication/">Disaster recovery with storage replication</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../snap/">Manage the snap</a></li>
<li class="toctree-l2 current current-page"><a class="current reference internal" href="#">Harden security</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../troubleshoot/">Troubleshooting</a><input aria-label="Toggle navigation of Troubleshooting" class="toctree-checkbox" id="toctree-checkbox-12" name="toctree-checkbox-12" role="switch" type="checkbox"/><label for="toctree-checkbox-12"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../network_bridge_firewalld/">Configure your firewall</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_troubleshoot/">Troubleshoot instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../dqlite_troubleshoot/">Troubleshoot Dqlite</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../debugging/">Debug LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../faq/">Frequently asked</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../support/">Get support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../contributing/">Contribute to LXD</a></li>
<li class="toctree-l2"><a class="reference internal" href="../auth_bearer/">How to authenticate to the LXD API using bearer tokens</a></li>
<li class="toctree-l2"><a class="reference internal" href="../devlxd_authenticate/">How to authenticate to the DevLXD API</a></li>
</ul>
</li>
<li class="toctree-l1 has-children"><a class="reference internal" href="../../explanation/">Explanation</a><input aria-label="Toggle navigation of Explanation" class="toctree-checkbox" id="toctree-checkbox-13" name="toctree-checkbox-13" role="switch" type="checkbox"/><label for="toctree-checkbox-13"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/lxd_lxc/"><code class="docutils literal notranslate"><span class="pre">lxd</span></code> and <code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/instances/">Containers and VMs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../image-handling/">Local and remote images</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/storage/">Storage pools, volumes, and buckets</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/networks/">Networking setups</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../database/">The LXD Dqlite database</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/lxc_show_info/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code> <code class="docutils literal notranslate"><span class="pre">show</span></code> and <code class="docutils literal notranslate"><span class="pre">info</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../authentication/">Remote API authentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/authorization/">Remote API authorization</a></li>
  <div class="main">
    <div class="content">
      <div class="article-container">
        <article role="main" id="furo-main-content">
          <section id="how-to-harden-security-for-lxd">
<span id="howto-security-harden"></span><h1>How to harden security for LXD<a class="headerlink" href="#how-to-harden-security-for-lxd" title="Link to this heading">¶</a></h1>
<p>To increase the security posture of your LXD deployment, review the following hardening recommendations and apply those relevant to your setup.</p>
<section id="general">
<h2>General<a class="headerlink" href="#general" title="Link to this heading">¶</a></h2>
<section id="use-a-supported-version">
<span id="howto-security-harden-supported"></span><h3>Use a supported version<a class="headerlink" href="#use-a-supported-version" title="Link to this heading">¶</a></h3>
<p>Use only supported LTS releases or the latest feature release of LXD, and ensure that you update it regularly to receive security updates and bug fixes. See: <a class="reference internal" href="../../reference/releases-snap/#ref-releases"><span class="std std-ref">Releases</span></a>.</p>
</section>
<section id="delete-unused-resources">
<span id="howto-security-harden-delete-unused"></span><h3>Delete unused resources<a class="headerlink" href="#delete-unused-resources" title="Link to this heading">¶</a></h3>
<p>Delete unused networks and storage pools to reduce the attack surface.</p>
</section>
</section>
<section id="access">
<h2>Access<a class="headerlink" href="#access" title="Link to this heading">¶</a></h2>
<section id="secure-the-lxd-group">
<span id="howto-security-harden-group"></span><h3>Secure the <code class="docutils literal notranslate"><span class="pre">lxd</span></code> group<a class="headerlink" href="#secure-the-lxd-group" title="Link to this heading">¶</a></h3>
<p>Users in the <code class="docutils literal notranslate"><span class="pre">lxd</span></code> group who access LXD through the local Unix socket are given full administrative control over LXD. Thus, ensure that only trusted users are members of the <code class="docutils literal notranslate"><span class="pre">lxd</span></code> group (or any custom group you configure via <code class="docutils literal notranslate"><span class="pre">snap.lxd.daemon.group</span></code>). Audit group membership regularly.</p>
<p>Also see: <a class="reference internal" href="#howto-security-harden-restricted-group"><span class="std std-ref">Use a restricted group for non-admin users</span></a>.</p>
</section>
<section id="harden-remote-api-access">
<span id="howto-security-harden-remote"></span><h3>Harden remote API access<a class="headerlink" href="#harden-remote-api-access" title="Link to this heading">¶</a></h3>
<p>For <a class="reference internal" href="../../authentication/#authentication"><span class="std std-ref">Remote API authentication</span></a>, LXD can use either <abbr title="Transport Layer Security">TLS</abbr> client certificates or OpenID Connect:</p>
<ul class="simple">
<li><p>Client certificates:</p>
<ul>
<li><p>Ensure that only clients with certificates issued by your trusted Certificate Authority (CA) can connect. The <a class="configref reference internal" href="../../server/#server-core:core.trust_ca_certificates"><code class="docutils literal notranslate"><span class="pre">core.trust_ca_certificates</span></code></a> option is <code class="docutils literal notranslate"><span class="pre">false</span></code> by default. To prevent auto-trusting of CA-signed certificates, ensure it remains disabled.</p></li>
<li><p>Regularly audit and remove unused client certificates from the trust store.</p></li>
<li><p>Ensure that private CAs issue short-lived certificates.</p></li>
<li><p>When <a class="reference internal" href="../../authentication/#authentication-pki"><span class="std std-ref">using a PKI system</span></a>, regularly audit and revoke unused client certificates using a <a class="reference internal" href="../../authentication/#authentication-revoke-certificates"><span class="std std-ref">certificate revocation list</span></a>.</p></li>
</ul>
</li>
<li><p>OpenID Connect:</p>
<ul>
<li><p>Only set <code class="docutils literal notranslate"><span class="pre">oidc.client.secret</span></code> if required by the identity provider.</p></li>
<li><p>Configure your OIDC provider to issue short-lived access tokens.</p></li>
<li><p>Require multi-factor authentication (MFA) in your identity provider.</p></li>
</ul>
</li>
</ul>
<p>For <a class="reference internal" href="../../explanation/authorization/#authorization"><span class="std std-ref">Remote API authorization</span></a>, use <a class="reference internal" href="../../explanation/authorization/#restricted-tls-certs"><span class="std std-ref">Restricted TLS certificates</span></a> or <a class="reference internal" href="../../explanation/authorization/#fine-grained-authorization"><span class="std std-ref">Fine-grained authorization</span></a> where relevant to your setup.</p>
<p>Refer to the <a class="reference internal" href="../../authentication/#authentication"><span class="std std-ref">Remote API authentication</span></a> and <a class="reference internal" href="../../explanation/authorization/#authorization"><span class="std std-ref">Remote API authorization</span></a> pages for details.</p>
</section>
<section id="decrease-token-expiry">
<span id="howto-security-harden-auth-expiry"></span><h3>Decrease token expiry<a class="headerlink" href="#decrease-token-expiry" title="Link to this heading">¶</a></h3>
<p>Decrease the expiry times for LXD cluster join tokens and remote authentication tokens, for example to 15 minutes each:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>lxc<span class="w"> </span>config<span class="w"> </span><span class="nb">set</span><span class="w"> </span>cluster.join_token_expiry<span class="w"> </span>15M
sudo<span class="w"> </span>lxc<span class="w"> </span>config<span class="w"> </span><span class="nb">set</span><span class="w"> </span>core.remote_token_expiry<span class="w"> </span>15M
</pre></div>
</div>
</section>
</section>
<section id="network-security">
<span id="howto-security-harden-network"></span><h2>Network security<a class="headerlink" href="#network-security" title="Link to this heading">¶</a></h2>
<p>Control traffic on LXD networks.</p>
<section id="configure-acls">
<span id="howto-security-harden-acls"></span><h3>Configure ACLs<a class="headerlink" href="#configure-acls" title="Link to this heading">¶</a></h3>
<p><a class="reference internal" href="../network_acls/#network-acls"><span class="std std-ref">Network Access Control Lists</span></a> (ACLs) are used to control traffic between instances and external networks, as well as traffic between instances on the same network. Set ACL rules to limit traffic to only what is necessary.</p>
</section>
<section id="limit-network-exposure">
<span id="howto-security-harden-use-ip"></span><h3>Limit network exposure<a class="headerlink" href="#limit-network-exposure" title="Link to this heading">¶</a></h3>
<p>By default, LXD is only accessible locally through a Unix socket. If you need to <a class="reference internal" href="../server_expose/#server-expose"><span class="std std-ref">expose LXD to the network</span></a>, you must set the LXD server’s <a class="configref reference internal" href="../../server/#server-core:core.https_address"><code class="docutils literal notranslate"><span class="pre">core.https_address</span></code></a>. To reduce the attack surface, do not set this address to a port alone.</p>
<p>Instead, use a trusted IP address on the LXD management interface along with a port, such as <code class="docutils literal notranslate"><span class="pre">192.0.2.10:8443</span></code>. If you only need local HTTPS access, use the loopback address and port, such as <code class="docutils literal notranslate"><span class="pre">127.0.0.1:8443</span></code>.</p>
</section>
</section>
<section id="instance-security">
<span id="howto-security-harden-instance"></span><h2>Instance security<a class="headerlink" href="#instance-security" title="Link to this heading">¶</a></h2>
<p>Along with the recommendations below, review all <a class="reference internal" href="../../reference/instance_options/#instance-options-security"><span class="std std-ref">instance security options</span></a> for further options that might be relevant to your setup.</p>
<p>Rather than applying these options on a per-instance basis, use either <a class="reference internal" href="../../projects/#projects"><span class="std std-ref">Projects</span></a>, <a class="reference internal" href="../images_profiles/#images-profiles"><span class="std std-ref">profiles</span></a>, or both. See the section on <a class="reference internal" href="#howto-security-profiles"><span class="std std-ref">using profiles</span></a> below.</p>
<section id="use-unprivileged-containers">
<span id="howto-security-harden-unprivileged"></span><h3>Use unprivileged containers<a class="headerlink" href="#use-unprivileged-containers" title="Link to this heading">¶</a></h3>
<p>By default, LXD containers are unprivileged. If you need to use privileged containers, make sure to put appropriate security measures in place. For more information, see: <a class="reference internal" href="../../explanation/security/#container-security"><span class="std std-ref">Container security</span></a>.</p>
</section>
<section id="set-instance-resource-limits">
<span id="howto-security-harden-instance-resource-limits"></span><h3>Set instance resource limits<a class="headerlink" href="#set-instance-resource-limits" title="Link to this heading">¶</a></h3>
<p>There are multiple <a class="reference internal" href="../../reference/instance_options/#instance-options-limits"><span class="std std-ref">Resource limits</span></a> that can be configured for instances. To decrease the potential damage from DoS attacks, set reasonable limits.</p>
<p>This is especially important for containers and their <a class="configref reference internal" href="../../reference/instance_options/#instance-resource-limits:limits.cpu"><code class="docutils literal notranslate"><span class="pre">limits.cpu</span></code></a>, <a class="configref reference internal" href="../../reference/instance_options/#instance-resource-limits:limits.memory"><code class="docutils literal notranslate"><span class="pre">limits.memory</span></code></a>, and <a class="configref reference internal" href="../../reference/instance_options/#instance-resource-limits:limits.processes"><code class="docutils literal notranslate"><span class="pre">limits.processes</span></code></a> options, which are unlimited by default. Review the <a class="reference internal" href="../../reference/instance_options/#instance-options-limits"><span class="std std-ref">Resource limits</span></a> reference guide for other options you might want to restrict.</p>
</section>
<section id="disable-container-nesting">
<span id="howto-security-harden-nesting-disable"></span><h3>Disable container nesting<a class="headerlink" href="#disable-container-nesting" title="Link to this heading">¶</a></h3>
<p>The instance configuration option <a class="configref reference internal" href="../../reference/instance_options/#instance-security:security.nesting"><code class="docutils literal notranslate"><span class="pre">security.nesting</span></code></a> enables nested container capability. This increases complexity and can broaden the attack surface. The default for this setting is <code class="docutils literal notranslate"><span class="pre">false</span></code>. Do not set this to <code class="docutils literal notranslate"><span class="pre">true</span></code> unless absolutely needed.</p>
<p>Setting this option to <code class="docutils literal notranslate"><span class="pre">true</span></code> is especially dangerous in combination with <a class="configref reference internal" href="../../reference/instance_options/#instance-security:security.privileged"><code class="docutils literal notranslate"><span class="pre">security.privileged</span></code></a> set to <code class="docutils literal notranslate"><span class="pre">true</span></code> because it provides root access to the host.</p>
</section>
<section id="isolate-containers">
<span id="howto-security-harden-isolate"></span><h3>Isolate containers<a class="headerlink" href="#isolate-containers" title="Link to this heading">¶</a></h3>
<p>If a set of containers does not need to share data with each other, enable the instance option <a class="configref reference internal" href="../../reference/instance_options/#instance-security:security.idmap.isolated"><code class="docutils literal notranslate"><span class="pre">security.idmap.isolated</span></code></a> on each one. This configures them to use unique UID/GID maps, preventing potential <abbr title="Denial of Service">DoS</abbr> attacks from one container to another. Only unprivileged containers can use this option.</p>
</section>
<section id="use-profiles">
<span id="howto-security-profiles"></span><h3>Use profiles<a class="headerlink" href="#use-profiles" title="Link to this heading">¶</a></h3>
<p>Instead of applying <a class="reference internal" href="../../reference/instance_options/#instance-options"><span class="std std-ref">Instance options</span></a> on a per-instance basis, use either <a class="reference internal" href="../../projects/#projects"><span class="std std-ref">Projects</span></a>, <a class="reference internal" href="../images_profiles/#images-profiles"><span class="std std-ref">profiles</span></a>, or both. This enables you to use a consistent hardened configuration.</p>
<p>The commands below, which create and use a profile, are provided as an example only; they set just the instance options explicitly mentioned in this guide. Review all instance options and decide whether there are other options you want to set for your hardened profile.</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>lxc<span class="w"> </span>profile<span class="w"> </span>create<span class="w"> </span>hardened1
sudo<span class="w"> </span>lxc<span class="w"> </span>profile<span class="w"> </span><span class="nb">set</span><span class="w"> </span>hardened1<span class="w"> </span>limits.cpu<span class="o">=</span><span class="m">2</span><span class="w"> </span>limits.memory<span class="o">=</span>4GiB<span class="w"> </span>limits.processes<span class="o">=</span><span class="m">500</span>
sudo<span class="w"> </span>lxc<span class="w"> </span>profile<span class="w"> </span><span class="nb">set</span><span class="w"> </span>hardened1<span class="w"> </span>security.idmap.isolated<span class="o">=</span><span class="nb">true</span><span class="w"> </span>security.nesting<span class="o">=</span><span class="nb">false</span>
sudo<span class="w"> </span>lxc<span class="w"> </span>profile<span class="w"> </span>add<span class="w"> </span>&lt;my-container&gt;<span class="w"> </span>hardened1
</pre></div>
</div>
</section>
</section>
<section id="device-security">
<span id="howto-security-harden-device"></span><h2>Device security<a class="headerlink" href="#device-security" title="Link to this heading">¶</a></h2>
<section id="limit-device-passthrough">
<span id="howto-security-harden-passthrough"></span><h3>Limit device passthrough<a class="headerlink" href="#limit-device-passthrough" title="Link to this heading">¶</a></h3>
<p>PCI, USB, and disk device passthroughs give the container significant access to the host. Avoid adding devices to instances unless strictly necessary. Set <a class="reference internal" href="../../reference/devices_disk/#devices-disk"><span class="std std-ref">disk device</span></a> mounts to <a class="configref reference internal" href="../../reference/devices_disk/#device-disk-device-conf:readonly"><code class="docutils literal notranslate"><span class="pre">readonly</span></code></a> where possible.</p>
</section>
<section id="prevent-spoofing">
<span id="howto-security-harden-spoof"></span><h3>Prevent spoofing<a class="headerlink" href="#prevent-spoofing" title="Link to this heading">¶</a></h3>
<p>With bridged NICs, the default configuration allows MAC or IP spoofing. For details on how to prevent this, see <a class="reference internal" href="../../explanation/security/#exp-security-bridged"><span class="std std-ref">Bridged NIC security</span></a>.</p>
</section>
</section>
<section id="storage-device-security">
<span id="howto-security-harden-storage"></span><h2>Storage device security<a class="headerlink" href="#storage-device-security" title="Link to this heading">¶</a></h2>
<p>The Linux kernel might ignore mount options if a block-based filesystem (like <code class="docutils literal notranslate"><span class="pre">ext4</span></code>) is already mounted with different options. Thus, sharing the same disk device across multiple storage pools can lead to unexpected mount behavior.</p>
<p>To avoid security issues, either dedicate a disk device per storage pool or ensure that all pools sharing a device use the same mount options. For more information, see the <a class="reference internal" href="../../reference/storage_drivers/#storage-drivers-security"><span class="std std-ref">Security considerations</span></a> section of the <a class="reference internal" href="../../reference/storage_drivers/#storage-drivers"><span class="std std-ref">Storage drivers</span></a> reference guide.</p>
</section>
<section id="logging">
<span id="howto-security-harden-logging"></span><h2>Logging<a class="headerlink" href="#logging" title="Link to this heading">¶</a></h2>
<p>Increase logging and regularly audit the logs for suspicious activity.</p>
<section id="use-system-logging">
<span id="howto-security-harden-logging-system"></span><h3>Use system logging<a class="headerlink" href="#use-system-logging" title="Link to this heading">¶</a></h3>
<p>Enable system logging for the LXD daemon and set it to the <code class="docutils literal notranslate"><span class="pre">verbose</span></code> level:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>snap<span class="w"> </span><span class="nb">set</span><span class="w"> </span>lxd<span class="w"> </span>daemon.syslog<span class="o">=</span><span class="nb">true</span>
sudo<span class="w"> </span>snap<span class="w"> </span><span class="nb">set</span><span class="w"> </span>lxd<span class="w"> </span>daemon.verbose<span class="o">=</span><span class="nb">true</span>
</pre></div>
</div>
<p>Regularly check these logs using:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>snap<span class="w"> </span>logs<span class="w"> </span>lxd.daemon
</pre></div>
</div>
<p>By default, only the last 10 lines are output. To see more, use the <code class="docutils literal notranslate"><span class="pre">-n=[all|&lt;#&gt;]</span></code> flag.</p>
<p>For example, to see all logs, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>snap<span class="w"> </span>logs<span class="w"> </span>-n<span class="o">=</span>all<span class="w"> </span>lxd.daemon
</pre></div>
</div>
</section>
<section id="use-auditd-rules">
<span id="howto-security-harden-logging-auditd"></span><h3>Use <code class="docutils literal notranslate"><span class="pre">auditd</span></code> rules<a class="headerlink" href="#use-auditd-rules" title="Link to this heading">¶</a></h3>
<p>Use <code class="docutils literal notranslate"><span class="pre">auditd</span></code> rules to track LXD command execution and configuration file changes.</p>
<p>Configure the audit daemon to record every execution (<code class="docutils literal notranslate"><span class="pre">-p</span> <span class="pre">x</span></code>) of the LXD command-line binaries, tagged with the <code class="docutils literal notranslate"><span class="pre">lxd_execution</span></code> key so the events are easy to search for:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>-a<span class="w"> </span>always,exit<span class="w"> </span>-F<span class="w"> </span><span class="nv">path</span><span class="o">=</span>/snap/bin/lxc<span class="w"> </span>-p<span class="w"> </span>x<span class="w"> </span>-k<span class="w"> </span>lxd_execution
-a<span class="w"> </span>always,exit<span class="w"> </span>-F<span class="w"> </span><span class="nv">path</span><span class="o">=</span>/snap/bin/lxd<span class="w"> </span>-p<span class="w"> </span>x<span class="w"> </span>-k<span class="w"> </span>lxd_execution
-a<span class="w"> </span>always,exit<span class="w"> </span>-F<span class="w"> </span><span class="nv">path</span><span class="o">=</span>/snap/bin/lxd.buginfo<span class="w"> </span>-p<span class="w"> </span>x<span class="w"> </span>-k<span class="w"> </span>lxd_execution
-a<span class="w"> </span>always,exit<span class="w"> </span>-F<span class="w"> </span><span class="nv">path</span><span class="o">=</span>/snap/bin/lxd.check-kernel<span class="w"> </span>-p<span class="w"> </span>x<span class="w"> </span>-k<span class="w"> </span>lxd_execution
-a<span class="w"> </span>always,exit<span class="w"> </span>-F<span class="w"> </span><span class="nv">path</span><span class="o">=</span>/snap/bin/lxd.lxc<span class="w"> </span>-p<span class="w"> </span>x<span class="w"> </span>-k<span class="w"> </span>lxd_execution
</pre></div>
</div>
</section>
<section id="lxc-monitor-and-loki">
<h3><code class="docutils literal notranslate"><span class="pre">lxc</span></code> <code class="docutils literal notranslate"><span class="pre">monitor</span></code> and Loki<a class="headerlink" href="#lxc-monitor-and-loki" title="Link to this heading">¶</a></h3>
<p>The <code class="docutils literal notranslate"><span class="pre">lxc</span> <span class="pre">monitor</span></code> command shows LXD logging and life cycle events as they occur. Because its output is not retained, consider using a dedicated system that keeps a durable record of these events, such as Loki. See: <a class="reference internal" href="../logs_loki/#logs-loki"><span class="std std-ref">How to send logs to Loki</span></a>.</p>
</section>
</section>
<section id="multi-user-environment">
<span id="howto-security-harden-multi-user"></span><h2>Multi-user environment<a class="headerlink" href="#multi-user-environment" title="Link to this heading">¶</a></h2>
<p>These settings are relevant if your LXD server is used by multiple users, such as in a lab setting.</p>
<section id="use-a-restricted-group-for-non-admin-users">
<span id="howto-security-harden-restricted-group"></span><h3>Use a restricted group for non-admin users<a class="headerlink" href="#use-a-restricted-group-for-non-admin-users" title="Link to this heading">¶</a></h3>
<p>By default, both the <code class="docutils literal notranslate"><span class="pre">daemon.group</span></code> and <code class="docutils literal notranslate"><span class="pre">daemon.user.group</span></code> are set to <code class="docutils literal notranslate"><span class="pre">lxd</span></code>. This gives all users in the <code class="docutils literal notranslate"><span class="pre">lxd</span></code> group full local access to LXD through the Unix socket. This includes the ability to attach file system paths or devices to any instance, or tweak any instance’s security features.</p>
<p>Only users who are trusted with <code class="docutils literal notranslate"><span class="pre">sudo</span></code> access to your system should be in the <code class="docutils literal notranslate"><span class="pre">daemon.group</span></code>. Define and use a separate group for users who should not have admin access, such as <code class="docutils literal notranslate"><span class="pre">lxdusers</span></code>:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>groupadd<span class="w"> </span>lxdusers
sudo<span class="w"> </span>snap<span class="w"> </span><span class="nb">set</span><span class="w"> </span>lxd<span class="w"> </span>daemon.user.group<span class="o">=</span>lxdusers
</pre></div>
</div>
</section>
<section id="confine-users-to-projects">
<span id="howto-security-harden-projects"></span><h3>Confine users to projects<a class="headerlink" href="#confine-users-to-projects" title="Link to this heading">¶</a></h3>
<p>You can confine users to specific projects, which can be configured with stricter restrictions to prevent misuse. For details, see: <a class="reference internal" href="../projects_confine/#projects-confine-users"><span class="std std-ref">Confine users to specific LXD projects via Unix socket</span></a>, <a class="reference internal" href="../../explanation/projects/#exp-projects"><span class="std std-ref">Instances grouping with projects</span></a>, and <a class="reference internal" href="../../explanation/authorization/#restricted-tls-certs"><span class="std std-ref">Restricted TLS certificates</span></a>.</p>
</section>
<section id="prevent-name-leakage">
<span id="howto-security-harden-name-leakage"></span><h3>Prevent name leakage<a class="headerlink" href="#prevent-name-leakage" title="Link to this heading">¶</a></h3>
<p>The default server configuration makes it possible to list all cgroups on a system and, by extension, all running containers. Prevent container name leakage by blocking access to <code class="docutils literal notranslate"><span class="pre">/sys/kernel/slab</span></code> and <code class="docutils literal notranslate"><span class="pre">/proc/sched_debug</span></code> before you start any containers. To do so, run the following commands with root privileges:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>chmod<span class="w"> </span><span class="m">400</span><span class="w"> </span>/proc/sched_debug
chmod<span class="w"> </span><span class="m">700</span><span class="w"> </span>/sys/kernel/slab/
</pre></div>
</div>
</section>
</section>
<section id="harden-the-lxd-host-os">
<span id="howto-security-harden-host"></span><h2>Harden the LXD host OS<a class="headerlink" href="#harden-the-lxd-host-os" title="Link to this heading">¶</a></h2>
<p>To harden your deployment, also harden the host’s operating system (OS). These are some ways you can harden the host OS:</p>
<ul class="simple">
<li><p>Keep your OS updated and install all available security patches.</p></li>
<li><p>Use a firewall to drop unexpected inbound traffic and restrict outbound traffic as needed. Ensure only the necessary ports are open.</p></li>
<li><p>For Ubuntu systems, subscribe to <a class="reference external" href="https://ubuntu.com/pro">Ubuntu Pro</a>.</p></li>
<li><p>Use the latest <a class="reference external" href="https://www.cisecurity.org/cis-benchmarks">CIS hardening benchmarks</a> for your OS.</p></li>
</ul>
<section id="ubuntu-cis-hardening">
<span id="howto-security-harden-cis"></span><h3>Ubuntu CIS hardening<a class="headerlink" href="#ubuntu-cis-hardening" title="Link to this heading">¶</a></h3>
<p>For Ubuntu LTS releases subscribed to Ubuntu Pro, use the <a class="reference external" href="https://documentation.ubuntu.com/security/compliance/usg/">Ubuntu Security Guide (USG)</a> tool for CIS hardening. The tool can audit the host system and fix many issues automatically. Depending on how your system is configured, there might be other issues that you must remediate manually.</p>
<p>There are known issues with three of the auditing tool’s rule IDs when auditing LXD hosts with the <code class="docutils literal notranslate"><span class="pre">cis_level1_server</span></code> profile. One is that it generates a false failure report for the following rule ID, flagging that no UEFI boot loader password is set even when it is:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">xccdf_org</span><span class="o">.</span><span class="n">ssgproject</span><span class="o">.</span><span class="n">content_rule_grub2_uefi_password</span>
</pre></div>
</div>
<p>As long as you have set this password and can confirm that the UEFI boot process requests it, you can ignore this failure report.</p>
<p>Furthermore, if the Ubuntu system is running LXD containers, the USG audit will report failure on the following rule IDs:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">xccdf_org</span><span class="o">.</span><span class="n">ssgproject</span><span class="o">.</span><span class="n">content_rule_no_files_unowned_by_user</span>
<span class="n">xccdf_org</span><span class="o">.</span><span class="n">ssgproject</span><span class="o">.</span><span class="n">content_rule_file_permissions_ungroupowned</span>
</pre></div>
</div>
<p>By design, LXD’s unprivileged containers run inside a user namespace for greater isolation. This causes some files and directories under <code class="docutils literal notranslate"><span class="pre">/sys/fs/cgroup/lxc.payload.&lt;container_name&gt;</span></code> to appear as having no owner on the host. Since this is expected, the USG tool’s failure reports for these two rule IDs can be ignored.</p>
<p>You can customize the tool’s CIS profile to always ignore these three rule IDs. To do so, follow the instructions in the <a class="reference external" href="https://documentation.ubuntu.com/security/compliance/usg/cis-customize/">Customizing CIS profiles</a> section of the Ubuntu security documentation.</p>
</section>
</section>
<section id="related-topics">
<h2>Related topics<a class="headerlink" href="#related-topics" title="Link to this heading">¶</a></h2>
<p>How-to guides:</p>
<ul class="simple">
<li><p><a class="reference internal" href="../network_bridge_firewalld/#network-bridge-firewall"><span class="std std-ref">How to configure your firewall</span></a></p></li>
<li><p><a class="reference internal" href="../projects_confine/#projects-confine"><span class="std std-ref">How to confine users to specific projects</span></a></p></li>
</ul>
<p>Explanation:</p>
<ul class="simple">
<li><p><a class="reference internal" href="../../explanation/security/#exp-security"><span class="std std-ref">Security</span></a></p></li>
<li><p><a class="reference internal" href="../../authentication/#authentication"><span class="std std-ref">Remote API authentication</span></a></p></li>
<li><p><a class="reference internal" href="../../explanation/authorization/#authorization"><span class="std std-ref">Remote API authorization</span></a></p></li>
</ul>
<p>Reference:</p>
<ul class="simple">
<li><p><a class="reference internal" href="../../reference/instance_options/#instance-options-security"><span class="std std-ref">Instance-level security options</span></a></p></li>
</ul>
</section>
</section>

        </article>
      </div>
      <footer>
        
   

<div class="bottom-of-page">
  <div class="left-details">
    <div class="copyright">
        &copy; 2014-2026 AGPL-3.0, LXD contributors 
    </div><div class="last-updated">
      Last updated on Feb 12, 2026</div>
  </div>
  <div class="right-details">
    
</div>

      </footer>
    </div>
  </div>
</div><script src="../../_static/jquery.js?v=5d32c60e"></script>
</body>
</html>