by nepotism2016 3486 days ago
Like Xen? I sat in on a 10-minute presentation during an OpenStack meetup where an Ubuntu dude presented LXD... then I asked myself... Xen does all this... then again, choice is always welcome.
2 comments

The VM experience ("guests") without the VM overhead. A virtual machine like Xen or KVM or ESX lets you run a guest kernel of a different OS, like Windows. LXD avoids the overhead of hardware virtualisation and the guest OS, which means it only supports Linux guests, but they run at native speeds.
> without the VM overhead

or the VM security

LXD does at least (unlike docker) default to unprivileged containers
Any local kernel vulnerability will let you attack other containers on the same machine. This is a much bigger attack surface than Xen or KVM. It's nice in that it gives the same experience as "traditional" hypervisors (at least the basic features), but it's only applicable if you trust that the application inside the container will not be compromised.
On the flip side, when there is a kernel vulnerability, there's only 1 kernel to update! If you're running the Canonical Livepatch Service, for instance, critical security vulnerabilities are patched in real time, without reboot, and all running containers immediately benefit from the patch. Conversely, if you're running 50 Linux Xen or KVM machines, you have 51 kernels to update. So yeah, do think about what "attack surface" actually means when comparing LXD and full virtualization.
If you manage so many hosts, you had better use Ansible, or Satellite, or whatever, so that updating 1, 50 or 500 hosts is the same effort.
In the same vein, there are plenty of Xen machines that are vulnerable despite the host OS being updated (which, honestly, I don't think happens as quickly as it should, considering it requires a restart for new kernel params). With things like live-patching, updating the kernel once, while running, makes sure all guests are updated as well.

It's a trade-off, but one that seems to trend towards more secure, despite potentially a few quirks.

LXD supports using different id maps per container, which mitigates some of that.

I get that containers will always have a larger attack surface than Xen/KVM. Just thought it was worth mentioning that some container approaches are thinking about security more than others.
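The point made above about unprivileged containers and per-container id maps can be checked from the host: a container's user namespace is visible in `/proc/<pid>/uid_map`, and whether container root maps to host root is what separates a privileged container from an unprivileged one. The following shell function is an added example, not code from the thread or from the LXD project; the sample maps are constructed, and the host pid argument is an assumption about how you would look up a running container's process.

```shell
# Added example: classify a user namespace from the contents of a uid_map.
# Each uid_map line has the form: <id-inside-ns> <id-outside-ns> <length>
# Privileged container / no user namespace : "0 0 4294967295" (identity map)
# Unprivileged container                   : "0 100000 65536"  (root -> high host uid)
# Isolated per-container map               : a different base per container, e.g. "0 165536 65536"

# Reads a uid_map on stdin; prints "privileged", "unprivileged" or "unknown".
classify_uid_map() {
    while read -r inside outside length; do
        [ -z "$inside" ] && continue
        if [ "$inside" -eq 0 ]; then
            # The line that covers in-namespace uid 0 decides: mapping
            # container root onto host uid 0 means a kernel escape lands as host root.
            if [ "$outside" -eq 0 ]; then
                echo privileged
            else
                echo unprivileged
            fi
            return 0
        fi
    done
    echo unknown
    return 0
}

# Constructed sample maps (not captured from a real host)
PRIV_MAP='0 0 4294967295'
UNPRIV_MAP='0 100000 65536'
ISOLATED_MAP='0 165536 65536'

# Check a live container: pass the host pid of any process running inside it
# (hypothetical usage; on a real host the pid comes from ps or the container runtime).
check_running_container() {
    classify_uid_map < "/proc/$1/uid_map"
}

# Compare two containers' maps: prints "shared" if root in both maps to the same
# host uid (one compromised container would own the other's files), else "isolated".
compare_maps() {
    a=$(printf '%s\n' "$1" | awk '$1 == 0 { print $2; exit }')
    b=$(printf '%s\n' "$2" | awk '$1 == 0 { print $2; exit }')
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo shared; else echo isolated; fi
}
```

In LXD terms the knobs behind these two outcomes are the `security.privileged` and `security.idmap.isolated` container settings (from LXD's documentation, not from the thread); `compare_maps "$UNPRIV_MAP" "$UNPRIV_MAP"` reports the default shared map, while `compare_maps "$UNPRIV_MAP" "$ISOLATED_MAP"` shows the per-container mapping the comment refers to.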

Nope. If you get to the kernel it's game over.
Sure, Xen is a hypervisor - just like KVM and a whole host of others, but Xen is /very/ heavy from a resource utilization standpoint. Xen doesn't produce lightweight VMs; they're traditional virtualization. You can produce 13 times more density with no performance trade-off. No virtio, no paravirtualization, using native kernel primitives to get you machines that feel like "docker" containers, but are actual full machines.