LXD 5.21.5 release notes¶
This is an LTS release and is recommended for production use.
These release notes cover updates in the core LXD repository and the LXD snap package.
This is a maintenance release for the 5.21 LTS series. It backports a number of new features, storage and networking improvements, security hardening, and bug fixes from the main development branch.
Highlights¶
This section highlights new and improved features in this release.
HPE Alletra storage driver¶
A new alletra storage driver has been added for the consumption of storage volumes from an HPE Alletra storage array. The driver supports both iSCSI and NVMe/TCP connections, including volume resize and multipath handling.
Documentation: HPE Alletra - alletra
API extension: storage_driver_alletra
OVN internal load balancers and network forwards¶
Support for internal OVN load balancers and network forwards has been introduced. This allows ovn networks to define ports on internal IP addresses that can be forwarded to other internal IPs within their networks, removing the previous limitation that load balancers and network forwards could only forward from external IP addresses.
Documentation: How to configure network load balancers and How to configure network forwards
API extension: ovn_internal_load_balancer
OVN DHCP ranges¶
Support for the ipv4.dhcp.ranges configuration key has been added for ovn networks, allowing a list of IPv4 ranges to be reserved for dynamic allocation using DHCP.
Documentation: How to set up OVN with LXD
API extension: ovn_dhcp_ranges
OVN NIC acceleration parent¶
Support has been added for specifying the OVN NIC acceleration physical function interfaces from which to allocate virtual functions. This avoids the need to add physical function interfaces to the OVN integration bridge.
Documentation: nictype: ovn
API extension: ovn_nic_acceleration_parent
Forced project deletion¶
Support has been added for force deleting projects together with their entities (instances, profiles, images, networks, network ACLs, network zones, storage volumes, and storage buckets) by setting the force query parameter on DELETE /1.0/projects/{name} requests.
API extension: projects_force_delete
Importing custom volumes from tarballs¶
A new tar option has been added for the --type parameter in the POST /1.0/storage-pools/{poolName}/volumes/{type} API call.
Documentation: How to manage storage volumes
API extension: import_custom_volume_tar
Persistent VM PCIe bus allocations¶
Support has been added for persistently recording VM PCIe bus allocations in volatile.<name>.bus configuration keys, improving the stability of device addressing across VM restarts.
API extension: vm_persistent_bus
Operation requestor information¶
A new requestor field has been added to operations, which contains information about the caller that initiated the operation.
API extension: operation_requestor
Disk usage in resources¶
A used_by field has been added to disks returned by the resources endpoint to indicate their use by any virtual parent device, for example bcache.
API extension: resources_disk_used_by
Bug fixes¶
The following bug fixes are included in this release.
Project restriction bypass in instance copy across projects (CVE-2026-55622)
Project restriction bypass for custom volume copy across projects (CVE-2026-55621)
Restricted project bypass leading to arbitrary command execution (CVE-2026-48751)
Arbitrary file write on host via exec-output symlink in crafted image (CVE-2026-48750)
Arbitrary file read+write on host via templates/ symlink in malicious image (CVE-2026-48752)
Arbitrary file read+write on host via rootfs/ symlink in malicious image (CVE-2026-48749)
Argument injection in backup compression algorithm leading to AFW and ACE (CVE-2026-48755)
Arbitrary file write on client due to trusted image hash (CVE-2026-48769)
Backup snapshot import bypasses project restrictions (CVE-2026-9640)
Fix potential crash if non-string config sent as notification in api10Put
Fix deadlock by only taking storage pool and network creation lock for external API requests
Validate a cluster group edit does not ignore a member removal
Fix storage patch update with instance volume with size config
Ensure Pure Storage image size is applied if not specified otherwise
Fix Alletra and Pure block device unmap and volume resize in iSCSI/multipath mode
Fix lxc auth regression where groups were not removed from identities
Explicitly close both ends of mirrored websockets to avoid hanging instance console websockets
Fix stale CDI-related files cleanup logic for physical GPU devices
Fix getDHCPv4Reservations() and randomAddressInSubnet() in the network drivers
Fix incorrect address comparison when changing the pprof address
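Several of the fixes above concern image tarballs whose rootfs/ or templates/ entries are links that redirect the daemon's writes onto the host. The Python below is an added example, not LXD's own validation code: a pre-import triage check that flags such members, run here against a constructed sample tarball. It assumes only the image layout the fixes name (top-level rootfs/ and templates/ directories).

```python
import io
import posixpath
import tarfile
import tempfile
from typing import List

# Image directories the daemon unpacks and later writes into on the host: rootfs/
# holds the container filesystem, templates/ holds files rendered at instance creation.
SENSITIVE_TOPDIRS = ("rootfs", "templates")

def find_suspicious_members(tar_path: str) -> List[str]:
    """Return one finding per tarball member that should block an image import."""
    findings: List[str] = []
    with tarfile.open(tar_path) as tf:
        for m in tf.getmembers():
            name = posixpath.normpath(m.name)
            if name.startswith("/") or name == ".." or name.startswith("../"):
                findings.append(f"{m.name}: path escapes archive root")
                continue
            is_link, top = m.issym() or m.islnk(), name.split("/", 1)[0]
            if is_link and name in SENSITIVE_TOPDIRS:
                # 'rootfs' -> '/' would redirect every extracted file onto the host
                findings.append(f"{m.name}: top-level {name}/ is a link to {m.linkname}")
            elif is_link and top == "templates":
                # the daemon writes rendered templates, so a link redirects that write
                findings.append(f"{m.name}: link inside templates/ to {m.linkname}")
            elif m.issym() and top == "rootfs" and not m.linkname.startswith("/"):
                # relative link climbing out of rootfs/ (absolute ones resolve inside the container)
                target = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
                if target.split("/", 1)[0] != "rootfs":
                    findings.append(f"{m.name}: link climbs out of rootfs/ to {m.linkname}")
    return findings

def scan_constructed_image() -> List[str]:
    """Build a constructed tarball mixing benign and hostile members, then scan it."""
    def add(tf, name, typ, link="", data=b""):
        info = tarfile.TarInfo(name)
        info.type, info.linkname, info.size = typ, link, len(data)
        tf.addfile(info, io.BytesIO(data) if data else None)
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/image.tar"
        with tarfile.open(path, "w") as tf:
            add(tf, "metadata.yaml", tarfile.REGTYPE, data=b"architecture: x86_64\n")
            add(tf, "rootfs/bin", tarfile.SYMTYPE, link="usr/bin")            # benign
            add(tf, "rootfs/etc/mtab", tarfile.SYMTYPE, link="/proc/mounts")  # benign
            add(tf, "rootfs/tmp/out", tarfile.SYMTYPE, link="../../../../etc")
            add(tf, "templates/hostname.tpl", tarfile.SYMTYPE, link="/etc/hostname")
            add(tf, "../escape.txt", tarfile.REGTYPE, data=b"x")
            add(tf, "templates", tarfile.SYMTYPE, link="/etc")
        return find_suspicious_members(path)
```

Point `find_suspicious_members` at a real image tarball to triage it before `lxc image import`; the benign rootfs/ links in the sample show the check does not flag the ordinary symlinks every image contains.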
Backwards-incompatible changes¶
These changes are not compatible with older versions of LXD or its clients.
Minimum system requirement changes¶
The minimum supported version of some components has changed:
The minimum required version of Go to build LXD is now 1.26.4 (see Updated minimum Go version).
Stricter validation and tightened permissions¶
Several inputs are now validated more strictly, and some permissions have been tightened as part of security hardening backports. Requests that previously succeeded with malformed or unexpected values may now be rejected:
Stricter certificate fingerprint validation.
Stricter checks for low-level (raw.*) configuration options.
Improved certificate edit validation.
Tightened storage pool permissions.
Validation of struct slices and config during import.
Updated minimum Go version¶
If you are building LXD from source instead of using a package manager, the minimum version of Go required to build LXD is now 1.26.4 (previously 1.24.5).
Snap packaging changes¶
Transitioned the snap base from core22 to core24.
Several bundled components are now staged from the Ubuntu archive or built from Ubuntu source packages instead of being built from upstream Git, reducing build complexity. This includes Open vSwitch, OVN, swtpm, virtiofsd, and squashfs-tools-ng.
QEMU is now built from the Ubuntu source package (8.2.2+ds-0ubuntu1.17) instead of upstream Git.
EDK2/OVMF is now built from the Ubuntu source package (2024.02-2ubuntu0.8) instead of upstream Git.
SPICE is now built from the Ubuntu source package (0.15.1-1build2) instead of upstream Git.
Enabled LXCFS per-container process tracking (snap set lxd lxcfs.pidfd=true) by default.
dqlite bumped to v1.17.3.
LXC bumped to v6.0.6.
LXCFS bumped to v6.0.6.
LXCFS: Reverted partial backport of PSI functionality that prevented host machine suspend (#17983).
libnvidia-container bumped to v1.19.0.
NVIDIA container toolkit bumped to v1.19.0.
ZFS 2.2 bumped to 2.2.10.
ZFS 2.3 bumped to 2.3.8.
ZFS 2.4 bumped to 2.4.3.
Change log¶
Downloads¶
The source tarballs and binary clients can be found on our download page.
Binary packages are also available for:
Linux:
snap install lxd --channel=5.21/stable
MacOS client:
brew install lxc
Windows client:
choco install lxc