Installation of LXD

Installation of LXD Using Snap

LXC (Linux Containers) is a lightweight virtualization technology that allows you to run multiple isolated Linux systems (containers) on a single host. LXD is the daemon that manages LXC containers, and the lxd snap provides it together with the lxc command-line client. Below are the steps to install and configure LXD using Snap.

Step 1: Install LXD via Snap

The Snap package manager simplifies the installation process by providing a pre-packaged version of LXD (the daemon managing LXC containers).

    sudo snap install lxd

  • Explanation: This command installs the LXD package from the Snap store. Snap ensures that the latest stable version of LXD is installed and automatically updated.

Step 2: Initialize LXD

After installation, you need to initialize LXD to configure its environment.

    sudo lxd init

  • Interactive Configuration:
    • During initialization, you will be prompted with several questions. Below are the key options:
      1. Storage Backend: Choose between dir (directory-based storage) or zfs/btrfs (advanced storage backends). For beginners, dir is sufficient.
      2. Network Bridge: Configure a network bridge for container networking. You can either create a new bridge (lxdbr0) or use an existing one.
        • If you choose to use an existing bridge, ensure it is already configured on your system.
      3. IPv6 Support: Decide whether to enable IPv6 for container networking.
      4. Storage Pool: Define the storage pool name and location.

Step 3: Configure Web UI

LXD provides a web-based user interface (UI) for managing containers. To enable it:

  1. Enable the Web UI:

    sudo snap set lxd ui.enable=true
    
  2. Restart LXD to Apply Changes:

    sudo snap restart --reload lxd
    
  3. Set HTTPS Address: To make the web UI accessible, configure the HTTPS address:

    lxc config set core.https_address :7443
    
    • Explanation: This command binds the LXD API, which also serves the Web UI, to port 7443 on all network interfaces (0.0.0.0). To limit exposure, replace :7443 with a specific IP address (e.g., 192.168.1.10:7443) so that the API listens only on that interface.
  4. Access the Web UI: Open a browser and navigate to:

    https://<server-ip>:7443
    
    • Replace <server-ip> with the IP address of your server.
    • Accept the self-signed certificate warning in your browser.

Additional Notes

  • Authentication: By default, the LXD API uses client certificates for authentication. The client certificate your browser presents must be in the LXD server's trust store before the Web UI will accept it.
  • Firewall Rules: If you have a firewall enabled, allow traffic on port 7443 (this rule accepts connections from any source address):
    sudo ufw allow 7443/tcp
    

Troubleshooting

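  1. Snap Permissions: If you encounter permission issues, ensure your user is part of the lxd group. Members of this group have full control over LXD, which is equivalent to root access on the host, so add only trusted administrators:

    sudo usermod -aG lxd "$USER"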
    newgrp lxd
    
  2. Web UI Not Accessible: Verify that the LXD service is running:

    sudo systemctl status snap.lxd.daemon
    
  3. Port Conflicts: If the default port (e.g., 7443) is already in use, choose a different port:

    lxc config set core.https_address :8443
    
  4. Find the Web UI Port on the Server: To confirm which port the LXD Web UI is listening on, use the netstat command:

    sudo netstat -nltp | grep lxd
    
    • Explanation: This command lists all listening TCP ports and filters for processes related to lxd.
    • Example Output:
      tcp6       0      0 :::8443                 :::*                    LISTEN      1518185/lxd
      
      • In this example, the Web UI is listening on port 8443.
    • Action: If the port listed does not match your configuration, update the core.https_address setting:
      lxc config set core.https_address :<desired-port>
      
  5. Firewall Rules: Ensure the firewall allows traffic on the configured Web UI port. For example, if the Web UI is on port 8443:

    sudo ufw allow 8443/tcp
    
  6. Self-Signed Certificate Warnings: If you see SSL certificate warnings when accessing the Web UI, it is likely due to the self-signed certificate used by LXD. You can either:

    • Accept the warning in your browser.
    • Replace the self-signed certificate with a trusted one using a reverse proxy like Nginx or Apache.
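
The listener check from troubleshooting item 4, extended as an added example (not part of the original page): it parses `netstat -nltp` output, marks lxd listeners bound to every interface, and prints the commands that narrow the bind address and the firewall rule. The sample input, the management address and the source subnet are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page.
# SAMPLE_NETSTAT is constructed: the page's example line, a made-up lxd
# listener on a specific address, and an unrelated service.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::8443                 :::*                    LISTEN      1518185/lxd
tcp        0      0 192.168.1.10:7443       0.0.0.0:*               LISTEN      2201/lxd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      900/cupsd'

# Read `netstat -nltp` output on stdin; print "port address scope" per lxd listener.
lxd_listeners() {
    awk '$6 == "LISTEN" && $7 ~ /\/lxd$/ {
        port = $4; sub(/^.*:/, "", port)                 # text after the last colon
        host = substr($4, 1, length($4) - length(port) - 1)
        wild = (host == "0.0.0.0" || host == "::" || host == "*")
        print port, host, (wild ? "ALL-INTERFACES" : "SPECIFIC")
    }'
}

# For each wildcard listener, print the commands that narrow it.
# $1 = management IP to bind to, $2 = source range allowed through ufw
# (both are placeholders the operator supplies).
lxd_hardening_hints() {
    mgmt_ip=$1; mgmt_net=$2
    lxd_listeners | while read -r port host scope; do
        [ "$scope" = "ALL-INTERFACES" ] || continue
        echo "lxc config set core.https_address ${mgmt_ip}:${port}"
        echo "sudo ufw delete allow ${port}/tcp"
        echo "sudo ufw allow from ${mgmt_net} to any port ${port} proto tcp"
    done
}

# Live host: sudo netstat -nltp | lxd_hardening_hints <mgmt-ip> <mgmt-subnet>
printf '%s\n' "$SAMPLE_NETSTAT" | lxd_hardening_hints 192.168.1.10 192.168.1.0/24
```
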

Access Web UI with Certificate Encryption

To securely access the LXD Web UI, you authenticate with a client certificate stored in a .pfx (Personal Information Exchange) file. This method ensures that only authorized users with the correct certificate can access the Web UI. Follow the steps below to configure this on macOS:

Download the .pfx files from the Google Drive link.

Step 1: Add the .pfx File to Keychain Access

  1. Locate the .pfx File:

    • Obtain the .pfx file from your LXD server or generate one if necessary.
    • The .pfx file contains both the private key and the certificate.
  2. Import the .pfx File:

    • Open Keychain Access on your Mac (Applications > Utilities > Keychain Access).
    • Go to File > Import Items.
    • Select the .pfx file and click Open.
  3. Configure Trust Settings:

    • In Keychain Access, locate the imported certificate.
    • Double-click the certificate to open its settings.
    • Expand the Trust section and set the following:
      • When using this certificate: Select Always Trust.
    • Close the window and enter your password to confirm the changes.
  4. Allow All Apps to Use the Certificate:

    • Right-click the certificate in Keychain Access and select Get Info.
    • Under the Access Control tab, select Allow all applications to access this item.
    • Confirm the changes.
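
For the "generate one if necessary" case in item 1, an added example (not part of the original page) that builds a client certificate and a password-protected .pfx with OpenSSL. The file names, curve, one-year lifetime and the PFX_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Names, curve and lifetime are
# assumptions. The .pfx password is read from the PFX_PASS environment
# variable so that it never appears in the process list.
# Usage: export PFX_PASS='...'; make_lxd_client_pfx <output-dir> <name>
make_lxd_client_pfx() (
    out_dir=$1; name=$2
    [ -n "${PFX_PASS:-}" ] || { echo "set and export PFX_PASS first" >&2; exit 2; }
    umask 077                     # key material readable by the owner only
    cd "$out_dir" || exit 1

    # Self-signed certificate restricted to TLS client authentication.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
        -nodes -days 365 -subj "/CN=$name" \
        -addext "extendedKeyUsage=clientAuth" \
        -keyout "$name.key" -out "$name.crt" 2>/dev/null || exit 1

    # Bundle key and certificate; this is the file imported into Keychain Access.
    openssl pkcs12 -export -inkey "$name.key" -in "$name.crt" \
        -name "$name" -passout env:PFX_PASS -out "$name.pfx" || exit 1

    rm -f "$name.key"             # the protected bundle now holds the only key copy

    # On the LXD server, trust the public half:  lxc config trust add <name>.crt
    # The fingerprint printed here identifies it in the server's trust list.
    openssl x509 -in "$name.crt" -noout -fingerprint -sha256
)
```

If Keychain Access rejects the bundle's password on import, the cause is often the PKCS#12 encryption defaults of OpenSSL 3; rebuilding the bundle with `openssl pkcs12 -export -legacy` is the usual workaround (general OpenSSL behaviour, not something stated on the page).
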

Step 2: Configure Google Chrome

  1. Close and Reopen Google Chrome:

    • Ensure that Google Chrome is completely closed before proceeding.
    • Reopen Google Chrome to apply the updated Keychain settings.
  2. Access the Web UI:

    • Open a browser and navigate to the Web UI URL:
      https://<server-ip>:<port>
      
      Replace <server-ip> with the IP address of your server and <port> with the configured HTTPS port (e.g., 7443).
      Mostly we configure port 7443 on server001 and 8443 on server001 and server003.
  3. Select the Certificate:

    • When prompted, select the certificate you added to Keychain Access.
    • If no prompt appears, ensure that the .pfx file is correctly imported and trusted.

Additional Notes

  • Certificate Warnings:
    • If you encounter warnings about an untrusted certificate, ensure that the .pfx file is properly imported and trusted in Keychain Access.
  • Alternative Browsers:
    • While the steps above focus on Google Chrome, similar configurations can be applied to other browsers like Firefox or Safari.
  • Security Considerations:
    • Only allow trusted devices to access the .pfx file.
    • Use strong passwords to protect the .pfx file.