
Deployment Overview of LXD on Server

Prerequisites and Basic Requirements

The following requirements must be met before deploying the application:

  • Operating System: Ubuntu 22.04 (Jammy)

  • Privileges: Root or sudo access

  • Domain: hostkey.in

  • Required Ports:

      • Port 443 (External HTTPS)

      • Port 8443 (Internal LXD HTTPS)

  • Software Dependencies:

      • snapd

      • squashfs-tools

      • Docker (for Nginx and Certbot)

FQDN of the Final Panel

The application is accessible via the following Fully Qualified Domain Name (FQDN):

  • Format: lxd<Server ID>.hostkey.in

  • Port: 443 (Standard HTTPS)

Replace <Server ID> with the specific identifier assigned to the server instance.

File and Directory Structure

The application utilizes the following directory structure for configuration, data, and certificates:

Directory/Path                   Description
/snap/bin/lxd                    LXD binary location
/root/nginx                      Nginx and Docker Compose configuration directory
/root/nginx/compose.yml          Docker Compose definition file
/data/nginx/user_conf.d/         Custom Nginx configuration directory
/data/nginx/nginx-certbot.env    Environment variables for Nginx-Certbot
/etc/letsencrypt                 SSL certificate storage (mounted volume)

Application Installation Process

The deployment involves installing the LXD snap package and configuring a reverse proxy using Docker.

  1. Install Dependencies: The system installs snapd and squashfs-tools using the apt package manager.

  2. Install LXD Snap: LXD is installed from the Snap store targeting the specific stable channel.

    snap install lxd --channel=5.21/stable

     If LXD is already installed, the channel is refreshed to ensure version alignment:

    snap refresh lxd --channel=5.21/stable

  3. Initialize LXD: The LXD daemon is initialized with minimal defaults if it has not been configured previously:

    /snap/bin/lxd init --minimal
    

  4. Enable LXD UI: The graphical user interface (UI) for LXD is enabled via the snap configuration:

    snap set lxd ui.enable=true
    

  5. Deploy Proxy and SSL via Docker: A reverse proxy and SSL certificate manager are deployed using Docker Compose.

      • Ensure the docker service is running.

      • Configure the Nginx configuration file at /data/nginx/user_conf.d/lxd<Server ID>.hostkey.in.conf.

      • Execute the Docker Compose setup:

    docker compose up -d
    

Access Rights and Security

Security configurations are managed as follows:

  • User Access: The administrator user is added to the lxd group to allow unprivileged access to LXD commands:

    usermod -aG lxd <admin_user>
    

  • Firewall (UFW):

      • Firewall management is optional based on configuration.

      • If enabled, SSH access is permitted first.

      • Port 8443 is opened for LXD HTTPS traffic.

      • Access can be restricted to specific CIDR blocks if configured.

  • LXD Configuration:

      • LXD is configured to listen on all network interfaces for HTTPS on port 8443:

    /snap/bin/lxc config set core.https_address ":8443"
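
The bind address and the firewall rule above together decide whether the LXD API on 8443 is reachable directly or only through the Nginx proxy, which itself connects over 127.0.0.1:8443. The shell functions below are an added example, not part of the original deployment; they turn a core.https_address value and `ufw status` output into one verdict. The function names and the sample ufw output are constructed for illustration.

```shell
# Added example (not from the original page); all sample inputs are constructed.
# Classify a core.https_address value by how widely LXD listens.
listen_scope() {
    case "$1" in
        "")                         echo "disabled" ;;
        127.*|localhost:*|"[::1]"*) echo "loopback" ;;
        :*|0.0.0.0*|"[::]"*)        echo "all-interfaces" ;;
        *)                          echo "specific" ;;
    esac
}

# Read `ufw status` text on stdin; print the source of each 8443 ALLOW rule.
ufw_sources_8443() {
    awk '$1 ~ /^8443(\/tcp)?$/ && /ALLOW/ { sub(/^.*ALLOW( IN)?[ \t]+/, ""); print }'
}

# $1 = core.https_address, stdin = `ufw status` output. Prints one verdict.
# FILTERED assumes UFW's default policy denies incoming traffic.
audit_8443() {
    scope=$(listen_scope "$1"); status=$(cat)
    sources=$(printf '%s\n' "$status" | ufw_sources_8443)
    case "$scope" in loopback|disabled)
        echo "OK: bind=$scope, 8443 not reachable from the network"; return 0 ;;
    esac
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "EXPOSED: bind=$scope, UFW inactive"
    elif printf '%s\n' "$sources" | grep -q '^Anywhere'; then
        echo "EXPOSED: bind=$scope, 8443 allowed from Anywhere"
    elif [ -n "$sources" ]; then
        echo "RESTRICTED: bind=$scope, 8443 allowed from $(printf '%s' "$sources" | tr '\n' ' ')"
    else
        echo "FILTERED: bind=$scope, no UFW allow rule for 8443"
    fi
}

# Constructed `ufw status` samples: SSH first, then 8443 (open vs. CIDR-limited).
UFW_HEAD='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere'
UFW_OPEN="$UFW_HEAD
8443/tcp                   ALLOW       Anywhere"
UFW_CIDR="$UFW_HEAD
8443/tcp                   ALLOW       203.0.113.0/24"

printf '%s\n' "$UFW_OPEN" | audit_8443 ":8443"           # page's bind, open rule
printf '%s\n' "$UFW_CIDR" | audit_8443 ":8443"           # page's bind, CIDR rule
printf '%s\n' "$UFW_OPEN" | audit_8443 "127.0.0.1:8443"  # loopback-only bind
```

On a host, the two inputs come from `/snap/bin/lxc config get core.https_address` and `ufw status`.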
    

Databases

No database components are included in the provided deployment configuration.

Docker Containers and Their Deployment

The reverse proxy and SSL certificate generation are handled by Docker containers defined in the compose.yml file located at /root/nginx/compose.yml.

Container Details:

  • Image: jonasal/nginx-certbot:latest

  • Restart Policy: unless-stopped

  • Network Mode: host

  • Volumes:

      • nginx_secrets (external volume) mounted at /etc/letsencrypt

      • /data/nginx/user_conf.d mounted at /etc/nginx/user_conf.d

Deployment Command:

The container stack is started using the following command from the configuration directory:

cd /root/nginx
docker compose up -d

Proxy Servers

The application utilizes Nginx as a reverse proxy with SSL termination handled by Certbot.

  • Configuration Location: /data/nginx/user_conf.d/lxd<Server ID>.hostkey.in.conf

  • Proxy Backend: Traffic is proxied from the external domain to the internal LXD service.

      • The configuration includes the directive:

    proxy_pass https://127.0.0.1:8443;
    

  • SSL Certificates: Managed automatically via the Nginx-Certbot container using the Let's Encrypt issuer.

  • Email for Certbot Alerts: [email protected] (defined in the environment file).

Permission Settings

File and directory permissions are set during the deployment process:

  • Nginx Directory:

      • Path: /root/nginx

      • Owner: root:root

      • Mode: 0755

  • Compose File:

      • Path: /root/nginx/compose.yml

      • Owner: root:root

      • Mode: 0644

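  • LXD User Access:

      • The lxd group provides the necessary permissions for users to interact with the daemon without root privileges. Because control of the LXD daemon is equivalent to root access on the host, membership should be limited to users who would be trusted with root.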

Location of Configuration Files and Data

Key configuration and data files are stored in the following locations:

File/Path                                                 Purpose
/root/nginx/compose.yml                                   Docker Compose service definition
/data/nginx/user_conf.d/lxd<Server ID>.hostkey.in.conf    Nginx server block configuration
/data/nginx/nginx-certbot.env                             Environment variables for the proxy container
/snap/bin/lxd                                             LXD executable
/etc/letsencrypt                                          SSL certificate files (volume mount)

Available Ports for Connection

The following ports are configured for external and internal communication:

Port    Protocol    Description
443     TCP         External HTTPS (Nginx/SSL)
8443    TCP         Internal LXD API and UI (HTTPS)

Starting, Stopping, and Updating

LXD Service Management:

  • Restart LXD Daemon:

    systemctl restart snap.lxd.daemon
    

  • Check LXD Version:

    /snap/bin/lxc version
    

Docker Proxy Management:

  • Start/Restart Containers:

    cd /root/nginx
    docker compose up -d
    

  • Stop Containers:

    cd /root/nginx
    docker compose down
    

Updating LXD:

To update LXD to a specific channel:

snap refresh lxd --channel=5.21/stable
