
Deployment Overview of LXD on Server

Prerequisites and Basic Requirements

The deployment process requires a server running a specific operating system version with administrative privileges. The following conditions must be met before initiating the installation:

  • Operating System: Ubuntu 22.04 (codename jammy).
  • Privileges: Root access or a user with sudo privileges is required to install system packages, manage services, and configure the firewall.
  • Dependencies: The system must have snapd and squashfs-tools installed to support the LXD snap package.
  • Network: The server must have network connectivity to download the LXD snap and, if applicable, to allow external access to the LXD API/UI.

File and Directory Structure

The application utilizes specific directories for configuration, data storage, and certificate management. The following paths are established during the deployment:

  • Nginx Configuration Directory: /root/nginx
    • This directory contains the Docker Compose file and related configuration for the reverse proxy.
  • Docker Compose File: /root/nginx/compose.yml
    • Defines the services for the Nginx and Certbot container.
  • User Configuration Directory: /data/nginx/user_conf.d
    • Stores individual host configuration files, such as {{ prefix }}{{ server_id }}.hostkey.in.conf.
  • Environment Variables: /data/nginx/nginx-certbot.env
    • Contains environment variables required by the Nginx-Certbot container.
  • Let's Encrypt Secrets: /etc/letsencrypt
    • Mounted volume for storing SSL/TLS certificates and keys managed by Certbot.

Application Installation Process

The deployment involves installing the LXD container hypervisor via the Snap package manager and configuring a reverse proxy using Docker.

LXD Installation Steps:

  1. Install the snapd and squashfs-tools packages using the apt package manager.
  2. Install the LXD snap package using the command snap install lxd --channel=<channel>. If LXD is already installed, it is refreshed to the desired channel using snap refresh lxd --channel=<channel>.
  3. Wait for the LXD daemon to become ready by verifying the version with /snap/bin/lxc version.
  4. Initialize LXD with minimal defaults by running /snap/bin/lxd init --minimal if the storage backend is not yet configured.
  5. Configure the LXD UI setting using snap set lxd ui.enable=<true|false> and restart the daemon with systemctl restart snap.lxd.daemon if the setting changes.
  6. Set the HTTPS listen address for the LXD API/UI using /snap/bin/lxc config set core.https_address=<address>.
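The six steps above, written as an idempotent POSIX shell script; this is an added example, not code from the original page or the deployment it describes. Assumed defaults (not stated on the page): snap channel 5.21/stable, UI enabled, API listening on port 8443 on all interfaces; setting DRY_RUN=1 records the commands in $PLAN instead of executing them.

```shell
#!/bin/sh
# Added example (not the page's own code): the LXD installation steps as an
# idempotent script. Assumed defaults: channel 5.21/stable, UI on, port 8443.
# DRY_RUN=1 appends each command to $PLAN instead of running it.
set -eu
LXD_CHANNEL="${LXD_CHANNEL:-5.21/stable}"
LXD_UI_ENABLE="${LXD_UI_ENABLE:-true}"
LXD_HTTPS_ADDRESS="${LXD_HTTPS_ADDRESS:-[::]:8443}"  # use 127.0.0.1:8443 if only the proxy should reach it
PLAN=""

run() {   # run the command, or append it to PLAN when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = 1 ]; then PLAN="${PLAN}$*;"; else "$@"; fi
}
# State probes are separate functions so the decisions below can be tested without snapd.
lxd_installed()          { snap list lxd >/dev/null 2>&1; }
lxd_storage_configured() { [ -n "$(/snap/bin/lxc storage list --format csv 2>/dev/null)" ]; }
lxd_ui_current()         { snap get lxd ui.enable 2>/dev/null || echo false; }

deploy_lxd() {
  run apt-get install -y snapd squashfs-tools                            # step 1
  if lxd_installed; then run snap refresh lxd --channel="$LXD_CHANNEL"   # step 2
  else run snap install lxd --channel="$LXD_CHANNEL"; fi
  n=0                                                                    # step 3
  until run /snap/bin/lxc version >/dev/null 2>&1; do     # retry until the daemon answers
    n=$((n + 1)); [ "$n" -lt 30 ] || { echo "LXD daemon not ready" >&2; return 1; }; sleep 2
  done
  if ! lxd_storage_configured; then run /snap/bin/lxd init --minimal; fi   # step 4
  if [ "$(lxd_ui_current)" != "$LXD_UI_ENABLE" ]; then                     # step 5
    run snap set lxd ui.enable="$LXD_UI_ENABLE"
    run systemctl restart snap.lxd.daemon     # restart only when the setting changed
  fi
  run /snap/bin/lxc config set core.https_address="$LXD_HTTPS_ADDRESS"     # step 6
}
if [ "${LXD_APPLY:-0}" = 1 ]; then deploy_lxd; fi
```

Run it as root with LXD_APPLY=1 to apply; a second run refreshes the channel and skips the init and restart.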

Docker and Proxy Installation Steps:

  1. Ensure the Docker CLI is present. If missing, install Docker and start the service.
  2. Wait for the Docker socket at /var/run/docker.sock to become available.
  3. Verify the Docker daemon is ready by running docker info.
  4. Create the directory /root/nginx with permissions 0755 owned by root.
  5. Generate the compose.yml file in /root/nginx based on the required configuration.
  6. Update the Nginx user configuration file located at /data/nginx/user_conf.d/{{ prefix }}{{ server_id }}.hostkey.in.conf to include the proxy_pass directive pointing to https://127.0.0.1:<internal_port>.
  7. Start the Nginx and Certbot containers by running docker compose up -d from the /root/nginx directory.

Access Rights and Security

Security configurations include user group management and firewall rules to control access to the LXD service.

  • User Group: The administrator user is added to the lxd group to allow non-root execution of LXD commands. Membership in the lxd group is equivalent to root access on the host, so it should be granted only to the administrator account.
  • Firewall (UFW):
    • The ufw package is installed if firewall management is enabled.
    • SSH access is allowed via the OpenSSH rule.
    • The LXD HTTPS port is opened to allow traffic. By default, this allows connections from any IP address.
    • If specific CIDR ranges are defined, the firewall is configured to allow traffic to the LXD HTTPS port only from those specific IP ranges.
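The firewall logic above as a POSIX shell function; this is an added example, not the deployment's own code. It emits the ufw commands for review: with no CIDR list the LXD port is opened to any source (the page's default), with a list it is opened only from those ranges, and a malformed entry aborts rather than silently widening access. Port 8443 and the sample ranges are assumed values.

```shell
#!/bin/sh
# Added example (not the page's own code): build the ufw rules for the LXD HTTPS port.
# No CIDRs = open to any source (page default); CIDRs = restricted to those ranges.
set -eu

# IPv4 only: a.b.c.d or a.b.c.d/n with octets 0-255 and prefix 0-32.
# Subshell body so the IFS change does not leak into the caller.
valid_cidr() (
  ip=${1%%/*}; pfx=${1#*/}; [ "$pfx" = "$1" ] && pfx=32
  case "$pfx" in ''|*[!0-9]*) return 1;; esac
  [ "$pfx" -le 32 ] || return 1
  IFS=.; set -- $ip; [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
)

# $1 = LXD HTTPS port, remaining args = allowed CIDRs. Prints one ufw command per line.
lxd_firewall_rules() {
  port=$1; shift
  echo "ufw allow OpenSSH"                       # keep SSH reachable before enabling ufw
  if [ $# -eq 0 ]; then
    echo "ufw allow ${port}/tcp"                 # page default: any source IP
    return 0
  fi
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    echo "ufw allow from ${cidr} to any port ${port} proto tcp"
  done
}

# Install ufw, apply the generated rules, enable non-interactively. Run as root.
apply_firewall() {
  rules=$(lxd_firewall_rules "$@")               # validation happens before anything is applied
  apt-get install -y ufw >/dev/null
  printf '%s\n' "$rules" | sh -e
  ufw --force enable
}
```

Example: `apply_firewall 8443 10.0.0.0/8 203.0.113.0/24` restricts the API to those two ranges; `apply_firewall 8443` reproduces the open-to-any default.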

Docker Containers and Their Deployment

The reverse proxy and SSL management are handled by a Docker container orchestrated via Docker Compose.

  • Container Image: jonasal/nginx-certbot:latest
  • Restart Policy: unless-stopped
  • Network Mode: host
  • Volumes:
    • nginx_secrets (external) mounted to /etc/letsencrypt for certificate storage.
    • /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d for custom Nginx configurations.
  • Environment:
    • CERTBOT_EMAIL is set to [email protected].
    • Additional environment variables are loaded from /data/nginx/nginx-certbot.env.

Proxy Servers

The deployment utilizes Nginx as a reverse proxy with integrated Let's Encrypt (Certbot) for SSL/TLS certificate management.

  • Service: Nginx running inside a Docker container.
  • SSL Management: Certbot is used to automatically obtain and renew SSL certificates.
  • Configuration: Custom host configurations are stored in /data/nginx/user_conf.d. The proxy is configured to forward requests to the internal LXD service at https://127.0.0.1:<internal_port>.
  • Domain: The configuration supports custom domains defined in the user configuration files.
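Steps 4 to 7 of the Docker and proxy installation, the container specification, and the proxy configuration above, rendered as one POSIX shell script; this is an added example, not the deployment's own files. Assumed values (constructed): prefix `lxd-`, server id `001`, internal port 8443, a placeholder Certbot e-mail; the WebSocket upgrade headers are an assumption for LXD console and exec sessions, and the certificate path convention is that of the jonasal/nginx-certbot image.

```shell
#!/bin/sh
# Added example (not the page's own code): render compose.yml and the per-host nginx
# config, write each only when its content changed, and (re)start the proxy only then.
set -eu
PREFIX="${PREFIX:-lxd-}"; SERVER_ID="${SERVER_ID:-001}"; INTERNAL_PORT="${INTERNAL_PORT:-8443}"
CERTBOT_EMAIL="${CERTBOT_EMAIL:-admin@example.com}"       # placeholder, replace before use
NGINX_DIR="${NGINX_DIR:-/root/nginx}"; CONF_DIR="${CONF_DIR:-/data/nginx/user_conf.d}"
HOST="${PREFIX}${SERVER_ID}.hostkey.in"

render_compose() {   # container spec: host networking, external secrets volume, env file
cat <<EOF
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    network_mode: host
    environment:
      - CERTBOT_EMAIL=${CERTBOT_EMAIL}
    env_file:
      - /data/nginx/nginx-certbot.env
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d
volumes:
  nginx_secrets:
    external: true
EOF
}
render_host_conf() {   # nginx-certbot obtains the cert named in the live/ path
cat <<EOF
server {
    listen 443 ssl;
    server_name ${HOST};
    ssl_certificate     /etc/letsencrypt/live/${HOST}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${HOST}/privkey.pem;
    location / {
        proxy_pass https://127.0.0.1:${INTERNAL_PORT};
        proxy_http_version 1.1;                # assumption: console/exec use WebSockets
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}
write_if_changed() {   # $1 = path, content on stdin; returns 1 when the file is unchanged
  tmp=$(mktemp); cat >"$tmp"
  if [ -f "$1" ] && cmp -s "$tmp" "$1"; then rm -f "$tmp"; return 1; fi
  install -m 0644 "$tmp" "$1"; rm -f "$tmp"
}
deploy_proxy() {       # steps 4-7; Docker readiness (steps 1-3) is assumed done
  install -d -m 0755 "$NGINX_DIR" "$CONF_DIR"; changed=0
  render_compose   | write_if_changed "$NGINX_DIR/compose.yml" && changed=1
  render_host_conf | write_if_changed "$CONF_DIR/${HOST}.conf" && changed=1
  if [ "$changed" = 1 ]; then (cd "$NGINX_DIR" && docker compose up -d); fi
}
```

Running `deploy_proxy` twice in a row starts the container once; the second run finds both files unchanged and does not touch Docker.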

Permission Settings

File and directory permissions are set to ensure secure operation of the services.

  • Nginx Directory: The /root/nginx directory is created with 0755 permissions, owned by root:root.
  • Compose File: The /root/nginx/compose.yml file is set to 0644 permissions, owned by root:root.
  • User Configuration: Files in /data/nginx/user_conf.d are managed by the deployment process to ensure the Nginx container can read the configuration.

Starting, Stopping, and Updating

The following commands are used to manage the services after deployment.

LXD Service Management:

  • Restart Daemon: systemctl restart snap.lxd.daemon
  • Check Version: /snap/bin/lxc version
  • List Storage: /snap/bin/lxc storage list --format csv

Docker Container Management:

  • Start/Update Containers: docker compose up -d (executed from /root/nginx)
  • Stop Containers: docker compose down (executed from /root/nginx)
  • Check Docker Status: docker info