
Deployment Overview of LXD on Server

Prerequisites and Basic Requirements

The deployment of LXD on the server requires the following system specifications and configurations:

  • Operating System: Ubuntu 22.04 (codename: jammy).

  • Privileges: Root access or a user with sudo privileges is required to install Snap packages and manage system services.

  • Required Packages: The system must have snapd and squashfs-tools installed.

  • User Group: The administrative user must be added to the lxd group to manage containers without sudo.

  • Firewall: The Uncomplicated Firewall (ufw) is optional. If enabled, it must allow SSH and the specific LXD HTTPS port.

FQDN of the Final Panel

The application is accessible via the following Fully Qualified Domain Name (FQDN) format:

lxd<Server ID>.hostkey.in:443

Where <Server ID> is replaced by the specific identifier of the server instance. Nginx listens on port 443 externally and proxies requests to the internal LXD port 8443.

File and Directory Structure

The deployment utilizes the following directory structure for configuration, data, and certificates:

  • Nginx Configuration Directory: /data/nginx/user_conf.d/

    • Contains the specific server block configuration: lxd<Server ID>.hostkey.in.conf.
  • Docker Compose Directory: /root/nginx/

    • Contains the compose.yml file for the proxy and certificate management.
  • Nginx Environment File: /data/nginx/nginx-certbot.env

    • Stores environment variables for the Nginx-Certbot container.
  • Let's Encrypt Certificates: /etc/letsencrypt/

    • Mounted volume for SSL certificates managed by the Docker container.
  • LXD Data: Managed internally by the LXD snap, typically located under /var/snap/lxd/common/.

Application Installation Process

LXD is installed and configured using the Snap package manager. The process ensures the correct version and channel are applied:

  1. Install Dependencies: The system installs snapd and squashfs-tools.

  2. Install LXD Snap: The LXD package is installed from the Snap store using the channel 5.21/stable.

    • Command: snap install lxd --channel=5.21/stable
  3. Initialize LXD: If not already initialized, LXD is configured with minimal defaults.

    • Command: /snap/bin/lxd init --minimal
  4. Enable UI: The LXD web interface is enabled via the Snap configuration.

    • Command: snap set lxd ui.enable=true
  5. Configure Network Binding: The LXD daemon is configured to listen on the internal HTTPS port 8443 on all interfaces.

    • Command: /snap/bin/lxc config set core.https_address :8443
  6. Service Restart: The LXD daemon is restarted to apply UI and network changes.

    • Command: systemctl restart snap.lxd.daemon

Access Rights and Security

Security and access control are managed through user groups and optional firewall rules:

  • User Access: The administrative user is added to the lxd group to grant permission to manage LXD instances.

  • Firewall (UFW):

    • If lxd_manage_ufw is enabled, the ufw package is installed.

    • SSH access is allowed by default.

    • The LXD HTTPS port (8443) is allowed for all traffic or restricted to specific CIDR blocks if defined in the configuration.

    • Note: In the provided configuration, lxd_manage_ufw is set to false, meaning the firewall is not managed by this deployment script.
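Step 5 of the installation binds the LXD API on every interface, and the note above says UFW is not managed, so the daemon's 8443 listener may be reachable directly rather than only through the proxy on 443. The following check is an added example, not part of the deployment script: it reads ss -ltnH and ufw status output (the samples below are constructed) and reports whether that is the case.

```shell
#!/bin/sh
# Added example (not part of the deployment described above): a post-deployment
# exposure check. core.https_address ":8443" binds LXD on every interface, and
# with lxd_manage_ufw=false nothing filters that port, so the LXD API can be
# reached directly, bypassing the Nginx proxy on 443. This script decides from
# `ss -ltnH` and `ufw status` output whether that is the case.

# Print the bind address of each TCP listener on port 8443 (one per line).
# Input: `ss -ltnH` text, e.g. "LISTEN 0 4096 *:8443 *:*".
lxd_bind_addrs() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        if (port == "8443") print substr($4, 1, length($4) - length(port) - 1)
    }'
}

# Return 0 if `ufw status` output reports an active firewall.
ufw_active() {
    printf '%s\n' "$1" | grep -q '^Status: active'
}

# Verdict for the 8443 listener:
#   loopback - bound only to 127.0.0.1 / [::1], reachable only through the proxy
#   filtered - bound on a non-loopback address but UFW is active
#   exposed  - bound on a non-loopback address and no firewall is active
#   absent   - nothing listens on 8443 (daemon not running or not configured)
exposure_verdict() {
    addrs=$(lxd_bind_addrs "$1")
    [ -n "$addrs" ] || { echo absent; return; }
    if printf '%s\n' "$addrs" | grep -qvE '^(127\.0\.0\.1|\[::1\])$'; then
        if ufw_active "$2"; then echo filtered; else echo exposed; fi
    else
        echo loopback
    fi
}

# Constructed sample matching the deployment as documented (wildcard bind, UFW off).
SAMPLE_SS='LISTEN 0 4096 *:8443 *:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
SAMPLE_UFW='Status: inactive'

# `sh check.sh --live` (as root, so `ufw status` can answer) checks the real host;
# without the flag the constructed sample is evaluated.
if [ "${1:-}" = "--live" ]; then
    exposure_verdict "$(ss -ltnH)" "$(ufw status 2>/dev/null)"
else
    exposure_verdict "$SAMPLE_SS" "$SAMPLE_UFW"   # prints: exposed
fi
```

A result of exposed means 8443 should be restricted (UFW rule or a loopback-only core.https_address) so that the only public entry point is the proxy on 443.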

Docker Containers and Their Deployment

A Docker container is deployed to handle reverse proxying and SSL certificate management using Nginx and Certbot.

  • Container Image: jonasal/nginx-certbot:latest

  • Deployment Method: Docker Compose

  • Compose File Location: /root/nginx/compose.yml

  • Network Mode: host

  • Volumes:

    • nginx_secrets (external) mounted to /etc/letsencrypt

    • /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d

  • Environment:

    • CERTBOT_EMAIL: [email protected]

    • Additional variables loaded from /data/nginx/nginx-certbot.env

The container is started using the following command, executed from the /root/nginx directory:

docker compose up -d

Proxy Servers

The Nginx container acts as a reverse proxy to expose the LXD interface securely over HTTPS.

  • Proxy Configuration: The Nginx configuration file located at /data/nginx/user_conf.d/lxd<Server ID>.hostkey.in.conf is updated to forward traffic.

  • Proxy Pass: Traffic received on the external port is proxied to the internal LXD service.

    • Configuration line: proxy_pass https://127.0.0.1:8443;
  • SSL/TLS: Managed automatically by the Certbot component within the Docker container.

  • Domain Mapping: The proxy is configured for the domain lxd<Server ID>.hostkey.in.
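As an added example (not the deployment's own template), the following shell function renders the server block described above for a given Server ID. It assumes the jonasal/nginx-certbot conventions that certificates live under /etc/letsencrypt/live/<server_name>/, that Certbot discovers the domain from the ssl_certificate paths in this file, and that the image's built-in port-80 redirector serves the ACME challenge, so only the 443 block is rendered.

```shell
#!/bin/sh
# Added example, not the deployment's own template. Renders
# /data/nginx/user_conf.d/lxd<Server ID>.hostkey.in.conf for one server.
# Assumptions: jonasal/nginx-certbot reads the domain from the ssl_certificate
# paths below and its own port-80 redirector answers ACME challenges.

render_proxy_conf() {
    fqdn="lxd$1.hostkey.in"
    cat <<EOF
server {
    listen 443 ssl;
    server_name ${fqdn};

    ssl_certificate     /etc/letsencrypt/live/${fqdn}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${fqdn}/privkey.pem;

    location / {
        proxy_pass https://127.0.0.1:8443;
        # LXD's API certificate is self-signed, so Nginx cannot verify it against a CA.
        proxy_ssl_verify off;
        # The LXD UI uses WebSockets (console, exec); keep upgrades working through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;
        # TLS terminates here, so a browser's client certificate never reaches LXD;
        # UI login through this proxy needs a method that survives termination
        # (LXD supports OIDC) or TLS passthrough instead of this server block.
    }
}
EOF
}

# Usage: sh render.sh 123 > /data/nginx/user_conf.d/lxd123.hostkey.in.conf
if [ -n "${1:-}" ]; then
    render_proxy_conf "$1"
fi
```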

Location of Configuration Files and Data

Key configuration files and data locations are as follows:

File/Directory      | Path                                                    | Description
--------------------|---------------------------------------------------------|----------------------------------------------------
Nginx Server Config | /data/nginx/user_conf.d/lxd<Server ID>.hostkey.in.conf  | Reverse proxy configuration for the specific domain.
Docker Compose      | /root/nginx/compose.yml                                 | Definition for the Nginx-Certbot container.
Nginx Environment   | /data/nginx/nginx-certbot.env                           | Environment variables for the proxy container.
LXD Snap Config     | Managed via snap set                                    | LXD internal settings (UI, HTTPS address).
SSL Certificates    | /etc/letsencrypt/                                       | SSL certificates issued by Let's Encrypt.

Available Ports for Connection

The following ports are utilized for the deployment:

  • Port 443 (External): The public-facing HTTPS port used by the Nginx proxy.

  • Port 8443 (Internal): The internal HTTPS port where the LXD daemon listens.

  • Port 22: SSH access (standard, allowed if UFW is managed).

Starting, Stopping, and Updating

Service management commands for the deployed components are as follows:

  • LXD Service:

    • Start/Restart: systemctl restart snap.lxd.daemon

    • Status: systemctl status snap.lxd.daemon

  • Docker Proxy Container:

    • Start/Restart: docker compose up -d (from /root/nginx)

    • Stop: docker compose down (from /root/nginx)

    • Update Image: docker compose pull followed by docker compose up -d

  • LXD Snap Updates:

    • Refresh: snap refresh lxd --channel=5.21/stable