Stéphane Graber
on 12 April 2016
This is part 6 of a series about LXD 2.0: remote protocols, security and moving containers.
Remote protocols
LXD 2.0 supports two protocols:
- LXD 1.0 API: That’s the REST API used between the clients and a LXD daemon as well as between LXD daemons when copying/moving images and containers.
- Simplestreams: The Simplestreams protocol is a read-only, image-only protocol used by both the LXD client and daemon to get image information and import images from some public image servers (like the Ubuntu images).
Everything below will be using the first of those two.
Security
Authentication for the LXD API is done through client certificate authentication over TLS 1.2 using recent ciphers. When two LXD daemons must exchange information directly, a temporary token is generated by the source daemon and transferred through the client to the target daemon. This token may only be used to access a particular stream and is immediately revoked so cannot be re-used.
To avoid Man In The Middle attacks, the client tool also sends the certificate of the source server to the target. That means that for a particular download operation, the target server is provided with the source server URL, a one-time access token for the resource it needs and the certificate that the server is supposed to be using. This prevents MITM attacks and only give temporary access to the object of the transfer.
Network requirements
LXD 2.0 uses a model where the target of an operation (the receiving end) is connecting directly to the source to fetch the data.
This means that you must ensure that the target server can connect to the source directly, updating any needed firewall along the way.
We have a plan to allow this to be reversed and also to allow proxying through the client itself for those rare cases where draconian firewalls are preventing any communication between the two hosts.
Interacting with remote hosts
Rather than having our users have to always provide hostname or IP addresses and then validating certificate information whenever they want to interact with a remote host, LXD is using the concept of “remotes”.
By default, the only real LXD remote configured is “local:” which also happens to be the default remote (so you don’t have to type its name). The local remote uses the LXD REST API to talk to the local daemon over a unix socket.
Adding a remote
Say you have two machines with LXD installed, your local machine and a remote host that we’ll call “foo”.
First you need to make sure that “foo” is listening to the network and has a password set, so get a remote shell on it and run:
lxc config set core.https_address [::]:8443 lxc config set core.trust_password something-secure
Now on your local LXD, we just need to make it visible to the network so we can transfer containers and images from it:
lxc config set core.https_address [::]:8443
Now that the daemon configuration is done on both ends, you can add “foo” to your local client with:
lxc remote add foo 1.2.3.4
(replacing 1.2.3.4 by your IP address or FQDN)
You’ll see something like this:
stgraber@dakara:~$ lxc remote add foo 2607:f2c0:f00f:2770:216:3eff:fee1:bd67 Certificate fingerprint: fdb06d909b77a5311d7437cabb6c203374462b907f3923cefc91dd5fce8d7b60 ok (y/n)? y Admin password for foo: Client certificate stored at server: foo
You can then list your remotes and you’ll see “foo” listed there:
stgraber@dakara:~$ lxc remote list +-----------------+-------------------------------------------------------+---------------+--------+--------+ | NAME | URL | PROTOCOL | PUBLIC | STATIC | +-----------------+-------------------------------------------------------+---------------+--------+--------+ | foo | https://[2607:f2c0:f00f:2770:216:3eff:fee1:bd67]:8443 | lxd | NO | NO | +-----------------+-------------------------------------------------------+---------------+--------+--------+ | images | https://images.linuxcontainers.org:8443 | lxd | YES | NO | +-----------------+-------------------------------------------------------+---------------+--------+--------+ | local (default) | unix:// | lxd | NO | YES | +-----------------+-------------------------------------------------------+---------------+--------+--------+ | ubuntu | https://cloud-images.ubuntu.com/releases | simplestreams | YES | YES | +-----------------+-------------------------------------------------------+---------------+--------+--------+ | ubuntu-daily | https://cloud-images.ubuntu.com/daily | simplestreams | YES | YES | +-----------------+-------------------------------------------------------+---------------+--------+--------+
Interacting with it
Ok, so we have a remote server defined, what can we do with it now?
Well, just about everything you saw in the posts until now, the only difference being that you must tell LXD what host to run against.
For example:
lxc launch ubuntu:14.04 c1
Will run on the default remote (“lxc remote get-default”) which is your local host.
lxc launch ubuntu:14.04 foo:c1
Will instead run on foo.
Listing running containers on a remote host can be done with:
stgraber@dakara:~$ lxc list foo: +------+---------+---------------------+-----------------------------------------------+------------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +------+---------+---------------------+-----------------------------------------------+------------+-----------+ | c1 | RUNNING | 10.245.81.95 (eth0) | 2607:f2c0:f00f:2770:216:3eff:fe43:7994 (eth0) | PERSISTENT | 0 | +------+---------+---------------------+-----------------------------------------------+------------+-----------+
One thing to keep in mind is that you have to specify the remote host for both images and containers. So if you have a local image called “my-image” on “foo” and want to create a container called “c2” from it, you have to run:
lxc launch foo:my-image foo:c2
Finally, getting a shell into a remote container works just as you would expect:
lxc exec foo:c1 bash
Copying containers
Copying containers between hosts is as easy as it sounds:
lxc copy foo:c1 c2
And you’ll have a new local container called “c2” created from a copy of the remote “c1” container. This requires “c1” to be stopped first, but you could just copy a snapshot instead and do it while the source container is running:
lxc snapshot foo:c1 current lxc copy foo:c1/current c3
Moving containers
Unless you’re doing live migration (which will be covered in a later post), you have to stop the source container prior to moving it, after which everything works as you’d expect.
lxc stop foo:c1 lxc move foo:c1 local:
This example is functionally identical to:
lxc stop foo:c1 lxc move foo:c1 c1
How this all works
Interactions with remote containers work as you would expect, rather than using the REST API over a local Unix socket, LXD just uses the exact same API over a remote HTTPs transport.
Where it gets a bit trickier is when interaction between two daemons must occur, as is the case for copy and move.
In those cases the following happens:
- The user runs “lxc move foo:c1 c1”.
- The client contacts the local: remote to check for an existing “c1” container.
- The client fetches container information from “foo”.
- The client requests a migration token from the source “foo” daemon.
- The client sends that migration token as well as the source URL and “foo”‘s certificate to the local LXD daemon.
- The local LXD daemon then connects directly to “foo” using the provided token
- It connects to a first control websocket
- It negotiates the filesystem transfer protocol (zfs send/receive, btrfs send/receive or plain rsync)
- If available locally, it unpacks the image which was used to create the source container. This is to avoid needless data transfer.
- It then transfers the container and any of its snapshots as a delta.
- If succesful, the client then instructs “foo” to delete the source container.
Try all this online
Don’t have two machines to try remote interactions and moving/copying containers?
That’s okay, you can test it all online using our demo service.
The included step-by-step walkthrough even covers it!
Extra information
The main LXD website is at: https://linuxcontainers.org/lxd
Development happens on Github at: https://github.com/lxc/lxd
Mailing-list support happens on: https://lists.linuxcontainers.org
IRC support happens in: #lxcontainers on irc.freenode.net