Creates and manages a simplestreams lxd image server on top of nginx. If installed as a debian package, a new service is created that monitors the image directory for changes and updates the JSON files.
- Python: Version 3.5.2 or higher.
- Nginx
- OpenSSL
To build lxd-image-server, first, install the build dependencies:
# debhelper >= 9
# dh-virtualenv >= 9
apt-get install debhelper dh-exec python3 python-dev dh-virtualenv
Then build the package:
dpkg-buildpackage -us -uc -b
To build lxd-image-server itself in a Docker container, call docker build:
docker build --tag lxd-image-server-builder .
This will build the DEB package for Ubuntu focal by default. Add e.g. --build-arg distro=ubuntu:focal to build for Ubuntu focal.
The resulting files must be copied out of the build container, using these commands:
# tar -C fails if the target directory does not exist yet
mkdir -p dist
docker run --rm lxd-image-server-builder tar -C /dpkg -c . | tar -C dist -xv
The debian package that you have built will automatically copy the source files, create the user lxdadm to upload the files, and set up the nginx server with its configuration (including a self-signed SSL certificate).
dpkg -i lxd-image-server_0.0.4~focal_all.deb
Note: this method requires you to have uploaded your built package to a repo, or requires the repo maintainer to have this package available.
apt-get install lxd-image-server
After the installation of the package, an RSA key has to be generated at /home/lxdadm/.ssh to control the upload of images:
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # use /home/lxdadm/.ssh/id_rsa
...
The generated id_rsa key will be used to upload files to the server.
Clone the repository and run:
python setup.py install
The subcommand init generates all the default directories and SSL keys, and links the nginx configuration (when using the default configuration, the debian installation is recommended).
Lxd-image-server is not just a new remote for your lxd; it also allows you to distribute your images to different mirrors. Clients upload new images to the master server, and the master mirrors each image to the mirrors defined in the configuration file.
The following picture shows a master server that replicates images to two other servers. Clients can get images from any of them, but they can only upload new images to the master.
The configuration file would be:
[mirrors]
[mirror1]
user = "lxdadm"
remote = "mirror1.xxxxxxx.com"
key_path = "/etc/lxd-image-server/lxdhub.key"
[mirror2]
user = "lxdadm"
remote = "mirror2.xxxxxxx.com"
key_path = "/etc/lxd-image-server/lxdhub.key"
The installed service on the master will automatically monitor the image directory and update all the required metadata. No further commands are needed.
This is the structure the simplestreams server needs to have.
- /var/www                                 # document root
  `- simplestreams
     |- images                             # images folder
     |  `- ubuntu                          # operating system
     |     `- focal                        # release
     |        `- amd64                     # architecture
     |           `- default                # box type
     |              `- 20180716_12:00      # version 1
     |                 |- lxd.tar.xz       # index and templates
     |                 `- rootfs.squashfs  # rootfs of container
     `- streams
        `- v1
           |- index.json                   # index of products
           `- images.json                  # info with versions of products
The command lxd-image-server can be used to manage the server manually:
Usage: lxd-image-server [OPTIONS] COMMAND [ARGS]...

Options:
  --verbose  Sets log level to debug
  --help     Show this message and exit.

Commands:
  init
  update
  watch
Default paths:
- Index files: /var/www/simplestreams/streams/v1
- Image dirs: /var/www/simplestreams/images
Logging is set via configuration. The default configuration is defined here.
Init creates the default configuration needed for the server. See the Installation section for more info.
Update recreates all the metadata from scratch and recalculates the sha256 info for all the images. This option is only intended as a safeguard or in case the service is not running.
Watch will start the monitoring of the directory. It is intended to be used only if the service is not running.
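An independent check of the metadata that update and watch maintain, useful on a master or a mirror to spot files that changed after the catalog was written. This is an added example, not code from lxd-image-server; it assumes images.json follows the simplestreams products → versions → items nesting, with each item carrying `path` (relative to the simplestreams directory) and `sha256`, and `build_sample` creates a constructed tree in the layout shown above.

```python
import hashlib
import json
from pathlib import Path

VERSION_DIR = "images/ubuntu/focal/amd64/default/20180716_12:00"  # layout from the page

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def audit(root):
    """Check images.json (assumed layout: products -> versions -> items) against disk."""
    root = Path(root).resolve()
    catalog = json.loads((root / "streams/v1/images.json").read_text())
    findings, listed = [], set()
    for product in catalog["products"].values():
        for version in product["versions"].values():
            for item in version["items"].values():
                rel = item["path"]
                listed.add(rel)
                target = (root / rel).resolve()
                if root not in target.parents:
                    findings.append((rel, "path escapes root"))
                elif not target.is_file():
                    findings.append((rel, "missing"))
                elif sha256_file(target) != item["sha256"]:
                    findings.append((rel, "sha256 mismatch"))
    # Files present on disk that the catalog never mentions.
    for path in (root / "images").rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in listed:
            findings.append((rel, "not in catalog"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree and catalog, so the audit runs offline."""
    root = Path(root)
    (root / VERSION_DIR).mkdir(parents=True)
    (root / "streams/v1").mkdir(parents=True)
    items = {}
    for name, data in (("lxd.tar.xz", b"metadata"), ("rootfs.squashfs", b"rootfs")):
        (root / VERSION_DIR / name).write_bytes(data)
        items[name] = {"path": f"{VERSION_DIR}/{name}",
                       "sha256": hashlib.sha256(data).hexdigest()}
    catalog = {"products": {"ubuntu:focal:amd64:default":
                            {"versions": {"20180716_12:00": {"items": items}}}}}
    (root / "streams/v1/images.json").write_text(json.dumps(catalog))
```

On a server with the default paths, `audit("/var/www/simplestreams")` returns an empty list when every catalogued file matches its recorded hash.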
Once your own image server is running, you can add it as a new remote on lxc:
lxc remote add $remote_name $lxc_image_server_url --protocol=simplestreams
Remember to add the certificate on the lxc server:
# download the self-signed ssl cert ($lxc_image_server_url is used here as a bare host name)
openssl s_client -showcerts -connect $lxc_image_server_url:8443 </dev/null 2>/dev/null | openssl x509 -outform PEM > my-lxd-image-server.crt
# check the downloaded certificate against the server's own copy before trusting it
# add it to your certificate authorities (update-ca-certificates only picks up *.crt files)
cp my-lxd-image-server.crt /usr/local/share/ca-certificates/
# update
update-ca-certificates
# restart service
systemctl restart lxd
Let's Encrypt (https://letsencrypt.org/) can also be used as a signed alternative for your server. Once the Let's Encrypt cert is created, ensure it is in the following paths:
/etc/nginx/ssl/nginx.crt
/etc/nginx/ssl/nginx.key
or edit /etc/nginx/sites-available/simplestreams.conf and update ssl_certificate and ssl_certificate_key to match the path of the certificate and key.
Now, any client can create an image container and publish it on the master server. For example:
lxc launch lxc:ubuntu/focal/amd64 n1
lxc exec n1 -- apt-get -y install vim
lxc stop n1
lxc publish --public n1 --alias=focal-vim
lxc image copy focal-vim <url>
Now you can use your image in a new container:
lxc launch focal-vim ntest
lxc exec ntest -- vim -c "smile"