Server configuration¶
The server configuration is a simple set of key and values.
The key/value configuration is namespaced with the following namespaces currently supported:
backups(backups configuration)candid(External user authentication through Candid)cluster(cluster configuration)core(core daemon configuration)images(image configuration)maas(MAAS integration)rbac(Role Based Access Control through external Candid + Canonical RBAC)
Key |
Type |
Scope |
Default |
Description |
|---|---|---|---|---|
back ups. comp ress ion_ algo rith m |
string |
global |
gzip |
Compression algorithm to use for new images (bzip2, gzip, lzma, xz or none) |
cand id.a pi.k ey |
string |
global |
Public key of the candid server (required for HTTP-only servers) |
|
cand id.a pi.u rl |
string |
global |
URL of the the external authentication endpoint using Candid |
|
cand id.d omai ns |
string |
global |
Comma-separated list of allowed Candid domains (empty string means all domains are valid) |
|
cand id.e xpir y |
intege r |
global |
3600 |
Candid macaroon expiry in seconds |
clus ter. http s_ad dres s |
string |
local |
Address to use for clustering traffic |
|
clus ter. imag es_m inim al_r epli ca |
intege r |
global |
3 |
Minimal numbers of cluster members with a copy of a particular image (set 1 for no replication, -1 for all members) |
clus ter. max_ stan dby |
intege r |
global |
2 |
Maximum number of cluster members that will be assigned the database stand-by role |
clus ter. max_ vote rs |
intege r |
global |
3 |
Maximum number of cluster members that will be assigned the database voter role |
clus ter. offl ine_ thre shol d |
intege r |
global |
20 |
Number of seconds after which an unresponsive node is considered offline |
core .bgp _add ress |
string |
local |
Address to bind the BGP server to (BGP) |
|
core .bgp _asn |
string |
global |
The BGP Autonomous System Number to use for the local server |
|
core .bgp _rou teri d |
string |
local |
A unique identifier for this BGP server (formatted as an IPv4 address) |
|
core .deb ug_a ddre ss |
string |
local |
Address to bind the pprof debug server to (HTTP) |
|
core .htt ps_a ddre ss |
string |
local |
Address to bind for the remote API (HTTPS) |
|
core .htt ps_a llow ed_c rede ntia ls |
boolea n |
global |
Whether to set Access-Control-Allow-Cr edentials http header value to “true” |
|
core .htt ps_a llow ed_h eade rs |
string |
global |
Access-Control-Allow-He aders http header value |
|
core .htt ps_a llow ed_m etho ds |
string |
global |
Access-Control-Allow-Me thods http header value |
|
core .htt ps_a llow ed_o rigi n |
string |
global |
Access-Control-Allow-Or igin http header value |
|
core .htt ps_t rust ed_p roxy |
string |
global |
Comma-separated list of IP addresses of trusted servers to provide the client’s address through the proxy connection header |
|
core .met rics _add ress |
string |
global |
Address to bind the metrics server to (HTTPS) |
|
core .pro xy_h ttps |
string |
global |
https proxy to use, if any (falls back to HTTPS_PROXY environment variable) |
|
core .pro xy_h ttp |
string |
global |
http proxy to use, if any (falls back to HTTP_PROXY environment variable) |
|
core .pro xy_i gnor e_ho sts |
string |
global |
hosts which don’t need the proxy for use (similar format to NO_PROXY, e.g. 1.2.3.4,1.2.3.5, falls back to NO_PROXY environment variable) |
|
core .shu tdow n_ti meou t |
intege r |
global |
5 |
Number of minutes to wait for running operations to complete before LXD server shut down |
core .tru st_c a_ce rtif icat es |
boolea n |
global |
Whether to automatically trust clients signed by the CA |
|
core .tru st_p assw ord |
string |
global |
Password to be provided by clients to setup a trust |
|
imag es.a uto_ upda te_c ache d |
boolea n |
global |
true |
Whether to automatically update any image that LXD caches |
imag es.a uto_ upda te_i nter val |
intege r |
global |
6 |
Interval in hours at which to look for update to cached images (0 disables it) |
imag es.c ompr essi on_a lgor ithm |
string |
global |
gzip |
Compression algorithm to use for new images (bzip2, gzip, lzma, xz or none) |
imag es.d efau lt_a rchi tect ure |
string |
Default architecture which should be used in mixed architecture cluster |
||
imag es.r emot e_ca che_ expi ry |
intege r |
global |
10 |
Number of days after which an unused cached remote image will be flushed |
maas .api .key |
string |
global |
API key to manage MAAS |
|
maas .api .url |
string |
global |
URL of the MAAS server |
|
maas .mac hine |
string |
local |
hostname |
Name of this LXD host in MAAS |
netw ork. ovn. inte grat ion_ brid ge |
string |
global |
br-int |
OVS integration bridge to use for OVN networks |
netw ork. ovn. nort hbou nd_c onne ctio n |
string |
global |
unix:/var/run /ovn/ovnnb_db .sock |
OVN northbound database connection string |
rbac .age nt.p riva te_k ey |
string |
global |
The Candid agent private key as provided during RBAC registration |
|
rbac .age nt.p ubli c_ke y |
string |
global |
The Candid agent public key as provided during RBAC registration |
|
rbac .age nt.u rl |
string |
global |
The Candid agent url as provided during RBAC registration |
|
rbac .age nt.u sern ame |
string |
global |
The Candid agent username as provided during RBAC registration |
|
rbac .api .exp iry |
intege r |
global |
RBAC macaroon expiry in seconds |
|
rbac .api .key |
string |
global |
Public key of the RBAC server (required for HTTP-only servers) |
|
rbac .api .url |
string |
global |
URL of the external RBAC server |
|
stor age. back ups_ volu me |
string |
local |
Volume to use to store the backup tarballs (syntax is POOL/VOLUME) |
|
stor age. imag es_v olum e |
string |
local |
Volume to use to store the image tarballs (syntax is POOL/VOLUME) |
Those keys can be set using the lxc tool with:
lxc config set <key> <value>
When operating as part of a cluster, the keys marked with a global
scope will immediately be applied to all the cluster members. Those keys
with a local scope must be set on a per member basis using the
--target option of the command line tool.
Exposing LXD to the network¶
By default, LXD can only be used by local users through a UNIX socket.
To expose LXD to the network, you’ll need to set core.https_address.
All remote clients can then connect to LXD and access any image which
was marked for public use.
Trusted clients can be manually added to the trust store on the server
with lxc config trust add or the core.trust_password key can be
set allowing for clients to self-enroll into the trust store at
connection time by providing the confgiured password.
More details about authentication can be found here.
External authentication¶
LXD when accessed over the network can be configured to use external authentication through Candid.
Setting the candid.* configuration keys above to the values matching
your Candid deployment will allow users to authenticate through their
web browsers and then get trusted by LXD.
For those that have a Canonical RBAC server in front of their Candid
server, they can instead set the rbac.* configuration keys which are
a superset of the candid.* ones and allow for LXD to integrate with
the RBAC service.
When integrated with RBAC, individual users and groups can be granted various level of access on a per-project basis. All of this is driven externally through the RBAC service.
More details about authentication can be found here.