HOWTO: Classic, apt-based Ubuntu 16.04 LTS Server on the rpi2!

Classic Ubuntu 16.04 LTS, on an rpi2Hopefully by now you’re well aware of Ubuntu Core — the snappiest way to run Ubuntu on a Raspberry Pi…But have you ever wanted to run classic (apt/deb) Ubuntu Server on a RaspberryPi2?Well, you’re in luck! &n…

Entroware Releases Powerful Linux Gaming Laptop with Ubuntu or Ubuntu MATE 16.04

Athena, Entroware’s first 17-inch Linux gaming laptop that comes with either the Ubuntu 16.04 LTS (Xenial Xerus) with the modern Unity interface or Ubuntu MATE 16.04 LTS for those who want a more customizable and lightweight desktop environment on their already high-performant workstation. Entroware Athena is a high-performant gaming laptop. Why? Because it ships with

Logic Supply Launches CL100 Ultra-Compact Mini-PC Powered by Ubuntu or Windows

The CL100 was supposed to be unveiled at the Digital Signage Expo 2016 at the end of March, and now it is finally available for purchase from the company’s website for the mere price of $302 (€270) without a primary storage device or $347 (€310) with a 32GB mSATA SSD. Commercialized by Logic Supply as

Ubuntu Core Now Ready for Screenly, a Digital Signage Solution for Raspberry Pi

Canonical has announced a partnership with Screenly to bring the Snappy Ubuntu Core operating system to the world’s most popular digital signage solution for the Raspberry Pi. As many of you are already aware from our previous coverage, Snappy Ubuntu Core is a slimmed-down version of the Ubuntu Linux operating system, engineered by Canonical for

New Android malware disguises itself as a Chrome update

There’s a new info-stealing malware hiding out there in a familiar cloak, waiting to infect your Android device. Zscaler’s security research team, ThreatLabZ, discovered the malware, which hides in the form of an Android Google Chrome update. The domains used by the infostealer look like file names for Google updates, but each URL is only

10 cool accessories for the Aquaris M10 Ubuntu Edition tablet

In the office we’ve been using the Aquaris M10 Ubuntu Edition tablet and have a few accessories to recommend with it! Check out the list below. Bluetooth Keyboard Bluetooth mouse Or even this bluetooth mouse! 4-Port Micro USB to USB Hub Micro-HDMI to HDMI Cable NexDock – world’s most affordable laptop that converges with the […]

LXD 2.0: Remote hosts and container migration [6/12]

This is the sixth blog post in this series about LXD 2.0.

LXD logo

Remote protocols

LXD 2.0 supports two protocols:

  • LXD 1.0 API: That’s the REST API used between the clients and a LXD daemon as well as between LXD daemons when copying/moving images and containers.
  • Simplestreams: The Simplestreams protocol is a read-only, image-only protocol used by both the LXD client and daemon to get image information and import images from some public image servers (like the Ubuntu images).

Everything below will be using the first of those two.

Security

Authentication for the LXD API is done through client certificate authentication over TLS 1.2 using recent ciphers. When two LXD daemons must exchange information directly, a temporary token is generated by the source daemon and transferred through the client to the target daemon. This token may only be used to access a particular stream and is immediately revoked so cannot be re-used.

To avoid Man In The Middle attacks, the client tool also sends the certificate of the source server to the target. That means that for a particular download operation, the target server is provided with the source server URL, a one-time access token for the resource it needs and the certificate that the server is supposed to be using. This prevents MITM attacks and only give temporary access to the object of the transfer.

Network requirements

LXD 2.0 uses a model where the target of an operation (the receiving end) is connecting directly to the source to fetch the data.

This means that you must ensure that the target server can connect to the source directly, updating any needed firewall along the way.

We have a plan to allow this to be reversed and also to allow proxying through the client itself for those rare cases where draconian firewalls are preventing any communication between the two hosts.

Interacting with remote hosts

Rather than having our users have to always provide hostname or IP addresses and then validating certificate information whenever they want to interact with a remote host, LXD is using the concept of “remotes”.

By default, the only real LXD remote configured is “local:” which also happens to be the default remote (so you don’t have to type its name). The local remote uses the LXD REST API to talk to the local daemon over a unix socket.

Adding a remote

Say you have two machines with LXD installed, your local machine and a remote host that we’ll call “foo”.

First you need to make sure that “foo” is listening to the network and has a password set, so get a remote shell on it and run:

lxc config set core.https_address [::]:8443 lxc config set core.trust_password something-secure

Now on your local LXD, we just need to make it visible to the network so we can transfer containers and images from it:

lxc config set core.https_address [::]:8443

Now that the daemon configuration is done on both ends, you can add “foo” to your local client with:

lxc remote add foo 1.2.3.4

(replacing 1.2.3.4 by your IP address or FQDN)

You’ll see something like this:

stgraber@dakara:~$ lxc remote add foo 2607:f2c0:f00f:2770:216:3eff:fee1:bd67 Certificate fingerprint: fdb06d909b77a5311d7437cabb6c203374462b907f3923cefc91dd5fce8d7b60 ok (y/n)? y Admin password for foo: Client certificate stored at server: foo

You can then list your remotes and you’ll see “foo” listed there:

stgraber@dakara:~$ lxc remote list +-----------------+-------------------------------------------------------+---------------+--------+--------+ | NAME | URL | PROTOCOL | PUBLIC | STATIC | +-----------------+-------------------------------------------------------+---------------+--------+--------+ | foo | https://[2607:f2c0:f00f:2770:216:3eff:fee1:bd67]:8443 | lxd | NO | NO | +-----------------+-------------------------------------------------------+---------------+--------+--------+ | images | https://images.linuxcontainers.org:8443 | lxd | YES | NO | +-----------------+-------------------------------------------------------+---------------+--------+--------+ | local (default) | unix:// | lxd | NO | YES | +-----------------+-------------------------------------------------------+---------------+--------+--------+ | ubuntu | https://cloud-images.ubuntu.com/releases | simplestreams | YES | YES | +-----------------+-------------------------------------------------------+---------------+--------+--------+ | ubuntu-daily | https://cloud-images.ubuntu.com/daily | simplestreams | YES | YES | +-----------------+-------------------------------------------------------+---------------+--------+--------+

Interacting with it

Ok, so we have a remote server defined, what can we do with it now?

Well, just about everything you saw in the posts until now, the only difference being that you must tell LXD what host to run against.

For example:

lxc launch ubuntu:14.04 c1

Will run on the default remote (“lxc remote get-default”) which is your local host.

lxc launch ubuntu:14.04 foo:c1

Will instead run on foo.

Listing running containers on a remote host can be done with:

stgraber@dakara:~$ lxc list foo: +------+---------+---------------------+-----------------------------------------------+------------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +------+---------+---------------------+-----------------------------------------------+------------+-----------+ | c1 | RUNNING | 10.245.81.95 (eth0) | 2607:f2c0:f00f:2770:216:3eff:fe43:7994 (eth0) | PERSISTENT | 0 | +------+---------+---------------------+-----------------------------------------------+------------+-----------+

One thing to keep in mind is that you have to specify the remote host for both images and containers. So if you have a local image called “my-image” on “foo” and want to create a container called “c2” from it, you have to run:

lxc launch foo:my-image foo:c2

Finally, getting a shell into a remote container works just as you would expect:

lxc exec foo:c1 bash

Copying containers

Copying containers between hosts is as easy as it sounds:

lxc copy foo:c1 c2

And you’ll have a new local container called “c2” created from a copy of the remote “c1” container. This requires “c1” to be stopped first, but you could just copy a snapshot instead and do it while the source container is running:

lxc snapshot foo:c1 current lxc copy foo:c1/current c3

Moving containers

Unless you’re doing live migration (which will be covered in a later post), you have to stop the source container prior to moving it, after which everything works as you’d expect.

lxc stop foo:c1 lxc move foo:c1 local:

This example is functionally identical to:

lxc stop foo:c1 lxc move foo:c1 c1

How this all works

Interactions with remote containers work as you would expect, rather than using the REST API over a local Unix socket, LXD just uses the exact same API over a remote HTTPs transport.

Where it gets a bit trickier is when interaction between two daemons must occur, as is the case for copy and move.

In those cases the following happens:

  1. The user runs “lxc move foo:c1 c1”.
  2. The client contacts the local: remote to check for an existing “c1” container.
  3. The client fetches container information from “foo”.
  4. The client requests a migration token from the source “foo” daemon.
  5. The client sends that migration token as well as the source URL and “foo”‘s certificate to the local LXD daemon.
  6. The local LXD daemon then connects directly to “foo” using the provided token
    1. It connects to a first control websocket
    2. It negotiates the filesystem transfer protocol (zfs send/receive, btrfs send/receive or plain rsync)
    3. If available locally, it unpacks the image which was used to create the source container. This is to avoid needless data transfer.
    4. It then transfers the container and any of its snapshots as a delta.
  7. If succesful, the client then instructs “foo” to delete the source container.

Try all this online

Don’t have two machines to try remote interactions and moving/copying containers?

That’s okay, you can test it all online using our demo service.
The included step-by-step walkthrough even covers it!

Extra information

The main LXD website is at: https://linuxcontainers.org/lxd
Development happens on Github at: https://github.com/lxc/lxd
Mailing-list support happens on: https://lists.linuxcontainers.org
IRC support happens in: #lxcontainers on irc.freenode.net

WhatsApp 2.16.20 Download Available for Android Devices

WhatsApp is one of the most used mobile messaging applications out there, being used by millions of people every day. The application is now totally free, as Facebook, the owner of WhatsApp, has decided to remove the annual fee of 0.99 dollars. The new WhatsApp 2.16.20 APK (installation) file has 27MB in size and it

LXD networking: lxdbr0 explained

Recently, LXD stopped depending on lxc, and thus moved to using its own bridge, called lxdbr0. lxdbr0 behaves significantly differently than lxcbr0: it is ipv6 link local only by default (i.e. there is no ipv4 or ipv6 subnet configured by default), and only HTTP traffic is proxied over the network. This means that e.g. you […]

How many people use Ubuntu?

Discover the range of industries, people and services that are using Ubuntu right now. Netflix. Snapchat. Dropbox. Uber. Tesla…and the International space station – what do they all have in common? They run on Ubuntu. To celebrate our upcoming 16.04 LTS we wanted to shine a bit of light on how many people in the […]

How life appears when all your computing needs fit into one device

It’s been an exciting few weeks with the launch of our first fully converged device, the Aquaris M10 Ubuntu Edition tablet. To celebrate this and to gain deeper insights we held a competition last month that asked the community – what their life would look like if all their computing needs fitted into one device? […]

When a projector and app-enabled software-defined radio cross paths

We had a chat with our head of IoT, Maarten, to discover what happens when a projector crosses paths with an app-enabled software-defined radio (limeSDR.org) Below is a list of pretty cool insights when the two cross paths that include talking to drones via hand gestures, hacking into walkie talkies and finding coverage where it […]

Canonical Cloud Chatter: March 2016

The focus for March has been preparing for our presence at the OpenStack Summit next month. We also announced our collaboration with Tele2 on moving their Network and IT infrastructure to the cloud. As always, you can learn more about Juju, MAAS, LXD and partner ecosystem updates in this month’s newsletter. Webinar: Discover the Cloud […]

Still have questions about Bash and Ubuntu on Windows?

Still have questions about Ubuntu on Windows?Watch this Channel 9 session, recorded live at Build this week, hosted by Scott Hanselman, with questions answered by Windows kernel developers Russ Alexander, Ben Hillis, and myself representing Canonical a…

NFLabs joins the Charm Partner Programme

Canonical is excited to welcome NFLabs to the Charm Partner Programme.  The Charm Partner Programme enables Independent Software Vendors (ISVs) to use the full power of Juju, the award-winning cloud services modelling and application abstraction tool from Canonical. Juju is for IT architects, administrators, devops, developers, data scientists and, generally speaking, anyone interacting with applications […]

Ubuntu on Windows — The Ubuntu Userspace for Windows Developers

I’m in San Francisco this week, attending Microsoft’s Build developer conference, as a sponsored guest of Microsoft.That’s perhaps a bit odd for me, as I hadn’t used Windows in nearly 16 years.  But that changed a few months ago, as I embarked on …

Full Circle #107 is here!

This month: * Command & Conquer * How-To : Python, LibreOffice, Migrating From VAX, and The Pocket Server * Graphics : Inkscape * Chrome Cult: Apricity OS * Linux Labs: Building A 3D Printer * Ubuntu Devices * Review: Able2Extract 10, and Deepin OS * Ubuntu Games: Saints Row IV, and The Kindred plus: News,

Tele2 Adopts Canonical’s Ubuntu Open Source OpenStack Cloud for NFV

Canonical scored another major telecom partnership related to its open source Ubuntu Linux platform this week, when Tele2 announced that it is moving more operations to the cloud using Canonical’s Ubuntu-based OpenStack platform. Tele2 is a major European telecommunications provider. On Wednesday, it announced that it is migrating more of its infrastructure to the cloud

Employee OpenStack Spotlight – Bill Bauman

We caught up with Bill Bauman the Cloud Content Marketing Manager at Canonical to give us an insight into his work, and his love for technology. What do you do at Canonical I came from a technical background, but at Canonical I run content and strategy for our cloud marketing team. That means I get […]

MWC 2016: Our biggest show yet

  For the whole Canonical team, Mobile World Congress 2016 was a momentous event. Not only were we sitting alongside some of the biggest technology companies in the world in Hall 3, but our big, beautiful stand was the best yet; showing off our latest innovation perfectly. Mobile World Congress was the perfect place to […]