Adding a LXC remote server to Incus Server


We are beginning our testing of Incus as a possible replacement for LXC to determine if creating our own container images and remaining with LXC is preferable to the complete migration to Incus. We have two servers with Incus installed and after some trial and error managed to get them linked as remotes so we can copy containers from one to another via the network. What we would like to know is: is there a way to add an LXC server as a remote server to an Incus server, and how, or are the frameworks too different to allow that?

We have attempted adding (on the Incus server) trust add via:

incus config trust add server_name

and took the token on the LXC server to add the remote server

lxc remote add server_name token

but we get an Error: Failed to create certificate: not authorized

and when we try

lxc remote add server_name --password=token

we get an Error: not authorized

What are we missing if this is even possible? There are other ways to accomplish the goals by creating an image and then moving the files from one server to another.

Your best bet to have the Incus client talk to LXD or the LXD client talk to Incus is to go for the basic TLS authentication.

Transfer your client’s client.crt (~/.config/incus/client.crt for the one from the Incus client) over to your server and then add it to the trust store with either lxc config trust add client.crt or incus config trust add-certificate client.crt.

Thank you for your reply. I copied the client.crt from the incus server and added it to the trust list. Then I reattempted to add the remote incus server to the LXC server by (using the token created in my first post):

lxc remote add server_name long_alpha_numeric_token

I still get an Error: Failed to create certificate: not authorized. Did I miss something?

I do apologize for my ignorance. I am still new to LXC and containers.

If you copied the client.crt from the Incus server and added it to the trust list of the LXD server, then the Incus client should now be able to add your LXD server (not the reverse).

Tokens will not work, so you’ll need to just use incus remote add lxd-server https://IP:8443. It should prompt to confirm the server fingerprint and then get added successfully, as the server will already be trusting the certificate.

If you want the reverse to work, then you need to transfer the client.crt from your user on the LXD server (look for it somewhere under ~/snap/lxd/common), then transfer it to the Incus server and get it trusted there. After that lxc remote add incus-server https://IP:8443 should similarly work.

I was successful in adding the incus server as a remote on the LXC server. I am not sure if I made a mistake or not the first time I tried it, but when I renamed the certificate to something more recognizable (i.e. server_name-incus.crt) it would not connect. When I renamed the certificate back to client.crt, it worked. Is that by design or did I just mistype something?

I also could not add the LXC server as a remote server on the incus server. Is this because the core.trust_password is set? I get a connection refused.

Connection refused would usually be because of a missing core.https_address configuration.
core.trust_password being set will definitely cause a problem, but that would happen a bit later.

ahh… Yeah I see the issue on my end. I ran into another issue with “json: cannot unmarshal bool into Go struct field Server.config of type string”, but since we were able to add the incus server as a remote server on the LXC server, it will help us with the migration process if we decide to migrate from LXC to Incus (most likely will).

Can the client.crt be renamed on the incus server or does the name have to match what is on the LXC? I haven’t had to retest yet.

The name doesn’t matter, it’s just there as a convenience since most folks don’t remember long fingerprints :slight_smile:
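
An added example, not part of the thread: trust entries on both LXD and Incus are identified by the SHA-256 fingerprint of the certificate's DER bytes, so the file name of a transferred client.crt has no effect on whether it matches. The sketch below fingerprints one certificate stored under two names and matches it against a trust list; the sample certificate bytes and the trust entries are constructed placeholders, and the function names are this example's own.

```python
import hashlib
import ssl
import tempfile
from pathlib import Path

# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint(pem_text):
    """SHA-256 over the certificate's DER bytes, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def match_trusted(cert_path, trusted):
    """Names of trust entries whose listed fingerprint (full or shortened
    prefix) matches the certificate file at cert_path."""
    fp = fingerprint(Path(cert_path).read_text())
    return [name for name, listed in trusted.items()
            if listed and fp.startswith(listed.lower())]


def demo():
    """Write the same certificate under two file names and fingerprint both."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = [Path(tmp, n) for n in ("client.crt", "server_name-incus.crt")]
        for p in paths:
            p.write_text(SAMPLE_PEM)
        fps = {p.name: fingerprint(p.read_text()) for p in paths}
        # Hypothetical trust list: entry name -> shortened fingerprint.
        trusted = {"incus-client": fps["client.crt"][:12], "other": "00" * 6}
        matches = match_trusted(paths[1], trusted)
    return fps, matches


if __name__ == "__main__":
    fps, matches = demo()
    for name, fp in fps.items():
        print(f"{name}: {fp}")
    print("trusted as:", matches)
```

Comparing the computed value with the fingerprint shown in the server's trust list confirms which client certificate an entry actually refers to before a remote is added.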