Hi, I wonder what’s the best practice to sync images between several lxd servers on seperate machines? e.g. I have one server that runs no container, but only keeps updated images. And a few “worker” servers that has no internat connection, and are supposed to fetch images from the former one.
I’ve tried to combine lxc image list -f csv with lxc image export, then keep files accessible to the workers by NFS or SCP or HTTP or anything. However I found the imported images on the worker servers just don’t have aliases.
So what’s the best practice to do the syncing? Should I expose lxd on the image server to all worker server?
Exposing that lxd image server to the others would definitely be easiest as they could then just use lxc launch remote-server:some-image blah which would cause LXD to pull the image if needed, then cache it locally.
If your images are marked as “public” on that LXD server, then the others will be able to pull those images from it without needing to authenticate and so without having any kind of privileges against that LXD server which I suspect is something that matters to you.
An alternative would be to have a static web server accessible to all servers and then setup simplestreams index files for your images. Setup HTTPS on that server and you’ll have something that LXD can use as an image server. That’s effectively what we use for the high bandwidth production image server (https://images.linuxcontainers.org and https://cloud-images.ubuntu.com).
This solution needs a bit more custom logic to generate, those index files, cleanup old images, … but it may be easier to get past a security audit as what’s exposed would just be a static web server with HTTPS access.
I ended with setting up listen port and trust password, and manually added the remotes to all worker servers. Then run lxc image copy --copy-aliases within a for loop.
And thank you for pointing out that a public image can be retrived without authenticating, by lxc remote add --public. Then I can lxc image pull from it without typing any password.