Candid + LXD 4.23 using an ipv4 only subnet

BeRoots · February 27, 2022, 10:13pm

Hello

I try to follow this how to on my laptop using libvirt VMs on the same network (10.0.1.0/24):
https://ubuntu.com/tutorials/candid-authentication-lxd

The only difference I have is I have defined my own IPv4 subnet range (10.0.2.1/24) for lxc containers during the lxd init (page bottom of Candid authentication for LXD | Ubuntu)

My problem is to configure the network on the server VM to route the candid container on that VM through its IP (doing http://10.0.0.1:8081 on the client VM to access to the container located into the LXD subnet).

Is there a way to do this directly when configuring lxd init or I have to configure this myself with something like IP forwarding or NAT on the host VM ?

NB. This howto seems to not allow LXD to be available over the network and in my case I don’t want to use same network IPs for VM and containers

tomp · March 1, 2022, 8:19am

If you don’t want to connect your container directly to the external network (e.g. via an unmanaged bridge or a macvlan NIC connected to the external interface) then you can instead use the proxy device on the specific container to listen on an IP/port(s) of the LXD host and forward inbound connections into the container.

It can operate in NAT mode, which allows the source IP address to be maintained, but this requires that your container’s NIC device is configured with a static DHCP allocation on the managed parent bridge (likely lxdbr0).

E.g.

lxc network show lxdbr0 # Look for ipv4.address to indicate the subnet of the managed bridge
lxc config device override c1 eth0 ipv4.address=<n.n.n.n> # A free IP in the bridge's network subnet.
lxc config device add c1 myproxy proxy listen=tcp:<host_ip>:<host_port> connect=tcp:<container_ip>:<container_port> nat=true

Please see Using proxy device to forward network connections from host to container in NAT mode and Instance configuration - LXD documentation for more info.