Did something crazy, installed Incus client in Windows

How do I access my cluster? Trying: incus list
This client hasn’t been configured to use a remote server yet.
As your platform can’t run native Linux instances, you must connect to a remote server.
If you already added a remote server, make it the default with “incus remote switch NAME”.
incus version
Client version: 0.4
Server version: unreachable
incus info
This client hasn’t been configured to use a remote server yet.
As your platform can’t run native Linux instances, you must connect to a remote server.
If you already added a remote server, make it the default with “incus remote switch NAME”.
incus remote switch RRSOC
Error: Remote RRSOC doesn’t exist
incus remote switch rrterabk
Error: Remote rrterabk doesn’t exist
incus remote switch 192.168.1.18
Error: Remote 192.168.1.18 doesn’t exist

Obviously, I am doing something wrong here, and can find Server Cluster.

Run incus config trust add CLIENT-NAME on your server, then run incus remote add SERVER-NAME TOKEN

CLIENT-NAME for the first command is the name that will identify your client in the future, so either the hostname of your Windows system or something like that.

SERVER-NAME for the second command is the name your server will be identified as in the command line client on your Windows machine.

Once that’s done, you can incus remote switch SERVER-NAME on the Windows system to make your server the default remote it operates against, at which point all commands should behave as if you’re on the server.

Cool, works like a charm

I’ve tried this with a new incus setup on a Windows system. I’ve created a token on my cluster and then used that in incus remote add mycluster token-blabla

However, this gives:

Error: Failed to create certificate: not authorized

Do you currently see that token in incus config trust list-tokens?

Yes. In fact I now have two, because I thought the first one expired.

Can you run incus monitor --pretty on the cluster side and then run the incus remote add so we can see what hits the cluster?

Maybe also run incus remote add with --debug for good measure.

Just FYI. The server is LXD 5.0, incus windows client is 0.6

The monitor log on the server side isn’t very interesting with regard to this issue. Just two Allowing untrusted GETs and one Allowing untrusted POST.

On the client side debug log I see two times a GET Sending request to Incus followed by a Got response struct from Incus. Then a POST Sending request to Incus with the token. After that it breaks off with the error message (see above).

Ah, so that’d be why, this should work fine if dealing with LXD on both sides or Incus on both sides.

Otherwise, our HTTP headers have differed when handling token authentication.

You can still make it work but instead of using a token to add your client certificate, you’ll need to do it the old school way and send your client system’s “client.crt” over to one of the servers on your client and then do “lxc config trust add client.crt --name windows-client” on there.

With your client’s certificate trusted by the server, you can then add it with “incus remote add lxd-cluster 1.2.3.4” (so using the IP of the server instead of providing a token).

Ah thanks. I’ll give that a try.

@stgraber Do we have to wait for incus 0.7 in order to generate the client.crt and client.key? Because I can’t find client.crt anywhere.

Incus 0.7 will have the new incus remote generate-certificate.

Until then you can force its generation with something like incus remote add foo 1.2.3.4 which will trigger the generation of the certificate and then fail due to it not being a valid remote.

We tried that, but it doesn’t work, with the error I mentioned earlier. I’m now beginning to suspect that incus tries to create the client.crt and that it fails with that.

Hmm, what error are you getting exactly?
It’s working here, but then again, I’m running it on Linux.

Error: Failed to create certificate: not authorized

Let me be a bit more precise. I ran it again just now.

PS C:\Windows\System32> incus remote add my_cluster https://angstel.example.com:8443
Trust token for my_cluster: eyJjbGllbnRfbmFtZSI6ImFuZHJlYkBBQlNJTl...DM3OTkzMjY4MDc0MDRlZCJ9
Error: not authorized
PS C:\Windows\System32>

Can you run incus remote add foo 1.2.3.4 literally?

On windows

PS C:\Windows\System32> incus remote add foo 1.2.3.4
Error: Get "https://1.2.3.4:8443": Unable to connect to: 1.2.3.4:8443 ([dial tcp 1.2.3.4:8443: i/o timeout])

On Linux (as expected)

$ incus remote add foo 1.2.3.4
Generating a client certificate. This may take a minute...
Error: Get "https://1.2.3.4:8443": Unable to connect to: 1.2.3.4:8443 ([dial tcp 1.2.3.4:8443: i/o timeout])

Right but it wouldn’t show the generation message if it’s already done it in the past.

Did you make sure you don’t have a client.crt file somewhere in AppData or wherever Windows stores stuff these days?

I’d expect either in AppData or in some kind of .incus directory (so may be hidden) inside your user’s directory.

I’m on my phone so I can’t easily check the code or look at a Windows system to see where that gets stored.

Stéphane

Ah, we found it searching the whole disk, ha ha

BTW It was in C:\Users\<user>\.config\incus
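
The manual trust route discussed in this thread depends on copying the right client.crt and on the server ending up trusting that same certificate. As an added example (not part of the thread and not Incus code), this PowerShell looks for the file in the directory reported above, with %APPDATA%\incus as an assumed fallback, and prints its SHA-256 fingerprint so it can be compared with the fingerprint the server shows in its trust list:

```powershell
# Added example: find the Incus client certificate on Windows and print the
# SHA-256 fingerprint of its DER encoding for comparison with the server side.
$candidates = @(
    (Join-Path $env:USERPROFILE '.config\incus'),  # location reported in this thread
    (Join-Path $env:APPDATA 'incus')               # assumption: fallback guess only
)

$dir = $candidates |
    Where-Object { Test-Path -LiteralPath (Join-Path $_ 'client.crt') } |
    Select-Object -First 1

if (-not $dir) {
    Write-Error "client.crt not found in: $($candidates -join ', ')"
    return
}

$crtPath = Join-Path $dir 'client.crt'
$keyPath = Join-Path $dir 'client.key'

# Load the certificate and hash its raw DER bytes.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($crtPath)
$sha  = [System.Security.Cryptography.SHA256]::Create()
try {
    $hash = $sha.ComputeHash($cert.RawData)
} finally {
    $sha.Dispose()
}
$fingerprint = -join ($hash | ForEach-Object { $_.ToString('x2') })

[pscustomobject]@{
    Certificate = $crtPath
    Subject     = $cert.Subject
    NotAfter    = $cert.NotAfter
    Sha256      = $fingerprint
    KeyPresent  = (Test-Path -LiteralPath $keyPath)
} | Format-List

# Only client.crt is sent to the server; client.key never leaves this machine.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'This client certificate has expired.'
}
```

After running “lxc config trust add client.crt --name windows-client” on the server, the fingerprint listed there (possibly shortened) should match the start of the Sha256 value printed here.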