I am trying to add a remote server for a container migration.
$ lxc remote add lko 192.168.1.111
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
Admin password for lko:
Error: Certificate already in trust store
The remote server 'lko' does not get added:
$ lxc remote list
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
+-----------------+------------------------------------------+---------------+-------------+--------+--------+--------+
| NAME | URL | PROTOCOL | AUTH TYPE | PUBLIC | STATIC | GLOBAL |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+--------+
| images | https://images.linuxcontainers.org | simplestreams | none | YES | NO | NO |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+--------+
| local (current) | unix:// | lxd | file access | NO | YES | NO |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+--------+
| ubuntu | https://cloud-images.ubuntu.com/releases | simplestreams | none | YES | YES | NO |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+--------+
| ubuntu-daily | https://cloud-images.ubuntu.com/daily | simplestreams | none | YES | YES | NO |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+--------+
$ lxd sql global "SELECT * FROM certificates;"
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
+----+-------------+------+------+-------------+------------+
| id | fingerprint | type | name | certificate | restricted |
+----+-------------+------+------+-------------+------------+
+----+-------------+------+------+-------------+------------+
$ lxc config trust ls
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
+--------------+-------------+------------------------------+------------------------------+
| FINGERPRINT | COMMON NAME | ISSUE DATE | EXPIRY DATE |
+--------------+-------------+------------------------------+------------------------------+
| 96430c120df1 | usr@nas | May 9, 2021 at 1:07am (UTC) | May 7, 2031 at 1:07am (UTC) |
+--------------+-------------+------------------------------+------------------------------+
| bef30861f69c | usr@nas | Jun 2, 2019 at 2:25pm (UTC) | May 30, 2029 at 2:25pm (UTC) |
+--------------+-------------+------------------------------+------------------------------+
| cd4c4e3ea708 | usr@nas | Feb 9, 2019 at 5:01am (UTC) | Feb 6, 2029 at 5:01am (UTC) |
+--------------+-------------+------------------------------+------------------------------+
| fe17385b206e | root@nas | May 23, 2020 at 2:52pm (UTC) | May 21, 2030 at 2:52pm (UTC) |
+--------------+-------------+------------------------------+------------------------------+
ok, tried this. Got a different message this time.
$ lxc remote add lko 192.168.1.111
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
Admin password for lko:
Error: Server doesn't trust us after authentication
On the server (a fingerprint entry gets added after the remote add request):
$ lxc config trust ls
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
+--------------+-------------+------------------------------+------------------------------+
| FINGERPRINT | COMMON NAME | ISSUE DATE | EXPIRY DATE |
+--------------+-------------+------------------------------+------------------------------+
| 96430c120df1 | usr@nas | May 9, 2021 at 1:07am (UTC) | May 7, 2031 at 1:07am (UTC) |
+--------------+-------------+------------------------------+------------------------------+
| bef30861f69c | usr@nas | Jun 2, 2019 at 2:25pm (UTC) | May 30, 2029 at 2:25pm (UTC) |
+--------------+-------------+------------------------------+------------------------------+
| cd4c4e3ea708 | usr@nas | Feb 9, 2019 at 5:01am (UTC) | Feb 6, 2029 at 5:01am (UTC) |
+--------------+-------------+------------------------------+------------------------------+
| fe17385b206e | root@nas | May 23, 2020 at 2:52pm (UTC) | May 21, 2030 at 2:52pm (UTC) |
+--------------+-------------+------------------------------+------------------------------+
$ lxc config show
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
config:
core.https_address: 192.168.1.111:8443
core.trust_password: true
Are you using those other usr@nas certs? If not, I would remove them from the trust store too.
They might be other existing clients though, so double check.
$ lxc config trust ls
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
+-------------+-------------+------------+-------------+
| FINGERPRINT | COMMON NAME | ISSUE DATE | EXPIRY DATE |
+-------------+-------------+------------+-------------+
On the client:
$ lxc remote add lko 192.168.1.111
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
Admin password for lko:
Error: Server doesn't trust us after authentication
The server now shows:
$ lxc config trust ls
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
+--------------+-------------+-----------------------------+-----------------------------+
| FINGERPRINT | COMMON NAME | ISSUE DATE | EXPIRY DATE |
+--------------+-------------+-----------------------------+-----------------------------+
| 96430c120df1 | usr@nas | May 9, 2021 at 1:07am (UTC) | May 7, 2031 at 1:07am (UTC) |
+--------------+-------------+-----------------------------+-----------------------------+
I just tested a fresh install of LXD 4.13 and adding remotes works fine. Also tested 4.14, as there have been some changes to that subsystem in there, and that's working fine also.
The "Allowing untrusted POST" bit is what your client does after entering the trust password to add its cert to the trust store (which we can see succeeding), and afterwards it does the request to GET /1.0 to check it's authenticated. But at this stage it still isn't, despite its cert being in the trust store.
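A defender-side check for the situation in this thread, added here as an example and not code from the thread or from LXD itself: it computes the fingerprint LXD uses for a client certificate (SHA-256 over the DER body, lowercase hex) and matches it against the truncated fingerprints that `lxc config trust ls` prints, so you can tell which trust-store entry is your client and which are stale. The certificate bytes and the trust table are constructed samples; the client.crt paths in the comments are assumptions about typical installs.

```python
import base64
import hashlib
import re

# Constructed sample: NOT a real certificate, just arbitrary bytes standing in
# for the DER encoding. On a real client you would read the PEM from
# ~/snap/lxd/common/config/client.crt (snap) or ~/.config/lxc/client.crt (deb);
# both paths are assumptions about typical installs, not taken from the thread.
SAMPLE_DER = b"constructed-sample-der-bytes-standing-in-for-a-client-cert"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

# Constructed copy of the kind of table 'lxc config trust ls' prints.
SAMPLE_TRUST_TABLE = """
+--------------+-------------+------------------------------+------------------------------+
| FINGERPRINT  | COMMON NAME | ISSUE DATE                   | EXPIRY DATE                  |
+--------------+-------------+------------------------------+------------------------------+
| 96430c120df1 | usr@nas     | May 9, 2021 at 1:07am (UTC)  | May 7, 2031 at 1:07am (UTC)  |
| fe17385b206e | root@nas    | May 23, 2020 at 2:52pm (UTC) | May 21, 2030 at 2:52pm (UTC) |
+--------------+-------------+------------------------------+------------------------------+
"""


def der_from_pem(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def lxd_fingerprint(pem: str) -> str:
    """LXD identifies a client cert by the lowercase hex SHA-256 of its DER form."""
    return hashlib.sha256(der_from_pem(pem)).hexdigest()


def parse_trust_list(table: str) -> dict:
    """Parse 'lxc config trust ls' output into {12-char fingerprint prefix: common name}."""
    entries = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and re.fullmatch(r"[0-9a-f]{12}", cells[0]):
            entries[cells[0]] = cells[1]
    return entries


def find_in_trust_store(pem: str, table: str):
    """Return (full fingerprint, common name or None) for the client cert in the table."""
    fp = lxd_fingerprint(pem)
    return fp, parse_trust_list(table).get(fp[:12])
```

A `None` second element means the server has not stored this client's cert at all; a hit on a different common name than expected usually points at a stale or foreign entry worth removing.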
Ok. Let me take a step back. I have a firewall rule so that the client (172.16.1.5) can talk to the remote server (192.168.1.111), however the server is not allowed to initiate connection to 172.16.1.5.