How to control LXD host from inside a container?


I’m new to LXD and I’m planning to use it to host multiple websites using Nginx and HaProxy.

The problem that I’m facing is that I’d like to have a dashboard that allows me to control each container (this dashboard can be used by many users), so I can delete/create new containers, but I don’t know where I should put this dashboard so that it would have access to the LXD host. For example, let’s say that I have these containers:

site1 (a website)
site2 (a website)
panel (the panel that I want to create)
haproxy (load balancer)

The problem that I see with this approach is that since the panel is inside a container, it won’t have access to the LXD host, so it won’t be able to use commands to create/delete an instance.
One possible way to solve that would be by using SSH to connect to the host, but I’m not sure if it’s safe or if it would be a good solution.

Another possible solution is to create a ‘master’ container where I would install the panel and add all other containers in it, using a nested LXD architecture. But I’m not sure if I would lose much performance and if it would be possible to use Nginx + HaProxy to have multiple websites running; because they’re nested containers, I don’t know how I would configure it in a way that makes it work.

How can I control a LXD host from inside a container? Which approach would be better? Do you have any other solution?

This is an interesting question.

I suggest putting the dashboard on your own (personal?) computer, and connecting to the LXD server remotely using the REST API.
See more at https://stgraber.org/2016/04/12/lxd-2-0-remote-hosts-and-container-migration-612/

Thank you for your suggestion, but unfortunately that won’t work for me because I’d like to have a SaaS application in which users would use the dashboard to control their containers, so I have to put it on a server.

You can initially put the dashboard on the host (where LXD is running) and implement it to use the REST API to control any containers (i.e. not run shell commands, etc).

When you are about to scale this so that each customer has their own VPS with LXD, you can make a dashboard server. That is, a server with LXD where each container is an individual dashboard. Those individual dashboards will be remotely controlling an LXD server.

How can I control a LXD host from inside a container?
Which approach would be better? Do you have any other solution?

This should be doable by installing the “lxd” server in a container, and then establishing a trust between the “LXD bare metal” server and the “LXD in a container” server as documented in https://stgraber.org/2016/03/15/lxd-2-0-installing-and-configuring-lxd-212/ and then running “lxc remote add $baremetal” from the container.

Using this setup it should be possible to send commands to the “LXD bare metal” server (or any other trusted LXD servers for that matter) from the container using “lxc exec”.

You can initially put the dashboard on the host (where LXD is running) and implement it to use the REST API to control any containers (i.e. not run shell commands, etc).

When you are about to scale this so that each customer has their own VPS with LXD, you can make a dashboard server. That is, a server with LXD where each container is an individual dashboard. Those individual dashboards will be remotely controlling an LXD server.

Interesting, I’m going to test it locally to check if it’s possible to configure HaProxy to work with this configuration.

This should be doable by installing the “lxd” server in a container, and then establishing a trust between the “LXD bare metal” server and the “LXD in a container” server as documented in https://stgraber.org/2016/03/15/lxd-2-0-installing-and-configuring-lxd-212/ and then running “lxc remote add $baremetal” from the container.

Using this setup it should be possible to send commands to the “LXD bare metal” server (or any other trusted LXD servers for that matter) from the container using “lxc exec”.

I didn’t understand very well. Did you suggest creating a container (for example, named ‘master’), then inside this ‘master’ container creating a container for my dashboard (for example, named ‘dashboard’), and after that adding my ‘master’ container as a remote for the ‘dashboard’ container?

In this case, we are going to have nested containers that look like this:

  • master (master container which contains all other containers)
    • dashboard (dashboard container that added a remote pointing to ‘master’ container)
    • site1
    • site2
    • haproxy

Did I understand correctly?


EDIT: I think that you suggested a different configuration, that would look like this:

  • master (master container which contains all other containers)
  • site1
  • site2
  • haproxy
  • dashboard (dashboard container that added a remote pointing to ‘master’ container)

So master and dashboard are on the same level.

Hello,

More like

bare_metal (with lxd installed)
- container#1 site1
- container#2 site2
- container#3 haproxy
- container#4 dashboard, with lxd installed but no “sub-containers” below container#4

If a trust is in place between container#4 lxd and bare_metal lxd, then container#4 can run pretty much any command on bare_metal: container creation, exec etc.

For the dashboard, you would ideally need to create an LXD API client, like those at https://linuxcontainers.org/lxd/rest-api/
Each dashboard LXD client would need to get a trust password with their own individual LXD server.

There is an issue that LXD does not yet support multiple users.


This means that currently, you either allocate a separate LXD server per customer/user, therefore each user would get a separate instance of the dashboard that can access one (or more) whole, not-shared, LXD containers,
or you would need to implement in the Dashboard software the facility to enforce which containers each user can control.

Most likely, you would implement now the multiple-users logic inside the dashboard web application (one instance only).
It would look like @Darcache wrote above, I am paraphrasing here:

bare_metal (with LXD installed)

  • container#1 HAProxy
  • container#2 dashboard app (connection coming from HAProxy), trusted password with LXD server
  • container#3 mysql/mariadb
  • container#4 site 1
  • container#5 site 2
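
An added sketch of that dashboard-side enforcement (not code from the thread or from the LXD project): because a client trusted by the LXD server can act on every container, the dashboard maps each user to the containers they own and builds the REST request itself. The ownership table, the reserved names and the `tenant-base` image alias are assumptions made for the example; the paths are the `/1.0/containers` endpoints of the LXD 2.0 REST API.

```python
import re

# Constructed sample data: which dashboard user owns which container.
OWNERS = {"site1": "alice", "site2": "bob"}
# Infrastructure containers from the layout above; no tenant may touch them.
RESERVED = {"haproxy", "dashboard", "mysql"}
# Hostname-style names only, so a name can never alter the API path.
NAME_RE = re.compile(r"[a-z][a-z0-9-]{0,61}[a-z0-9]")
STATE_ACTIONS = {"start", "stop", "restart"}


class Denied(Exception):
    """Raised when a user may not perform the requested operation."""


def build_request(user, op, name):
    """Return (method, path, body) to send to LXD, or raise Denied.

    Deny by default: only the operations listed here are ever forwarded.
    """
    # fullmatch (not match + "$") so "site1\n" or "site1/../x" is rejected.
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise Denied("invalid container name")

    if op == "create":
        if name in RESERVED or name in OWNERS:
            raise Denied("name not available")
        OWNERS[name] = user  # claim the name for this user
        # The body is built server-side. Tenants never supply "config" or
        # "devices", so they cannot ask for a privileged container or a
        # host path. "tenant-base" is a hypothetical image alias.
        body = {"name": name,
                "source": {"type": "image", "alias": "tenant-base"}}
        return ("POST", "/1.0/containers", body)

    # Every other operation requires ownership of an existing container.
    if OWNERS.get(name) != user:
        raise Denied("not your container")
    if op == "delete":
        # Caller removes the OWNERS entry once LXD confirms the deletion.
        return ("DELETE", "/1.0/containers/" + name, None)
    if op in STATE_ACTIONS:
        return ("PUT", "/1.0/containers/" + name + "/state",
                {"action": op, "timeout": 30})
    raise Denied("operation not allowed")
```

The returned tuple is what the dashboard's LXD client would send over its trusted TLS connection; operations such as exec are never forwarded because they are not on the allow-list.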