Lxd clustering and remote access

geodb27 · June 19, 2019, 7:55am

Hi !
I’m wondering what would be the best way to be able to access any member of a lxd cluster if one of the node (or more) are down.
Here is my setup :
I have a three nodes lxd cluster. lxd1-1, lxd1-2 and lxd1-3.
I also have another lxd machine that is out of the cluster.
For my needs, this last one is used to setup and configure a container before it goes in production in the cluster. So, this machine must be able to access any one of the cluster nodes in order to push the containers when they are ready.
To ensure that this can be done, what would be the way to go ?
Have a floating IP (setup via corosync+pcs) that is launched on one of the lxd nodes and find a way to change the configuration setting of the node so that the core.https_address is setup to this floating IP on the machine that has it ?
Have some kind of “routing” machine (we have a F5 box) that handles a virtual server that forwards to every one of the nodes ?
Another solution that I haven’t thought of ?
Thanks for your advices.

stgraber · June 19, 2019, 7:13pm

Round-robin DNS record does the job quite well usually. Alternatively you could use something like haproxy too or indeed do that dance with a VIP.

geodb27 · June 20, 2019, 8:13am

Thanks for your kind answer Stéphane.

Well, I might have done something wrong, because it doesn’t work as expected.
In my setup, let’s say that lxd1-1 has ip address set to 192.168.0.11, lxd1-2 to 192.168.0.12, lxd1-3 to 192.168.0.13 and the vip is 192.168.0.10 and resolves to lxd1.

In production and normal state, the vip is handled on lxd1-1. So, since it handles the vip, I set the core.https_address to lxd1 on each members of the cluster.
If I shut down this machine, the floating ip goes to one of the other nodes. Let’s say that it goes to lxd1-2.
The problem here is that since lxd on this machine couldn’t bind to 192.168.0.10 on startup, then my full cluster can’t be reached unless I restart lxd (snap restart lxd) on the second node, to follow my example.
Either there is something I did wrong, or a logic that misunderstood.

stgraber · June 20, 2019, 11:52pm

Indeed not having the address be bindable will be a problem for LXD.
Easiest way around it would be to use 0.0.0.0:8443 as the address and firewall off any address that you don’t want to see used.