LXD: Looking for comprehensible description of simplestreams

Hi,
I’m looking for a plain and consistent description of the simplestreams protocol/file format and content description.

given problem:

I want to use LXD with several ubuntu- and other images in a local network. To avoid having every single machine downloading images over the internet, I want to have one central machine that keeps both the downloaded and locally generated images for other machines, but for security reasons read-only.

A simple solution would be to just let LXD listen on a port and open the port for the other machines, but I did not see how to make this read only. I didn’t test it yet, but the man pages suggest, that once a machine can read images, it can write as well.

Another solution would be to export images and put files an a simple webserver, not elegant and clean.

I then found several web pages considering LXD’s own protocol as somewhat deprecated and recommending simplestreams instead.

But then, it is really difficult to find a description revealing more than the general idea and some file names.

I found the simplestream-builder tool, but it’s description and help page are close to useless, they don’t explain, what the commands do, or even mention the order, in which to call them. It just points to an example at https://github.com/Sabayon/sbi-tasks/blob/master/lxd/tree-images.yaml, but that doesn’t explain anything, and the URLs seem to be not valid anymore, thus no chance to just look and see, how a simplestream server should look like and contain. I did not even find a running and publicly available simplestrams server to just have a look at it and its files.

So I am still trying to solve the problem how to build a local server offering LXD images to local machines read-only. I’m looking for a description about how to get from a local LXD having all the relevant images to somewhat (e.g. simplestreams) serving these images to machines in the same network.

And maybe a statement about what is the intended way to do that in future. Is the support for simplestreams in the lxc remote add command experimental or stable?

regards

That should be fine. You can add a LXD remote as a public, read-only server with:

lxc remote add some-name 1.2.3.4 --public

You’ll then be able to do lxc launch some-name:my-image blah and it will download the image from that LXD. This will not require any kind of certificate authentication, the client will be anonymous and will only be able to see images marked as public on that LXD server.

That’s only true for the large scale image servers that we operated where having static web servers pretend to be LXD servers was quite impractical and so we favor simplestreams for such use cases.

I think using a LXD server which all other systems use as their image source is probably the easiest in this case.

You definitely could use simplestreams instead but as you’ve noticed, there’s no real standard tooling for it. I remember seeing GitHub - MottainaiCI/simplestreams-builder: LXC/LXD/Incus Simplestreams Tree Builder some time ago but haven’t used it myself.

Our own image servers get their metadata put together by a big python script which scans our Jenkins for new images, handles image signing, generates the index files for both simplestreams and the LXC protocol (pre-LXD), then deals with filesystem snapshots and rsync configuration to expose things in a consistent way. So quite a system-specific solution which doesn’t make a ton of sense outside of our specific environment. My understanding is that roughly the same is true for cloud-images.ubuntu.com where images are instead built on Launchpad and some additional publication steps occur, so similarly custom publishing logic.