Stéphane Graber
on 6 March 2017
The LXD demo server
The LXD demo server is the service behind https://linuxcontainers.org/lxd/try-it.
We use it to showcase LXD by leading visitors through an interactive tour of LXD’s features.
Rather than use some javascript simulation of LXD and its client tool, we give our visitors a real root shell using a LXD container with nesting enabled. This environment is using all of LXD’s resource limits as well as a very strict firewall to prevent abuses and offer everyone a great experience.
This is done using lxd-demo-server which can be found at: https://github.com/lxc/lxd-demo-server
The lxd-demo-server is a daemon that offers a public REST API for use from a web browser.
It supports:
- Creating containers from an existing container or from a LXD image
- Choose what command to execute in the containers on connection
- Lets you choose specific profiles to apply to the containers
- An API to record user feedback
- An API to fetch usage statistics for reporting
- A number of resource restrictions:
- CPU
- Disk quota (if using btrfs or zfs as the LXD storage backend)
- Processes
- Memory
- Number of sessions per IP
- Time limit for the session
- Total number of concurrent sessions
- Requiring the user to read and agree to terms of service
- Recording all sessions in a sqlite3 database
- A maintenance mode
All of it is configured through a simple yaml configuration file.
Setting up your own
The LXD demo server is now available as a snap package and interacts with the snap version of LXD. To install it on your own system, all you need to do is:
Make sure you don’t have the deb version of LXD installed
ubuntu@djanet:~$ sudo apt remove --purge lxd lxd-client Reading package lists... Done Building dependency tree Reading state information... Done The following packages will be REMOVED: lxd* lxd-client* 0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded. After this operation, 25.3 MB disk space will be freed. Do you want to continue? [Y/n] (Reading database ... 59776 files and directories currently installed.) Removing lxd (2.0.9-0ubuntu1~16.04.2) ... Warning: Stopping lxd.service, but it can still be activated by: lxd.socket Purging configuration files for lxd (2.0.9-0ubuntu1~16.04.2) ... Removing lxd-client (2.0.9-0ubuntu1~16.04.2) ... Processing triggers for man-db (2.7.5-1) ...
Install the LXD snap
ubuntu@djanet:~$ sudo snap install lxd lxd 2.8 from 'canonical' installed
Then configure LXD
ubuntu@djanet:~$ sudo lxd init Name of the storage backend to use (dir or zfs) [default=zfs]: Create a new ZFS pool (yes/no) [default=yes]? Name of the new ZFS pool [default=lxd]: Would you like to use an existing block device (yes/no) [default=no]? Size in GB of the new loop device (1GB minimum) [default=43]: Would you like LXD to be available over the network (yes/no) [default=no]? Would you like stale cached images to be updated automatically (yes/no) [default=yes]? Would you like to create a new network bridge (yes/no) [default=yes]? What should the new bridge be called [default=lxdbr0]? What IPv4 address should be used (CIDR subnet notation, “auto” or “none”) [default=auto]? What IPv6 address should be used (CIDR subnet notation, “auto” or “none”) [default=auto]? LXD has been successfully configured.
And finally install lxd-demo-server itself
ubuntu@djanet:~$ sudo snap install lxd-demo-server lxd-demo-server git from 'stgraber' installed ubuntu@djanet:~$ sudo snap connect lxd-demo-server:lxd lxd:lxd
At that point, you can hit http://127.0.0.1:8080 and will be greeted with this:
To change the configuration, use:
ubuntu@djanet:~$ sudo lxd-demo-server.configure
And that’s it, you have your own instance of the demo server.
Security
As mentioned at the beginning, the demo server comes with a number of options to prevent users from using all the available resources themselves and bringing the whole thing down.
Those should be tweaked for your particular needs and should also update the total number of concurrent sessions so that you don’t end up over-committing on resources.
On the network side of things, the demo server itself doesn’t do any kind of firewalling or similar network restrictions. If you plan on offering sessions to anyone online, you should make sure that the network which LXD is using is severely restricted and that the host this is running on is also placed in a very restricted part of your network.
Containers handed to strangers should never be using “security.privileged” as that’d be a straight route to getting root privileges on the host. You should also stay away from bind-mounting any part of the host’s filesystem into those containers.
I would also very strongly recommend setting up very frequent security updates on your host and kernel live patching or at least automatic reboot when a new kernel is installed. This should avoid a new kernel security issue from being immediately exploited in your environment.
Conclusion
The LXD demo server was initially written as a quick hack to expose a LXD instance to the Internet so we could let people try LXD online and also offer the upstream team a reliable environment we could have people attempt to reproduce their bugs into.
It’s since grown a bit with new features contributed by users and with improvements we’ve made to the original experience on our website.
We’ve now served over 36000 sessions to over 26000 unique visitors. This has been a great tool for people to try and experience LXD and I hope it will be similarly useful to other projects.
Extra information
The main LXD website is at: https://linuxcontainers.org/lxd
Development happens on Github at: https://github.com/lxc/lxd
Mailing-list support happens on: https://lists.linuxcontainers.org
IRC support happens in: #lxcontainers on irc.freenode.net
Try LXD online: https://linuxcontainers.org/lxd/try-it