Adding a lxd remote, messing with credentials

I have found no good documentation yet as how to setup a juju client with a lxd remote. Maybe I’m missing something, but lxd with juju is fantastic and especially with a remote lxd.

Here is some feedback on this process, which unfortunately is really tedious and error prone. Made easy, it is an absolute killer!

My comment on this, is that the adding all the components of an remote LXD cloud credentials is very tedious and not very well documented.

The process setting up juju after you have your remote lxd host setup as you like it, before you are able to “juju bootstrap” you need to go through a process like this:

  1. You must generate (or have it available at ~/snap/lxd/current/.config/lxc ) a client.crt + client.key files which are unique to your client lxc.

(This is not documented on the juju docs at all nor referenced, but unless you have these it will fail except for localhost lxd).

I normally run “lxc remote add …” and abort the process in the middle. This seems to generate a client.crt. I assume you use the snap version of lxc.

  1. I add the client.crt to the server side lxd trust and verify its good to go.

lxc config trust add client.crt
lxc config trust list

  1. Retrieve the the server.crt from the remote lxd host and sending it over to the client. The server.crt is located here on the lxd server:


  1. Now you put all these three files (client.crt, client.key and server.crt) into the “credentials.yaml” of juju, Like…

auth-type: certificate
client-cert: |
client-key: |
server-cert: |

  1. Now you can add this cloud to your juju client (call it lxdcloud):

juju add-cloud --client

The “juju-add cloud” process or “juju add-credential” does not support asking for files here during the registration (unless you already have it all in a credentials.yaml file), so I always end up having to manually edit this/a file with this information. This typically generates linting errors incomprehensible errors as a consequence with I mess up and its an aweful experience for non juju gurus.

To be able to supply files (client.crt, client.key and server.crt) would be a huge improvement.

  1. Now you should be able to bootstrap your new juju cloud

juju bootstrap lxdcloud

  1. Remove the possibility to use “trust password” with lxd as part of a production grade installation (you can always set a new one if you need it later)

lxc config unset core.trust_password

Having this process documented as part of the juju docs would be great. Perhaps it is.

@erik-lonroth thank-you for the detailed post. I’m looking at the LXD documentation at the moment, I’ll be sure to integrate this into the documentation to make it clearer. Hopefully there is some ways we can simplify this process.

1 Like

Totally, I could provide more details as how to setup the LXD aswell with an external router that provides DHCP etc. Setting up a LXD host in a good way is now covered very well either…

Unfortunately, the hardcore version with a LXD cluster is nothing I’ve tested yet - but that would be an absolute amazing setup… Perhaps in the future when I have some more time to dig into that…