Beginner networking questions re manual cloud

Hi, I am new to Juju/K8s, and have some newbie questions…

We are running a number of bare metal co-located servers distributed amongst 4 datacenter(s) in different geographical regions. These machines currently each have several public IPs (no other networking) and are running several lxc containers on them, with some iptables duct-tape to make them all reachable where necessary.

I would like to use juju to do this just a little more organised, perhaps also with k8s so we can move from lxc do lxd on juju and then move some bits out of lxd containers to k8s as and where appropriate.

I was hoping I can create a manual cloud with some of the existing machines and grow from there.

My understanding however is that juju really needs to be run with machines that are all on an internal (and safe) network; with some mechanism that dishes out floating public IPs. Do I understand things correctly? Or can I put all these machines in a manual cloud using their public IPs, relying on juju to set up an encrypted network that can possibly span datacenters from different providers?

It seems like if you add a machine via ssh in a manual cloud, that juju will spin up units as lxd containers on that machine? Is this correct? Because if so, what’s the point of being able to use a remote lxd cloud / cluster?

Thanks!

Juju creates a CA certificate for the controller and issues certificates used by Mongo and the API server. Then each machine agent and unit agent uses that CA certificate only when dialing back to the controller(s). So technically they can all use a public facing network safely.

The things I would be concerned about is ensuring the controller is at least firewalled to the public IPs of your manual cloud and your client IPs. Mongo ports should only allow connections from the controllers/mongo.

Not necessarily, units are deployed to a “machine”. Machines can be containers, but they could also be the bare metal servers themselves. Where things get confusing is that it is also possible add further machines, that are containers, within your current machines (juju add-machine lxd or, less commonly, juju add-machine kvm).

Adding a remote LXD cluster as a cloud has an advantage that it has its own concept of availability zones. A potential disadvantage is that all applications will deployed to containers.

It sounds like what you probably want though is MAAS. That gives you access to your bare metal servers as machines if you need them, the ability to use LXD containers and more automation.

If you would like to use the manual though, that’s an option too. For each data center, run juju add-cloud, then juju add-machine ssh:<user>@<host> for each node.

Happy to provide more info if that would be useful. Sorry that there’s so much to cover before you get started.

Ah, thanks for all the answers.

I guess I am looking at this with Docker-coloured glasses and somehow just expect a unit to be a container, which is not true.

Yes, I have started looking at MAAS, but I’m not so sure it is possible to run MAAS if you don’t have more control over the datacenter? Either way, I do not need to provision bare metal machines and their hardware on the fly. I really just need to manage the applications on the machines that are already there a bit better.