Getting started
LXD installation details
At the time of writing this role (December 2019) LXD was not available natively in Debian. Packaging efforts are ongoing, however there's no telling if LXD will be included in the next Debian release (Bullseye). The upstream developers suggest installation on Debian via Snap, however this brings its own set of issues which are offtopic here.
Instead, on Debian hosts the debops.lxd role utilizes the debops.golang role to install the lxd and lxc binaries from upstream git repository by compiling them from source. The role will configure the rest of the needed infrastructure (systemd unit files, logrotate and sysctl configuration, POSIX groups, log directory, etc.) so that the LXD service should work out of the box on Debian without the need of a Snap installation.
The debops.golang configuration for building and installing LXD is
defined in the lxd__golang__dependent_packages
variable.
Due to the build dependency on the lxc-dev
APT package, which pulls the
lxc
APT package automatically, the debops.lxc role and its
dependencies will be used to configure the LXC environment. The lxcbr0
network bridge will be automatically disabled in this case.
Warning
Merge commits in the lxc/lxd GitHub repository might be signed
with the GPG key issued by GitHub, used for signing commits done in the web
interface. It has to be done, because tagged LXD releases have problems
with their dependency chains and due to that the debops.lxd role
relies on stable branches in the LXD repository. The trust is limited to the
_golang
UNIX account and might have an impact for any Go applications
built in that specific environment.
Example inventory
To enable LXD support on a host, it needs to be added to the
[debops_service_lxd]
Ansible inventory group:
[debops_all_hosts:children]
lxd_hosts
lxd_containers
[debops_service_lxd:children]
lxd_hosts
[lxd_hosts]
lxd-host ansible_host=lxd-host.example.org
[lxd_containers]
webserver ansible_host=webserver.example.org
By default, containers will use the lxdbr0
bridge managed by the LXD
service, with their own internal lxd
subdomain. You can use the
debops.ifupdown Ansible role to configure additional network bridges on
the LXD host, if you want to attach the containers to the public network.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.lxd
role:
---
- name: Manage LXD service
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debops_service_lxd' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: root_account
tags: [ 'role::root_account', 'skip::root_account' ]
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::golang' ]
keyring__dependent_gpg_user: '{{ golang__keyring__dependent_gpg_user }}'
keyring__dependent_gpg_keys:
- '{{ golang__keyring__dependent_gpg_keys }}'
golang__dependent_packages: # noqa var-naming[no-role-prefix]
- '{{ lxd__golang__dependent_packages }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ golang__apt_preferences__dependent_list }}'
- '{{ lxc__apt_preferences__dependent_list }}'
- role: golang
tags: [ 'role::golang', 'skip::golang' ]
golang__dependent_packages:
- '{{ lxd__golang__dependent_packages }}'
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: logrotate
tags: [ 'role::logrotate', 'skip::logrotate' ]
logrotate__dependent_config:
- '{{ lxd__logrotate__dependent_config }}'
- role: ferm
tags: [ 'role::ferm', 'skip::ferm' ]
ferm__dependent_rules:
- '{{ lxc__ferm__dependent_rules }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::lxc' ]
python__dependent_packages3:
- '{{ lxc__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ lxc__python__dependent_packages2 }}'
- role: sysctl
tags: [ 'role::sysctl', 'skip::sysctl' ]
sysctl__dependent_parameters:
- '{{ lxc__sysctl__dependent_parameters }}'
- '{{ lxd__sysctl__dependent_parameters }}'
- role: lxc
tags: [ 'role::lxc', 'skip::lxc' ]
- role: lxd
tags: [ 'role::lxd', 'skip::lxd' ]
# If a host has 'debops.dnsmasq' or 'debops.unbound' roles configured, execute
# its playbook in case that configuration applied by the 'lxd' role needs to be
# applied to 'dnsmasq' or 'unbound' services. This should ensure that the
# '*.lxd' subdomain for internal LXD containers is resolvable on the LXD host.
#
# If the host is not in the Ansible inventory groups required by the
# 'dnsmasq.yml' or the 'unbound.yml' playbooks, this should not impact
# anything.
- name: Configure dnsmasq service
import_playbook: 'dnsmasq.yml'
- name: Configure unbound service
import_playbook: 'unbound.yml'
Other resources
List of other useful resources related to the debops.lxd
Ansible role:
Manual pages: lxc(7)
LXD page in Debian Wiki, with packaging information and current progress
LXD page in Arch Linux Wiki
LXD page in Ubuntu Wiki
LXD 2.0 blog post series written by Stéphane Graber