Comments (1)
I'll write a short document under spec/ for that.
Basically the current thought is to support two setups:
- SSH style, lxd and lxc both generate their own certificates. On first connection to a server, the fingerprint is shown and the user prompted about it. Then they proceed to password authentication (or not if already trusted by the server) and their public key is added to the server's trust store.
- PKI style, certificates are generated centrally and manually added to the server and client, including a CA. All checks are performed against the CA, including certificate type checking and the CommonName field. If all checks out, the connection is allowed without user intervention; if something doesn't, the connection fails. The user would then be able to override the failing behaviour through environment or a similarly difficult path.
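The two setups described in the comment above, sketched with Go's standard `crypto/x509` as an added example; it is not part of the original comment and not LXD's code. The helper names `issue`, `sshStyle` and `pkiStyle`, the certificate names and the in-memory trust store are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed sample certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// sshStyle: an unknown peer is not an error; the caller shows fp, prompts, then stores it.
func sshStyle(store map[string]bool, peer *x509.Certificate) (known bool, fp string) {
	fp = fmt.Sprintf("%x", sha256.Sum256(peer.Raw))
	return store[fp], fp
}

// pkiStyle never prompts: CA chain, certificate type (EKU) and CommonName must all match.
func pkiStyle(ca, peer *x509.Certificate, usage x509.ExtKeyUsage, cn string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{usage}})
	if err == nil && peer.Subject.CommonName != cn {
		err = fmt.Errorf("CommonName %q, expected %q", peer.Subject.CommonName, cn)
	}
	return err
}

func main() {
	ca, caKey := issue("constructed CA", nil, nil)
	srv, _ := issue("lxd-server", ca, caKey, x509.ExtKeyUsageServerAuth)
	known, fp := sshStyle(map[string]bool{}, srv)
	fmt.Println(known, fp, pkiStyle(ca, srv, x509.ExtKeyUsageServerAuth, "lxd-server"))
}
```

In the SSH-style path a changed certificate simply shows up as unknown again, so the prompt is the only gate; in the PKI-style path a self-signed certificate carrying the right CommonName is still rejected because it does not chain to the CA.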