LXD security luks ssh sync

From UVOO Tech Wiki

To sync your SSH configuration and keys across your LXD cluster (the Ubuntu 24.04 node and your older 22.04 nodes), you can use a combination of LXD's built-in file push and a simple Bash alias.

Since your 6-disk ZFS mirror is likely your "main" node, we’ll use it as the source of truth.

1. The Manual Sync (Quickest)

LXD's lxc file push copies a file from the host you run it on into an instance; in a cluster, that instance may live on any member. To push your updated config into a specific container:

lxc file push ~/.ssh/config my-alpine-container/root/.ssh/config

2. The Cluster-Wide Sync Script

If you want to ensure every node in your cluster has the same SSH shortcuts, you can run this loop from your primary node. It iterates through all nodes and updates their local ~/.ssh/config.

# Copy only the client config (never private keys) to every cluster member.
# The first CSV column of "lxc cluster list" is the member name; this assumes
# each name resolves as an SSH host (DNS or a Host entry in your config).
for node in $(lxc cluster list --format csv | cut -d, -f1); do
  scp ~/.ssh/config "$node":.ssh/config
done

3. Using "SSH Agent Forwarding" (Recommended)

Instead of copying your private keys to every node (which is a security risk), use agent forwarding. Your keys stay on your local machine and are "lent" to the cluster nodes as you jump between them.

Update your ~/.ssh/config on your local machine:

Host lxd-cluster-*
    ForwardAgent yes
    User busk
    IdentityFile ~/.ssh/id_ed25519_personal

How it works:

  1. You SSH into Node A.
  2. From Node A, you want to git clone or SSH into Node B.
  3. Node A "asks" your local machine to sign the request using your key.
  4. The private key never leaves your laptop.

4. Syncing via a Git "Dotfiles" Repo

Since we just set up your Git SSH access, the most professional way to manage this is to create a private "dotfiles" repository.

  1. Create a private repo on GitHub called dotfiles.
  2. Push your config:

     git add ~/.ssh/config
     git commit -m "update ssh config"
     git push

  3. Pull on other nodes: On any new node in your cluster, just git pull to get your latest shortcuts and host definitions.
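The one thing a dotfiles repo for ~/.ssh must never do is pick up a private key. The script below is an added example, not code from the UVOO wiki page: it initialises a repo with a deny-by-default .gitignore inside .ssh that re-allows only the client config and public keys, then uses git's own matching to show what "git add" would and would not track. The function names and the repo path are assumptions; in real use the repo root stands in for your home directory.

```shell
#!/bin/sh
# Added example, not code from the UVOO wiki page: set up a private "dotfiles"
# repository for ~/.ssh so that config and public keys are tracked but private
# keys and known_hosts can never be added, even by a careless "git add .".
# Assumption: the repo root stands in for your home directory; the path
# passed in is constructed (a temp dir in the test), not a real checkout.
set -eu

# Initialise the repo with a deny-by-default .gitignore inside .ssh.
init_dotfiles_repo() {
  repo="$1"
  mkdir -p "$repo/.ssh"
  git -C "$repo" init -q
  cat > "$repo/.ssh/.gitignore" <<'EOF'
# Ignore everything in .ssh by default ...
*
# ... then re-allow only the client config, public keys and this file.
!.gitignore
!config
!*.pub
EOF
  git -C "$repo" add .ssh/.gitignore
  git -C "$repo" -c user.name=dotfiles -c user.email=dotfiles@example.invalid \
    commit -q -m "ssh: never track private keys"
}

# Answer "ignored" or "tracked" for a path relative to the repo root, using
# git's own matching so the result is exactly what "git add" would do.
classify() {
  if git -C "$1" check-ignore -q "$2"; then
    echo ignored
  else
    echo tracked
  fi
}

# Usage: sh dotfiles_ssh.sh /path/to/repo
if [ -n "${1-}" ]; then
  init_dotfiles_repo "$1"
  for p in .ssh/config .ssh/id_ed25519 .ssh/id_ed25519.pub .ssh/known_hosts; do
    echo "$p: $(classify "$1" "$p")"
  done
fi
```

The ignore file is allow-list style on purpose: a new key type or an agent socket dropped into ~/.ssh stays ignored unless you explicitly add a negation for it, and a private key named anything at all is caught.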

5. Security Warning for ZFS Pools

If you are syncing these files to a directory on your tank pool, ensure the ZFS dataset permissions are restricted. ssh refuses to use a config file or private key that is writable by group or other (e.g., if a group has write access), and sshd with StrictModes ignores an authorized_keys file that sits in such a directory.

# Ensure the ZFS mount for your home dir is strict: only the owner may enter
# the directory or read the config file
sudo chmod 700 /home/busk/.ssh
sudo chmod 600 /home/busk/.ssh/config
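After a sync it is worth checking every node rather than trusting the copy. The script below is an added example, not code from the UVOO wiki page, and serves both section 3 and section 5: it audits a ~/.ssh directory with the same rules ssh and sshd apply (no group/other bits on the directory, config, authorized_keys and private keys; public keys readable but never group- or world-writable), can apply the fix, and lists which Host patterns in the client config turn on ForwardAgent. That last check matters because a forwarded agent can be used by root on the intermediate host for as long as your session is open, so the page's pattern-scoped "Host lxd-cluster-*" is the right shape and a bare "Host *" or a global ForwardAgent line is what to avoid. The function names are assumptions, the sample config in the test is constructed, and the stat(1) flags assume GNU coreutils with a BSD fallback.

```shell
#!/bin/sh
# Added example, not code from the UVOO wiki page: audit a synced ~/.ssh the
# way ssh and sshd (StrictModes) judge it, offer a fix, and list which Host
# patterns in the client config lend out your agent. The sample config and
# directory used in the test are constructed; the stat(1) flags assume GNU
# coreutils with a BSD fallback.
set -u

# Last three octal digits of a path's mode, e.g. "644".
perm_digits() {
  m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
  m=000$m
  p=${m%???}
  printf '%s\n' "${m#$p}"
}

# Print one line per finding in DIR and return 1 if anything is wrong.
# Rules: the directory and every non-.pub file must have no group/other bits
# (private keys, config, authorized_keys); public keys may be readable but
# never writable by group or other.
audit_ssh_dir() {
  dir=$1; rc=0
  go=$(perm_digits "$dir"); go=${go#?}
  [ "$go" = 00 ] || { echo "$dir: group/other bits set, want 700"; rc=1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    m=$(perm_digits "$f"); go=${m#?}
    case $f in
      *.pub)
        case $go in
          *[2367]*) echo "$f: mode $m, writable by group/other"; rc=1 ;;
        esac ;;
      *)
        [ "$go" = 00 ] || { echo "$f: mode $m, want 600"; rc=1; } ;;
    esac
  done
  return $rc
}

# Apply the same rules: 700 on the directory, 644 on public keys, 600 else.
fix_ssh_dir() {
  chmod 700 "$1"
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    case $f in *.pub) chmod 644 "$f" ;; *) chmod 600 "$f" ;; esac
  done
}

# Host patterns in a client config that set "ForwardAgent yes". A line
# printed as "*" means the agent is forwarded to every server, which is the
# setting to avoid: keep it scoped to a pattern like lxd-cluster-*.
forward_agent_hosts() {
  awk '
    /^[ \t]*#/ { next }
    tolower($1) == "host" || tolower($1) == "match" {
      hosts = ""
      for (i = 2; i <= NF; i++) hosts = hosts (i > 2 ? " " : "") $i
    }
    tolower($1) == "forwardagent" && tolower($2) == "yes" {
      print (hosts == "" ? "*" : hosts)
    }
  ' "$1"
}

# Usage: sh audit_ssh.sh ~/.ssh [--fix]
if [ -n "${1-}" ]; then
  if [ "${2-}" = --fix ]; then fix_ssh_dir "$1"; fi
  if audit_ssh_dir "$1"; then echo "$1: permissions ok"; fi
  if [ -f "$1/config" ]; then
    forward_agent_hosts "$1/config" | sed 's/^/ForwardAgent yes for: /'
  fi
fi
```

Run it without --fix first on each node; a non-zero exit or any "ForwardAgent yes for: *" line is the signal to look before changing anything, since the fix deliberately tightens public keys too.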

Summary Checklist

Method             Best for...                     Security level
Agent Forwarding   Jumping between nodes           High (keys stay local)
LXC File Push      Quick fixes to containers       Medium
Git Dotfiles       Long-term cluster management    High (if repo is private)
