/
proc
/
1387183
/
root
/
snap
/
lxd
/
35616
/
share
/
lxd-documentation
/
authentication
/
File Upload :
llllll
Current File: //proc/1387183/root/snap/lxd/35616/share/lxd-documentation/authentication/index.html
<!doctype html> <html class="no-js" lang="en" data-content_root="../"> <head><meta charset="utf-8"/> <meta name="viewport" content="width=device-width,initial-scale=1"/> <meta name="color-scheme" content="light dark"><meta name="viewport" content="width=device-width, initial-scale=1" /> <meta property="og:title" content="Remote API authentication" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://documentation.ubuntu.com/lxd/latest/authentication/" /> <meta property="og:site_name" content="LXD documentation" /> <meta property="og:description" content="Remote communications with the LXD daemon happen using JSON over HTTPS. This requires the LXD API to be exposed over the network; see How to expose LXD to the network for instructions. To be able t..." /> <meta property="og:image" content="https://documentation.ubuntu.com/lxd/latest/_static/tag.png" /> <meta property="og:image:alt" content="LXD documentation" /> <meta name="description" content="Remote communications with the LXD daemon happen using JSON over HTTPS. This requires the LXD API to be exposed over the network; see How to expose LXD to the network for instructions. To be able t..." /> <link rel="index" title="Index" href="../genindex/" /><link rel="search" title="Search" href="../search/" /><link rel="next" title="Remote API authorization" href="../explanation/authorization/" /><link rel="prev" title="lxc show and info" href="../explanation/lxc_show_info/" /> <link rel="canonical" href="https://documentation.ubuntu.com/lxd/authentication/" /> <link rel="shortcut icon" href="../_static/favicon.ico"/><!-- Generated with Sphinx 8.2.3 and Furo 2025.07.19 --> <title>Remote API authentication</title> <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=d111a655" /> <link rel="stylesheet" type="text/css" href="../_static/styles/furo.css?v=25af2a20" /> <link rel="stylesheet" type="text/css" href="../_static/copybutton.css?v=76b2166b" /> <link rel="stylesheet" type="text/css" href="../_static/youtube.css" /> <link rel="stylesheet" type="text/css" href="../_static/related-links.css" /> <link rel="stylesheet" type="text/css" href="../_static/terminal-output.css" /> <link rel="stylesheet" type="text/css" href="../_static/config-options.css" /> <link rel="stylesheet" type="text/css" href="../_static/sphinx-design.min.css?v=95c83b7e" /> <link rel="stylesheet" type="text/css" href="../_static/tabs.css?v=a5c4661c" /> <link rel="stylesheet" type="text/css" href="../_static/styles/furo-extensions.css?v=8dab3a3b" /> <link rel="stylesheet" type="text/css" href="../_static/custom.css?v=66d86e9d" /> <link rel="stylesheet" type="text/css" href="../_static/header.css?v=84f70f09" /> <link rel="stylesheet" type="text/css" href="../_static/github_issue_links.css?v=af88fb93" /> <link rel="stylesheet" type="text/css" href="../_static/furo_colors.css?v=c4ccdb8a" /> <link rel="stylesheet" type="text/css" href="../_static/footer.css?v=bd05fc90" /> <link rel="stylesheet" type="text/css" href="../_static/cookie-banner.css?v=b74831ab" /> </head> <body> <header id="header" class="p-navigation"> <script type="module" src="../_static/js/bundle.js"> </script> <!-- Google Tag Manager --> <script> (function(w, d, s, l, i) { w[l] = w[l] || []; w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' }); var f = d.getElementsByTagName(s)[0]; var j = d.createElement(s); var dl = ''; if (l != 'dataLayer') { dl = '&l=' + l; } j.async = true; j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f); })(window, document, 'script', 'dataLayer', 'GTM-KNX3CJC'); </script> <div class="p-navigation__nav" role="menubar"> <ul class="p-navigation__links" role="menu"> <li> <a class="p-logo" href="https://canonical.com/lxd" aria-current="page"> <img src="../_static/tag.png" alt="Logo" class="p-logo-image"> <div class="p-logo-text p-heading--4">LXD </div> </a> </li> <li class="nav-ubuntu-com"> <a href="https://canonical.com/lxd" class="p-navigation__link">canonical.com/lxd</a> </li> <li> <a href="#" class="p-navigation__link nav-more-links">More resources</a> <ul class="more-links-dropdown"> <li> <a href="https://ubuntu.com/lxd/install/" class="p-navigation__sub-link p-dropdown__link">Install LXD</a> </li> <li> <a href="https://ubuntu.com/lxd/manage/" class="p-navigation__sub-link p-dropdown__link">Manage LXD</a> </li> <li> <a href="https://discourse.ubuntu.com/c/lxd/" class="p-navigation__sub-link p-dropdown__link">Forum</a> </li> <li> <a href="https://github.com/canonical/lxd" class="p-navigation__sub-link p-dropdown__link">GitHub</a> </li> </ul> </li> </ul> </div> </header> <script> document.body.dataset.theme = localStorage.getItem("theme") || "auto"; </script> <svg xmlns="http://www.w3.org/2000/svg" style="display: none;"> <symbol id="svg-toc" viewBox="0 0 24 24"> <title>Contents</title> <svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 1024 1024"> <path d="M408 442h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8zm-8 204c0 4.4 3.6 8 8 8h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56zm504-486H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 632H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM115.4 518.9L271.7 642c5.8 4.6 14.4.5 14.4-6.9V388.9c0-7.4-8.5-11.5-14.4-6.9L115.4 505.1a8.74 8.74 0 0 0 0 13.8z"/> </svg> </symbol> <symbol id="svg-menu" viewBox="0 0 24 24"> <title>Menu</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-menu"> <line x1="3" y1="12" x2="21" y2="12"></line> <line x1="3" y1="6" x2="21" y2="6"></line> <line x1="3" y1="18" x2="21" y2="18"></line> </svg> </symbol> <symbol id="svg-arrow-right" viewBox="0 0 24 24"> <title>Expand</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-chevron-right"> <polyline points="9 18 15 12 9 6"></polyline> </svg> </symbol> <symbol id="svg-sun" viewBox="0 0 24 24"> <title>Light mode</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="feather-sun"> <circle cx="12" cy="12" r="5"></circle> <line x1="12" y1="1" x2="12" y2="3"></line> <line x1="12" y1="21" x2="12" y2="23"></line> <line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line> <line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line> <line x1="1" y1="12" x2="3" y2="12"></line> <line x1="21" y1="12" x2="23" y2="12"></line> <line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line> <line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line> </svg> </symbol> <symbol id="svg-moon" viewBox="0 0 24 24"> <title>Dark mode</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-moon"> <path stroke="none" d="M0 0h24v24H0z" fill="none" /> <path d="M12 3c.132 0 .263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z" /> </svg> </symbol> <symbol id="svg-sun-with-moon" viewBox="0 0 24 24"> <title>Auto light/dark, in light mode</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-custom-derived-from-feather-sun-and-tabler-moon"> <path style="opacity: 50%" d="M 5.411 14.504 C 5.471 14.504 5.532 14.504 5.591 14.504 C 3.639 16.319 4.383 19.569 6.931 20.352 C 7.693 20.586 8.512 20.551 9.25 20.252 C 8.023 23.207 4.056 23.725 2.11 21.184 C 0.166 18.642 1.702 14.949 4.874 14.536 C 5.051 14.512 5.231 14.5 5.411 14.5 L 5.411 14.504 Z"/> <line x1="14.5" y1="3.25" x2="14.5" y2="1.25"/> <line x1="14.5" y1="15.85" x2="14.5" y2="17.85"/> <line x1="10.044" y1="5.094" x2="8.63" y2="3.68"/> <line x1="19" y1="14.05" x2="20.414" y2="15.464"/> <line x1="8.2" y1="9.55" x2="6.2" y2="9.55"/> <line x1="20.8" y1="9.55" x2="22.8" y2="9.55"/> <line x1="10.044" y1="14.006" x2="8.63" y2="15.42"/> <line x1="19" y1="5.05" x2="20.414" y2="3.636"/> <circle cx="14.5" cy="9.55" r="3.6"/> </svg> </symbol> <symbol id="svg-moon-with-sun" viewBox="0 0 24 24"> <title>Auto light/dark, in dark mode</title> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-custom-derived-from-feather-sun-and-tabler-moon"> <path d="M 8.282 7.007 C 8.385 7.007 8.494 7.007 8.595 7.007 C 5.18 10.184 6.481 15.869 10.942 17.24 C 12.275 17.648 13.706 17.589 15 17.066 C 12.851 22.236 5.91 23.143 2.505 18.696 C -0.897 14.249 1.791 7.786 7.342 7.063 C 7.652 7.021 7.965 7 8.282 7 L 8.282 7.007 Z"/> <line style="opacity: 50%" x1="18" y1="3.705" x2="18" y2="2.5"/> <line style="opacity: 50%" x1="18" y1="11.295" x2="18" y2="12.5"/> <line style="opacity: 50%" x1="15.316" y1="4.816" x2="14.464" y2="3.964"/> <line style="opacity: 50%" x1="20.711" y1="10.212" x2="21.563" y2="11.063"/> <line style="opacity: 50%" x1="14.205" y1="7.5" x2="13.001" y2="7.5"/> <line style="opacity: 50%" x1="21.795" y1="7.5" x2="23" y2="7.5"/> <line style="opacity: 50%" x1="15.316" y1="10.184" x2="14.464" y2="11.036"/> <line style="opacity: 50%" x1="20.711" y1="4.789" x2="21.563" y2="3.937"/> <circle style="opacity: 50%" cx="18" cy="7.5" r="2.169"/> </svg> </symbol> <symbol id="svg-pencil" viewBox="0 0 24 24"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-pencil-code"> <path d="M4 20h4l10.5 -10.5a2.828 2.828 0 1 0 -4 -4l-10.5 10.5v4" /> <path d="M13.5 6.5l4 4" /> <path d="M20 21l2 -2l-2 -2" /> <path d="M17 17l-2 2l2 2" /> </svg> </symbol> <symbol id="svg-eye" viewBox="0 0 24 24"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-eye-code"> <path stroke="none" d="M0 0h24v24H0z" fill="none" /> <path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" /> <path d="M11.11 17.958c-3.209 -.307 -5.91 -2.293 -8.11 -5.958c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6c-.21 .352 -.427 .688 -.647 1.008" /> <path d="M20 21l2 -2l-2 -2" /> <path d="M17 17l-2 2l2 2" /> </svg> </symbol> </svg> <input type="checkbox" class="sidebar-toggle" name="__navigation" id="__navigation"> <input type="checkbox" class="sidebar-toggle" name="__toc" id="__toc"> <label class="overlay sidebar-overlay" for="__navigation"> <div class="visually-hidden">Hide navigation sidebar</div> </label> <label class="overlay toc-overlay" for="__toc"> <div class="visually-hidden">Hide table of contents sidebar</div> </label> <a class="skip-to-content muted-link" href="#furo-main-content">Skip to content</a> <div class="page"> <header class="mobile-header"> <div class="header-left"> <label class="nav-overlay-icon" for="__navigation"> <div class="visually-hidden">Toggle site navigation sidebar</div> <i class="icon"><svg><use href="#svg-menu"></use></svg></i> </label> </div> <div class="header-center"> <a href="../"><div class="brand">LXD</div></a> </div> <div class="header-right"> <div class="theme-toggle-container theme-toggle-header"> <button class="theme-toggle"> <div class="visually-hidden">Toggle Light / Dark / Auto color theme</div> <svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg> <svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg> <svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg> <svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg> </button> </div> <label class="toc-overlay-icon toc-header-icon" for="__toc"> <div class="visually-hidden">Toggle table of contents sidebar</div> <i class="icon"><svg><use href="#svg-toc"></use></svg></i> </label> </div> </header> <aside class="sidebar-drawer"> <div class="sidebar-container"> <div class="sidebar-sticky"><a class="sidebar-brand" href="../"> </a><form class="sidebar-search-container" method="get" action="../search/" role="search"> <input class="sidebar-search" placeholder="Search" name="q" aria-label="Search"> <input type="submit" value="Go"> <input type="hidden" name="check_keywords" value="yes"> <input type="hidden" name="area" value="default"> </form> <div id="searchbox"></div><div class="sidebar-scroll"><div class="sidebar-tree"> <ul class="current"> <li class="toctree-l1"><a class="reference internal" href="../">LXD</a></li> <li class="toctree-l1 has-children"><a class="reference internal" href="../tutorial/">Tutorials</a><input class="toctree-checkbox" id="toctree-checkbox-1" name="toctree-checkbox-1" role="switch" type="checkbox"/><label for="toctree-checkbox-1"><div class="visually-hidden">Toggle navigation of Tutorials</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l2"><a class="reference internal" href="../tutorial/first_steps/">First steps with LXD</a></li> <li class="toctree-l2"><a class="reference internal" href="../tutorial/ui/">Getting started with the UI</a></li> </ul> </li> <li class="toctree-l1 has-children"><a class="reference internal" href="../howto/">How-to guides</a><input class="toctree-checkbox" id="toctree-checkbox-2" name="toctree-checkbox-2" role="switch" type="checkbox"/><label for="toctree-checkbox-2"><div class="visually-hidden">Toggle navigation of How-to guides</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l2 has-children"><a class="reference internal" href="../getting_started/">Getting started</a><input class="toctree-checkbox" id="toctree-checkbox-3" name="toctree-checkbox-3" role="switch" type="checkbox"/><label for="toctree-checkbox-3"><div class="visually-hidden">Toggle navigation of Getting started</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../installing/">Install LXD</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/initialize/">Initialize LXD</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/access_ui/">Access the UI</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/access_documentation/">Access documentation locally</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../operation/">LXD server and client</a><input class="toctree-checkbox" id="toctree-checkbox-4" name="toctree-checkbox-4" role="switch" type="checkbox"/><label for="toctree-checkbox-4"><div class="visually-hidden">Toggle navigation of LXD server and client</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../howto/server_expose/">Expose LXD to the network</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/server_configure/">Configure the LXD server</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/oidc_auth0/">Configure OIDC authentication with Auth0</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/oidc_ory/">Configure OIDC authentication with Ory Hydra</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/oidc_keycloak/">Configure OIDC authentication with Keycloak</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/oidc_entra_id/">Configure OIDC authentication with Microsoft Entra ID</a></li> <li class="toctree-l3"><a class="reference internal" href="../remotes/">Add remote servers</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/lxc_alias/">Add command aliases</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../instances/">Instances</a><input class="toctree-checkbox" id="toctree-checkbox-5" name="toctree-checkbox-5" role="switch" type="checkbox"/><label for="toctree-checkbox-5"><div class="visually-hidden">Toggle navigation of Instances</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_create/">Create instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_configure/">Configure instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_manage/">Manage instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../profiles/">Use profiles</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_troubleshoot/">Troubleshoot errors</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_ubuntu_pro_attach/">Auto attach Ubuntu Pro</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_access_files/">Access files</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_console/">Access the console</a></li> <li class="toctree-l3"><a class="reference internal" href="../instance-exec/">Run commands</a></li> <li class="toctree-l3"><a class="reference internal" href="../cloud-init/">Use cloud-init</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_routed_nic_vm/">Add a routed NIC to a VM</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_backup/">Back up instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_migrate/">Migrate instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/import_machines_to_instances/">Import existing machines</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/container_gpu_passthrough_with_docker/">Pass NVIDIA GPUs</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../images/">Images</a><input class="toctree-checkbox" id="toctree-checkbox-6" name="toctree-checkbox-6" role="switch" type="checkbox"/><label for="toctree-checkbox-6"><div class="visually-hidden">Toggle navigation of Images</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../howto/images_remote/">Use remote images</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/images_manage/">Manage images</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/images_profiles/">Associate profiles</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/images_copy/">Copy and import images</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/images_create/">Create images</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../projects/">Projects</a><input class="toctree-checkbox" id="toctree-checkbox-7" name="toctree-checkbox-7" role="switch" type="checkbox"/><label for="toctree-checkbox-7"><div class="visually-hidden">Toggle navigation of Projects</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../howto/projects_create/">Create and configure</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/projects_work/">Work with projects</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/projects_confine/">Confine users to projects</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../storage/">Storage</a><input class="toctree-checkbox" id="toctree-checkbox-8" name="toctree-checkbox-8" role="switch" type="checkbox"/><label for="toctree-checkbox-8"><div class="visually-hidden">Toggle navigation of Storage</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../howto/storage_pools/">Manage pools</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/storage_volumes/">Manage volumes</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/storage_buckets/">Manage buckets</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/storage_create_instance/">Create an instance in a pool</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/storage_backup_volume/">Back up a volume</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/storage_move_volume/">Move or copy a volume</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../networks/">Networking</a><input class="toctree-checkbox" id="toctree-checkbox-9" name="toctree-checkbox-9" role="switch" type="checkbox"/><label for="toctree-checkbox-9"><div class="visually-hidden">Toggle navigation of Networking</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../howto/network_create/">Create a network</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_configure/">Configure a network</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_bgp/">Configure as BGP server</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_acls/">Configure network ACLs</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_forwards/">Configure forwards</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_zones/">Configure network zones</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_bridge_firewalld/">Configure your firewall</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_bridge_resolved/">Integrate with resolved</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_ovn_setup/">Set up OVN</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_load_balancers/">Configure load balancers</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_ovn_peers/">Configure peer routing</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_ipam/">Display IPAM information</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../clustering/">Clustering</a><input class="toctree-checkbox" id="toctree-checkbox-10" name="toctree-checkbox-10" role="switch" type="checkbox"/><label for="toctree-checkbox-10"><div class="visually-hidden">Toggle navigation of Clustering</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../howto/cluster_form/">Form a cluster</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/cluster_manage/">Manage a cluster</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/cluster_config_networks/">Configure networks</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/cluster_config_storage/">Configure storage</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/cluster_manage_instance/">Manage instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/cluster_groups/">Set up cluster groups</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/cluster_recover/">Recover a cluster</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../production-setup/">Production setup</a><input class="toctree-checkbox" id="toctree-checkbox-11" name="toctree-checkbox-11" role="switch" type="checkbox"/><label for="toctree-checkbox-11"><div class="visually-hidden">Toggle navigation of Production setup</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../howto/benchmark_performance/">Benchmark performance</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/network_increase_bandwidth/">Increase bandwidth</a></li> <li class="toctree-l3"><a class="reference internal" href="../metrics/">Monitor metrics</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/logs_loki/">Send logs to Loki</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/grafana/">Set up Grafana</a></li> <li class="toctree-l3"><a class="reference internal" href="../backup/">Back up a server</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/disaster_recovery/">Recover instances</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../howto/snap/">Manage the snap</a></li> <li class="toctree-l2 has-children"><a class="reference internal" href="../howto/troubleshoot/">Troubleshooting</a><input class="toctree-checkbox" id="toctree-checkbox-12" name="toctree-checkbox-12" role="switch" type="checkbox"/><label for="toctree-checkbox-12"><div class="visually-hidden">Toggle navigation of Troubleshooting</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../howto/network_bridge_firewalld/">Configure your firewall</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/instances_troubleshoot/">Troubleshoot instances</a></li> <li class="toctree-l3"><a class="reference internal" href="../howto/dqlite_troubleshoot/">Troubleshoot Dqlite</a></li> <li class="toctree-l3"><a class="reference internal" href="../debugging/">Debug LXD</a></li> <li class="toctree-l3"><a class="reference internal" href="../faq/">Frequently asked</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../support/">Get support</a></li> <li class="toctree-l2"><a class="reference internal" href="../contributing/">Contribute to LXD</a></li> </ul> </li> <li class="toctree-l1 current has-children"><a class="reference internal" href="../explanation/">Explanation</a><input checked="" class="toctree-checkbox" id="toctree-checkbox-13" name="toctree-checkbox-13" role="switch" type="checkbox"/><label for="toctree-checkbox-13"><div class="visually-hidden">Toggle navigation of Explanation</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul class="current"> <li class="toctree-l2"><a class="reference internal" href="../explanation/lxd_lxc/"><code class="docutils literal notranslate"><span class="pre">lxd</span></code> and <code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li> <li class="toctree-l2"><a class="reference internal" href="../explanation/instances/">Containers and VMs</a></li> <li class="toctree-l2"><a class="reference internal" href="../image-handling/">Local and remote images</a></li> <li class="toctree-l2"><a class="reference internal" href="../explanation/storage/">Storage pools, volumes, and buckets</a></li> <li class="toctree-l2"><a class="reference internal" href="../explanation/networks/">Networking setups</a></li> <li class="toctree-l2"><a class="reference internal" href="../database/">The LXD Dqlite database</a></li> <li class="toctree-l2"><a class="reference internal" href="../explanation/lxc_show_info/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code> <code class="docutils literal notranslate"><span class="pre">show</span></code> and <code class="docutils literal notranslate"><span class="pre">info</span></code></a></li> <li class="toctree-l2 current current-page"><a class="current reference internal" href="#">Remote API authentication</a></li> <li class="toctree-l2"><a class="reference internal" href="../explanation/authorization/">Remote API authorization</a></li> <li class="toctree-l2"><a class="reference internal" href="../explanation/projects/">Instances grouping with projects</a></li> <li class="toctree-l2"><a class="reference internal" href="../explanation/clusters/">Clusters</a></li> <li class="toctree-l2"><a class="reference internal" href="../explanation/performance_tuning/">Performance tuning</a></li> <li class="toctree-l2"><a class="reference internal" href="../explanation/security/">Security</a></li> <li class="toctree-l2"><a class="reference internal" href="../explanation/bpf/">Privilege delegation using BPF Token</a></li> </ul> </li> <li class="toctree-l1 has-children"><a class="reference internal" href="../reference/">Reference</a><input class="toctree-checkbox" id="toctree-checkbox-14" name="toctree-checkbox-14" role="switch" type="checkbox"/><label for="toctree-checkbox-14"><div class="visually-hidden">Toggle navigation of Reference</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l2"><a class="reference internal" href="../requirements/">Requirements</a></li> <li class="toctree-l2"><a class="reference internal" href="../architectures/">Architectures</a></li> <li class="toctree-l2"><a class="reference internal" href="../reference/releases-snap/">Releases and snap</a></li> <li class="toctree-l2"><a class="reference internal" href="../reference/remote_image_servers/">Remote image servers</a></li> <li class="toctree-l2"><a class="reference internal" href="../reference/image_format/">Image format</a></li> <li class="toctree-l2"><a class="reference internal" href="../guest-os-compatibility/">Guest OS compatibility</a></li> <li class="toctree-l2"><a class="reference internal" href="../container-environment/">Container environment</a></li> <li class="toctree-l2"><a class="reference internal" href="../config-options/">Configuration option index</a></li> <li class="toctree-l2"><a class="reference internal" href="../server/">Server configuration</a></li> <li class="toctree-l2 has-children"><a class="reference internal" href="../explanation/instance_config/">Instance configuration</a><input class="toctree-checkbox" id="toctree-checkbox-15" name="toctree-checkbox-15" role="switch" type="checkbox"/><label for="toctree-checkbox-15"><div class="visually-hidden">Toggle navigation of Instance configuration</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../reference/instance_properties/">Instance properties</a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/instance_options/">Instance options</a></li> <li class="toctree-l3 has-children"><a class="reference internal" href="../reference/devices/">Devices</a><input class="toctree-checkbox" id="toctree-checkbox-16" name="toctree-checkbox-16" role="switch" type="checkbox"/><label for="toctree-checkbox-16"><div class="visually-hidden">Toggle navigation of Devices</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l4"><a class="reference internal" href="../reference/standard_devices/">Standard devices</a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_none/">Type: <code class="docutils literal notranslate"><span class="pre">none</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_nic/">Type: <code class="docutils literal notranslate"><span class="pre">nic</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_disk/">Type: <code class="docutils literal notranslate"><span class="pre">disk</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_unix_char/">Type: <code class="docutils literal notranslate"><span class="pre">unix-char</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_unix_block/">Type: <code class="docutils literal notranslate"><span class="pre">unix-block</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_usb/">Type: <code class="docutils literal notranslate"><span class="pre">usb</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_gpu/">Type: <code class="docutils literal notranslate"><span class="pre">gpu</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_infiniband/">Type: <code class="docutils literal notranslate"><span class="pre">infiniband</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_proxy/">Type: <code class="docutils literal notranslate"><span class="pre">proxy</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_unix_hotplug/">Type: <code class="docutils literal notranslate"><span class="pre">unix-hotplug</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_tpm/">Type: <code class="docutils literal notranslate"><span class="pre">tpm</span></code></a></li> <li class="toctree-l4"><a class="reference internal" href="../reference/devices_pci/">Type: <code class="docutils literal notranslate"><span class="pre">pci</span></code></a></li> </ul> </li> <li class="toctree-l3"><a class="reference internal" href="../reference/instance_units/">Units for storage and network limits</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../reference/preseed_yaml_fields/">Preseed YAML file fields</a></li> <li class="toctree-l2"><a class="reference internal" href="../reference/projects/">Project configuration</a></li> <li class="toctree-l2 has-children"><a class="reference internal" href="../reference/storage_drivers/">Storage drivers</a><input class="toctree-checkbox" id="toctree-checkbox-17" name="toctree-checkbox-17" role="switch" type="checkbox"/><label for="toctree-checkbox-17"><div class="visually-hidden">Toggle navigation of Storage drivers</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../reference/storage_btrfs/">Btrfs - <code class="docutils literal notranslate"><span class="pre">btrfs</span></code></a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/storage_cephfs/">CephFS - <code class="docutils literal notranslate"><span class="pre">cephfs</span></code></a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/storage_cephobject/">Ceph Object - <code class="docutils literal notranslate"><span class="pre">cephobject</span></code></a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/storage_ceph/">Ceph RBD - <code class="docutils literal notranslate"><span class="pre">ceph</span></code></a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/storage_powerflex/">Dell PowerFlex - <code class="docutils literal notranslate"><span class="pre">powerflex</span></code></a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/storage_pure/">Pure Storage - <code class="docutils literal notranslate"><span class="pre">pure</span></code></a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/storage_dir/">Directory - <code class="docutils literal notranslate"><span class="pre">dir</span></code></a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/storage_lvm/">LVM - <code class="docutils literal notranslate"><span class="pre">lvm</span></code></a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/storage_zfs/">ZFS - <code class="docutils literal notranslate"><span class="pre">zfs</span></code></a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../reference/networks/">Networks</a><input class="toctree-checkbox" id="toctree-checkbox-18" name="toctree-checkbox-18" role="switch" type="checkbox"/><label for="toctree-checkbox-18"><div class="visually-hidden">Toggle navigation of Networks</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../reference/network_bridge/">Bridge network</a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/network_ovn/">OVN network</a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/network_macvlan/">Macvlan network</a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/network_physical/">Physical network</a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/network_sriov/">SR-IOV network</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../reference/cluster_member_config/">Cluster configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../reference/server_settings/">Production server settings</a></li> <li class="toctree-l2"><a class="reference internal" href="../reference/provided_metrics/">Provided metrics</a></li> <li class="toctree-l2"><a class="reference internal" href="../reference/permissions/">Permissions</a></li> <li class="toctree-l2 has-children"><a class="reference internal" href="../restapi_landing/">REST API</a><input class="toctree-checkbox" id="toctree-checkbox-19" name="toctree-checkbox-19" role="switch" type="checkbox"/><label for="toctree-checkbox-19"><div class="visually-hidden">Toggle navigation of REST API</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../rest-api/">Main API documentation</a></li> <li class="toctree-l3"><a class="reference internal" href="../api/">Main API specification</a></li> <li class="toctree-l3"><a class="reference internal" href="../api-extensions/">Main API extensions</a></li> <li class="toctree-l3"><a class="reference internal" href="../events/">Events API documentation</a></li> <li class="toctree-l3"><a class="reference internal" href="../dev-lxd/">Instance API</a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../reference/manpages/">Man pages</a><input class="toctree-checkbox" id="toctree-checkbox-20" name="toctree-checkbox-20" role="switch" type="checkbox"/><label for="toctree-checkbox-20"><div class="visually-hidden">Toggle navigation of Man pages</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../reference/manpages/lxc/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li> </ul> </li> <li class="toctree-l2 has-children"><a class="reference internal" href="../internals/">Internals</a><input class="toctree-checkbox" id="toctree-checkbox-21" name="toctree-checkbox-21" role="switch" type="checkbox"/><label for="toctree-checkbox-21"><div class="visually-hidden">Toggle navigation of Internals</div><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></label><ul> <li class="toctree-l3"><a class="reference internal" href="../environment/">Environment variables</a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/uefi_variables/">UEFI variables for VMs</a></li> <li class="toctree-l3"><a class="reference internal" href="../daemon-behavior/">Daemon behavior</a></li> <li class="toctree-l3"><a class="reference internal" href="../syscall-interception/">System call interception</a></li> <li class="toctree-l3"><a class="reference internal" href="../userns-idmap/">User namespace setup</a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/ovn-internals/">OVN implementation</a></li> <li class="toctree-l3"><a class="reference internal" href="../reference/vm_live_migration_internals/">VM live migration implementation</a></li> </ul> </li> <li class="toctree-l2"><a class="reference external" href="https://github.com/canonical/lxd">Project repository</a></li> <li class="toctree-l2"><a class="reference external" href="https://images.lxd.canonical.com">Image server</a></li> </ul> </li> </ul> </div> </div> </div> </div> </aside> <div class="main"> <div class="content"> <div class="article-container"> <a href="#" class="back-to-top muted-link"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"> <path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12z"></path> </svg> <span>Back to top</span> </a> <div class="content-icon-container"> <div class="view-this-page"> <a class="muted-link" href="../_sources/authentication.md.txt" title="View this page"> <svg><use href="#svg-eye"></use></svg> <span class="visually-hidden">View this page</span> </a> </div> <div class="theme-toggle-container theme-toggle-content"> <button class="theme-toggle"> <div class="visually-hidden">Toggle Light / Dark / Auto color theme</div> <svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg> <svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg> <svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg> <svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg> </button> </div> <label class="toc-overlay-icon toc-content-icon" for="__toc"> <div class="visually-hidden">Toggle table of contents sidebar</div> <i class="icon"><svg><use href="#svg-toc"></use></svg></i> </label> </div> <article role="main" id="furo-main-content"> <section id="remote-api-authentication"> <span id="authentication"></span><h1>Remote API authentication<a class="headerlink" href="#remote-api-authentication" title="Link to this heading">¶</a></h1> <p>Remote communications with the LXD daemon happen using JSON over HTTPS. This requires the LXD API to be exposed over the network; see <a class="reference internal" href="../howto/server_expose/#server-expose"><span class="std std-ref">How to expose LXD to the network</span></a> for instructions.</p> <p>To be able to access the remote API, clients must authenticate with the LXD server. The following authentication methods are supported:</p> <ul class="simple"> <li><p><a class="reference internal" href="#authentication-tls-certs"><span class="std std-ref">TLS client certificates</span></a></p></li> <li><p><a class="reference internal" href="#authentication-openid"><span class="std std-ref">OpenID Connect authentication</span></a></p></li> </ul> <section id="tls-client-certificates"> <span id="authentication-tls-certs"></span><h2>TLS client certificates<a class="headerlink" href="#tls-client-certificates" title="Link to this heading">¶</a></h2> <p class="youtube_link"> <a href="https://www.youtube.com/watch?v=4iNpiL-lrXU" target="_blank"> <span title="LXD token based remote authentication - YouTube" class="play_icon">▶</span> <span title="LXD token based remote authentication - YouTube">Watch on YouTube</span> </a> </p><p>When using <abbr title="Transport Layer Security">TLS</abbr> client certificates for authentication, both the client and the server will generate a key pair the first time they’re launched. The server will use that key pair for all HTTPS connections to the LXD socket. The client will use its certificate as a client certificate for any client-server communication.</p> <p>To cause certificates to be regenerated, simply remove the old ones. On the next connection, a new certificate is generated.</p> <section id="communication-protocol"> <h3>Communication protocol<a class="headerlink" href="#communication-protocol" title="Link to this heading">¶</a></h3> <p>The supported protocol must be TLS 1.3 or better.</p> <p>All communications must use perfect forward secrecy, and ciphers must be limited to strong elliptic curve ones (such as ECDHE-RSA or ECDHE-ECDSA).</p> <p>Any generated key should be at least 4096 bit RSA, preferably 384 bit ECDSA. When using signatures, only SHA-2 signatures should be trusted.</p> <p>Since we control both client and server, there is no reason to support any backward compatibility to broken protocol or ciphers.</p> </section> <section id="trusted-tls-clients"> <span id="authentication-trusted-clients"></span><h3>Trusted TLS clients<a class="headerlink" href="#trusted-tls-clients" title="Link to this heading">¶</a></h3> <p>The workflow to authenticate with the server is similar to that of SSH, where an initial connection to an unknown server triggers a prompt:</p> <ol class="arabic simple"> <li><p>When the user adds a server with <a class="reference internal" href="../reference/manpages/lxc/remote/add/#lxc-remote-add-md"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">lxc</span> <span class="pre">remote</span> <span class="pre">add</span></code></span></a>, the server is contacted over HTTPS, its certificate is downloaded and the fingerprint is shown to the user.</p></li> <li><p>The user is asked to confirm that this is indeed the server’s fingerprint, which they can manually check by connecting to the server or by asking someone with access to the server to run the info command and compare the fingerprints.</p></li> <li><p>The server attempts to authenticate the client:</p> <ul class="simple"> <li><p>If the client certificate is in the server’s trust store, the connection is granted.</p></li> <li><p>If the client certificate is not in the server’s trust store, the server prompts the user for a token. If the provided token matches, the client certificate is added to the server’s trust store and the connection is granted. Otherwise, the connection is rejected.</p></li> </ul> </li> </ol> <p>See <a class="reference internal" href="../howto/server_expose/#server-expose"><span class="std std-ref">How to expose LXD to the network</span></a> and <a class="reference internal" href="../howto/server_expose/#server-authenticate"><span class="std std-ref">Authenticate with the LXD server</span></a> for instructions on how to configure TLS authentication and add trusted clients.</p> </section> <section id="using-a-pki-system"> <span id="authentication-pki"></span><h3>Using a PKI system<a class="headerlink" href="#using-a-pki-system" title="Link to this heading">¶</a></h3> <p>In a <abbr title="Public key infrastructure">PKI</abbr> setup, a system administrator manages a central PKI that issues client certificates for all the LXD clients and server certificates for all the LXD daemons.</p> <p>In PKI mode, TLS authentication requires that client certificates are signed be the <abbr title="Certificate authority">CA</abbr>. This requirement does not apply to clients that authenticate via <a class="reference internal" href="#authentication-openid"><span class="std std-ref">OIDC</span></a>.</p> <p>The steps for enabling PKI mode differ slightly depending on whether you use an ACME provider in addition (see <a class="reference internal" href="#authentication-server-certificate"><span class="std std-ref">TLS server certificate</span></a>).</p> <div class="sphinx-tabs docutils container"> <div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-0-T25seSBQS0k=" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-0-T25seSBQS0k=" name="T25seSBQS0k=" role="tab" tabindex="0">Only PKI</button><button aria-controls="panel-0-UEtJIGFuZCBBQ01F" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-0-UEtJIGFuZCBBQ01F" name="UEtJIGFuZCBBQ01F" role="tab" tabindex="-1">PKI and ACME</button></div><div aria-labelledby="tab-0-T25seSBQS0k=" class="sphinx-tabs-panel group-tab" id="panel-0-T25seSBQS0k=" name="T25seSBQS0k=" role="tabpanel" tabindex="0"><p>If you use a PKI system, both the server and client certificates are issued by intermediate CA(s). The <code class="docutils literal notranslate"><span class="pre">client.ca</span></code> file contains the certificate used by the client to verify the server certificate it receives when making a connection to a remote. The <code class="docutils literal notranslate"><span class="pre">server.ca</span></code> file contains the certificate used by the server to verify the client certificate associated with an incoming connection.</p> <p>Both files contain trust anchors used to evaluate if the received leaf certificate from the other end of the connection is to be trusted or not. If the leaf certificate’s chain of trust leads to one of the trusted anchors it will be trusted (unless revoked).</p> <ol class="arabic"> <li><p>Add the CA certificate to all machines:</p> <ul> <li><p>Place the <code class="docutils literal notranslate"><span class="pre">client.ca</span></code> file in the clients’ configuration directories (<code class="docutils literal notranslate"><span class="pre">~/.config/lxc</span></code> or <code class="docutils literal notranslate"><span class="pre">~/snap/lxd/common/config</span></code> for snap users).</p></li> <li><p>Place the <code class="docutils literal notranslate"><span class="pre">server.ca</span></code> file in the server’s configuration directory (<code class="docutils literal notranslate"><span class="pre">/var/lib/lxd</span></code> or <code class="docutils literal notranslate"><span class="pre">/var/snap/lxd/common/lxd</span></code> for snap users).</p> <div class="admonition note"> <p class="admonition-title">Note</p> <p>In a cluster setup, the CA certificate must be named <code class="docutils literal notranslate"><span class="pre">cluster.ca</span></code>, and the same file must be added to all cluster members.</p> </div> </li> </ul> </li> <li><p>Place the certificates issued by the CA in the clients’ configuration directories, replacing the automatically generated <code class="docutils literal notranslate"><span class="pre">client.crt</span></code> and <code class="docutils literal notranslate"><span class="pre">client.key</span></code> files.</p></li> <li><p>If you want clients to automatically trust the server, place the certificates issued by the CA in the server’s configuration directory, replacing the automatically generated <code class="docutils literal notranslate"><span class="pre">server.crt</span></code> and <code class="docutils literal notranslate"><span class="pre">server.key</span></code> files.</p> <div class="admonition note"> <p class="admonition-title">Note</p> <p>In a cluster setup, the certificate files must be named <code class="docutils literal notranslate"><span class="pre">cluster.crt</span></code> and <code class="docutils literal notranslate"><span class="pre">cluster.key</span></code>. They must be identical on all cluster members.</p> </div> <p>When a client adds a PKI-enabled server or cluster as a remote, it checks the server certificate and prompts the user to trust the server certificate only if the certificate has not been signed by the CA.</p> </li> <li><p>Restart the LXD daemon.</p></li> </ol> </div><div aria-labelledby="tab-0-UEtJIGFuZCBBQ01F" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-0-UEtJIGFuZCBBQ01F" name="UEtJIGFuZCBBQ01F" role="tabpanel" tabindex="0"><p>If you use a PKI system alongside an ACME provider, the server certificates are issued by the ACME provider, and the client certificates are issued by a secondary CA.</p> <ol class="arabic"> <li><p>Place the CA certificate for the server (<code class="docutils literal notranslate"><span class="pre">server.ca</span></code>) in the server’s configuration directory (<code class="docutils literal notranslate"><span class="pre">/var/lib/lxd</span></code> or <code class="docutils literal notranslate"><span class="pre">/var/snap/lxd/common/lxd</span></code> for snap users), so that the server can authenticate the clients.</p> <div class="admonition note"> <p class="admonition-title">Note</p> <p>In a cluster setup, the CA certificate must be named <code class="docutils literal notranslate"><span class="pre">cluster.ca</span></code>, and the same file must be added to all cluster members.</p> </div> </li> <li><p>Place the certificates issued by the CA in the clients’ configuration directories, replacing the automatically generated <code class="docutils literal notranslate"><span class="pre">client.crt</span></code> and <code class="docutils literal notranslate"><span class="pre">client.key</span></code> files.</p></li> <li><p>Restart the LXD daemon.</p></li> </ol> </div></div> <section id="trusting-certificates"> <h4>Trusting certificates<a class="headerlink" href="#trusting-certificates" title="Link to this heading">¶</a></h4> <p>CA-signed client certificates are not automatically trusted. You must still add them to the server in one of the ways described in <a class="reference internal" href="#authentication-trusted-clients"><span class="std std-ref">Trusted TLS clients</span></a>.</p> <p>To automatically trust CA-signed client certificates, set the <a class="configref reference internal" href="../server/#server-core:core.trust_ca_certificates"><code class="docutils literal notranslate"><span class="pre">core.trust_ca_certificates</span></code></a> server configuration to true. When <code class="docutils literal notranslate"><span class="pre">core.trust_ca_certificates</span></code> is enabled, any new clients with a CA-signed certificate will have full access to LXD.</p> </section> <section id="revoking-certificates"> <h4>Revoking certificates<a class="headerlink" href="#revoking-certificates" title="Link to this heading">¶</a></h4> <p>To revoke certificates via the PKI, place a certificate revocation list in the server’s configuration directory as <code class="docutils literal notranslate"><span class="pre">ca.crl</span></code> and restart the LXD daemon. A client with a CA-signed certificate that has been revoked, and is present in <code class="docutils literal notranslate"><span class="pre">ca.crl</span></code>, will not be able to authenticate with LXD, nor add LXD as a remote via <a class="reference internal" href="#authentication-trusted-clients"><span class="std std-ref">mutual TLS</span></a>.</p> </section> </section> </section> <section id="openid-connect-authentication"> <span id="authentication-openid"></span><h2>OpenID Connect authentication<a class="headerlink" href="#openid-connect-authentication" title="Link to this heading">¶</a></h2> <p>LXD supports using <a class="reference external" href="https://openid.net/developers/how-connect-works/">OpenID Connect</a> to authenticate users through an <abbr title="OpenID Connect">OIDC</abbr> Identity Provider.</p> <p>To configure LXD to use OIDC authentication, set the <a class="reference internal" href="../server/#server-options-oidc"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">oidc.*</span></code></span></a> server configuration options. Your OIDC provider must be configured to enable the <a class="reference external" href="https://oauth.net/2/device-flow/">Device Authorization Grant</a> type.</p> <p>To add a remote pointing to a LXD server configured with OIDC authentication, run <a class="reference internal" href="../reference/manpages/lxc/remote/add/#lxc-remote-add-md"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">lxc</span> <span class="pre">remote</span> <span class="pre">add</span> <span class="pre"><remote_name></span> <span class="pre"><remote_address></span></code></span></a>. You are then prompted to authenticate through your web browser, where you must confirm that the device code displayed in the browser matches the device code that is displayed in the terminal window. The LXD client then retrieves and stores an access token, which it provides to LXD for all interactions. The identity provider might also provide a refresh token. In this case, the LXD client uses this refresh token to attempt to retrieve another access token when the current access token has expired.</p> <div class="admonition warning"> <p class="admonition-title">Warning</p> <p>Only set <code class="docutils literal notranslate"><span class="pre">oidc.client.secret</span></code> if required by the Identity Provider. Once set, this key allows the LXD UI client to authenticate. However, the secret is not shared with other LXD clients (such as the LXD CLI).</p> </div> <p>When an OIDC client initially authenticates with LXD, it does not have access to the majority of the LXD API. OIDC clients must be granted access by an administrator, see <a class="reference internal" href="../explanation/authorization/#fine-grained-authorization"><span class="std std-ref">Fine-grained authorization</span></a>.</p> </section> <section id="tls-server-certificate"> <span id="authentication-server-certificate"></span><h2>TLS server certificate<a class="headerlink" href="#tls-server-certificate" title="Link to this heading">¶</a></h2> <p>LXD supports issuing server certificates using <abbr title="Automatic Certificate Management Environment">ACME</abbr> services, for example, <a class="reference external" href="https://letsencrypt.org/">Let’s Encrypt</a>.</p> <p>To enable this feature, set the following server configuration:</p> <ul class="simple"> <li><p><a class="configref reference internal" href="../server/#server-acme:acme.domain"><code class="docutils literal notranslate"><span class="pre">acme.domain</span></code></a>: The domain for which the certificate should be issued.</p></li> <li><p><a class="configref reference internal" href="../server/#server-acme:acme.email"><code class="docutils literal notranslate"><span class="pre">acme.email</span></code></a>: The email address used for the account of the ACME service.</p></li> <li><p><a class="configref reference internal" href="../server/#server-acme:acme.agree_tos"><code class="docutils literal notranslate"><span class="pre">acme.agree_tos</span></code></a>: Must be set to <code class="docutils literal notranslate"><span class="pre">true</span></code> to agree to the ACME service’s terms of service.</p></li> <li><p><a class="configref reference internal" href="../server/#server-acme:acme.ca_url"><code class="docutils literal notranslate"><span class="pre">acme.ca_url</span></code></a>: The directory URL of the ACME service. By default, LXD uses “Let’s Encrypt”.</p></li> </ul> <p>For this feature to work, LXD must be reachable from port 80. This can be achieved by using a reverse proxy such as <a class="reference external" href="http://www.haproxy.org/">HAProxy</a>.</p> <p>Here’s a minimal HAProxy configuration that uses <code class="docutils literal notranslate"><span class="pre">lxd.example.net</span></code> as the domain. After the certificate has been issued, LXD will be reachable from <code class="docutils literal notranslate"><span class="pre">https://lxd.example.net/</span></code>.</p> <div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Global configuration</span> <span class="k">global</span> <span class="n">log</span> <span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">log</span> <span class="n">local0</span> <span class="n">chroot</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">haproxy</span> <span class="n">stats</span> <span class="n">socket</span> <span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">haproxy</span><span class="o">/</span><span class="n">admin</span><span class="o">.</span><span class="n">sock</span> <span class="n">mode</span> <span class="mi">660</span> <span class="n">level</span> <span class="n">admin</span> <span class="n">stats</span> <span class="n">timeout</span> <span class="mi">30</span><span class="n">s</span> <span class="n">user</span> <span class="n">haproxy</span> <span class="n">group</span> <span class="n">haproxy</span> <span class="n">daemon</span> <span class="n">ssl</span><span class="o">-</span><span class="n">default</span><span class="o">-</span><span class="n">bind</span><span class="o">-</span><span class="n">options</span> <span class="n">ssl</span><span class="o">-</span><span class="nb">min</span><span class="o">-</span><span class="n">ver</span> <span class="n">TLSv1</span><span class="mf">.2</span> <span class="n">tune</span><span class="o">.</span><span class="n">ssl</span><span class="o">.</span><span class="n">default</span><span class="o">-</span><span class="n">dh</span><span class="o">-</span><span class="n">param</span> <span class="mi">2048</span> <span class="n">maxconn</span> <span class="mi">100000</span> <span class="c1"># Default settings</span> <span class="n">defaults</span> <span class="n">mode</span> <span class="n">tcp</span> <span class="n">timeout</span> <span class="n">connect</span> <span class="mi">5</span><span class="n">s</span> <span class="n">timeout</span> <span class="n">client</span> <span class="mi">30</span><span class="n">s</span> <span class="n">timeout</span> <span class="n">client</span><span class="o">-</span><span class="n">fin</span> <span class="mi">30</span><span class="n">s</span> <span class="n">timeout</span> <span class="n">server</span> <span class="mi">120</span><span class="n">s</span> <span class="n">timeout</span> <span class="n">tunnel</span> <span class="mi">6</span><span class="n">h</span> <span class="n">timeout</span> <span class="n">http</span><span class="o">-</span><span class="n">request</span> <span class="mi">5</span><span class="n">s</span> <span class="n">maxconn</span> <span class="mi">80000</span> <span class="c1"># Default backend - Return HTTP 301 (TLS upgrade)</span> <span class="n">backend</span> <span class="n">http</span><span class="o">-</span><span class="mi">301</span> <span class="n">mode</span> <span class="n">http</span> <span class="n">redirect</span> <span class="n">scheme</span> <span class="n">https</span> <span class="n">code</span> <span class="mi">301</span> <span class="c1"># Default backend - Return HTTP 403</span> <span class="n">backend</span> <span class="n">http</span><span class="o">-</span><span class="mi">403</span> <span class="n">mode</span> <span class="n">http</span> <span class="n">http</span><span class="o">-</span><span class="n">request</span> <span class="n">deny</span> <span class="n">deny_status</span> <span class="mi">403</span> <span class="c1"># HTTP dispatcher</span> <span class="n">frontend</span> <span class="n">http</span><span class="o">-</span><span class="n">dispatcher</span> <span class="n">bind</span> <span class="p">:</span><span class="mi">80</span> <span class="n">mode</span> <span class="n">http</span> <span class="c1"># Backend selection</span> <span class="n">tcp</span><span class="o">-</span><span class="n">request</span> <span class="n">inspect</span><span class="o">-</span><span class="n">delay</span> <span class="mi">5</span><span class="n">s</span> <span class="c1"># Dispatch</span> <span class="n">default_backend</span> <span class="n">http</span><span class="o">-</span><span class="mi">403</span> <span class="n">use_backend</span> <span class="n">http</span><span class="o">-</span><span class="mi">301</span> <span class="k">if</span> <span class="p">{</span> <span class="n">hdr</span><span class="p">(</span><span class="n">host</span><span class="p">)</span> <span class="o">-</span><span class="n">i</span> <span class="n">lxd</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">net</span> <span class="p">}</span> <span class="c1"># SNI dispatcher</span> <span class="n">frontend</span> <span class="n">sni</span><span class="o">-</span><span class="n">dispatcher</span> <span class="n">bind</span> <span class="p">:</span><span class="mi">443</span> <span class="n">mode</span> <span class="n">tcp</span> <span class="c1"># Backend selection</span> <span class="n">tcp</span><span class="o">-</span><span class="n">request</span> <span class="n">inspect</span><span class="o">-</span><span class="n">delay</span> <span class="mi">5</span><span class="n">s</span> <span class="c1"># require TLS</span> <span class="n">tcp</span><span class="o">-</span><span class="n">request</span> <span class="n">content</span> <span class="n">reject</span> <span class="n">unless</span> <span class="p">{</span> <span class="n">req</span><span class="o">.</span><span class="n">ssl_hello_type</span> <span class="mi">1</span> <span class="p">}</span> <span class="c1"># Dispatch</span> <span class="n">default_backend</span> <span class="n">http</span><span class="o">-</span><span class="mi">403</span> <span class="n">use_backend</span> <span class="n">lxd</span><span class="o">-</span><span class="n">nodes</span> <span class="k">if</span> <span class="p">{</span> <span class="n">req</span><span class="o">.</span><span class="n">ssl_sni</span> <span class="o">-</span><span class="n">i</span> <span class="n">lxd</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">net</span> <span class="p">}</span> <span class="c1"># LXD nodes</span> <span class="n">backend</span> <span class="n">lxd</span><span class="o">-</span><span class="n">nodes</span> <span class="n">mode</span> <span class="n">tcp</span> <span class="n">option</span> <span class="n">tcp</span><span class="o">-</span><span class="n">check</span> <span class="c1"># Multiple servers should be listed when running a cluster</span> <span class="n">server</span> <span class="n">lxd</span><span class="o">-</span><span class="n">node01</span> <span class="mf">1.2.3.4</span><span class="p">:</span><span class="mi">8443</span> <span class="n">check</span> <span class="n">server</span> <span class="n">lxd</span><span class="o">-</span><span class="n">node02</span> <span class="mf">1.2.3.5</span><span class="p">:</span><span class="mi">8443</span> <span class="n">check</span> <span class="n">server</span> <span class="n">lxd</span><span class="o">-</span><span class="n">node03</span> <span class="mf">1.2.3.6</span><span class="p">:</span><span class="mi">8443</span> <span class="n">check</span> </pre></div> </div> </section> <section id="failure-scenarios"> <h2>Failure scenarios<a class="headerlink" href="#failure-scenarios" title="Link to this heading">¶</a></h2> <p>In the following scenarios, authentication is expected to fail.</p> <section id="server-certificate-changed"> <h3>Server certificate changed<a class="headerlink" href="#server-certificate-changed" title="Link to this heading">¶</a></h3> <p>The server certificate might change in the following cases:</p> <ul class="simple"> <li><p>The server was fully reinstalled and therefore got a new certificate.</p></li> <li><p>The connection is being intercepted (<abbr title="Machine in the middle">MITM</abbr>).</p></li> </ul> <p>In such cases, the client will refuse to connect to the server because the certificate fingerprint does not match the fingerprint in the configuration for this remote.</p> <p>It is then up to the user to contact the server administrator to check if the certificate did in fact change. If it did, the certificate can be replaced by the new one, or the remote can be removed altogether and re-added.</p> </section> <section id="server-trust-relationship-revoked"> <h3>Server trust relationship revoked<a class="headerlink" href="#server-trust-relationship-revoked" title="Link to this heading">¶</a></h3> <p>The server trust relationship is revoked for a client if another trusted client or the local server administrator removes the trust entry for the client on the server.</p> <p>In this case, the server still uses the same certificate, but all API calls return a 403 code with an error indicating that the client isn’t trusted.</p> </section> </section> <section id="related-topics"> <h2>Related topics<a class="headerlink" href="#related-topics" title="Link to this heading">¶</a></h2> <p>Explanation:</p> <ul class="simple"> <li><p><a class="reference internal" href="../explanation/security/#exp-security"><span class="std std-ref">Security</span></a></p></li> </ul> <p>How-to guides:</p> <ul class="simple"> <li><p><a class="reference internal" href="../howto/server_expose/#server-expose"><span class="std std-ref">How to expose LXD to the network</span></a></p></li> </ul> </section> </section> </article> </div> <footer> <div class="related-pages"> <a class="next-page" href="../explanation/authorization/"> <div class="page-info"> <div class="context"> <span>Next</span> </div> <div class="title">Remote API authorization</div> </div> <svg class="furo-related-icon"><use href="#svg-arrow-right"></use></svg> </a> <a class="prev-page" href="../explanation/lxc_show_info/"> <svg class="furo-related-icon"><use href="#svg-arrow-right"></use></svg> <div class="page-info"> <div class="context"> <span>Previous</span> </div> <div class="title"><code class="docutils literal notranslate"><span class="pre">lxc</span></code> <code class="docutils literal notranslate"><span class="pre">show</span></code> and <code class="docutils literal notranslate"><span class="pre">info</span></code></div> </div> </a> </div> <div class="bottom-of-page"> <div class="left-details"> <div class="copyright"> Copyright © 2014-2025 LXD contributors </div> <div class="last-updated"> Last updated on Sep 08, 2025</div> <div class="show-source"> <a class="muted-link" href="../_sources/authentication.md.txt" rel="nofollow">Show source</a> </div> </div> <div> <a class="display-contributors">Thanks to the 8 contributors!</a> <div id="overlay"></div> <ul class="all-contributors"> <li> <a href="https://github.com/canonical/lxd/commit/b15618883058d334807ab0c35502928cd03d8947" class="contributor">Kadin Sayani</a> </li> <li> <a href="https://github.com/canonical/lxd/commit/e8ec61eee553e286f726fc762c9bd29391378660" class="contributor">Mark Laing</a> </li> <li> <a href="https://github.com/canonical/lxd/commit/8f2f29b51feeec0830c031df03d8223d7f22ee62" class="contributor">Minae Lee</a> </li> <li> <a href="https://github.com/canonical/lxd/commit/7c43c9a295ba0adc235ae72502f43030661c7587" class="contributor">Nikita Mezhenskyi</a> </li> <li> <a href="https://github.com/canonical/lxd/commit/241070cb934b680b5e738158b8d94a2b41fbae56" class="contributor">Ruth Fuchss</a> </li> <li> <a href="https://github.com/canonical/lxd/commit/16433b68b66b7b03c8cbbc70a92721aea6c40f34" class="contributor">Simon Deziel</a> </li> <li> <a href="https://github.com/canonical/lxd/commit/35db929d9e988c478efdd9420a224e20ac9459d0" class="contributor">Stéphane Graber</a> </li> <li> <a href="https://github.com/canonical/lxd/commit/0901cd61cc4b3d313a0be41f4d4e8e25f04b849e" class="contributor">Thomas Hipp</a> </li> </ul> </div> <div class="right-details"> <div class="ask-discourse"> <a class="muted-link" href="https://discourse.ubuntu.com/c/lxd/">Ask a question on Discourse</a> </div> <div class="ask-matrix"> <a class="muted-link" href="https://matrix.to/#/#documentation:ubuntu.com">Ask a question on Matrix</a> </div> <div class="issue-github"> <a class="muted-link" href="https://github.com/canonical/lxd/issues/new?title=doc%3A+ADD+A+TITLE&body=DESCRIBE+THE+ISSUE%0A%0A---%0ADocument: authentication.md">Open a GitHub issue for this page</a> </div> <div class="edit-github"> <a class="muted-link" href="https://github.com/canonical/lxd/edit/main/doc/authentication.md">Edit this page on GitHub</a> </div> </div> </div> </div> </footer> </div> <aside class="toc-drawer"> <div class="toc-sticky toc-scroll"> <div class="toc-title-container"> <span class="toc-title"> Contents </span> </div> <div class="toc-tree-container"> <div class="toc-tree"> <ul> <li><a class="reference internal" href="#">Remote API authentication</a><ul> <li><a class="reference internal" href="#tls-client-certificates">TLS client certificates</a><ul> <li><a class="reference internal" href="#communication-protocol">Communication protocol</a></li> <li><a class="reference internal" href="#trusted-tls-clients">Trusted TLS clients</a></li> <li><a class="reference internal" href="#using-a-pki-system">Using a PKI system</a><ul> <li><a class="reference internal" href="#trusting-certificates">Trusting certificates</a></li> <li><a class="reference internal" href="#revoking-certificates">Revoking certificates</a></li> </ul> </li> </ul> </li> <li><a class="reference internal" href="#openid-connect-authentication">OpenID Connect authentication</a></li> <li><a class="reference internal" href="#tls-server-certificate">TLS server certificate</a></li> <li><a class="reference internal" href="#failure-scenarios">Failure scenarios</a><ul> <li><a class="reference internal" href="#server-certificate-changed">Server certificate changed</a></li> <li><a class="reference internal" href="#server-trust-relationship-revoked">Server trust relationship revoked</a></li> </ul> </li> <li><a class="reference internal" href="#related-topics">Related topics</a></li> </ul> </li> </ul> </div> </div> <div class="relatedlinks-title-container"> <span class="relatedlinks-title"> Related links </span> </div> <div class="relatedlinks-container"> <div class="relatedlinks"> <ul><li><a href="https://discuss.linuxcontainers.org/t/13114" target="_blank">Token based remote connection</a></li><li><a href="https://discuss.linuxcontainers.org/t/15142" target="_blank">ACME support for server certificate</a></li></ul> <ul><li><a href="https://www.youtube.com/watch?v=6O0q3rSWr8A" target="_blank">LXD for multi-user systems - YouTube</a></li></ul> </div> </div> </div> </aside> </div> </div><script src="../_static/jquery.js?v=5d32c60e"></script> <script src="../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script> <script src="../_static/documentation_options.js?v=187304be"></script> <script src="../_static/doctools.js?v=9bcbadda"></script> <script src="../_static/sphinx_highlight.js?v=dc90522c"></script> <script src="../_static/scripts/furo.js?v=46bd48cc"></script> <script src="../_static/clipboard.min.js?v=a7894cd8"></script> <script src="../_static/copybutton.js?v=f281be69"></script> <script src="../_static/config-options.js"></script> <script src="../_static/design-tabs.js?v=f930bc37"></script> <script src="../_static/tabs.js?v=3030b3cb"></script> <script src="../_static/header-nav.js?v=e117ad08"></script> <script src="../_static/footer.js?v=5acea47a"></script> <script src="../_static/github_issue_links.js?v=32bb732f"></script> <script src="../_static/js/bundle.js?v=a4d88309"></script> <script> const github_url = "https://github.com/canonical/lxd"; </script> </body> </html>
Copyright ©2k19 -
Hexid
|
Tex7ure