incus
recently i’ve been reading about incus. i run some applications at home on proxmox, and thought i would try it out.
incus:
- is a container manager
- is a VM manager
- supports linux containers
- supports OCI containers (i.e. docker)
- is based around a REST API
it seems like you can use it somewhere between
client certificate & key
incus requires that you provide a backup client certificate for access, even if you use OIDC, so this would generally be a self-signed certificate. let's go about creating one:
1.) we create our certificate authority key and cert
2.) create a new client key and certificate signing request
3.) create a client cert (with said request) and a PKCS#12 format file
#!/usr/bin/env bash
set -xeuo pipefail
KEY=ca.key
CERT=ca.crt
CLIENT_KEY=client.key
CLIENT_CSR=client.csr
CLIENT_CERT=client.crt
CLIENT_PFX=client.pfx
COMMON_NAME=metasyn
COUNTRY=US
LOCATION=CALIFORNIA
DAYS=1825

# Create CA Key
openssl genrsa \
  -out "${KEY}" \
  2048

# Create CA Cert
openssl req \
  -x509 \
  -new \
  -nodes \
  -subj "/CN=${COMMON_NAME}/C=${COUNTRY}/L=${LOCATION}" \
  -key "${KEY}" \
  -sha256 \
  -days "${DAYS}" \
  -out "${CERT}"

# Client Key
openssl genpkey \
  -algorithm RSA \
  -out "${CLIENT_KEY}"

# Client Certificate Signing Request
openssl req \
  -new \
  -subj "/CN=${COMMON_NAME}/C=${COUNTRY}/L=${LOCATION}" \
  -key "${CLIENT_KEY}" \
  -out "${CLIENT_CSR}"

# Use CSR to create Cert (signed by the CA above)
openssl x509 \
  -req \
  -in "${CLIENT_CSR}" \
  -CA "${CERT}" \
  -CAkey "${KEY}" \
  -CAcreateserial \
  -out "${CLIENT_CERT}" \
  -days 365 \
  -sha256

# Create .pfx file (different format: key + cert + CA bundled together)
openssl pkcs12 \
  -export \
  -out "${CLIENT_PFX}" \
  -inkey "${CLIENT_KEY}" \
  -in "${CLIENT_CERT}" \
  -certfile "${CERT}"
incus seed file
you can read about the seed file format here
we need to create
- install.yaml (can be empty)
- incus.yaml (with client cert)
- put them into a seed.tar
note: the docs say you can use json files, but i ran into an error (see discussion here), so i just stuck with yaml files, which seemed to work.
#!/usr/bin/env python3
import argparse
import io
import tarfile
from pathlib import Path


def main():
    p = argparse.ArgumentParser()
    p.add_argument("cert", type=Path)
    args = p.parse_args()
    if not args.cert.is_file():
        p.error("certificate must be an existing file")
    cert = args.cert.read_text().strip()
    if "BEGIN CERTIFICATE" not in cert:
        p.error("not a valid PEM certificate")
    # incus.yaml is written by hand (no pyyaml needed): the PEM goes in as a
    # YAML block scalar (|) so its line breaks survive. yaml rather than json,
    # since the json seed file errored (see the note above)
    pem = "".join(f"        {line}\n" for line in cert.splitlines())
    doc = (
        "apply_defaults: true\n"
        "preseed:\n"
        "  certificates:\n"
        "    - name: metasyn\n"
        "      type: client\n"
        "      certificate: |\n"
        + pem
    )
    data = doc.encode()
    with tarfile.open("seed.tar", "w") as tar:
        info = tarfile.TarInfo("incus.yaml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        # install.yaml can be empty, but it has to be present in the seed
        tar.addfile(tarfile.TarInfo("install.yaml"))
    print("Created seed.tar!")


if __name__ == "__main__":
    main()
then
python3 create-incus-seed.py client.crt
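before flashing, it is worth checking that the seed contains what incus expects (both yaml files, a PEM cert of type client) and nothing it must not: the seed ends up inside an unprotected ISO, so client.key or client.pfx accidentally landing in it would hand the key to anyone who can read the image. this is an added example, not code from the original post; the PEM text in it is a constructed placeholder, not a real certificate.

```python
import io
import tarfile

# a seed needs both files; incus.yaml carries the trusted client certificate
REQUIRED = {"install.yaml", "incus.yaml"}
# the seed ends up in an unprotected ISO, so private key material must never be in it
SECRET_MARKERS = (b"PRIVATE KEY-----", b"BEGIN PKCS12")


def make_seed(files: dict[str, bytes]) -> bytes:
    """Build a seed tarball in memory from {name: content} (used for the demo input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def check_seed(data: bytes) -> list[str]:
    """Return the problems found in a seed tarball; an empty list means it looks OK."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        problems += [f"missing {n}" for n in sorted(REQUIRED - set(members))]
        for name, m in members.items():
            body = tar.extractfile(m).read()
            if any(marker in body for marker in SECRET_MARKERS):
                problems.append(f"{name}: contains private key material")
            if name == "incus.yaml":
                if b"-----BEGIN CERTIFICATE-----" not in body:
                    problems.append("incus.yaml: no PEM certificate found")
                if b"type: client" not in body:
                    problems.append("incus.yaml: certificate is not type: client")
    return problems


# constructed placeholder PEM for the demo; it is not a real certificate
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDERBASE64\n-----END CERTIFICATE-----"
GOOD_YAML = (
    "apply_defaults: true\npreseed:\n  certificates:\n    - name: metasyn\n"
    "      type: client\n      certificate: |\n"
    + "".join(f"        {line}\n" for line in FAKE_CERT.splitlines())
).encode()

if __name__ == "__main__":
    good = make_seed({"install.yaml": b"", "incus.yaml": GOOD_YAML})
    leaky = make_seed({"incus.yaml": GOOD_YAML + b"-----BEGIN PRIVATE KEY-----\n"})
    print("good:", check_seed(good) or "OK")
    print("leaky:", check_seed(leaky))
```

to check a real seed, read seed.tar into bytes and pass it to check_seed.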
incus flasher tool
install:
go install github.com/lxc/incus-os/incus-osd/cmd/flasher-tool@latest
utilize:
flasher-tool -f iso -s seed.tar
now you have an ISO you can boot, preloaded with your client cert.
installing in proxmox
a few gotchas here:
- disable pre-enroll keys
- ensure you use UEFI
- remove the ISO after booting