SSH key management in LXD

I've found my experience with LXD on Ubuntu 24.04 LTS to be extremely pleasant so far. Having recently moved on from HashiCorp's Vagrant and VirtualBox setup, I did so for two primary reasons. The first was the overhead associated with installing both tools, and the second was the resource-intensive nature of running full virtual machines within VirtualBox. While I had a positive experience with my Vagrant and VirtualBox setup on my robust home lab workstation, moving to LXD (installed as a snap) on my Ubuntu system has unlocked a wealth of possibilities for my various home lab projects. The ease of using both LXC containers and KVM/QEMU virtual machines has provided a local, cloud-esque environment, significantly reducing the need for costly cloud hosting.

Provisioning SSH public keys to Vagrant/VirtualBox VMs involved either a sequence of shell commands or leveraging Ansible's local provisioner in conjunction with Vagrant. This repetitive process, though manageable, was a standard part of the workflow. When it comes to LXD setup for ssh key management, there is a simple way to achieve it.

LXD comes with default profile after the initial setup process. Run the following command to view it.

tyla@e32:~$ lxc profile show default

Here is what it looks like.

name: default
description: Default LXD profile
config: {}
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
used_by: []

The config: {} key has no value at the moment. Let's edit the default profile with the following command.

tyla@e32:~$ lxc profile edit default

It will open the default profile YAML config file in nano so update it as shown below.

name: default
description: Default LXD profile
config:
  user.user-data: |
    #cloud-config
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEw29dm54JK5se8JxdWdt2MC8CSw8VICRcBQBZPxYAbS tyla
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
used_by: []

After updating the config file, verify it with lxc profile show default to ensure that it takes the configuration correctly. Then let's spin up some LXC containers and KVM/QEMU virtual machines to test the ssh key authentication as below.

# Spin up 3 LXC containers to test
tyla@e32:~$ for i in {1..3}; do lxc launch ubuntu:24.04 ct$i; done
Launching ct1
Launching ct2
Launching ct3

# Check the ip address of ct1 container
tyla@e32:~$ lxc list 
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| NAME |  STATE  |        IPV4         |                     IPV6                      |   TYPE    | SNAPSHOTS |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| ct1  | RUNNING | 10.18.34.39 (eth0)  | fd42:2751:df65:31e1:216:3eff:fe06:7a59 (eth0) | CONTAINER | 0         |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| ct2  | RUNNING | 10.18.34.23 (eth0)  | fd42:2751:df65:31e1:216:3eff:fed7:a586 (eth0) | CONTAINER | 0         |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| ct3  | RUNNING | 10.18.34.187 (eth0) | fd42:2751:df65:31e1:216:3eff:fed3:881c (eth0) | CONTAINER | 0         |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+

# SSH into ct1 with the username ubuntu
tyla@e32:~$ ssh [email protected]
The authenticity of host '10.18.34.39 (10.18.34.39)' can't be established.
ED25519 key fingerprint is SHA256:JOm+4h6HAWWQdsnrzOBJeCb4vn9kmBMUYtTysFAhPQQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.18.34.39' (ED25519) to the list of known hosts.
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-60-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun May 25 09:18:55 UTC 2025

  System load:           0.52
  Usage of /:            2.7% of 17.63GB
  Memory usage:          0%
  Swap usage:            0%
  Temperature:           39.0 C
  Processes:             22
  Users logged in:       0
  IPv4 address for eth0: 10.18.34.39
  IPv6 address for eth0: fd42:2751:df65:31e1:216:3eff:fe06:7a59

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@ct1:~$
logout
Connection to 10.18.34.39 closed.

# Verify the default profile's used_by: key
tyla@e32:~$ lxc profile show default 
name: default
description: Default LXD profile
config:
  user.user-data: |
    #cloud-config
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEw29dm54JK5se8JxdWdt2MC8CSw8VICRcBQBZPxYAbS tyla
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
used_by:
- /1.0/instances/ct1
- /1.0/instances/ct2
- /1.0/instances/ct3


# Cleanup the containers
tyla@e32:~$ for i in {1..3}; do lxc delete ct$i --force; done

# Spin up 3 KVM/QEMU virtual machines to test
tyla@e32:~$ for i in {1..3}; do lxc launch ubuntu:24.04 vm$i --vm; done
Launching vm1
Launching vm2
Launching vm3

# Check the ip address of vm1
tyla@e32:~$ lxc list 
+------+---------+----------------------+-------------------------------------------------+-----------------+-----------+
| NAME |  STATE  |         IPV4         |                      IPV6                       |      TYPE       | SNAPSHOTS |
+------+---------+----------------------+-------------------------------------------------+-----------------+-----------+
| vm1  | RUNNING | 10.18.34.22 (enp5s0) | fd42:2751:df65:31e1:216:3eff:fe98:d591 (enp5s0) | VIRTUAL-MACHINE | 0         |
+------+---------+----------------------+-------------------------------------------------+-----------------+-----------+
| vm2  | RUNNING | 10.18.34.88 (enp5s0) | fd42:2751:df65:31e1:216:3eff:fe65:2fbc (enp5s0) | VIRTUAL-MACHINE | 0         |
+------+---------+----------------------+-------------------------------------------------+-----------------+-----------+
| vm3  | RUNNING | 10.18.34.69 (enp5s0) | fd42:2751:df65:31e1:216:3eff:fe36:f7bb (enp5s0) | VIRTUAL-MACHINE | 0         |
+------+---------+----------------------+-------------------------------------------------+-----------------+-----------+

# SSH into the vm1 with username ubuntu
tyla@e32:~$ ssh [email protected]
The authenticity of host '10.18.34.22 (10.18.34.22)' can't be established.
ED25519 key fingerprint is SHA256:mmZsuBe9nrnWyePdUSOTn/ad+26iTd1KgQ7e5vL7Hco.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.18.34.22' (ED25519) to the list of known hosts.
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-60-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun May 25 09:27:40 UTC 2025

  System load:             0.42
  Usage of /:              18.2% of 8.65GB
  Memory usage:            19%
  Swap usage:              0%
  Processes:               121
  Users logged in:         0
  IPv4 address for enp5s0: 10.18.34.22
  IPv6 address for enp5s0: fd42:2751:df65:31e1:216:3eff:fe98:d591

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@vm1:~$ 
logout
Connection to 10.18.34.22 closed.

# Verify the default profile's used_by: key
tyla@e32:~$ lxc profile show default 
name: default
description: Default LXD profile
config:
  user.user-data: |
    #cloud-config
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEw29dm54JK5se8JxdWdt2MC8CSw8VICRcBQBZPxYAbS tyla
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
used_by:
- /1.0/instances/vm1
- /1.0/instances/vm2
- /1.0/instances/vm3

# Cleanup the virtual machines
tyla@e32:~$ for i in {1..3}; do lxc delete vm$i --force; done

PreviousChanging hostnames and IP addresses of nodes in Proxmox cluster NextCustomise VM template with cloud-init on Proxmox

Last updated 6 months ago

Was this helpful?