How to expose LXD to the network#

By default, LXD can be used only by local users through a Unix socket.

To expose LXD to the network, set the core.https_address server configuration option. For example, to allow access to the LXD server on port 8443, enter the following command:

lxc config set core.https_address :8443

All remote clients can then connect to LXD and access any image that is marked for public use.

Authenticate with the LXD server#

To be able to access the remote API, clients must authenticate with the LXD server. There are several authentication methods; see Remote API authentication for detailed information.

The recommended method is to add the client’s TLS certificate to the server’s trust store through a trust token. To authenticate a client using a trust token, complete the following steps:

  1. On the server, enter the following command:

    lxc config trust add

    Enter the name of the client that you want to add. The command generates and prints a token that can be used to add the client certificate.

  2. On the client, add the server with the following command:

    lxc remote add <remote_name> <token>


If your LXD server is behind NAT, you must specify its external public address when adding it as a remote for a client:

lxc remote add <name> <IP_address>

When you are prompted for the admin password, specify the generated token.

When generating the token on the server, LXD includes a list of IP addresses that the client can use to access the server. However, if the server is behind NAT, these addresses might be local addresses that the client cannot connect to. In this case, you must specify the external address manually.

See Remote API authentication for detailed information and other authentication methods.