Contexts
Contexts are a way to communicate with different nanocl daemons.
For example you may have a nanocl daemon running on your local machine and another one running on a remote server. You can use contexts to switch between them.
For this to work, the remote daemon must be reachable from the internet. There are multiple ways to do this, but the easiest is to use a ProxyRule.
First, you need to generate your own SSL/TLS certificates. They ensure that only clients holding a certificate issued by your CA can access the daemon, which matters because the daemon will be exposed to the internet.
For your convenience, we created a Statefile that will generate the necessary certificates and set up the ProxyRule for you.
Automatic setup
You can apply the following Statefile to generate the certificates and apply the ProxyRule:
nanocl state apply -fs nhnr.io/v0.16/sys/enable-remote-nanocld.yml
Once the Statefile is applied, you can create the context to switch between the different daemons.
But first you need to retrieve the client certificate generated by the Statefile.
You can retrieve the client certificate by running:
nanocl secret inspect cert.client.nanocl.io
This will output the client certificate and key.
Manual setup
Generate the certificates
You can use the following commands to generate the certificates:
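# -nodes leaves each private key unencrypted on disk; keep ca.key private
# Certificate authority (CA): self-signed, used to sign the server and client certificates
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365 -nodes -subj "/CN=NanoclCA"
# Server key and certificate signing request, then the certificate signed by the CA
openssl req -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj "/CN=*"
openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
# Client key and certificate signing request, then the certificate signed by the same CA
openssl req -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj "/CN=NanoclClient"
openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365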
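A check you can run on the files generated above before moving them into place, given here as an added example that is not part of nanocl or its documentation. It confirms that a certificate chains to ca.crt, that the key matches it, that it is not close to expiry, and that the unencrypted key file is not readable by other users; the function name check_cert_pair and the 30-day default are assumptions of this example.

```shell
#!/bin/sh
# Added example (not nanocl code): sanity-check a certificate/key pair
# before installing it for mutual TLS.
# Usage: check_cert_pair <ca.crt> <cert.crt> <cert.key> [min_days_left]
check_cert_pair() {
    ca=$1 cert=$2 key=$3 min_days=${4:-30}
    rc=0

    # 1. The certificate must chain to the CA that the proxy will trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by $ca" >&2; rc=1
    fi

    # 2. The private key must match the public key inside the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; rc=1
    fi

    # 3. The certificate must stay valid for at least min_days more days.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days" >&2; rc=1
    fi

    # 4. Keys created with -nodes are unencrypted, so the file mode is their
    #    only protection: no permission bits for group or others.
    perms=$(ls -Lld "$key" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group or others (chmod 600 it)" >&2; rc=1
    fi

    return $rc
}

# When run as a script with arguments, check the given files, for example:
#   sh check_certs.sh ca.crt client.crt client.key
if [ "$#" -ge 3 ]; then check_cert_pair "$@"; fi
```

Run it once for server.crt/server.key and once for client.crt/client.key; a non-zero exit status means at least one check failed, and the reasons are printed on stderr.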
Then move the certificates to the correct location on the remote server where nanocl is running:
sudo mkdir -p /var/lib/nanocl/proxy/certs
sudo mv ca.crt /var/lib/nanocl/proxy/certs/nanocl_ca.crt
sudo mv server.crt /var/lib/nanocl/proxy/certs/nanocl_server.crt
sudo mv server.key /var/lib/nanocl/proxy/certs/nanocl_server.key
Apply the ProxyRule
Next you need to apply a ProxyRule to expose the daemon to the internet.
Create a nanocld-proxy.yml file:
Apply the ProxyRule by running:
nanocl apply -s nanocld-proxy.yml
Create the Context
Move your client certificate to the correct location on your host machine:
mkdir -p ~/.nanocl/certs
mv client.crt ~/.nanocl/certs/nanocl_client.crt
mv client.key ~/.nanocl/certs/nanocl_client.key
Finally, you can create the context to switch between the different daemons.
Let's create a my-secure-context.yml file:
Make sure to replace my-remote-server with the actual IP address or domain name of your remote server, and replace my-user with your actual username.
You can import the context by running:
nanocl context from my-secure-context.yml
To switch between contexts, you can use the following command:
nanocl context use my-secure-context
You can also list existing contexts:
nanocl context list
More generally, use the following command to get more information about the context command:
nanocl context --help