Attach LXD container to VLAN

Hi all,

I was trying to attach an LXD container to a VLAN. In order to do this I have created the VLAN interface over the physical one, then added this interface to a Linux bridge and attached the container to the Linux bridge.
I made up a script to do this:

#!/usr/bin/env bash
# Usage: ./vlan-test.sh PARENT_IFACE VLAN_ID CONTAINER_IP
# CONTAINER_IP is passed verbatim to ifconfig inside the container.
[ "$#" -eq 3 ] || { echo "usage: $0 PARENT_IFACE VLAN_ID CONTAINER_IP" >&2; exit 1; }

# 802.1Q sub-interface on the physical NIC, tagged with the VLAN id
sudo ip link add link "$1" name "$1.$2" type vlan id "$2"
# Linux bridge that the container's veth will be attached to
sudo ip link add "vnet$2" type bridge

sudo ip link set "vnet$2" up
sudo ip link set "$1.$2" up

# Enslave the VLAN sub-interface to the bridge
sudo ip link set dev "$1.$2" master "vnet$2"

# Profile derived from default, with eth0 bridged onto vnet$2 instead of the default bridge
lxc profile copy default "vlan$2"
lxc profile device set "vlan$2" eth0 parent "vnet$2"

lxc launch images:alpine/edge testc -p "vlan$2"
sleep 3   # give the container a moment to boot before configuring eth0
lxc exec testc -- ifconfig eth0 $3   # $3 left unquoted on purpose: ifconfig may take several words

read -n 1 -s -r -p "Press any key to destroy..."
echo

# Tear everything down again
lxc stop testc
lxc delete testc
lxc profile delete "vlan$2"
sudo ip link del "vnet$2"
sudo ip link del "$1.$2"

The setup follows this figure

I'm unable to ping the container from the second server. It's worth saying that if I just use the VLAN without LXD (meaning the two servers using VID 2) they can reach each other.
Any suggestion?
Maybe I have to configure something in the profile?

Interestingly enough, when I do this and tell lxc to use vnet11, it says it doesn't exist, but it shows in ip a. Looking into this.

Hi,

How does your Alpine LXD container get an IP address? Is there a DHCP server in your VLAN somewhere?

Thanks
Tom

Hi,

For that particular test I was setting the IP address manually using lxc exec testc -- ifconfig eth0 $3

You think that this can be an issue?

@gabrik I don't think you provided the value of $3.

However, assuming it's a static IP and subnet, I suggest you perform some network diagnostics using the tcpdump command at various places to check where the packets are dropping out, and report back here.

I would also suggest you spin up a 2nd container on the host’s bridge and check they can communicate with each other locally before exploring the wider cross-host communication.

You’d want to check that ICMP ping packets are arriving at the host’s physical interface (and that ARP resolution has succeeded).

I suggest running tcpdump -nn -i {interface} host {container IP} at various places on your 2 hosts to see where the problem is.
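Before reaching for tcpdump, it is worth confirming that the parent -> VLAN sub-interface -> bridge chain built by the script above is actually wired the way it should be. The check below is an added example, not code from the thread or from LXD: it parses the output of `ip -d -o link show` (the sample embedded here is constructed) and reports a missing bridge, a wrong 802.1Q id, or a sub-interface that was never enslaved to the bridge.

```shell
#!/usr/bin/env bash
# Wiring check for the parent -> VLAN sub-interface -> bridge chain.
# Assumes the one-device-per-line format of `ip -d -o link show`.
set -u

# check_vlan_bridge_wiring PARENT VID BRIDGE  < output-of-ip-d-o-link-show
# Prints one finding per line; returns 0 only when every check passes.
check_vlan_bridge_wiring() {
  local parent=$1 vid=$2 bridge=$3 sub="$1.$2" rc=0 all line sub_re
  all=$(cat)
  sub_re=$(printf '%s' "$sub" | sed 's/\./\\./g')   # escape the dot in eth0.2

  # 1. the bridge must exist and be administratively up
  line=$(printf '%s\n' "$all" | grep -E "^[0-9]+: ${bridge}: ") \
    || { echo "FAIL: bridge $bridge does not exist"; return 1; }
  printf '%s\n' "$line" | grep -q ' state UP ' || { echo "FAIL: $bridge is not UP"; rc=1; }

  # 2. the VLAN sub-interface must exist on the parent, carry the right id, and be up
  line=$(printf '%s\n' "$all" | grep -E "^[0-9]+: ${sub_re}@${parent}: ") \
    || { echo "FAIL: $sub not found on $parent"; return 1; }
  printf '%s\n' "$line" | grep -qE "vlan protocol 802\.1Q id ${vid}( |$)" \
    || { echo "FAIL: $sub does not carry VLAN id $vid"; rc=1; }
  printf '%s\n' "$line" | grep -q ' state UP ' || { echo "FAIL: $sub is not UP"; rc=1; }

  # 3. the sub-interface must be a port of the bridge, not left standalone
  printf '%s\n' "$line" | grep -q " master ${bridge} " \
    || { echo "FAIL: $sub is not a port of $bridge"; rc=1; }

  [ "$rc" -eq 0 ] && echo "OK: $parent -> $sub (vid $vid) -> $bridge"
  return "$rc"
}

# Constructed sample resembling `ip -d -o link show` after the script ran with eth0 and VID 2
SAMPLE_OK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 addrgenmode eui64
4: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 0 bridge forward_delay 1500 hello_time 200 max_age 2000 stp_state 0 vlan_filtering 0 vlan_protocol 802.1Q
5: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vnet2 state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 vlan protocol 802.1Q id 2 <REORDER_HDR> addrgenmode eui64'

# Live use:  ip -d -o link show | ./check_wiring.sh eth0 2 vnet2
# Without arguments the constructed sample is checked instead.
if [ "$#" -eq 3 ]; then
  check_vlan_bridge_wiring "$1" "$2" "$3"
else
  printf '%s\n' "$SAMPLE_OK" | check_vlan_bridge_wiring eth0 2 vnet2
fi
```

Run it on both hosts; a clean "OK" line on each narrows the problem to the frames themselves, which is where the tcpdump sweep takes over.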

Thanks @tomp

I will set up a new experiment and do another check with tcpdump on the various interfaces, also using another container on the same host.

From what I remember of that setup, for some reason the ARP packets were dropped by the vnet2 bridge.
So neither the physical host nor the container were able to get the MAC address to send the ICMP ping.