Cannot get IP address with nictype=macvlan

vic-t · February 26, 2018, 11:03pm

I’m using Ubuntu Server 16.04 with LXD 2.0.11. This is a fresh install for testing purposes on bare metal.

Following the official guide, I created a container successfully, so there is no general issue with the configuration.

I have not changed the profiles, there are ‘default’ and ‘docker’. The ‘default’ profile is using lxdbr0 which is handing out addresses from a pool that was generated at random, I created container C1 that’s using it and I could connect to it fine.

What I’m trying to achieve now is to create containers that are in the same subnet as my host. From what I could find out so far, there are two ways of achieving that. Either I simply set the nictype to macvlan, or I create a new bridge that I reference in the configuration. Network configuration can be done either on a container directly or using a profile. Any changes in the container will override the profile. As this is just a test on a single container, I decided to do the change on the container directly.

At the moment, I’m stuck with the nictype=macvlan option and hope someone can help me out with this. I did the following on container C1:

$ sudo lxc stop C1
$ sudo lxc config device add C1 eth0 nic nictype=macvlan parent=eno1 ### eno1 being my host nic with a static IP address 'iface eno1 inet static'
$ sudo lxc start C1

In my understanding, C1 should now be getting an IP from my local dhcp server (which is not on the host machine, by the way - I understand that wouldn’t work with macvlan), but it’s not.

What could be the issue? Do I have to somehow manually kickstart the dhcp client in the container or is something else entirely?

simos · February 27, 2018, 10:35am

Hi!

You can make your non-root user account to be a member of the lxd group, and then you can run the lxc commands without sudo.
It is possible that your non-root account is already member of lxd. Run groups to check whether lxd is listed in there.

If you are not member of the lxd group, here is how to add your account to the group,

$ sudo usermod --append --groups lxd myusername
$ logout

When you log in again, your non-root account (let’s say, myusername) will be able to run lxc command without root.

Having said that, the command you have showed is fine. When you restart the container, it should get an IP address from the LAN DHCP server.
To verify,

$ lxc config --expanded show macvlan
architecture: x86_64
...
devices:
  eth0:
    nictype: macvlan
    parent: eno1
    type: nic
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

You do not mention whether the container gets an IP address at all or whether it gets an IP address from LXD’s dnsmasq.
Another potential issue is that, if your host connects to the local network over WiFi (with encryption?), then the WiFi router does not accept more than one MAC address from the same secure connection.
Yet another potential issue is that some LAN routers may take their time in handing out an IP address. Can take 10 or more seconds.

vic-t · February 27, 2018, 10:57am

Thanks for the reply, Simos.

I indeed am already part of the LXD group, so will skip the sudo in the future.

$ lxc config --expanded show C1
architecture: x86_64
config:
[...]
devices:
  eth0:
    nictype: macvlan
    parent: eno1
    type: nic
  root:
    path: /
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

This container is not getting any IP address, at all.

$ lxc list
+-----------+---------+------+------+------------+-----------+
|   NAME    |  STATE  | IPV4 | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+------+------+------------+-----------+
|    C1     | RUNNING |      |      | PERSISTENT | 0         |
+-----------+---------+------+------+------------+-----------+

My host is connected via cable to a WiFi bridge that in turn is connected to the router. I have several devices connected to that WiFi bridge and they all connect fine.

Any other configuration options on the host I might be missing?

stgraber · February 27, 2018, 3:20pm

It may be useful to see:

ifconfig eno1
ls -lh /sys/class/net/eno1/device/

I’ve seen this kind of behavior before and it’s usually either some kind of MAC filtering somewhere or a problem with macvlan support on the underlying NIC.

simos · February 27, 2018, 3:23pm

Can you also post a link to that product?

vic-t · February 27, 2018, 3:48pm

$ ifconfig eno1
eno1      Link encap:Ethernet  HWaddr 3c:a8:2a:a0:b5:f0
          inet addr:192.168.0.99  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::3ea8:2aff:fea0:b5f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:109929 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5865 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15535527 (15.5 MB)  TX bytes:543034 (543.0 KB)
          Interrupt:16

$ ls -lh /sys/class/net/eno1/device
lrwxrwxrwx 1 root root 0 Feb 26 23:17 /sys/class/net/eno1/device -> ../../../0000:03:00.0

vic-t · February 27, 2018, 3:50pm

It’s a ubiquity AP but I’m running OpenWRT on it. I haven’t touched the configuration in years though - it just works.

stgraber · February 27, 2018, 4:05pm

You missed the trailing slash in your ls, I’d like:

ls -lh /sys/class/net/eno1/device/

vic-t · February 27, 2018, 4:13pm

Sorry about that.

$ ls -lh /sys/class/net/eno1/device/
total 0
-rw-r--r-- 1 root root 4.0K Feb 27 17:11 broken_parity_status
-r--r--r-- 1 root root 4.0K Feb 26 23:18 class
-rw-r--r-- 1 root root 4.0K Feb 26 23:17 config
-r--r--r-- 1 root root 4.0K Feb 27 17:11 consistent_dma_mask_bits
-rw-r--r-- 1 root root 4.0K Feb 27 17:11 d3cold_allowed
-r--r--r-- 1 root root 4.0K Feb 26 23:17 device
-r--r--r-- 1 root root 4.0K Feb 27 17:11 dma_mask_bits
lrwxrwxrwx 1 root root    0 Feb 26 23:17 driver -> ../../../../bus/pci/drivers/tg3
-rw-r--r-- 1 root root 4.0K Feb 27 17:11 driver_override
-rw-r--r-- 1 root root 4.0K Feb 27 17:11 enable
-r--r--r-- 1 root root 4.0K Feb 26 23:17 index
-r--r--r-- 1 root root 4.0K Feb 27 17:11 irq
-r--r--r-- 1 root root 4.0K Feb 26 23:17 label
-r--r--r-- 1 root root 4.0K Feb 27 17:11 local_cpulist
-r--r--r-- 1 root root 4.0K Feb 26 23:18 local_cpus
-r--r--r-- 1 root root 4.0K Feb 27 17:11 modalias
-rw-r--r-- 1 root root 4.0K Feb 27 17:11 msi_bus
drwxr-xr-x 2 root root    0 Feb 26 23:18 msi_irqs
drwxr-xr-x 3 root root    0 Feb 26 23:17 net
-rw-r--r-- 1 root root 4.0K Feb 26 23:18 numa_node
drwxr-xr-x 2 root root    0 Feb 27 17:11 power
drwxr-xr-x 3 root root    0 Feb 26 23:17 ptp
--w--w---- 1 root root 4.0K Feb 27 17:11 remove
--w--w---- 1 root root 4.0K Feb 27 17:11 rescan
--w------- 1 root root 4.0K Feb 27 17:11 reset
-r--r--r-- 1 root root 4.0K Feb 27 17:11 resource
-rw------- 1 root root  64K Feb 27 17:11 resource0
-rw------- 1 root root  64K Feb 27 17:11 resource0_wc
-rw------- 1 root root  64K Feb 27 17:11 resource2
-rw------- 1 root root  64K Feb 27 17:11 resource2_wc
-rw------- 1 root root  64K Feb 27 17:11 resource4
-rw------- 1 root root  64K Feb 27 17:11 resource4_wc
-rw------- 1 root root 128K Feb 27 17:11 rom
lrwxrwxrwx 1 root root    0 Feb 26 23:17 subsystem -> ../../../../bus/pci
-r--r--r-- 1 root root 4.0K Feb 26 23:18 subsystem_device
-r--r--r-- 1 root root 4.0K Feb 26 23:18 subsystem_vendor
-rw-r--r-- 1 root root 4.0K Feb 26 23:17 uevent
-r--r--r-- 1 root root 4.0K Feb 26 23:17 vendor
-rw------- 1 root root  32K Feb 27 17:11 vpd

stgraber · February 28, 2018, 3:37am

I don’t know how well macvlan works with the tg3 (broadcom?) wired driver and it’s not super easy to check because of the way macvlan works… The easiest way to see what’s going on would be to run tcpdump on that wireless bridge to see whether any packet from the container actually makes it out of your server’s NIC.

tcpdump on the server itself is useless as traffic from a macvlan won’t show up when dumping its parent…

vic-t · March 9, 2018, 10:12pm

Sorry for the late reply, I had to choose the right moment to break open my wifi gateway when I wouldn’t depend on it. And it then took me quite a while to understand how to navigate and configure OpenWRT. I set it up more than 3 years ago and never again had another look.

As I can now confirm, the problem is with the gateway. It’s not properly relaying dhcp messages even though it seems correctly configured. So, the lxc container indeed sends out a dhcp discover message and the server returns an offer but that offer gets stuck at the gateway.

So my issue has nothing to do with macvlan being the nictype. If my gateway would properly relay the broadcasted messages, it would work.

I hope it’s ok if I ask a follow up question. Now that it became clear that I cannot use my dhcp server to assign static leases, is there another, maybe more direct way that I could give lxc containers static IPs in the same subnet as the host? It was easily possible using lxc1 but I can’t seem to find a straightforward way of doing it with lxd.

stgraber · March 10, 2018, 11:15pm

The preferred way to feed the static IP configuration to the container is using cloud-init’s network-config which can be passed through the user.network-config LXD config key.

This does assume a cloud-init enabled image though, like ubuntu:16.04 for example.

Another option is to use raw.lxc to set the ipv4/ipv6 config directly on the container’s interface, but that’s not something we usually recommend as not all distros deal too well with such pre-configured networking.