Cannot download some files from the Internet to a container

Hello! Please help me.

I cannot download some files from the Internet to the container.

  1. I can download the following file from a container; the download is OK:
lxc exec jupyter -- wget https://hsto.org/r/w1560/webt/l8/3u/km/l83ukmshtxtanhyi4src9hmnqkm.png
Connecting to hsto.org (188.114.99.192:443)
saving to 'l83ukmshtxtanhyi4src9hmnqkm.png'
l83ukmshtxtanhyi4src 100% |*****************************************************************************************************************| 19734  0:00:00 ETA
'l83ukmshtxtanhyi4src9hmnqkm.png' saved
  2. I cannot download this file from a container:
lxc exec jupyter -- wget https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
Connecting to dl-cdn.alpinelinux.org (151.101.86.133:443)

Log file on the host system:

sudo tail -n3 -f /var/log/lxd/jupyter/lxc.log
/src/lxc/attach.c:get_attach_context:477 - No security context received

No security context received - What does it mean?

However, I can download the file from the host system:

wget https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
--2022-09-13 10:01:24--  https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving dl-cdn.alpinelinux.org (dl-cdn.alpinelinux.org)... 151.101.86.133, 2a04:4e42:14::645
Connecting to dl-cdn.alpinelinux.org (dl-cdn.alpinelinux.org)|151.101.86.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 655179 (640K) [application/octet-stream]
Saving to: ‘APKINDEX.tar.gz’

APKINDEX.tar.gz                          100%[===============================================================================>] 639,82K  --.-KB/s    in 0,1s    

2022-09-13 10:01:29 (4,81 MB/s) - ‘APKINDEX.tar.gz’ saved [655179/655179]

Can you do lxc exec jupyter -- ping 151.101.86.133?

Ping doesn’t have trouble:

lxc exec jupyter -- ping 151.101.86.133
PING 151.101.86.133 (151.101.86.133): 56 data bytes
64 bytes from 151.101.86.133: seq=0 ttl=59 time=24.214 ms
64 bytes from 151.101.86.133: seq=1 ttl=59 time=24.323 ms
64 bytes from 151.101.86.133: seq=2 ttl=59 time=24.349 ms
^C
--- 151.101.86.133 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 24.214/24.295/24.349 ms

Please show lxc config show <instance> --expanded and the output of ip a and ip r from both the LXD host and inside the container. Thanks

$ lxc config show jupyter --expanded
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Alpine 3.16 amd64 (20220912_13:01)
  image.os: Alpine
  image.release: "3.16"
  image.requirements.secureboot: "false"
  image.serial: "20220912_13:01"
  image.type: squashfs
  image.variant: default
  volatile.base_image: d5a4e7b523f1e2ba509124bcfbef0eba7fbbc6d46da0f082c355447d162cb9c5
  volatile.cloud-init.instance-id: e1cb408e-3bdd-4f1c-ad89-b9109fbb3a79
  volatile.eth0.host_name: vethb5bc917d
  volatile.eth0.hwaddr: 00:16:3e:2d:ef:89
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":65536}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 52a038df-cc73-45ab-b3fe-2ca886f9271f
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  root:
    path: /
    pool: ssdpool
    type: disk
ephemeral: false
profiles:
- default
- ssdroot
stateful: false
description: ""

from host

[dv@manjaro ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether bc:ee:7b:5a:6b:44 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
4: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:37:58:f0 brd ff:ff:ff:ff:ff:ff
    inet 10.0.5.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
6: vethb5bc917d@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether 86:1b:ed:9f:4d:f7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
10: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp 
    inet 188.164.160.199 peer 188.164.163.254/32 scope global ppp0
       valid_lft forever preferred_lft forever
    inet6 fe80::580e:80e3:4342:fa0e/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

[dv@manjaro ~]$ ip r
default via 188.164.163.254 dev ppp0 proto static metric 101 
10.0.5.0/24 dev lxdbr0 proto kernel scope link src 10.0.5.1 
188.164.163.254 dev ppp0 proto kernel scope link src 188.164.160.199 
188.164.163.254 dev ppp0 proto kernel scope link src 188.164.160.199 metric 101

from the container:

[dv@manjaro ~]$ lxc exec jupyter -- ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:16:3e:2d:ef:89 brd ff:ff:ff:ff:ff:ff
    inet 10.0.5.68/24 brd 10.0.5.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe2d:ef89/64 scope link 
       valid_lft forever preferred_lft forever

[dv@manjaro ~]$ lxc exec jupyter -- ip r
default via 10.0.5.1 dev eth0  metric 205 
10.0.5.0/24 dev eth0 scope link  src 10.0.5.68

OK thanks.

So now please run sudo tcpdump -i lxdbr0 -nn host 10.0.5.68 on the LXD host and then retry the failing connection and then please show what you get?

Thanks

Ok. No problem.

[dv@manjaro ~]$ lxc exec jupyter -- wget -S https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
Connecting to dl-cdn.alpinelinux.org (151.101.86.133:443)

TCP Dump:

[dv@manjaro ~]$ sudo tcpdump -i lxdbr0 -nn host 10.0.5.68
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lxdbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:27:51.561357 IP 10.0.5.68.53785 > 10.0.5.1.53: 29990+ A? dl-cdn.alpinelinux.org. (40)
15:27:51.561392 IP 10.0.5.68.53785 > 10.0.5.1.53: 30198+ AAAA? dl-cdn.alpinelinux.org. (40)
15:27:51.735559 IP 10.0.5.1.53 > 10.0.5.68.53785: 29990 2/4/4 CNAME dualstack.d.sni.global.fastly.net., A 151.101.86.133 (239)
15:27:51.736131 IP 10.0.5.1.53 > 10.0.5.68.53785: 30198 2/4/4 CNAME dualstack.d.sni.global.fastly.net., AAAA 2a04:4e42:14::645 (251)
15:27:51.736230 IP 10.0.5.68.48238 > 151.101.86.133.443: Flags [S], seq 3726525161, win 64240, options [mss 1460,sackOK,TS val 3865243230 ecr 0,nop,wscale 7], length 0
15:27:51.760396 IP 151.101.86.133.443 > 10.0.5.68.48238: Flags [S.], seq 1751475093, ack 3726525162, win 65535, options [mss 1460,sackOK,TS val 638934573 ecr 3865243230,nop,wscale 9], length 0
15:27:51.760421 IP 10.0.5.68.48238 > 151.101.86.133.443: Flags [.], ack 1, win 502, options [nop,nop,TS val 3865243254 ecr 638934573], length 0
15:27:51.772056 IP 10.0.5.68.48238 > 151.101.86.133.443: Flags [P.], seq 1:325, ack 1, win 502, options [nop,nop,TS val 3865243266 ecr 638934573], length 324
15:27:51.796226 IP 151.101.86.133.443 > 10.0.5.68.48238: Flags [.], ack 325, win 285, options [nop,nop,TS val 638934608 ecr 3865243266], length 0
15:27:51.798532 IP 151.101.86.133.443 > 10.0.5.68.48238: Flags [P.], seq 4333:4429, ack 325, win 285, options [nop,nop,TS val 638934611 ecr 3865243266], length 96
15:27:51.798539 IP 10.0.5.68.48238 > 151.101.86.133.443: Flags [.], ack 1, win 502, options [nop,nop,TS val 3865243292 ecr 638934608,nop,nop,sack 1 {4333:4429}], length 0
15:27:56.823742 ARP, Request who-has 10.0.5.68 tell 10.0.5.1, length 28
15:27:56.823822 ARP, Reply 10.0.5.68 is-at 00:16:3e:2d:ef:89, length 28
15:28:51.795449 IP 151.101.86.133.443 > 10.0.5.68.48238: Flags [F.], seq 4429, ack 325, win 285, options [nop,nop,TS val 638994608 ecr 3865243292], length 0
15:28:51.795466 IP 10.0.5.68.48238 > 151.101.86.133.443: Flags [.], ack 1, win 502, options [nop,nop,TS val 3865303289 ecr 638934608,nop,nop,sack 1 {4333:4430}], length 0
15:28:56.983703 ARP, Request who-has 10.0.5.68 tell 10.0.5.1, length 28
15:28:56.983695 ARP, Request who-has 10.0.5.1 tell 10.0.5.68, length 28
15:28:56.983732 ARP, Reply 10.0.5.1 is-at 00:16:3e:37:58:f0, length 28
15:28:56.983735 ARP, Reply 10.0.5.68 is-at 00:16:3e:2d:ef:89, length 28

I’m wondering if this is a MTU issue as it looks like you’ve got a ppp connection with an 1492 MTU on the internet interface.

Can you try doing lxc network set lxdbr0 bridge.mtu=1492 and then restart the container and see if that helps?


It doesn’t help. The connection hangs:

[dv@manjaro ~]$ sudo tcpdump -i lxdbr0 -nn host 10.0.5.68
[sudo] password for dv:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lxdbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:44:44.633247 IP 10.0.5.68.35994 > 10.0.5.1.53: 16626+ A? dl-cdn.alpinelinux.org. (40)
16:44:44.633266 IP 10.0.5.68.35994 > 10.0.5.1.53: 16840+ AAAA? dl-cdn.alpinelinux.org. (40)
16:44:44.916578 ARP, Request who-has 10.0.5.68 tell 10.0.5.1, length 28
16:44:44.916591 ARP, Reply 10.0.5.68 is-at 00:16:3e:2d:ef:89, length 28
16:44:44.916593 IP 10.0.5.1.53 > 10.0.5.68.35994: 16840 2/4/4 CNAME dualstack.d.sni.global.fastly.net., AAAA 2a04:4e42:14::645 (251)
16:44:45.010200 IP 10.0.5.1.53 > 10.0.5.68.35994: 16626 2/4/4 CNAME dualstack.d.sni.global.fastly.net., A 151.101.86.133 (239)
16:44:45.010471 IP 10.0.5.68.55806 > 151.101.86.133.443: Flags [S], seq 2130057972, win 64240, options [mss 1460,sackOK,TS val 2541722918 ecr 0,nop,wscale 7], length 0
16:44:45.034687 IP 151.101.86.133.443 > 10.0.5.68.55806: Flags [S.], seq 3897295795, ack 2130057973, win 65535, options [mss 1460,sackOK,TS val 3498623582 ecr 2541722918,nop,wscale 9], length 0
16:44:45.034707 IP 10.0.5.68.55806 > 151.101.86.133.443: Flags [.], ack 1, win 502, options [nop,nop,TS val 2541722943 ecr 3498623582], length 0
16:44:45.045541 IP 10.0.5.68.55806 > 151.101.86.133.443: Flags [P.], seq 1:325, ack 1, win 502, options [nop,nop,TS val 2541722953 ecr 3498623582], length 324
16:44:45.069743 IP 151.101.86.133.443 > 10.0.5.68.55806: Flags [.], ack 325, win 285, options [nop,nop,TS val 3498623617 ecr 2541722953], length 0
16:44:45.074388 IP 151.101.86.133.443 > 10.0.5.68.55806: Flags [P.], seq 4333:4429, ack 325, win 285, options [nop,nop,TS val 3498623621 ecr 2541722953], length 96
16:44:45.074400 IP 10.0.5.68.55806 > 151.101.86.133.443: Flags [.], ack 1, win 502, options [nop,nop,TS val 2541722982 ecr 3498623617,nop,nop,sack 1 {4333:4429}], length 0

For example:

[dv@manjaro ~]$ lxc exec jupyter -- wget -T20 https://hsto.org/r/w1560/webt/l8/3u/km/l83ukmshtxtanhyi4src9hmnqkm.png
Connecting to hsto.org (188.114.99.192:443)
saving to 'l83ukmshtxtanhyi4src9hmnqkm.png'
l83ukmshtxtanhyi4src 100% |***************************************************************************************| 19734  0:00:00 ETA
'l83ukmshtxtanhyi4src9hmnqkm.png' saved

[dv@manjaro ~]$ sudo tcpdump -i lxdbr0 -nn host 10.0.5.68
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lxdbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:48:36.046851 IP 10.0.5.68.59919 > 10.0.5.1.53: 31083+ A? hsto.org. (26)
16:48:36.046872 IP 10.0.5.68.59919 > 10.0.5.1.53: 31253+ AAAA? hsto.org. (26)
16:48:36.046902 IP 10.0.5.1.53 > 10.0.5.68.59919: 31083 2/0/0 A 188.114.99.192, A 188.114.98.192 (58)
16:48:36.046923 IP 10.0.5.1.53 > 10.0.5.68.59919: 31253 2/0/0 AAAA 2a06:98c1:3122:c000::, AAAA 2a06:98c1:3123:c000:: (82)
16:48:36.047028 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [S], seq 3368761456, win 64240, options [mss 1460,sackOK,TS val 2871918000 ecr 0,nop,wscale 7], length 0
16:48:36.049368 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [S.], seq 250287147, ack 3368761457, win 64240, options [mss 1400,nop,nop,sackOK,nop,wscale 13], length 0
16:48:36.049386 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 1, win 502, length 0
16:48:36.059335 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [P.], seq 1:311, ack 1, win 502, length 310
16:48:36.061729 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], ack 311, win 8, length 0
16:48:36.087061 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 1461:2622, ack 311, win 8, length 1161
16:48:36.087072 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 1, win 502, options [nop,nop,sack 1 {1461:2622}], length 0
16:48:36.089060 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], seq 1:1453, ack 311, win 8, length 1452
16:48:36.089063 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 1453:2622, ack 311, win 8, length 1169
16:48:36.089073 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 1453, win 495, options [nop,nop,sack 1 {1461:2622}], length 0
16:48:36.089078 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 2622, win 496, options [nop,nop,sack 1 {1461:2622}], length 0
16:48:36.089840 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [P.], seq 311:391, ack 2622, win 501, length 80
16:48:36.094219 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], ack 391, win 8, length 0
16:48:36.094232 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [P.], seq 391:537, ack 2622, win 501, length 146
16:48:36.097386 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], ack 537, win 8, length 0
16:48:36.107038 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], seq 2622:4074, ack 537, win 8, length 1452
16:48:36.107041 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 4074:4463, ack 537, win 8, length 389
16:48:36.107075 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 4463, win 496, length 0
16:48:36.107289 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], seq 4463:5915, ack 537, win 8, length 1452
16:48:36.107293 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 5915:7245, ack 537, win 8, length 1330
16:48:36.107300 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 7245, win 496, length 0
16:48:36.107528 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 7245:8636, ack 537, win 8, length 1391
16:48:36.107532 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], seq 8636:10088, ack 537, win 8, length 1452
16:48:36.107539 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 10088, win 496, length 0
16:48:36.107790 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 10088:11418, ack 537, win 8, length 1330
16:48:36.107794 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 11418:12809, ack 537, win 8, length 1391
16:48:36.107800 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 12809, win 496, length 0
16:48:36.108039 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], seq 12809:14261, ack 537, win 8, length 1452
16:48:36.108043 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 14261:15591, ack 537, win 8, length 1330
16:48:36.108045 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], seq 15591:17043, ack 537, win 8, length 1452
16:48:36.108052 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 15591, win 496, length 0
16:48:36.108288 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 17043:18373, ack 537, win 8, length 1330
16:48:36.108291 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 18373:19764, ack 537, win 8, length 1391
16:48:36.108298 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 18373, win 501, length 0
16:48:36.108538 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], seq 19764:21216, ack 537, win 8, length 1452
16:48:36.108541 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 21216:22546, ack 537, win 8, length 1330
16:48:36.108548 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 21216, win 501, length 0
16:48:36.108789 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [P.], seq 22546:23828, ack 537, win 8, length 1282
16:48:36.108791 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [F.], seq 23828, ack 537, win 8, length 0
16:48:36.108799 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [.], ack 23828, win 501, length 0
16:48:36.109253 IP 10.0.5.68.50412 > 188.114.99.192.443: Flags [F.], seq 537, ack 23829, win 501, length 0
16:48:36.111943 IP 188.114.99.192.443 > 10.0.5.68.50412: Flags [.], ack 538, win 8, length 0
^C
46 packets captured
46 packets received by filter
0 packets dropped by kernel

Please show ip a inside the container again.

I’m sorry… I didn’t restart the container after changing the MTU. Now it works!

[dv@manjaro ~]$ lxc exec jupyter -- wget -T20 https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
Connecting to dl-cdn.alpinelinux.org (151.101.86.133:443)
saving to 'APKINDEX.tar.gz'
APKINDEX.tar.gz      100% |***************************************************************************************|  640k  0:00:00 ETA
'APKINDEX.tar.gz' saved
[dv@manjaro ~]$ lxc exec jupyter -- ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1492 qdisc noqueue state UP qlen 1000
    link/ether 00:16:3e:2d:ef:89 brd ff:ff:ff:ff:ff:ff
    inet 10.0.5.68/24 brd 10.0.5.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe2d:ef89/64 scope link 
       valid_lft forever preferred_lft forever

I didn’t understand the problem, but thanks for solving it!


The TCP MSS being used from inside the container will be based on the MTU size of the container’s NIC (1500) and so when the target starts to send data it will not be able to fit down the smaller MTU of your PPP connection (1492).

PMTUD (Path MTU Discovery - Wikipedia) can help to allow the sender to detect this, but it’s commonly broken by firewalls along the path.

Also you could have solved this problem by adding a firewall rule on your LXD host that clamps the outbound TCP connections to the MSS suitable for your external PPP interface.

See Circumventing Path MTU Discovery issues with MSS Clamping (for ADSL, cable, PPPoE & PPtP users)

But that would only help with TCP packets, and not outgoing UDP ones (such as larger DNS packets).
So by setting the LXD bridge’s MTU to match the external interface’s MTU it means that your containers are aligned with the MTU of the internet connection and won’t try to send packets too large or indicate to the far side that it can receive packets larger than it can.
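The symptom described above can be checked mechanically against a tcpdump capture. This is an added example, not part of the original posts: the function name `find_pmtud_blackhole` is hypothetical, the sample lines are abridged from the first failing capture in this thread, and it assumes a single TCP connection over IPv4 with 40 bytes of IP and TCP headers.

```python
import re

# Abridged from the first failing tcpdump capture in this thread
# (container 10.0.5.68, host PPP interface MTU 1492).
CAPTURE = """\
15:27:51.736230 IP 10.0.5.68.48238 > 151.101.86.133.443: Flags [S], seq 3726525161, win 64240, options [mss 1460,sackOK,TS val 3865243230 ecr 0,nop,wscale 7], length 0
15:27:51.760396 IP 151.101.86.133.443 > 10.0.5.68.48238: Flags [S.], seq 1751475093, ack 3726525162, win 65535, options [mss 1460,sackOK,TS val 638934573 ecr 3865243230,nop,wscale 9], length 0
15:27:51.772056 IP 10.0.5.68.48238 > 151.101.86.133.443: Flags [P.], seq 1:325, ack 1, win 502, options [nop,nop,TS val 3865243266 ecr 638934573], length 324
15:27:51.798532 IP 151.101.86.133.443 > 10.0.5.68.48238: Flags [P.], seq 4333:4429, ack 325, win 285, options [nop,nop,TS val 638934611 ecr 3865243266], length 96
15:27:51.798539 IP 10.0.5.68.48238 > 151.101.86.133.443: Flags [.], ack 1, win 502, options [nop,nop,TS val 3865243292 ecr 638934608,nop,nop,sack 1 {4333:4429}], length 0
"""

PKT = re.compile(r"IP (?P<src>\S+)\.\d+ > \S+\.\d+: Flags \[(?P<flags>[^\]]*)\],(?P<rest>.*)")
IP_TCP_HEADERS = 40  # assumption: 20-byte IPv4 header + 20-byte TCP header


def find_pmtud_blackhole(capture, local_ip, path_mtu):
    """Flag a one-connection capture where a receive gap is never filled."""
    adv_mss, hole = None, None
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m or m.group("src") != local_ip:
            continue  # only the local host's SYN and ACKs are needed
        rest = m.group("rest")
        if "S" in m.group("flags"):
            mss = re.search(r"mss (\d+)", rest)
            adv_mss, hole = (int(mss.group(1)) if mss else None), None
            continue
        ack = re.search(r"\back (\d+)", rest)
        if not ack:
            continue
        ack_no = int(ack.group(1))
        # A SACK block above the cumulative ACK means later data arrived
        # while earlier bytes of the stream are still missing.
        above = [int(a) for a, _ in re.findall(r"\{(\d+):(\d+)\}", rest) if int(a) > ack_no]
        if above:
            hole = (ack_no, min(above))
        elif hole and ack_no >= hole[1]:
            hole = None  # a later ACK covers the gap, so it was filled
    # The advertised MSS invites packets of MSS + 40 bytes toward this host.
    oversize = adv_mss is not None and adv_mss + IP_TCP_HEADERS > path_mtu
    return {
        "advertised_mss": adv_mss,
        "unfilled_hole": hole,
        "suspected": bool(oversize and hole),
        "mss_for_path": path_mtu - IP_TCP_HEADERS,
    }


if __name__ == "__main__":
    print(find_pmtud_blackhole(CAPTURE, "10.0.5.68", 1492))
```

For the capture above the result reports an advertised MSS of 1460, an unfilled gap between sequence 1 and 4333, and 1452 as the MSS that fits a 1492-byte path.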

so when the target starts to send data it will not be able to fit down the smaller MTU of your PPP connection (1492)

Mmm… Exactly. Now I understand the issue. Thank you very much!


It may be that the reason other download locations worked was either that they hadn’t broken PMTUD or that they themselves were sending packets smaller than 1492 and could fit.

But before, there was no such issue. MTU=1492 was set a very long time ago and I used containers without any issue.