Container can't ping to gateway

Anousack_SYHAVONG · November 3, 2020, 2:53am

Dear,

I have a problem with networking in my container
in my lxd can ping and access but container can’t
but i try to ping container with own container gateway it show Destination Host Unreachable

but i can ping these 2 server
hope you can find solution for me

thank
anousack

tomp · November 4, 2020, 9:14am

Please can you show the output of the following commands on your LXD server:

lxc network ls
ip a
ip r

And inside the container:

ip a
ip r

Anousack_SYHAVONG · November 4, 2020, 9:36am

LXD server:

Anousack_SYHAVONG · November 4, 2020, 9:37am

And inside the container:

tomp · November 4, 2020, 10:04am

Also the output of lxc config show <container> --expanded please

Anousack_SYHAVONG · November 4, 2020, 10:12am

tomp · November 4, 2020, 10:13am

You missed the expanded argument.

tomp · November 4, 2020, 10:13am

Ah there it is now

tomp · November 4, 2020, 10:15am

OK so your container is using macvlan NIC type to connect it to the ens3 interface on the host.

Macvlan NICs do not allow the LXD host and the container to communicate by design.

Can you advise what ping command you are running inside the container precisely that isn’t working.

Anousack_SYHAVONG · November 4, 2020, 10:19am

Here i try to ping to it’s gateway but it still can’t ping

can you suggest me how to fix or use another solution to communicate host and container ?

tomp · November 4, 2020, 11:07am

My suspicion would be a firewall on the LXD host blocking outbound traffic.

Can you show output of iptables-save

Anousack_SYHAVONG · November 5, 2020, 12:54am

This my lxd

Anousack_SYHAVONG · November 5, 2020, 12:55am

This my container

tomp · November 5, 2020, 4:34pm

OK so no firewall.

What happens if you run sudo tcpdump -i ens3 -n icmp on the lxd host and then try pinging the gateway in the container, do you see the packets leaving the interface?

Anousack_SYHAVONG · November 9, 2020, 1:45am

sorry for late reply
i try to run “tcpdump -i ens3 -n icmp” on lxd host it show

and still can’t ping to gateway

tomp · November 9, 2020, 2:11pm

This is strange. What is the host OS?

Anousack_SYHAVONG · November 10, 2020, 1:13am

It’s ubuntu

tomp · November 10, 2020, 2:01pm

So here’s an example of what I’d expect to see:

In one window/terminal:

lxc init images:ubuntu/focal ctest
lxc config device add ctest eth0 nic nictype=macvlan parent=ens3
lxc start ctest
lxc exec ctest -- ping 192.168.1.2

At the same time in a separate window:

sudo tcpdump -i ens3 icmp -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:58:15.750337 IP 192.168.1.115 > 192.168.1.2: ICMP echo request, id 85, seq 1, length 64
13:58:15.750612 IP 192.168.1.2 > 192.168.1.115: ICMP echo reply, id 85, seq 1, length 64
13:58:16.782231 IP 192.168.1.115 > 192.168.1.2: ICMP echo request, id 85, seq 2, length 64
13:58:16.782505 IP 192.168.1.2 > 192.168.1.115: ICMP echo reply, id 85, seq 2, length 64
13:58:17.806236 IP 192.168.1.115 > 192.168.1.2: ICMP echo request, id 85, seq 3, length 64
13:58:17.806541 IP 192.168.1.2 > 192.168.1.115: ICMP echo reply, id 85, seq 3, length 64

Assuming you did something like that, if its not working it suggests ARP resolution for the gateway IP is not working.

Is your LXD host a virtual machine (I ask because your hostname mentions ovirt)?

If so, have you checked that your physical host is allowing your VM guest to use multiple MAC addresses? As if not, then the traffic from the macvlan interface (that will have a different MAC address than your LXD host) may be being filtered out.