Container does not receive an IP address

Hi!

I installed LXD on Fedora via snap.
Version:

$ lxc --version
4.6
$ lxd --version
4.6

Container running, but doesn't get an IP address:

$ lxc list
+----------------+---------+------+------+-----------+-----------+
|      NAME      |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+----------------+---------+------+------+-----------+-----------+
| choice-horse   | RUNNING |      |      | CONTAINER | 0         |
+----------------+---------+------+------+-----------+-----------+
| expert-grouper | RUNNING |      |      | CONTAINER | 0         |
+----------------+---------+------+------+-----------+-----------+

Config:

$ lxc profile show default 
config: {}
description: Default LXD profile
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: default
used_by:
- /1.0/instances/choice-horse
- /1.0/instances/expert-grouper

----

$ lxc network show lxdbr0 
config:
  ipv4.address: 10.53.171.1/24
  ipv4.nat: "true"
  ipv6.address: none
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/choice-horse
- /1.0/instances/expert-grouper
- /1.0/profiles/default
managed: true
status: Created
locations:
- none

----

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d4:5d:64:b2:c2:52 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.178.48/24 brd 192.168.178.255 scope global dynamic noprefixroute eno1
       valid_lft 850548sec preferred_lft 850548sec
    inet6 2a02:8108:9640:1ef4:713a:1e03:d317:220d/64 scope global dynamic noprefixroute 
       valid_lft 4735sec preferred_lft 2035sec
    inet6 fe80::40ca:8ab5:b826:4377/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
14: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:67:68:a1 brd ff:ff:ff:ff:ff:ff
    inet 10.53.171.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe67:68a1/64 scope link 
       valid_lft forever preferred_lft forever
16: vetha00e8df8@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether a2:c7:c5:b5:96:c5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
18: veth5a339cf8@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether ce:9c:af:11:0a:38 brd ff:ff:ff:ff:ff:ff link-netnsid 2

dnsmasq is running.
I installed a second system with Fedora and it is working there, but I didn’t see a difference.
Does anyone have an idea?

:thinking: Not sure, but the first thing I remembered was this “bug”:
https://wiki.archlinux.org/index.php/LXD#No_IPv4_with_systemd-networkd
But it should be fixed.

Thanks for the tip, but it didn’t fix it. :confused:

Do you have firewalls?

Docker for example sometimes sets up rules that might interfere with LXD.

I installed the Fedora Server Edition, and firewalld was installed there. I removed it, but it made no difference. I also found no other services that could cause this.
The other server was preinstalled (I guess) as a Minimal Install. I have now also installed the right server as minimal.

That also makes no difference.
The only difference I see is the different network port name (eno1 / eth0).

Things to check:

  • Is dnsmasq listening on DHCP ports on your bridge (normally lxdbr0)? Check using sudo ss -ulpn | grep dnsmasq
  • Is Docker installed? (This is known to add firewall rules which can block access to LXD’s dnsmasq.)
  • What container distro and version are you running?
  • Output of sudo iptables-save or sudo nft list ruleset, depending on which firewall backend you are using.
  • Finally, use sudo tcpdump -nn -i lxdbr0 to check that your container is initiating a DHCP request.
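Added example (not part of any post in this thread): a small triage of `tcpdump -nn -i lxdbr0` output for the last check in the list above. Because tcpdump sees frames arriving on the bridge before netfilter filters them, a container's DHCP requests show up even when a host firewall later rejects them, so "requests but no replies" points at the host side (dnsmasq or firewall), while "no requests" points at the container. The names `triage_dhcp`, `WORKING_CAPTURE` and `FAILING_CAPTURE` are made up for this sketch, and the failing capture is constructed.

```python
import re
from collections import Counter

DHCP_RE = re.compile(r"BOOTP/DHCP, (Reply|Request from ([0-9a-f:]{17}))")

# Lines quoted in this thread from the working server.
WORKING_CAPTURE = """\
13:13:19.533778 IP 10.212.9.1.67 > 10.212.9.214.68: BOOTP/DHCP, Reply, length 310
13:13:19.534763 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:6d:64:ca, length 305
13:13:19.541518 IP 10.212.9.1.67 > 10.212.9.214.68: BOOTP/DHCP, Reply, length 310
13:13:20.767207 ARP, Request who-has 10.212.9.1 tell 10.212.9.214, length 28
13:13:20.767249 ARP, Reply 10.212.9.1 is-at 00:16:3e:91:cd:7b, length 28
"""

# Constructed sample: a container that keeps asking and never gets an answer.
FAILING_CAPTURE = """\
13:06:01.100000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:00:00:01, length 300
13:06:04.300000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:00:00:01, length 300
13:06:09.900000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:00:00:01, length 300
"""

def triage_dhcp(capture):
    """Count DHCP requests (per client MAC), DHCP replies and ARP frames,
    and classify where the lease exchange stops."""
    requests, replies, arp = Counter(), 0, 0
    for line in capture.splitlines():
        m = DHCP_RE.search(line)
        if m and m[1] == "Reply":
            replies += 1
        elif m:
            requests[m[2]] += 1
        elif " ARP, " in line:
            arp += 1
    if replies:
        verdict = "lease-ok"            # server answers on the bridge
    elif requests:
        verdict = "request-unanswered"  # host side: dnsmasq or firewall
    else:
        verdict = "no-request"          # container side: no DHCP client traffic
    return {"requests": dict(requests), "replies": replies,
            "arp": arp, "verdict": verdict}

if __name__ == "__main__":
    for name, cap in (("working", WORKING_CAPTURE), ("failing", FAILING_CAPTURE)):
        print(name, triage_dhcp(cap))
```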

Thanks for the tips - it works now! :slight_smile:
I compared the tcpdump output with the working server.
That’s from the correct server:

13:13:19.533778 IP 10.212.9.1.67 > 10.212.9.214.68: BOOTP/DHCP, Reply, length 310
13:13:19.534763 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:6d:64:ca, length 305
13:13:19.541518 IP 10.212.9.1.67 > 10.212.9.214.68: BOOTP/DHCP, Reply, length 310

13:13:20.767207 ARP, Request who-has 10.212.9.1 tell 10.212.9.214, length 28
13:13:20.767249 ARP, Reply 10.212.9.1 is-at 00:16:3e:91:cd:7b, length 28

13:13:20.767279 IP 10.212.9.214.41036 > 10.212.9.1.53: 24844+ [1au] A? concise-owl.lxd. (44)
13:13:20.767555 IP 10.212.9.1.53 > 10.212.9.214.41036: 24844* 1/0/1 A 10.212.9.214 (60)

On the real server there were no ARP packets.
Firewalld and iptables had (also after the minimal install) rules and zones set.
After removing firewalld and dropping all iptables rules, the containers got IP addresses.

Output of nft list ruleset and iptables-save:

[root@localhost ~]# nft list ruleset
table ip filter {
   chain INPUT {
   	type filter hook input priority filter; policy accept;
   }

   chain FORWARD {
   	type filter hook forward priority filter; policy accept;
   }

   chain OUTPUT {
   	type filter hook output priority filter; policy accept;
   }
}
table ip6 filter {
   chain INPUT {
   	type filter hook input priority filter; policy accept;
   }

   chain FORWARD {
   	type filter hook forward priority filter; policy accept;
   }

   chain OUTPUT {
   	type filter hook output priority filter; policy accept;
   }
}
table bridge filter {
   chain INPUT {
   	type filter hook input priority filter; policy accept;
   }

   chain FORWARD {
   	type filter hook forward priority filter; policy accept;
   }

   chain OUTPUT {
   	type filter hook output priority filter; policy accept;
   }
}
table ip security {
   chain INPUT {
   	type filter hook input priority 150; policy accept;
   }

   chain FORWARD {
   	type filter hook forward priority 150; policy accept;
   }

   chain OUTPUT {
   	type filter hook output priority 150; policy accept;
   }
}
table ip raw {
   chain PREROUTING {
   	type filter hook prerouting priority raw; policy accept;
   }

   chain OUTPUT {
   	type filter hook output priority raw; policy accept;
   }
}
table ip mangle {
   chain PREROUTING {
   	type filter hook prerouting priority mangle; policy accept;
   }

   chain INPUT {
   	type filter hook input priority mangle; policy accept;
   }

   chain FORWARD {
   	type filter hook forward priority mangle; policy accept;
   }

   chain OUTPUT {
   	type route hook output priority mangle; policy accept;
   }

   chain POSTROUTING {
   	type filter hook postrouting priority mangle; policy accept;
   }
}
table ip nat {
   chain PREROUTING {
   	type nat hook prerouting priority dstnat; policy accept;
   }

   chain INPUT {
   	type nat hook input priority 100; policy accept;
   }

   chain POSTROUTING {
   	type nat hook postrouting priority srcnat; policy accept;
   }

   chain OUTPUT {
   	type nat hook output priority -100; policy accept;
   }
}
table ip6 security {
   chain INPUT {
   	type filter hook input priority 150; policy accept;
   }

   chain FORWARD {
   	type filter hook forward priority 150; policy accept;
   }

   chain OUTPUT {
   	type filter hook output priority 150; policy accept;
   }
}
table ip6 raw {
   chain PREROUTING {
   	type filter hook prerouting priority raw; policy accept;
   }

   chain OUTPUT {
   	type filter hook output priority raw; policy accept;
   }
}
table ip6 mangle {
   chain PREROUTING {
   	type filter hook prerouting priority mangle; policy accept;
   }

   chain INPUT {
   	type filter hook input priority mangle; policy accept;
   }

   chain FORWARD {
   	type filter hook forward priority mangle; policy accept;
   }

   chain OUTPUT {
   	type route hook output priority mangle; policy accept;
   }

   chain POSTROUTING {
   	type filter hook postrouting priority mangle; policy accept;
   }
}
table ip6 nat {
   chain PREROUTING {
   	type nat hook prerouting priority dstnat; policy accept;
   }

   chain INPUT {
   	type nat hook input priority 100; policy accept;
   }

   chain POSTROUTING {
   	type nat hook postrouting priority srcnat; policy accept;
   }

   chain OUTPUT {
   	type nat hook output priority -100; policy accept;
   }
}
table bridge nat {
   chain PREROUTING {
   	type filter hook prerouting priority dstnat; policy accept;
   }

   chain OUTPUT {
   	type filter hook output priority out; policy accept;
   }

   chain POSTROUTING {
   	type filter hook postrouting priority srcnat; policy accept;
   }
}
table inet firewalld {
   chain raw_PREROUTING {
   	type filter hook prerouting priority raw + 10; policy accept;
   	icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
   	meta nfproto ipv6 fib saddr . iif oif missing drop
   	jump raw_PREROUTING_ZONES
   }

   chain raw_PREROUTING_ZONES {
   	iifname "eno1" goto raw_PRE_public
   	goto raw_PRE_public
   }

   chain mangle_PREROUTING {
   	type filter hook prerouting priority mangle + 10; policy accept;
   	jump mangle_PREROUTING_ZONES
   }

   chain mangle_PREROUTING_ZONES {
   	iifname "eno1" goto mangle_PRE_public
   	goto mangle_PRE_public
   }

   chain filter_INPUT {
   	type filter hook input priority filter + 10; policy accept;
   	ct state { established, related } accept
   	ct status dnat accept
   	iifname "lo" accept
   	jump filter_INPUT_ZONES
   	ct state { invalid } drop
   	reject with icmpx type admin-prohibited
   }

   chain filter_FORWARD {
   	type filter hook forward priority filter + 10; policy accept;
   	ct state { established, related } accept
   	ct status dnat accept
   	iifname "lo" accept
   	ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
   	jump filter_FORWARD_IN_ZONES
   	jump filter_FORWARD_OUT_ZONES
   	ct state { invalid } drop
   	reject with icmpx type admin-prohibited
   }

   chain filter_OUTPUT {
   	type filter hook output priority filter + 10; policy accept;
   	oifname "lo" accept
   	ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
   }

   chain filter_INPUT_ZONES {
   	iifname "eno1" goto filter_IN_public
   	goto filter_IN_public
   }

   chain filter_FORWARD_IN_ZONES {
   	iifname "eno1" goto filter_FWDI_public
   	goto filter_FWDI_public
   }

   chain filter_FORWARD_OUT_ZONES {
   	oifname "eno1" goto filter_FWDO_public
   	goto filter_FWDO_public
   }

   chain raw_PRE_public {
   	jump raw_PRE_public_pre
   	jump raw_PRE_public_log
   	jump raw_PRE_public_deny
   	jump raw_PRE_public_allow
   	jump raw_PRE_public_post
   }

   chain raw_PRE_public_pre {
   }

   chain raw_PRE_public_log {
   }

   chain raw_PRE_public_deny {
   }

   chain raw_PRE_public_allow {
   }

   chain raw_PRE_public_post {
   }

   chain filter_IN_public {
   	jump filter_IN_public_pre
   	jump filter_IN_public_log
   	jump filter_IN_public_deny
   	jump filter_IN_public_allow
   	jump filter_IN_public_post
   	meta l4proto { icmp, ipv6-icmp } accept
   }

   chain filter_IN_public_pre {
   }

   chain filter_IN_public_log {
   }

   chain filter_IN_public_deny {
   }

   chain filter_IN_public_allow {
   	tcp dport 22 ct state { new, untracked } accept
   	ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
   	ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
   	ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
   }

   chain filter_IN_public_post {
   }

   chain filter_FWDI_public {
   	jump filter_FWDI_public_pre
   	jump filter_FWDI_public_log
   	jump filter_FWDI_public_deny
   	jump filter_FWDI_public_allow
   	jump filter_FWDI_public_post
   	meta l4proto { icmp, ipv6-icmp } accept
   }

   chain filter_FWDI_public_pre {
   }

   chain filter_FWDI_public_log {
   }

   chain filter_FWDI_public_deny {
   }

   chain filter_FWDI_public_allow {
   }

   chain filter_FWDI_public_post {
   }

   chain mangle_PRE_public {
   	jump mangle_PRE_public_pre
   	jump mangle_PRE_public_log
   	jump mangle_PRE_public_deny
   	jump mangle_PRE_public_allow
   	jump mangle_PRE_public_post
   }

   chain mangle_PRE_public_pre {
   }

   chain mangle_PRE_public_log {
   }

   chain mangle_PRE_public_deny {
   }

   chain mangle_PRE_public_allow {
   }

   chain mangle_PRE_public_post {
   }

   chain filter_FWDO_public {
   	jump filter_FWDO_public_pre
   	jump filter_FWDO_public_log
   	jump filter_FWDO_public_deny
   	jump filter_FWDO_public_allow
   	jump filter_FWDO_public_post
   }

   chain filter_FWDO_public_pre {
   }

   chain filter_FWDO_public_log {
   }

   chain filter_FWDO_public_deny {
   }

   chain filter_FWDO_public_allow {
   }

   chain filter_FWDO_public_post {
   }
}
table ip firewalld {
   chain nat_PREROUTING {
   	type nat hook prerouting priority dstnat + 10; policy accept;
   	jump nat_PREROUTING_ZONES
   }

   chain nat_PREROUTING_ZONES {
   	iifname "eno1" goto nat_PRE_public
   	goto nat_PRE_public
   }

   chain nat_POSTROUTING {
   	type nat hook postrouting priority srcnat + 10; policy accept;
   	jump nat_POSTROUTING_ZONES
   }

   chain nat_POSTROUTING_ZONES {
   	oifname "eno1" goto nat_POST_public
   	goto nat_POST_public
   }

   chain nat_PRE_public {
   	jump nat_PRE_public_pre
   	jump nat_PRE_public_log
   	jump nat_PRE_public_deny
   	jump nat_PRE_public_allow
   	jump nat_PRE_public_post
   }

   chain nat_PRE_public_pre {
   }

   chain nat_PRE_public_log {
   }

   chain nat_PRE_public_deny {
   }

   chain nat_PRE_public_allow {
   }

   chain nat_PRE_public_post {
   }

   chain nat_POST_public {
   	jump nat_POST_public_pre
   	jump nat_POST_public_log
   	jump nat_POST_public_deny
   	jump nat_POST_public_allow
   	jump nat_POST_public_post
   }

   chain nat_POST_public_pre {
   }

   chain nat_POST_public_log {
   }

   chain nat_POST_public_deny {
   }

   chain nat_POST_public_allow {
   }

   chain nat_POST_public_post {
   }
}
table ip6 firewalld {
   chain nat_PREROUTING {
   	type nat hook prerouting priority dstnat + 10; policy accept;
   	jump nat_PREROUTING_ZONES
   }

   chain nat_PREROUTING_ZONES {
   	iifname "eno1" goto nat_PRE_public
   	goto nat_PRE_public
   }

   chain nat_POSTROUTING {
   	type nat hook postrouting priority srcnat + 10; policy accept;
   	jump nat_POSTROUTING_ZONES
   }

   chain nat_POSTROUTING_ZONES {
   	oifname "eno1" goto nat_POST_public
   	goto nat_POST_public
   }

   chain nat_PRE_public {
   	jump nat_PRE_public_pre
   	jump nat_PRE_public_log
   	jump nat_PRE_public_deny
   	jump nat_PRE_public_allow
   	jump nat_PRE_public_post
   }

   chain nat_PRE_public_pre {
   }

   chain nat_PRE_public_log {
   }

   chain nat_PRE_public_deny {
   }

   chain nat_PRE_public_allow {
   }

   chain nat_PRE_public_post {
   }

   chain nat_POST_public {
   	jump nat_POST_public_pre
   	jump nat_POST_public_log
   	jump nat_POST_public_deny
   	jump nat_POST_public_allow
   	jump nat_POST_public_post
   }

   chain nat_POST_public_pre {
   }

   chain nat_POST_public_log {
   }

   chain nat_POST_public_deny {
   }

   chain nat_POST_public_allow {
   }

   chain nat_POST_public_post {
   }
}
table ip lxd {
   chain in.lxdbr0 {
   	type filter hook input priority filter; policy accept;
   	iifname "lxdbr0" tcp dport 53 accept
   	iifname "lxdbr0" udp dport 53 accept
   	iifname "lxdbr0" udp dport 67 accept
   }

   chain out.lxdbr0 {
   	type filter hook output priority filter; policy accept;
   	oifname "lxdbr0" tcp sport 53 accept
   	oifname "lxdbr0" udp sport 53 accept
   	oifname "lxdbr0" udp sport 67 accept
   }

   chain fwd.lxdbr0 {
   	type filter hook forward priority filter; policy accept;
   	oifname "lxdbr0" accept
   	iifname "lxdbr0" accept
   }

   chain pstrt.lxdbr0 {
   	type nat hook postrouting priority srcnat; policy accept;
   	ip saddr 10.103.61.0/24 ip daddr != 10.103.61.0/24 masquerade
   }
}
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.8.4 on Wed Oct 14 13:06:20 2020
*filter
:INPUT ACCEPT [7329:26137315]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4863:351000]
COMMIT
# Completed on Wed Oct 14 13:06:20 2020
# Generated by iptables-save v1.8.4 on Wed Oct 14 13:06:20 2020
*security
:INPUT ACCEPT [7238:26121552]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4864:351248]
COMMIT
# Completed on Wed Oct 14 13:06:20 2020
# Generated by iptables-save v1.8.4 on Wed Oct 14 13:06:20 2020
*raw
:PREROUTING ACCEPT [7330:26137891]
:OUTPUT ACCEPT [4866:351632]
COMMIT
# Completed on Wed Oct 14 13:06:20 2020
# Generated by iptables-save v1.8.4 on Wed Oct 14 13:06:20 2020
*mangle
:PREROUTING ACCEPT [7330:26137891]
:INPUT ACCEPT [7329:26137315]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4868:351992]
:POSTROUTING ACCEPT [4868:351992]
COMMIT
# Completed on Wed Oct 14 13:06:20 2020
# Generated by iptables-save v1.8.4 on Wed Oct 14 13:06:20 2020
*nat
:PREROUTING ACCEPT [94:16459]
:INPUT ACCEPT [2:120]
:POSTROUTING ACCEPT [43:2895]
:OUTPUT ACCEPT [44:2935]
COMMIT
# Completed on Wed Oct 14 13:06:20 2020
[root@localhost ~]#

Just saying, firewalls are very useful, so you might not want to disable everything.
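Added example (not part of any post in this thread): a heuristic check over `nft list ruleset` output for the situation in the ruleset above. In nftables an `accept` in one base chain (here `in.lxdbr0` in `table ip lxd`) only ends that chain; the packet is still evaluated by other base chains on the same hook, such as firewalld's `filter_INPUT`, which ends in `reject`. The function names and the abridged sample are assumptions of this sketch, and the default bridge name `lxdbr0` is taken from the thread.

```python
import re

# Abridged excerpt of the ruleset posted in this thread (trimmed for the example).
SAMPLE_RULESET = """
table inet firewalld {
   chain filter_INPUT {
      type filter hook input priority filter + 10; policy accept;
      ct state { established, related } accept
      iifname "lo" accept
      jump filter_INPUT_ZONES
      reject with icmpx type admin-prohibited
   }
   chain filter_IN_public_allow {
      tcp dport 22 ct state { new, untracked } accept
   }
}
table ip lxd {
   chain in.lxdbr0 {
      type filter hook input priority filter; policy accept;
      iifname "lxdbr0" udp dport 67 accept
   }
}
"""

def parse_ruleset(text):
    """Map (family, table) -> {chain: [rule lines]} from `nft list ruleset` text."""
    tables, table, chain = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"table (\S+) (\S+) \{$", line):
            table = tables.setdefault((m[1], m[2]), {})
        elif m := re.match(r"chain (\S+) \{$", line):
            chain = table.setdefault(m[1], [])
        elif line == "}":
            chain = None  # closes the chain, or the table if no chain is open
        elif line and chain is not None:
            chain.append(line)
    return tables

def blocking_input_chains(text, bridge="lxdbr0"):
    """Input-hook base chains that can drop the bridge's IPv4 DHCP requests.

    Heuristic: the chain has an unconditional drop/reject (or policy drop)
    and no rule in its table names the bridge interface."""
    findings = []
    for (family, name), chains in parse_ruleset(text).items():
        if family not in ("ip", "inet"):  # only these families see IPv4 DHCP
            continue
        if any(f'"{bridge}"' in r for rules in chains.values() for r in rules):
            continue
        for cname, rules in chains.items():
            hook = next((r for r in rules if r.startswith("type ") and "hook input" in r), "")
            if hook and ("policy drop" in hook or any(re.match(r"(reject|drop)\b", r) for r in rules)):
                findings.append((family, name, cname))
    return findings
```

To keep firewalld enabled instead of removing it, the LXD documentation's approach is to place the bridge in the trusted zone: sudo firewall-cmd --zone=trusted --change-interface=lxdbr0 --permanent, followed by sudo firewall-cmd --reload.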