I use Ubuntu 25.04 with Incus 6.0.3-4, the version that ships with this Ubuntu release.
If I create a VM, it works as it should: it gets an IP and everything is fine. The problem is with containers, since they don't get an IP or DNS.
If I execute dhclient in the container, it gets an IP, but not DNS.
➜ incus list
+-------------------+---------+------------------------+-----------------------------------------------+-----------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+-------------------+---------+------------------------+-----------------------------------------------+-----------------+-----------+
| debian13 | RUNNING | 10.32.148.165 (enp5s0) | | VIRTUAL-MACHINE | 0 |
+-------------------+---------+------------------------+-----------------------------------------------+-----------------+-----------+
| debian13container | RUNNING | | fd42:7f14:e615:7f9d:216:3eff:fe4e:d469 (eth0) | CONTAINER | 0 |
+-------------------+---------+------------------------+-----------------------------------------------+-----------------+-----------+
| ubuntu2504 | RUNNING | | fd42:7f14:e615:7f9d:216:3eff:fe74:5ec7 (eth0) | CONTAINER | 0 |
+-------------------+---------+------------------------+-----------------------------------------------+-----------------+-----------+
Here is the configuration of my container:
➜ incus config show ubuntu2504 -e
architecture: x86_64
config:
image.architecture: amd64
image.description: Ubuntu plucky amd64 (20250701_07:42)
image.os: Ubuntu
image.release: plucky
image.serial: "20250701_07:42"
image.type: squashfs
image.variant: default
volatile.base_image: ffcc528d22376645535bfb2015a7574b2577ccae4a15052c6137a1de5d079da5
volatile.cloud-init.instance-id: d5e953c8-46fe-427c-bfe5-d2e893386fdc
volatile.eth0.host_name: veth10715eb5
volatile.eth0.hwaddr: 00:16:3e:74:5e:c7
volatile.idmap.base: "0"
volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
volatile.last_state.idmap: '[]'
volatile.last_state.power: RUNNING
volatile.last_state.ready: "false"
volatile.uuid: 548ff407-dc8a-4477-80a3-d57e9195a019
volatile.uuid.generation: 548ff407-dc8a-4477-80a3-d57e9195a019
devices:
eth0:
name: eth0
network: incusbr0
type: nic
root:
path: /
pool: default
type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
Here is the configuration of my VM:
architecture: x86_64
config:
image.architecture: amd64
image.description: Debian trixie amd64 (20250618_05:24)
image.os: Debian
image.release: trixie
image.serial: "20250618_05:24"
image.type: disk-kvm.img
image.variant: default
volatile.base_image: ce03c72158b45cc52772aaa42dd3fa467b4ecf4ce0d18123861d0bf8325d7880
volatile.cloud-init.instance-id: c2334064-68b7-4641-ad57-f44c64fd6406
volatile.eth0.host_name: tapa5dba13d
volatile.eth0.hwaddr: 00:16:3e:34:a7:39
volatile.last_state.power: RUNNING
volatile.uuid: 76e31727-99eb-4bbe-aab3-30da270a70fe
volatile.uuid.generation: 76e31727-99eb-4bbe-aab3-30da270a70fe
volatile.vsock_id: "2152505786"
devices:
eth0:
name: eth0
network: incusbr0
type: nic
root:
path: /
pool: default
type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
I manually disabled the Incus firewall on incusbr0 (ipv4.firewall and ipv6.firewall are both set to "false"). ufw is also inactive.
➜ sudo ufw status
Status: inactive
Here is the configuration for the main bridge.
➜ incus network show incusbr0
config:
ipv4.address: 10.32.148.1/24
ipv4.firewall: "false"
ipv4.nat: "true"
ipv6.address: fd42:7f14:e615:7f9d::1/64
ipv6.firewall: "false"
ipv6.nat: "true"
description: ""
name: incusbr0
type: bridge
used_by:
- /1.0/instances/debian13
- /1.0/instances/debian13container
- /1.0/instances/ubuntu2504
- /1.0/profiles/default
managed: true
status: Created
locations:
- none
project: default
Here are the iptables firewall rules (note the warning that iptables-legacy tables are also present; those are not listed in this output).
➜ sudo iptables -L -n -v
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8659K 5229M LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- mpqemubr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* generated for Multipass network mpqemubr0 */
146 11339 ACCEPT udp -- mpqemubr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* generated for Multipass network mpqemubr0 */
7 2117 ACCEPT udp -- mpqemubr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 /* generated for Multipass network mpqemubr0 */
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
148K 382M LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
148K 382M LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
148K 382M LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
6 1910 ACCEPT all -- mpqemubr0 mpqemubr0 0.0.0.0/0 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */
44466 2542K ACCEPT all -- mpqemubr0 * 10.103.14.0/24 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */
102K 376M ACCEPT all -- * mpqemubr0 0.0.0.0/0 10.103.14.0/24 ctstate RELATED,ESTABLISHED /* generated for Multipass network mpqemubr0 */
0 0 REJECT all -- mpqemubr0 * 0.0.0.0/0 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable
0 0 REJECT all -- * mpqemubr0 0.0.0.0/0 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6313K 219G LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * mpqemubr0 0.0.0.0/0 0.0.0.0/0 tcp spt:53 /* generated for Multipass network mpqemubr0 */
144 25967 ACCEPT udp -- * mpqemubr0 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* generated for Multipass network mpqemubr0 */
4 1318 ACCEPT udp -- * mpqemubr0 0.0.0.0/0 0.0.0.0/0 udp spt:67 /* generated for Multipass network mpqemubr0 */
Chain LIBVIRT_FWI (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * virbr3 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- virbr3 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- virbr3 virbr3 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_INP (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain LIBVIRT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr3 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virbr3 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * virbr3 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virbr3 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
0 0 ACCEPT udp -- * virbr2 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virbr2 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * virbr2 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virbr2 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
And here is the nft config for Incus:
sudo nft list table inet incus
table inet incus {
chain pstrt.incusbr-1000 {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.31.254.0/24 ip daddr != 10.31.254.0/24 masquerade
ip6 saddr fd42:2257:b716:5069::/64 ip6 daddr != fd42:2257:b716:5069::/64 masquerade
}
chain fwd.incusbr-1000 {
type filter hook forward priority filter; policy accept;
ip version 4 oifname "incusbr-1000" accept
ip version 4 iifname "incusbr-1000" accept
ip6 version 6 oifname "incusbr-1000" accept
ip6 version 6 iifname "incusbr-1000" accept
}
chain in.incusbr-1000 {
type filter hook input priority filter; policy accept;
iifname "incusbr-1000" tcp dport 53 accept
iifname "incusbr-1000" udp dport 53 accept
iifname "incusbr-1000" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
iifname "incusbr-1000" udp dport 67 accept
iifname "incusbr-1000" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
iifname "incusbr-1000" udp dport 547 accept
}
chain out.incusbr-1000 {
type filter hook output priority filter; policy accept;
oifname "incusbr-1000" tcp sport 53 accept
oifname "incusbr-1000" udp sport 53 accept
oifname "incusbr-1000" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
oifname "incusbr-1000" udp sport 67 accept
oifname "incusbr-1000" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
oifname "incusbr-1000" udp sport 547 accept
}
chain pstrt.incusbr0 {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.32.148.0/24 ip daddr != 10.32.148.0/24 masquerade
ip6 saddr fd42:7f14:e615:7f9d::/64 ip6 daddr != fd42:7f14:e615:7f9d::/64 masquerade
}
}
I think it is something related to libvirt and its firewall rules.
Ah! I also don't have Docker installed, just Podman.
Thanks for any help.