Failed to parse config file "lxc.network.type = vlan"

Hello. I need some help with setting up the LXC container. I am unable to connect the LXC container to the VLAN. What am I doing wrong?

The problem is:

root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> lxc-start -n dns01.vmlab.local
lxc-start: dns01.vmlab.local: confile.c: set_config_net: 293 lxc.net must not have a value
lxc-start: dns01.vmlab.local: parse.c: lxc_file_for_each_line_mmap: 131 Failed to parse config file "/var/lib/lxc/dns01.vmlab.local/config" at line "lxc.network.type = vlan"
Failed to load config for dns01.vmlab.local
lxc-start: dns01.vmlab.local: tools/lxc_start.c: main: 242 Failed to create lxc_container

Pastebin

https://pastebin.com/ijrwB9f3
https://pastebin.com/Lh006cD8

Regards,
Petr Kallen

Your network config looks to be in an incorrect/old format:

Try using:

lxc.net.0.foo=bah
lxc.net.0.foofoo=bah1

etc

Where 0 means the first NIC in the container.

The Debian page looks out of date: LXC/VlanNetworking - Debian Wiki

Something more like:

root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> ll
total 20K
drwxrwx---  3 root root 4.0K Nov 21 11:48 .
drwxr-xr-x  3 root root 4.0K Nov 21 09:48 ..
-rw-r-----  1 root root  752 Nov 21 11:48 config
-rw-r-----  1 root root  727 Nov 21 09:50 config.dist
drwxr-xr-x 17 root root 4.0K Nov 21 11:48 rootfs
root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> cat config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lib/lxc/dns01.vmlab.local/rootfs
lxc.uts.name = dns01.vmlab.local

# Network configuration
lxc.net.0.type = vlan
lxc.net.0.vlan.id = 100
lxc.net.0.link = ens224
lxc.net.0.flags = up

root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> lxc-start -n dns01.vmlab.local
lxc-start: dns01.vmlab.local: lxccontainer.c: wait_on_daemonized_start: 859 Received container state "ABORTING" instead of "RUNNING"
lxc-start: dns01.vmlab.local: tools/lxc_start.c: main: 308 The container failed to start
lxc-start: dns01.vmlab.local: tools/lxc_start.c: main: 311 To get more details, run the container in foreground mode
lxc-start: dns01.vmlab.local: tools/lxc_start.c: main: 313 Additional information can be obtained by setting the --logfile and --logpriority options
root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local

Can you run lxc-start with the -F flag?

root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> ll
total 20K
drwxrwx---  3 root root 4.0K Nov 21 11:49 .
drwxr-xr-x  3 root root 4.0K Nov 21 09:48 ..
-rw-r-----  1 root root  752 Nov 21 11:48 config
-rw-r-----  1 root root  727 Nov 21 09:50 config.dist
drwxr-xr-x 17 root root 4.0K Nov 21 11:49 rootfs
root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> lxc-start -F -n dns01.vmlab.local
lxc-start: dns01.vmlab.local: network.c: instantiate_vlan: 701 File exists - Failed to create vlan interface "vlan100-0" on "ens224"
lxc-start: dns01.vmlab.local: network.c: lxc_create_network_priv: 3068 File exists - Failed to create network device
lxc-start: dns01.vmlab.local: start.c: lxc_spawn: 1786 Failed to create the network
lxc-start: dns01.vmlab.local: start.c: __lxc_start: 1999 Failed to spawn container "dns01.vmlab.local"
lxc-start: dns01.vmlab.local: tools/lxc_start.c: main: 308 The container failed to start
lxc-start: dns01.vmlab.local: tools/lxc_start.c: main: 313 Additional information can be obtained by setting the --logfile and --logpriority options
root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local

What does ip a on the host show?

Hi @tomp
It shows this…

root@firewall.vmlab.local:~
>>> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:9a brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 10.255.255.251/24 brd 10.255.255.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet 10.255.255.252/24 brd 10.255.255.255 scope global secondary ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c29a/64 scope link
       valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    altname enp19s0
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
4: vlan100@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.100.1.1/24 brd 10.100.1.255 scope global vlan100
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
5: vlan101@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.101.1.1/24 brd 10.101.1.255 scope global vlan101
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
6: vlan102@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.102.1.1/24 brd 10.102.1.255 scope global vlan102
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
7: vlan103@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.103.1.1/24 brd 10.103.1.255 scope global vlan103
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever

But couldn’t the problem be that vlan100 already exists and I’m trying to connect an LXC container to this vlan ?

The goal is to connect this container to an existing vlan100. Ideally, without having to use a bridge.

Yes you can’t do this. You can only connect a single container directly to a VLAN, and this requires the vlan100 interface not to exist.

Effectively this creates the VLAN interface and moves it into the container.

If you were using LXD you could use the macvlan NIC type that supports the vlan property and can create or use an existing VLAN interface and then build multiple macvlan NICs on top of it:

See Type: nic - LXD documentation

I tried to set up “macvlan”, but I can’t ping the gateway from the VM…
Please, can you check my config below?

root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> ll
total 28K
drwxrwx---  4 root root 4.0K Nov 21 15:18 .
drwxr-xr-x  3 root root 4.0K Nov 21 09:48 ..
drwxr-xr-x  2 root root 4.0K Nov 21 15:18 apparmor
-rw-r-----  1 root root  832 Nov 21 15:17 config
-rw-r-----  1 root root  727 Nov 21 09:50 config.dist
-rw-r-----  1 root root  891 Nov 21 14:51 log.txt
drwxr-xr-x 17 root root 4.0K Nov 21 15:18 rootfs
root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> cat config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lib/lxc/dns01.vmlab.local/rootfs
lxc.uts.name = dns01.vmlab.local

# Network configuration
lxc.net.0.type = macvlan
lxc.net.0.flags = up
lxc.net.0.link = ens224
lxc.net.0.hwaddr = 4a:49:43:49:79:bd
lxc.net.0.ipv4.address = 10.100.1.51/24
lxc.net.0.vlan.id = 200

root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> lxc-attach -n dns01.vmlab.local
root@dns01:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
10: eth0@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4a:49:43:49:79:bd brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.100.1.51/24 brd 10.100.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::4849:43ff:fe49:79bd/64 scope link
       valid_lft forever preferred_lft forever
root@dns01:/# ping 10.100.1.1
PING 10.100.1.1 (10.100.1.1) 56(84) bytes of data.
From 10.100.1.51 icmp_seq=1 Destination Host Unreachable
From 10.100.1.51 icmp_seq=2 Destination Host Unreachable
From 10.100.1.51 icmp_seq=3 Destination Host Unreachable
^C
--- 10.100.1.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 73ms
pipe 4
root@dns01:/#

Please show ip a and ip r from the container and the host.

Although I don’t think macvlan supports the vlan.id setting.

So you would need to use the .link setting of the manually created vlan200 interface.

root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:9a brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 10.255.255.251/24 brd 10.255.255.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet 10.255.255.252/24 brd 10.255.255.255 scope global secondary ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c29a/64 scope link
       valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    altname enp19s0
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
4: vlan100@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.100.1.1/24 brd 10.100.1.255 scope global vlan100
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
5: vlan101@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.101.1.1/24 brd 10.101.1.255 scope global vlan101
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
6: vlan102@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.102.1.1/24 brd 10.102.1.255 scope global vlan102
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
7: vlan103@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.103.1.1/24 brd 10.103.1.255 scope global vlan103
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> lxc-ls -f
NAME              STATE   AUTOSTART GROUPS IPV4        IPV6 UNPRIVILEGED
dns01.vmlab.local RUNNING 0         -      10.100.1.51 -    false
root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> ping -c 3 10.100.1.51
PING 10.100.1.51 (10.100.1.51) 56(84) bytes of data.
From 10.100.1.1 icmp_seq=1 Destination Host Unreachable
From 10.100.1.1 icmp_seq=2 Destination Host Unreachable
From 10.100.1.1 icmp_seq=3 Destination Host Unreachable

--- 10.100.1.51 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2025ms
pipe 3
root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> lxc-attach -n dns01.vmlab.local
root@dns01:/# ping -c 3 10.100.1.1
PING 10.100.1.1 (10.100.1.1) 56(84) bytes of data.
From 10.100.1.51 icmp_seq=1 Destination Host Unreachable
From 10.100.1.51 icmp_seq=2 Destination Host Unreachable
From 10.100.1.51 icmp_seq=3 Destination Host Unreachable

--- 10.100.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 45ms
pipe 3
root@dns01:/# exit
exit
root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>> cat config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lib/lxc/dns01.vmlab.local/rootfs
lxc.uts.name = dns01.vmlab.local

# Network configuration
lxc.net.0.type = macvlan
lxc.net.0.flags = up
lxc.net.0.link = ens224
lxc.net.0.hwaddr = 4a:49:43:49:79:bd
lxc.net.0.ipv4.address = 10.100.1.51/24
lxc.net.0.vlan.id = 100

root@firewall.vmlab.local:/var/lib/lxc/dns01.vmlab.local
>>>

Actual settings from the host

root@firewall.vmlab.local:~
>>> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:9a brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 10.255.255.251/24 brd 10.255.255.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet 10.255.255.252/24 brd 10.255.255.255 scope global secondary ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c29a/64 scope link
       valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    altname enp19s0
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
4: vlan100@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.100.1.1/24 brd 10.100.1.255 scope global vlan100
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
5: vlan101@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.101.1.1/24 brd 10.101.1.255 scope global vlan101
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
6: vlan102@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.102.1.1/24 brd 10.102.1.255 scope global vlan102
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
7: vlan103@ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:48:c2:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.103.1.1/24 brd 10.103.1.255 scope global vlan103
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe48:c2a4/64 scope link
       valid_lft forever preferred_lft forever
>>> ip r
default via 10.255.255.1 dev ens192 onlink
10.100.1.0/24 dev vlan100 proto kernel scope link src 10.100.1.1
10.101.1.0/24 dev vlan101 proto kernel scope link src 10.101.1.1
10.102.1.0/24 dev vlan102 proto kernel scope link src 10.102.1.1
10.103.1.0/24 dev vlan103 proto kernel scope link src 10.103.1.1
10.255.255.0/24 dev ens192 proto kernel scope link src 10.255.255.251
root@firewall.vmlab.local:~
>>>

My actual LXC container settings on the host

root@firewall.vmlab.local:~
>>> cat /var/lib/lxc/dns01.vmlab.local/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lib/lxc/dns01.vmlab.local/rootfs
lxc.uts.name = dns01.vmlab.local

# Network configuration
lxc.net.0.type = macvlan
lxc.net.0.flags = up
lxc.net.0.link = vlan100
lxc.net.0.ipv4.address = 10.100.1.51/24
lxc.net.0.ipv4.gateway = 10.100.1.1

Actual network settings inside LXC container

root@dns01:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 12:13:2c:68:01:5d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.100.1.51/24 brd 10.100.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::1013:2cff:fe68:15d/64 scope link
       valid_lft forever preferred_lft forever
root@dns01:~#
root@dns01:~# ping -c 3 10.100.1.1
PING 10.100.1.1 (10.100.1.1) 56(84) bytes of data.
From 10.100.1.51 icmp_seq=1 Destination Host Unreachable
From 10.100.1.51 icmp_seq=2 Destination Host Unreachable
From 10.100.1.51 icmp_seq=3 Destination Host Unreachable

--- 10.100.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 48ms
pipe 3
root@dns01:~# ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.100.1.51 icmp_seq=1 Destination Host Unreachable
From 10.100.1.51 icmp_seq=2 Destination Host Unreachable
From 10.100.1.51 icmp_seq=3 Destination Host Unreachable

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 55ms
pipe 3
root@dns01:~#

The network is still not available :frowning:

Regards,
Petr Kallen

So the issue is that when using macvlan, by design, it does not allow the containers to communicate with the host (only through it to the linked network).

So in this case your host has a vlan100 interface with an IP address of 10.100.1.1.

And the container is connected to vlan100 using macvlan and has its gateway set to 10.100.1.1.

Now, 10.100.1.1 will not be reachable from the container.

But now I am a bit confused, why is the host machine the gateway? What is the actual gateway on that host? And if it is the gateway, why are you using vlans at all?

Hi and thanks for your answer and your time.
Our server has 2 physical NICs.

NIC1 = ens192 - WAN (10.255.255.251/24, gw: 10.255.255.1)
NIC2 = ens224 - LAN connected to the L2/L3 switch

On ens224 (LAN) interface we are using vlans only…
vlan100 - management and infra network, clients gateway is: 10.100.1.1
vlan101 - clients network, clients gateway is: 10.101.1.1
vlan102 - guest network, clients gateway is: 10.102.1.1
vlan103 - guest network for WiFi, clients gateway is: 10.103.1.1

When I connect a client to the port on the switch where vlan100 is untagged, everything is OK.
When I connect a client to the port on the switch where vlan101 is untagged, everything is OK.
When I connect a client to the port on the switch where vlan102 is untagged, everything is OK.
When I connect a client to the port on the switch where vlan103 is untagged, everything is OK.

Clients are getting IP addresses from DHCP, internet is working, clients can communicate with each other = Everything is OK.

It should be said that this server has the following roles for our network…

  • router / NAT via nftables where only masquerade is applied for now and everything is accepted
  • DHCP server for all our clients
  • DNS server for all our clients
  • NTP server for all our clients

If I connect the container to VLAN100 via macvlan, I can’t ping any gateway, the data is not flowing, the container is not accessible in any way.

Is this enough or is there something else that needs to be refined ?

Regards,
Petr Kallen

OK that info is pretty key.

In that case you can’t use macvlan and will need to create a bridge manually on top of the vlan100 interface (moving the 10.100.1.1 IP to the bridge interface) and then use the bridge NIC in LXC connected to the manual bridge.

OK, thanks, but what is “mac-vlan” for?

For communicating with other devices on the linked network interface, except the host.
It’s a lighter-weight alternative to bridging, but comes with that limitation/design feature (not from LXC/LXD).
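
As an added example (not code from the thread or from the LXC project), this Python sketch lints an LXC config against host interface data for the failure modes diagnosed above: legacy `lxc.network.*` keys, a `vlan` NIC whose VLAN already exists on the host, `vlan.id` on a `macvlan` NIC, and a `macvlan` gateway that is the host's own address. The `HOST` table is hand-built from the `ip a` output in the thread, and the finding codes and the bridge name `br100` are hypothetical.

```python
import re

# Host interfaces, hand-built from the `ip a` output in the thread. The 802.1Q
# ids are assumed to match the interface names (vlan100 -> id 100).
HOST = {
    "ens224": {"parent": None, "vlan_id": None, "addrs": []},
    "vlan100": {"parent": "ens224", "vlan_id": 100, "addrs": ["10.100.1.1"]},
    "vlan101": {"parent": "ens224", "vlan_id": 101, "addrs": ["10.101.1.1"]},
}
NET_KEY = re.compile(r"^lxc\.net\.(\d+)\.(.+)$")

def parse_nics(config_text):
    """Return (legacy_keys, {nic_index: {setting: value}}) from LXC config text."""
    legacy, nics = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("lxc.network."):
            legacy.append(key)  # old key family, rejected by the parser in the thread
            continue
        match = NET_KEY.match(key)
        if match:
            nics.setdefault(int(match.group(1)), {})[match.group(2)] = value
    return legacy, nics

def lint(config_text, host=HOST):
    """Return sorted finding codes (hypothetical names) for the config."""
    legacy, nics = parse_nics(config_text)
    findings = set()
    if legacy:
        findings.add("legacy-key")  # rewrite as lxc.net.<index>.*
    for nic in nics.values():
        kind, link = nic.get("type"), nic.get("link")
        if kind == "vlan":
            # LXC creates the VLAN interface itself and moves it into the
            # container, so the same VLAN must not already exist on the link.
            if any(i["parent"] == link and str(i["vlan_id"]) == nic.get("vlan.id")
                   for i in host.values()):
                findings.add("vlan-exists")  # lxc-start: "File exists"
        elif kind == "macvlan":
            if "vlan.id" in nic:
                # Per the reply in the thread: set link to the VLAN interface instead.
                findings.add("macvlan-vlan-id")
            gateway = nic.get("ipv4.gateway")
            if gateway and gateway in host.get(link, {}).get("addrs", []):
                # macvlan cannot reach the host itself, so this gateway is unreachable.
                findings.add("macvlan-host-gateway")
    return sorted(findings)

# Network sections of the configs posted in the thread, trimmed to the relevant keys.
LEGACY = "lxc.network.type = vlan\n"
VLAN = "lxc.net.0.type = vlan\nlxc.net.0.vlan.id = 100\nlxc.net.0.link = ens224\n"
MACVLAN_ID = "lxc.net.0.type = macvlan\nlxc.net.0.link = ens224\nlxc.net.0.vlan.id = 200\n"
MACVLAN_GW = ("lxc.net.0.type = macvlan\nlxc.net.0.link = vlan100\n"
              "lxc.net.0.ipv4.gateway = 10.100.1.1\n")
# Constructed: veth NIC on a manual bridge (hypothetical name br100) that holds 10.100.1.1.
BRIDGED = ("lxc.net.0.type = veth\nlxc.net.0.link = br100\n"
           "lxc.net.0.ipv4.gateway = 10.100.1.1\n")

if __name__ == "__main__":
    for name in ("LEGACY", "VLAN", "MACVLAN_ID", "MACVLAN_GW", "BRIDGED"):
        print(name, lint(globals()[name]))
```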