How do I make LXD reload the nftables rules?

michacassola · June 21, 2022, 8:21pm

systemctl reload snap.lxd.daemon did not do the trick unfortunately. After restarting after installing lxd and initializing it the rules do not get loaded for some reason, maybe because there is no container yet?

tomp · June 21, 2022, 9:02pm

Check your system logs and persistent warnings lxc warning list, but a LXD daemon reload will reinitialise the LXD firewall rules, so perhaps LXD isn’t using nftables (lxc info | grep "firewall:") will show that.

michacassola · June 22, 2022, 1:19pm

lxc info | grep firewall:
  firewall: nftables

I use pure nftables as ufw installs legacy iptables and it all becomes a big mess, always had a hard time understanding the ufw generated rules.

This is lxc warning list:

+--------------------------------------+------------------------------------------------------+--------+----------+-------+---------+------------------------------+
|                 UUID                 |                         TYPE                         | STATUS | SEVERITY | COUNT | PROJECT |          LAST SEEN           |
+--------------------------------------+------------------------------------------------------+--------+----------+-------+---------+------------------------------+
| c1381f61-fa7b-41ab-a246-21fa2570b0f8 | Instance type not operational                        | NEW    | LOW      | 4     |         | Jun 21, 2022 at 8:19pm (UTC) |
+--------------------------------------+------------------------------------------------------+--------+----------+-------+---------+------------------------------+
| ec1f0f30-f4aa-49da-9b2e-29deac39e728 | Couldn't find the CGroup network priority controller | NEW    | LOW      | 4     |         | Jun 21, 2022 at 8:19pm (UTC) |
+--------------------------------------+------------------------------------------------------+--------+----------+-------+---------+------------------------------+

Ok, just ran systemctl reload snap.lxd.daemon again after getting the above info and now the lxd inet table is there… Why did it not come up yesterday? Did the server need to ripen over night?

michacassola · November 18, 2022, 5:19pm

Follow up question and wish:
I would like a way to tell LXD to reinsert nftables rules without restarting the whole daemon please.
In a speparate topic i mention some problems: Error: LXD is shutting down - Not closing bash in an instance