How to configure LXD network to host bridge?

SR_D · April 10, 2023, 11:43pm

I have LXD instances attached to an LXD network and in each of those instances I’ve configured Netplan with static IP’s.

The LXD docs say, “Network ACLs can be assigned directly to the NIC of an instance or to a network. When assigned to a network, the ACL applies to all NICs connected to the network.”

The latter is what I am trying to accomplish. I’ve assigned ACL’s to a network so all my instances can access the internet. But they do not. I believe what the problem is, is that each instance is configured with static ip’s within Netplan and I’ve not correctly connected the LXD network to the host, and therefore the instances cannot access the internet.

I’ve tried creating a bridge and connecting the LXD network to it, but I also have a VPN connection on this machine and each time I loose all connectivity.

Here’s what I’ve done so far.

$ lxc network show mylan
config:
  ipv4.address: none
  ipv4.firewall: "false"
  ipv6.address: none
  ipv6.firewall: "false"
  security.acls: inet-access
  security.acls.default.egress.action: allow
  security.acls.default.ingress.action: allow
description: ""
name: mylan
type: bridge
used_by:
- /1.0/instances/h1 
- /1.0/instances/h2
managed: true
status: Created
locations:
- none

Because my host has a firewall, I turned off the LXD firewall and added some default actions:

$ lxc network mylan ipv6.firewall false
$ lxc network mylan ipv4.firewall false
$ lxc network set mylan security.acls.default.ingress.action=allow        
$ lxc network set mylan security.acls.default.egress.action=allow

Also, as I have Docker on my host, I turn off the host firewall just to see if things work without Docker interfering, but no success.

Also, I have NetManager running on the host machine (Ubuntu 20.04). Can anyone help with a proper bridge setup to get the LXD instances access to the internet just by connecting the LXD network (not via each individual instance)?

tomp · May 5, 2023, 10:04am

Hi,

What is the reason for using ACLs in the first place?

What does lxc network acl show inet-access show?

SR_D · May 6, 2023, 12:14am

Hi, thanks for your reply, I’ve been at this for awhile. Here’s another post for additional details, some things have been renamed. Each time I can’t get replies, I try to simply what I know and put it out another way.

$ lxc network acl show internet
name: internet
description: ""
egress:
- action: allow
  state: enabled
ingress:
- action: allow
  state: enabled
config: {}
used_by:
- /1.0/networks/mylan

hypeit · May 6, 2023, 2:45pm

I would rather check if docker is not interfering the bridge in the first place.
I had a very similar case where docker was the reason that lxd containers were unable to access the network although they worked just fine.

Maybe your issue is similar to

When I wanted to make sure in my case I tried something like

gist.github.com

https://gist.github.com/mrclay/da1a83380371ee15ae02b4bcc3db8da1

flush-iptables.sh

#!/bin/bash

# Script is needed because my default firewall rules are messed up and after
# every restart, docker containers can't make connections to the host, notably
# preventing debuggers like xdebug from attaching.

# If networking fails in your containers but works in others, rm and re-create the
# docker network that container is bound to.

set -euo pipefail

This file has been truncated. show original

Just to make sure it was docker

Or better Linux Containers - LXD - Has been moved to Canonical

SR_D · May 6, 2023, 7:22pm

Not sure how docker can interfere with the bridge if the bridge isn’t connected in the first place. This is what I’m trying to understand.

I have an instance connected to an lxd network of type bridge, but how is that bridge connected to my host machines bridge br0. And then, shouldn’t I be able to ping the lxd bridge from the host and if that works, then I can worry about trying to get it through the firewall.

Although, I already knew of this (do have docker installed on my host) and did follow the instructions that allow for network traffic to pass at the end of the link provided.

br0 shows the bridge I created on the host and mylan is the LXD network I created.

$ lxc network list
+----------+----------+---------+-----------------+---------------------------+------------------------------+---------+---------+
|   NAME   |   TYPE   | MANAGED |      IPV4       |           IPV6            |         DESCRIPTION          | USED BY |  STATE  |
+----------+----------+---------+-----------------+---------------------------+------------------------------+---------+---------+
| br0      | bridge   | NO      |                 |                           |                              | 1       |         |
+----------+----------+---------+-----------------+---------------------------+------------------------------+---------+---------+
| mylan    | bridge   | YES     | none            | none                      |                              | 3       | CREATED |
+----------+----------+---------+-----------------+---------------------------+------------------------------+---------+---------+

tomp · May 12, 2023, 2:25pm

See my reply on Help getting instance to access internet?