When LXD starts, some rules are added to iptables to make the containers able to access the internet, and to communicate with the host.
In my case, I have many other custom rules, and the two play along without problems. However, at times I have the need to reset the firewall by clearing all the rules. This, of course, deletes the rules inserted by LXD as well.
Is there any way to have LXD reinsert those rules into the (now empty) firewall?
PS In case it matters: I am using LXC installed via snap as per these instructions.
Thank you very much for your suggestion. This indeed works, and rules are regenerated properly.
However, according to my tests it “resets” the containers, too: i.e. if I log in to a container with lxc exec mycontainer bash, the connection is dropped.
Any suggestion for a “softer” method? Somewhere on the Internet I had found hints about a shell script, part of lxd, which could be called for exactly this purpose. The script was not to be found on my system, maybe because of different versions, or a different packaging system (apt vs snap).
The reset is only due to the fact that you exec a command through LXD and restart it; the container itself keeps running, without any impact to the container.
Yes, you are correct, I can replicate the same.
It seems that when you do a restart via snap the containers are indeed stopped when LXD is restarted; this does not happen with the deb package. @stgraber any ideas?
Use systemctl reload snap.lxd.daemon as snap restart lxd or systemctl restart snap.lxd.daemon will cause a “clean” shutdown of the LXD daemon, shutting down all the containers in the process.
When the snap package updates (refresh), a reload is performed, specifically so that containers don’t get respawned. Unfortunately we can’t make snap restart lxd do that, as what it does is call systemctl restart lxd, which in turn is the same as systemctl stop and systemctl start, and we do need systemctl stop to shut down all containers, as otherwise we’d get data corruption when you shut down or reboot the server.
Indeed: systemctl reload snap.lxd.daemon seems to work perfectly in this case. I assume systemctl reload lxd will do the same in case LXD was installed via apt package.
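The procedure the thread settles on (flush the host rules, then reload rather than restart LXD so it re-creates its rules without stopping containers), as an added example script that is not from the thread and not LXD's own code. It assumes: a snap install provides /snap/bin/lxd; the snap unit to reload is snap.lxd.daemon (as stated above) while the deb unit name lxd is the assumption made in the reply above, not verified here; and LXD tags its iptables rules with a comment containing "generated for LXD", which is used only for the final sanity check.

```sh
#!/bin/sh
# Added example, not code from the thread or from LXD itself.
# Flush the host firewall and then ask LXD to re-create its own rules with a
# reload (never a restart), so running containers are not stopped.
set -eu

# Map the way LXD was installed to the systemd unit whose reload makes LXD
# re-apply its firewall rules. snap -> snap.lxd.daemon (from the thread);
# deb -> lxd (assumption made in the thread, not verified here).
lxd_reload_unit() {
    case "$1" in
        snap) printf '%s\n' snap.lxd.daemon ;;
        deb)  printf '%s\n' lxd ;;
        *)    printf 'unknown LXD install type: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Guess the install type. Assumption: a snap install provides /snap/bin/lxd;
# anything else is treated as a deb install.
detect_lxd_install() {
    if [ -x /snap/bin/lxd ]; then
        printf 'snap\n'
    else
        printf 'deb\n'
    fi
}

# Flush every table. Default policies are set to ACCEPT *before* flushing so a
# chain with a DROP policy does not cut off the SSH session mid-way. LXD's own
# rules live in both the filter table (INPUT/FORWARD) and the nat table
# (MASQUERADE), so both must be cleared for the reload to re-create them cleanly.
# Hosts with IPv6 rules need the same loop with ip6tables.
flush_firewall() {
    for chain in INPUT FORWARD OUTPUT; do
        iptables -P "$chain" ACCEPT
    done
    for table in filter nat mangle raw; do
        iptables -t "$table" -F
        iptables -t "$table" -X
    done
}

# Full procedure: flush, reload LXD, then show the rules it put back.
reset_firewall_and_reload() {
    unit=$(lxd_reload_unit "$(detect_lxd_install)")
    flush_firewall
    # reload re-applies the rules; restart would stop every container.
    systemctl reload "$unit"
    # Assumption: LXD tags its rules with a "generated for LXD" comment.
    iptables-save | grep -i 'generated for LXD' || echo "no LXD rules found yet"
}

# Only touch the live firewall when explicitly asked: ./reset-fw.sh --apply
if [ "${1:-}" = "--apply" ]; then
    reset_firewall_and_reload
fi
```

Run it as root with --apply right after whatever flushes your firewall (for example from the firewall's post-up hook); without --apply it only defines the functions, so it can be sourced and the unit mapping checked first.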
I am facing a similar situation where the firewall is reloading every 24 hours for maintenance and in the process flushing the entire iptables, after which the LXC container(s) lose connectivity.
The box is running LXC straight off, without snapd, and I tried systemctl reload lxc with output:
Failed to reload lxc.service: Job type reload is not applicable for unit lxc.service.
Another firewall restart scenario is when the firewall userland app gets an update.
Since the firewall is supporting postup.sh scripts, it is perhaps best practice to restart lxc.service and lxc-net.service; however, that leads to a brief interruption of the service provided by a container. Reloading instead would perhaps be less intrusive.
If I restart firewalld, all the iptables rules set by LXD are removed, so I must restart LXD or the containers will be disconnected from outgoing internet connections.
I’m trying to find a way to manually set the right iptables rules LXD is setting. So that I could integrate these rules inside the firewalld parameters and set ipv4.firewall=false in the LXD parameters.
Did you find a way to do that? Or do you just force an LXD reload after your firewall restart?
Since that post I have switched from IPT(ables) to NFT(ables) and configured the rules for the containers in the NFT ruleset (as opposed to LXC generating rules).
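The approach the last two posts describe (keep the bridge rules in the host's own ruleset and set ipv4.firewall=false so LXD stops generating them), as an added example that is not from the thread and not LXD's code. The rule set it emits is my reading of what LXD's iptables driver installs for a managed bridge: DHCP and DNS from containers to the host's dnsmasq on the bridge, forwarding in and out of the bridge, and masquerade for traffic leaving the container subnet; check it against iptables-save on a host where ipv4.firewall is still true before relying on it. The target table and chain names (inet filter with chains input/output/forward, ip nat with chain postrouting) are assumptions and must match your existing nftables layout.

```sh
#!/bin/sh
# Added example, not from the thread and not LXD's own code.
# Emit nftables commands equivalent to the rules LXD's iptables driver adds
# for a managed bridge, so they can live in the host ruleset and LXD can be
# told to stop managing them: lxc network set lxdbr0 ipv4.firewall false
set -eu

# Plain format check for an IPv4 CIDR such as 10.10.10.0/24.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print commands ready for `nft -f -`.
#   $1 bridge name (e.g. lxdbr0)
#   $2 bridge IPv4 subnet in CIDR (e.g. 10.10.10.0/24)
#   $3 filter table as "family name" (default "inet filter"); assumption: it
#      already has base chains named input, output and forward
#   $4 nat table (default "ip nat"); assumption: it has a chain postrouting
lxd_nft_rules() {
    br=$1 subnet=$2 filter=${3:-inet filter} nat=${4:-ip nat}
    is_ipv4_cidr "$subnet" || { printf 'bad subnet: %s\n' "$subnet" >&2; return 1; }
    # Host-side services LXD runs on the bridge: dnsmasq (DHCP 67/udp, DNS 53).
    printf 'add rule %s input iifname "%s" udp dport { 53, 67 } accept\n' "$filter" "$br"
    printf 'add rule %s input iifname "%s" tcp dport 53 accept\n' "$filter" "$br"
    # Replies from those services back to the containers.
    printf 'add rule %s output oifname "%s" udp sport { 53, 67 } accept\n' "$filter" "$br"
    printf 'add rule %s output oifname "%s" tcp sport 53 accept\n' "$filter" "$br"
    # Forwarding in and out of the bridge (containers <-> the outside world).
    printf 'add rule %s forward iifname "%s" accept\n' "$filter" "$br"
    printf 'add rule %s forward oifname "%s" accept\n' "$filter" "$br"
    # NAT only for traffic leaving the subnet, never container-to-container.
    printf 'add rule %s postrouting ip saddr %s ip daddr != %s masquerade\n' "$nat" "$subnet" "$subnet"
}

# Number of rules emitted; useful as a sanity check in a post-up hook.
lxd_nft_rule_count() {
    lxd_nft_rules "$@" | wc -l | tr -d ' '
}

# Usage: ./lxd-bridge-rules.sh lxdbr0 10.10.10.0/24 | nft -f -
if [ $# -ge 2 ]; then
    lxd_nft_rules "$@"
fi
```

Because these rules are appended to your own base chains, they survive a firewall reload as long as the firewall's reload re-reads the file that generates them, which is the point of moving them out of LXD's hands; the forward rules are broad (any traffic in or out of the bridge), so tighten them to the services the containers actually need once the baseline works.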
No it is not installed. I deleted all my ufw rules and they got deleted as well.
Trying to rebuild the ufw rules with plain iptables was not easy and I am still not there.