Howto: LXD init 3.9, Hetzner, Single Public IP, MAC, Ubuntu 18.04

I noticed that in his posts since 2018 @stgraber has been offering examples with the “routed” method instead of “macvlan”.

So is “routed” fully supported under Ubuntu 18.04 and LXD 3.0.3 or do I need to install a newer LXD with snapd?

It seems to me that all providers (Hetzner, OVH etc) by default simply route all your IPs/Nets to your dedicated server NIC and offer a custom MAC only as a secondary option (for VMware etc).

Thank you in advance, K.

Yes, you can try it with routes. But I don't like individual profiles for containers. Macvlan is easy to configure with only 1 command to override eth0 (to receive DHCP).

You need LXD 3.19 for this feature:

And yes, you can use your host MAC (by default) to route it to your containers.
lxc config device add c1 eth0 nic nictype=routed ipv4.address=<public IP>


I agree that macvlan seems (is?) the easiest to configure, but as I wrote earlier I had inexplicable networking problems when I removed the Hetzner secondary MAC address (for an additional IP) from one container and added it to another container (on an Ubuntu 18.04 host with LXD 3.0.3).

This experience has made me hesitant to use it in production … :frowning:

I have not experienced that myself. It always works here. Anyway, it is time for you to update LXD :wink:

If anyone knows the answers to 2 questions please:

  1. Can I use IPv6 in a container configured with macvlan? (I’ve asked this twice above)

  2. Should I be afraid of trouble in the future (e.g. upon reboot or adding/removing macvlan containers etc) if I have already configured my macvlan containers with the volatile key? (i.e. using lxc config set myct volatile.eth0.hwaddr xyz instead of the syntax suggested by @TomvB)

Thank you in advance, K.

  1. Getting universally routable IPv6 Addresses for your Linux Containers on Ubuntu 18.04 with LXD 4.0 on a VPS
  2. Howto: LXD init 3.9, Hetzner, Single Public IP, MAC, Ubuntu 18.04

Thank you, but neither of the links answer my questions …

  1. I don’t think so. It’s hard to configure IPv6 without routing. I’m not using public IPv6 addresses. Only one /64 subnet. The subnet is assigned to 1 MAC address on the host.
  2. This is the answer to your question… The risk is that the meaning/usage of that key may change in the future with no warning. That's all. Nothing more.

And if they do this… You can of course delete it from the containers… But change the volatile key now as you can. Do not wait too long.

  1. Thanks.

  2. My question was should I re-do the macvlan configs of the already running containers ??? (i.e. reconfigure them based on your post #24) Those CTs have been configured with the old/wrong syntax of volatile keys and I want to avoid any surprises in the future e.g. if I upgrade from LXD 3.0.3 to a newer version …

And just as you pointed out in your earlier post, I get an error when I try the syntax of @tomp :

$ lxc config device set ct02 eth0 hwaddr 00:50:51:52:53:54
Error: The device doesn't exist

PS: Sorry for being persistent, but I know nothing about the internals of LXD and there is no config text file to read like most other tools.

lxc config unset <CT> volatile.eth0.hwaddr

And then this:


So, to summarize, the instructions in the first few posts of this thread (recommending to set volatile.eth0.hwaddr ) are incorrect and may cause problems in the future.

Let’s just hope that new visitors looking for clues will read the entire thread all the way down to here …

Not incorrect, but may cause problems in the future with upcoming changes.

Btw unset <CT> volatile.eth0.hwaddr doesn’t seem to change anything in the config:

$ lxc config unset ct02 volatile.eth0.hwaddr
$ lxc config show ct02 --expanded | fgrep hwaddr
  volatile.eth0.hwaddr: 00:50:51:52:53:54
$

PS: I also got an error when I tried lxc profile remove macvlan so I’ve given up and reverted to the old “volatile” config and just made notes to be extra careful before upgrading LXD in the future.

Try to turn off the container before applying the unset command, or restart it after applying it.

To answer your questions hopefully:

  1. macvlan works with IPv6 the same way it works with IPv4; either by the container doing DHCPv6/SLAAC auto configuration, or by you configuring a static network configuration inside the container.
  2. If your containers need to use a static MAC address because of a requirement by your ISP, then you don’t need to create a profile per container, you can just add the custom macvlan NIC directly to the container. E.g. I will show creating a container with the default profile and then adding a custom macvlan NIC with a static MAC address to override the eth0 bridged NIC in the default profile.

Note: With macvlan each container needs a unique MAC that is different from the host.

# Creates a container based on default profile (and bridged NIC eth0).
lxc init images:ubuntu/focal <container> -p default 

# Override the bridged eth0 NIC by adding a custom macvlan NIC to container.
# With a static MAC address as specified by your ISP.
lxc config device add <container> eth0 nic nictype=macvlan name=eth0 hwaddr=<static MAC address>

# Start container and then enter it to perform static IP configuration if no DHCPv4/DHCPv6/SLAAC provided by your ISP.
lxc start <container>
lxc shell <container>
  3. I don’t believe routed NIC is available in LXD 3.x series, it is in the 4.x series though.

I’ve tweaked the original post to remove references to volatile and use instead:

lxc config device override c1 eth0 hwaddr=00:AA:BB:CC:DD:FF

This will copy the profile’s macvlan eth0 interface settings into the container (the same as lxc config device add does) and then set it with a custom MAC address.

There is a guide on how to configure static IPs (including IPv6) in the Debian documentation:

https://wiki.debian.org/NetworkConfiguration

macvlan works with IPv6 the same way it works with IPv4; either by the container doing DHCPv6/SLAAC auto configuration, or by you configuring a static network configuration inside the container.

It is not possible to assign 1 IPv6 address with macvlan. You get a whole /64 IPv6 subnet and you can link it to 1 specific MAC address. Not 1 IPv6 address, but a /64 subnet. If you want to assign single IPv6 addresses, routing is required @kpv

@tomp: In some cases, macvlan is possible for IPv6, but unfortunately not with many providers.

If you want to assign the /64 IPv6 subnet + IPv4 to 1 container with macvlan:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - IPv4Address/32
        - IPv6Address::3/64
      routes:
        - on-link: true
          to: 0.0.0.0/0
          via: IPv4Gateway
      gateway6: fe80::1
      nameservers:
        addresses:
          - IPv4 DNS
          - IPv6 DNS

Ah, ok I see, although this isn’t a restriction of macvlan (which works the same way for IPv4 as IPv6), but rather your ISP which forces a /64 per MAC rather than allowing a MAC per IP in that subnet.

In that case you’d be best of exploring the routed or ipvlan NIC types available in the LXD 4.x series, which will both use the host’s single MAC address.


Yep, what @kpv can do is:

UFW Host config:

nano /etc/default/ufw
Check the forward policy and change:
DEFAULT_FORWARD_POLICY="DROP"
to:
DEFAULT_FORWARD_POLICY="ACCEPT"

Container config:

lxc init --profile default ubuntu:20.04 CT
lxc config device add CT eth0 nic nictype=routed ipv6.address=YourIPv6::3

You can also add ipv4.address.
Assign the IPv6 subnet and IPv4 address to your host MAC in your control panel.

With this solution you no longer need macvlan and you can use IPv4 and IPv6.

Edit: Don’t forget to add the config in your container!

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - IPv6::3/64
      gateway6: fe80::1
      nameservers:
        addresses:
          - IPv6 Nameserver
          - IPv6 Nameserver
          - IPv6 Nameserver

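As an added example (written here, not posted by anyone in this thread and not part of LXD), the following Python script ties together the two layouts discussed above: the macvlan NIC with its own MAC and an address inside the provider-assigned IPv6 /64, and the routed NIC that reuses the host MAC. It checks the MAC (well-formed, unicast, not the host's, not already used), checks that the IPv6 address really lies in the assigned /64, builds the `lxc config device add` argv, and renders the container's netplan file. The host NIC name (`parent`), the container name and all addresses are constructed placeholders from documentation ranges; the IPv6 default route is written in netplan's `routes:` form with `on-link: true` instead of the `gateway6:` key used in the posts above. The script does not run `lxc` itself.

```python
"""Validate addresses/MAC for an LXD container NIC and render its netplan file.

Covers the macvlan layout (own MAC, IPv4 /32 plus an address inside the
provider's IPv6 /64) and the routed layout (addresses passed through the
host MAC, IPv6 gateway fe80::1). All sample values are constructed.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def check_mac(mac, host_mac, used_macs=()):
    """Return the normalised MAC; raise if malformed, multicast, equal to the
    host MAC, or already used by another macvlan container on this host."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac}")
    if int(mac[:2], 16) & 1:
        raise ValueError(f"{mac} has the multicast bit set")
    if mac in {host_mac.lower()} | {m.lower() for m in used_macs}:
        raise ValueError(f"{mac} is already used on this host")
    return mac


def lxc_device_add(container, mode, mac=None, parent=None, ipv4=None, ipv6=None):
    """Build the argv that overrides eth0 from the profile (parent = host NIC)."""
    argv = ["lxc", "config", "device", "add", container, "eth0", "nic", f"nictype={mode}"]
    if mode == "macvlan":
        argv += ["name=eth0", f"parent={parent}", f"hwaddr={mac}"]
    else:
        # routed NICs take bare addresses without a prefix length
        if ipv4:
            argv.append(f"ipv4.address={ipaddress.IPv4Interface(ipv4).ip}")
        if ipv6:
            argv.append(f"ipv6.address={ipaddress.IPv6Interface(ipv6).ip}")
    return argv


def build_netplan(mode, ipv4=None, ipv6=None, assigned_v6=None,
                  ipv4_gateway=None, nameservers=()):
    """Return the netplan config (as a dict) for eth0 inside the container."""
    if mode not in ("macvlan", "routed"):
        raise ValueError("mode must be 'macvlan' or 'routed'")
    addresses, routes = [], []
    if ipv4:
        if ipv4_gateway is None:
            raise ValueError("an IPv4 address needs ipv4_gateway")
        addresses.append(str(ipaddress.IPv4Interface(ipv4)))
        # a /32 has no on-link neighbours, so the gateway route must be on-link
        routes.append({"to": "0.0.0.0/0",
                       "via": str(ipaddress.IPv4Address(ipv4_gateway)),
                       "on-link": True})
    if ipv6:
        v6 = ipaddress.IPv6Interface(ipv6)
        if mode == "macvlan":
            # the provider binds a whole /64 to the MAC: the address must be in it
            if assigned_v6 is None:
                raise ValueError("macvlan IPv6 needs the assigned /64")
            net6 = ipaddress.IPv6Network(assigned_v6)
            if net6.prefixlen != 64 or v6.ip not in net6:
                raise ValueError(f"{v6.ip} is not inside the assigned /64 {net6}")
        addresses.append(str(v6))
        routes.append({"to": "::/0", "via": "fe80::1", "on-link": True})
    if not addresses:
        raise ValueError("at least one of ipv4/ipv6 is required")
    eth0 = {"addresses": addresses, "routes": routes}
    if nameservers:
        eth0["nameservers"] = {"addresses": list(nameservers)}
    return {"network": {"version": 2, "renderer": "networkd",
                        "ethernets": {"eth0": eth0}}}


def _scalar(v):
    return "true" if v is True else "false" if v is False else str(v)


def to_yaml(obj, indent=0):
    """Minimal YAML emitter for the nested dict/list/scalar shapes netplan uses."""
    pad, lines = "  " * indent, []
    if isinstance(obj, dict):
        for key, val in obj.items():
            if isinstance(val, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(val, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(val)}")
    else:
        for item in obj:
            if isinstance(item, dict):
                sub = to_yaml(item, indent + 1)
                lines.append(f"{pad}- {sub[0].lstrip()}")  # first key after the dash
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


def render(cfg):
    return "\n".join(to_yaml(cfg)) + "\n"


if __name__ == "__main__":
    # constructed sample: documentation ranges, not a real provider allocation
    mac = check_mac("00:AA:BB:CC:DD:FF", host_mac="00:11:22:33:44:55")
    print(" ".join(lxc_device_add("c1", "macvlan", mac=mac, parent="enp0s31f6")))
    cfg = build_netplan("macvlan", ipv4="203.0.113.10/32", ipv6="2001:db8:abcd::3/64",
                        assigned_v6="2001:db8:abcd::/64", ipv4_gateway="203.0.113.1",
                        nameservers=["203.0.113.53", "2001:db8::53"])
    print(render(cfg))
```

Run it as-is to see the macvlan argv and the rendered netplan; for the routed layout call `build_netplan("routed", ...)` without `assigned_v6` and `lxc_device_add(ct, "routed", ipv4=..., ipv6=...)`. The rendered text is meant for `/etc/netplan/50-cloud-init.yaml` (or a new file) inside the container, followed by `netplan apply`.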