IPv4 address not obtained by contained with bridged networking and docker

I have been using LXD for a few weeks now. Host is Ubuntu 20.04 and containers are running the same. I had been using macvlan to give my containers real IP addresses from my LAN, and that’s been working fine.

However, the lack of network communication between containers and to the host was too much of a limitation, so I decided to go with converting my host’s networking to a bridge setup with what was ens33 connected to br0.

From a host point of view this worked fine. br0 now has my static IP.

I then edited my default LXD profile to point to br0 instead of macvlan, and restarted my containers. However, they now only get IPv6 addresses, which are valid and reachable from elsewhere on my network. IPv4 addresses are simply blank.

I’ve read several other topics on this site where users had had similar issues, but they seem to be related to dnsmasq running locally on the host, and lxdbr0 networking. In my case, I am definitely expecting a DHCP address from my LAN - which worked with macvlan.

Here is some information about my setup:

jamesp@doug:~$ lxc ls
+-------------+---------+------+----------------------------------------------+-----------+-----------+
|    NAME     |  STATE  | IPV4 |                     IPV6                     |   TYPE    | SNAPSHOTS |
+-------------+---------+------+----------------------------------------------+-----------+-----------+
| mailserver  | RUNNING |      | 2001:xxx:xxx:bd3f:dead:beef:e0cd:bae7 (eth0) | CONTAINER | 0         |
|             |         |      | 2001:xxx:xxx:bd3f:216:3eff:fe09:658f (eth0)  |           |           |
+-------------+---------+------+----------------------------------------------+-----------+-----------+
| mailserver2 | RUNNING |      | 2001:xxx:xxx:bd3f:dead:beef:82bc:d1a0 (eth0) | CONTAINER | 0         |
|             |         |      | 2001:xxx:xxx:bd3f:216:3eff:fedd:6a0c (eth0)  |           |           |
+-------------+---------+------+----------------------------------------------+-----------+-----------+

jamesp@doug:~$ lxc network list 
+---------+----------+---------+-------------+---------+
|  NAME   |   TYPE   | MANAGED | DESCRIPTION | USED BY |
+---------+----------+---------+-------------+---------+
| br0     | bridge   | NO      |             | 3       |
+---------+----------+---------+-------------+---------+
| docker0 | bridge   | NO      |             | 0       |
+---------+----------+---------+-------------+---------+
| ens33   | physical | NO      |             | 0       |
+---------+----------+---------+-------------+---------+
| lxdbr0  | bridge   | YES     |             | 0       |
+---------+----------+---------+-------------+---------+
jamesp@doug:~$ lxc profile show default
config: {}
description: Default LXD profile
devices:
  eth0:
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: default
used_by:
- /1.0/instances/mailserver
- /1.0/instances/mailserver2

jamesp@doug:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
link/ether 00:0c:29:fe:16:c3 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:0c:29:fe:16:c3 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.4/24 brd 192.168.10.255 scope global br0
valid_lft forever preferred_lft forever
inet6 2001:xxx:xxx:bd3f:dead:beef:9659:96ee/128 scope global dynamic noprefixroute
valid_lft 5868sec preferred_lft 3168sec
inet6 2001:xxx:xxx:bd3f:20c:29ff:fefe:16c3/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 86399sec preferred_lft 14399sec
inet6 fe80::20c:29ff:fefe:16c3/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:3c:1e:c6:43 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: lxdbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 00:16:3e:35:64:03 brd ff:ff:ff:ff:ff:ff
inet 10.173.204.1/24 scope global lxdbr0
valid_lft forever preferred_lft forever
inet6 fd42:795:547a:51af::1/64 scope global
valid_lft forever preferred_lft forever
7: vethf13ad10c@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
link/ether 5a:4b:53:15:65:29 brd ff:ff:ff:ff:ff:ff link-netnsid 0
9: veth66a99bc2@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
link/ether ba:57:e6:90:a4:de brd ff:ff:ff:ff:ff:ff link-netnsid 1

I’m at a bit of a loss here, I really want to get this working and would appreciate any assistance!

After more research I found that it is the apparently known issue with Docker doing something with the firewall rules. I had initially discounted this as I thought that a container being connected directly to a bridge would not be affected by a host firewall.

Running sudo iptables -I DOCKER-USER -j ACCEPT solves this particular issue. So the next question - is this the right way to solve the problem?

Yes this is a common issue, there’s some discussion on possible solutions on it over at:

But it sounds like you’re already on the right track :slight_smile:

From docker documentation:

Docker also sets the policy for the FORWARD chain to DROP. If your Docker host also acts as a router, this will result in that router not forwarding any traffic anymore. If you want your system to continue functioning as a router, you can add explicit ACCEPT rules to the DOCKER-USER chain to allow it:

$ iptables -I DOCKER-USER -j ACCEPT

After that everything started to work again with my bridged lxc containters.