LXC container has no internet access (Docker)

Setup:

  • Ubuntu 22 with lxd installed
  • 1 container (OpenHAB) running

I tried to update my lxc container “OpenHAB” recently and got some errors:

apt update
Hit:1 https://repos.influxdata.com/debian stretch InRelease
Get:2 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:3 https://packages.grafana.com/oss/deb stable InRelease [5812 B]
Hit:4 https://deb.nodesource.com/node_14.x focal InRelease
Hit:5 http://archive.ubuntu.com/ubuntu focal InRelease
Get:6 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Err:8 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable InRelease
  Could not connect to openhab.jfrog.io:443 (34.139.10.89), connection timed out
Err:9 https://repos.azul.com/zulu/deb stable InRelease
  Could not connect to repos.azul.com:443 (104.18.40.91), connection timed out Could not connect to repos.azul.com:443 (172.64.147.165), connection timed out
Fetched 342 kB in 31s (11.1 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: Failed to fetch https://openhab.jfrog.io/artifactory/openhab-linuxpkg/dists/stable/InRelease  Could not connect to openhab.jfrog.io:443 (34.139.10.89), connection timed out
W: Failed to fetch https://repos.azul.com/zulu/deb/dists/stable/InRelease  Could not connect to repos.azul.com:443 (104.18.40.91), connection timed out Could not connect to repos.azul.com:443 (172.64.147.165), connection timed out
W: Some index files failed to download. They have been ignored, or old ones used instead.

So I tested the internet connection from the host (works fine) and from the container by:
wget -qO- whatismyip.org
But all packages are lost. So no internet access from the container.

What could be wrong? I checked the lxd configuration as follows, but could not see anything strange.

simon@simon-itx:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]: no
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: yes
Name of the existing bridge or host interface: lxdbr0
Would you like the LXD server to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]:
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
Error: Failed to update profile "default": Device validation failed for "eth0": Cannot use "nictype" property in conjunction with "network" property

What is the output of ip a and ip r on the host and inside the container?

What does lxc network show <network> and lxc config show <instance> --expanded show?

on the host:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 70:85:c2:85:93:9f brd ff:ff:ff:ff:ff:ff
    inet 192.168.103.44/24 brd 192.168.103.255 scope global dynamic noprefixroute enp1s0
       valid_lft 784580sec preferred_lft 784580sec
    inet6 2003:eb:af0b:be00:3551:62ab:ff9c:be5d/64 scope global temporary dynamic
       valid_lft 7195sec preferred_lft 1795sec
    inet6 2003:eb:af0b:be00:b87d:3f36:cea9:cc1d/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7195sec preferred_lft 1795sec
    inet6 fe80::4456:9cbc:9cd8:407a/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:f9:ca:c3:e4 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:f9ff:feca:c3e4/64 scope link
       valid_lft forever preferred_lft forever
4: br-e0da84865713: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:8a:b6:f0:e1 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-e0da84865713
       valid_lft forever preferred_lft forever
5: br-e1b2281ca15e: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:68:c5:12:ff brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-e1b2281ca15e
       valid_lft forever preferred_lft forever
6: br-1ded0a1d0a30: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:ff:66:62:a5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.32.1/20 brd 192.168.47.255 scope global br-1ded0a1d0a30
       valid_lft forever preferred_lft forever
7: br-3835e673ed8c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:07:36:a9:5f brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-3835e673ed8c
       valid_lft forever preferred_lft forever
    inet6 fe80::42:7ff:fe36:a95f/64 scope link
       valid_lft forever preferred_lft forever
8: br-7345e09288f4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:d8:f6:f1:b2 brd ff:ff:ff:ff:ff:ff
    inet 172.22.0.1/16 brd 172.22.255.255 scope global br-7345e09288f4
       valid_lft forever preferred_lft forever
10: vethb773517@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-3835e673ed8c state UP group default
    link/ether 32:8b:fd:04:d9:6b brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::308b:fdff:fe04:d96b/64 scope link
       valid_lft forever preferred_lft forever
14: veth310f1f1@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-3835e673ed8c state UP group default
    link/ether d2:f7:36:f0:ab:1d brd ff:ff:ff:ff:ff:ff link-netnsid 4
    inet6 fe80::d0f7:36ff:fef0:ab1d/64 scope link
       valid_lft forever preferred_lft forever
16: vethcec12b7@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 1a:9a:00:4d:c2:fb brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::189a:ff:fe4d:c2fb/64 scope link
       valid_lft forever preferred_lft forever
18: veth509d58a@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-3835e673ed8c state UP group default
    link/ether 82:30:d5:57:22:d5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::8030:d5ff:fe57:22d5/64 scope link
       valid_lft forever preferred_lft forever
20: veth9bd58e8@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-3835e673ed8c state UP group default
    link/ether 6e:11:7a:1a:a7:48 brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::6c11:7aff:fe1a:a748/64 scope link
       valid_lft forever preferred_lft forever
22: veth7871953@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-3835e673ed8c state UP group default
    link/ether 02:ce:3b:25:a3:7e brd ff:ff:ff:ff:ff:ff link-netnsid 6
    inet6 fe80::ce:3bff:fe25:a37e/64 scope link
       valid_lft forever preferred_lft forever
23: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:73:eb:aa brd ff:ff:ff:ff:ff:ff
    inet 10.120.228.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fd42:7d6d:692e:1938::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe73:ebaa/64 scope link
       valid_lft forever preferred_lft forever
25: veth73a7056d@if24: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether 2a:7c:36:92:8e:ea brd ff:ff:ff:ff:ff:ff link-netnsid 7
27: veth3b4da3e@if26: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 8a:41:f0:ca:46:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::8841:f0ff:feca:46b9/64 scope link
       valid_lft forever preferred_lft forever
simon@simon-itx:~/Downloads$ ip r
default via 192.168.103.1 dev enp1s0 proto dhcp metric 100
10.120.228.0/24 dev lxdbr0 proto kernel scope link src 10.120.228.1
169.254.0.0/16 dev enp1s0 scope link metric 1000
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-3835e673ed8c proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-e1b2281ca15e proto kernel scope link src 172.19.0.1 linkdown
172.20.0.0/16 dev br-e0da84865713 proto kernel scope link src 172.20.0.1 linkdown
172.22.0.0/16 dev br-7345e09288f4 proto kernel scope link src 172.22.0.1 linkdown
192.168.32.0/20 dev br-1ded0a1d0a30 proto kernel scope link src 192.168.32.1 linkdown
192.168.103.0/24 dev enp1s0 proto kernel scope link src 192.168.103.44 metric 100

lxc network show lxdbr0:

$ lxc network show lxdbr0
config:
  ipv4.address: 10.120.228.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:7d6d:692e:1938::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/OpenHAB
- /1.0/profiles/default
managed: true
status: Created
locations:
- none

lxc config show OpenHAB --expanded
architecture: x86_64
config:
  boot.autostart: "true"
  image.architecture: amd64
  image.description: ubuntu 20.04 LTS amd64 (release) (20201210)
  image.label: release
  image.os: ubuntu
  image.release: focal
  image.serial: "20201210"
  image.type: squashfs
  image.version: "20.04"
  volatile.base_image: e0c3495ffd489748aa5151628fa56619e6143958f041223cb4970731ef939cb6
  volatile.cloud-init.instance-id: 4a1f55e6-1a13-48de-ba70-6e8c00b82887
  volatile.eth0.host_name: veth73a7056d
  volatile.eth0.hwaddr: 00:16:3e:2e:6f:a3
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 5c78911e-777e-4b81-a837-73bd02176d3b
devices:
  CC2531:
    type: usb
    vendorid: "0451"
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  myport1883:
    connect: tcp:127.0.0.1:1883
    listen: tcp:0.0.0.0:1883
    type: proxy
  myport3000:
    connect: tcp:127.0.0.1:3000
    listen: tcp:0.0.0.0:3000
    type: proxy
  myport8080:
    connect: tcp:127.0.0.1:8080
    listen: tcp:0.0.0.0:8080
    type: proxy
  root:
    path: /
    pool: default
    type: disk
  ttyACM0:
    gid: "20"
    mode: "0666"
    path: /dev/ttyACM0
    type: unix-char
ephemeral: false
profiles:
- default
stateful: false
description: ""

on the container:

~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
24: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:2e:6f:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.120.228.29/24 brd 10.120.228.255 scope global dynamic eth0
       valid_lft 2812sec preferred_lft 2812sec
    inet6 fd42:7d6d:692e:1938:216:3eff:fe2e:6fa3/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 3463sec preferred_lft 3463sec
    inet6 fe80::216:3eff:fe2e:6fa3/64 scope link
       valid_lft forever preferred_lft forever
root@OpenHAB:~# ip r
default via 10.120.228.1 dev eth0 proto dhcp src 10.120.228.29 metric 100
10.120.228.0/24 dev eth0 proto kernel scope link src 10.120.228.29
10.120.228.1 dev eth0 proto dhcp scope link src 10.120.228.29 metric 100

@tomp: Can you please give me any hints on what else I should check or do?
Is it recommended to install from scratch and import the container?

You are running Docker on the host so please take a look at

Many thanks. That was the solution.

iptables -I DOCKER-USER -i lxdbr0 -o enp1s0 -j ACCEPT
iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

did the trick. I have been running the system for 3 years now and some URLs worked. So that was strange to me.

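An idempotent form of the two DOCKER-USER rules from this thread, added here as an example and not part of the original posts: it checks each rule with `iptables -C` before inserting it, so re-running it does not stack duplicates. The interface names are the ones shown above; `IPT`, `LXD_BRIDGE` and `UPLINK` are hypothetical override variables introduced for this sketch.

```shell
#!/bin/sh
# Added example: apply the thread's DOCKER-USER rules only if they are missing.
# Interface names come from the outputs on this page; override per host.
LXD_BRIDGE="${LXD_BRIDGE:-lxdbr0}"
UPLINK="${UPLINK:-enp1s0}"
IPT="${IPT:-iptables}"   # hypothetical override, allows a dry run with a stub

# ensure_rule CHAIN RULE...
# Insert RULE at the top of CHAIN unless `iptables -C` says it already exists.
ensure_rule() {
    chain="$1"; shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
    else
        "$IPT" -I "$chain" "$@" && echo "added:   $chain $*"
    fi
}

allow_lxd_through_docker() {
    # DOCKER-USER exists only after Docker has created its chains.
    if ! "$IPT" -S DOCKER-USER >/dev/null 2>&1; then
        echo "DOCKER-USER chain not found; is Docker running?" >&2
        return 1
    fi
    # New connections from the LXD bridge out through the uplink.
    ensure_rule DOCKER-USER -i "$LXD_BRIDGE" -o "$UPLINK" -j ACCEPT
    # Replies to connections that are already tracked, back to the bridge.
    ensure_rule DOCKER-USER -o "$LXD_BRIDGE" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Run as root with the argument "apply"; without it only the functions load.
if [ "${1:-}" = "apply" ]; then
    allow_lxd_through_docker
fi
```

Rules inserted with `iptables -I` are not saved across reboots, so this has to run again at boot after Docker has started.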