LXC (not LXD) container can ping HOST but not DEFAULT ROUTER

Hello Friends:

Now that I recovered my Fedora-30 environment (… recalling that I had upgraded to Fedora-32 which broke LXC; so I reverted to Fedora-30), everything seems to be working, but for this: I can’t ping the default router from within the LXC container (whereas I could before). Actually, from the LXC container, I can’t ping any device on the bridged-to local network other than its HOST.

So I must have missed something in my reverting back to Fedora-30. I provide information below. Can anyone identify what I might be missing? Note that the included LXC container config file is the same as before (unchanged).

Any ideas? Please see below, and thank you!

What’s running on the HOST:

user@HOST$ sudo lxc-ls --fancy --running
NAME  STATE   AUTOSTART GROUPS IPV4                      IPV6 UNPRIVILEGED 
vps12 RUNNING 0         -      172.17.0.1, 192.168.0.192 -    false  

The bridge on the HOST:

user@HOST$ sudo brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.ac220b51b11d	no		eth0
							        veth2ECD1V
docker  8000.0242de098eba	no		

Configured interfaces on the HOST:

user@HOST$ sudo ifconfig -a
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.16  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::ae22:bff:fe51:b11d  prefixlen 64  scopeid 0x20<link>
        ether ac:22:0b:51:b1:1d  txqueuelen 1000  (Ethernet)
        RX packets 2048  bytes 224239 (218.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1420  bytes 166366 (162.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:de:09:8e:ba  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether ac:22:0b:51:b1:1d  txqueuelen 1000  (Ethernet)
        RX packets 2100  bytes 296608 (289.6 KiB)
        RX errors 0  dropped 56  overruns 0  frame 0
        TX packets 898  bytes 114072 (111.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 18  memory 0xfb100000-fb120000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2  bytes 190 (190.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 190 (190.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth2ECD1V: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fcfc:2eff:feb4:436b  prefixlen 64  scopeid 0x20<link>
        ether fe:fc:2e:b4:43:6b  txqueuelen 1000  (Ethernet)
        RX packets 476  bytes 72861 (71.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 619  bytes 64519 (63.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Network commands while SSH’ed into GUEST (vps12):

user@vps12$ ifconfig -a
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:a1:25:79:10  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.192  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::2022:22ff:fe22:2212  prefixlen 64  scopeid 0x20<link>
        ether 22:22:22:22:22:12  txqueuelen 1000  (Ethernet)
        RX packets 680  bytes 72490 (70.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 518  bytes 80274 (78.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 18  bytes 1821 (1.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18  bytes 1821 (1.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

user@vps12$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

Config file for vps12 LXC container:

#####################################################################################
lxc.uts.name = vps12
lxc.rootfs.path = dir:/var/lib/lxc/vps12/rootfs
lxc.mount.fstab = /var/lib/lxc/vps12/fstab
#
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = x86_64
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.name = eth0
lxc.net.0.flags = up
lxc.net.0.ipv4.gateway = 192.168.0.1
#
lxc.net.0.ipv4.address = 192.168.0.192/24
lxc.net.0.hwaddr = 22:22:22:22:22:12
#####################################################################################


#####################################################################################
# Uncomment the following line to support nesting containers:
# (Be aware this has security implications)
#####################################################################################
lxc.include = /usr/share/lxc/config/nesting.conf
#####################################################################################


#####################################################################################
# Set for dstorm CPU cores. If this LXC is copied elsewhere, modify for that CPU.
#####################################################################################
lxc.cgroup.cpuset.cpus = 0,1,2,3,4,5,6,7,8,9,10,11
lxc.cgroup.cpu.shares = 100
#####################################################################################

#####################################################################################
# Miscellaneous settings ...
#####################################################################################
lxc.tty.max = 4
lxc.pty.max = 1024
lxc.cap.drop = sys_module mac_admin mac_override sys_time
#####################################################################################

#####################################################################################
# cgroups ...
#####################################################################################
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
#####################################################################################

#####################################################################################
# consoles ...
#####################################################################################
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
#####################################################################################

#####################################################################################
# /dev/{,u}random ...
#####################################################################################
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
#####################################################################################

#####################################################################################
# rtc
#####################################################################################
lxc.cgroup.devices.allow = c 254:0 rm
#####################################################################################

#####################################################################################
linux.kernel_modules = ip_tables,ip6_tables,netlink_diag,nf_nat,overlay
raw.lxc = lxc.mount.auto=proc:rw sys:rw
lxc.mount.entry = /dev/kmsg dev/kmsg none defaults,bind,create=file
security.nesting = true
security.privileged = true
lxc.apparmor.profile = unconfined
lxc.cgroup.devices.allow = a
lxc.mount.auto=proc:rw sys:rw
lxc.cap.drop =
#####################################################################################

I note the docker0 in your interface list, suggesting you have docker installed. In that case check your firewall rules using iptables-save as docker usually modifies the FORWARD chain policy to drop unknown traffic that can cause this issue.

See https://docs.docker.com/network/iptables/#docker-on-a-router
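As an added example (not part of this thread, and not Docker's or LXC's own code), a small POSIX shell check in the spirit of the advice above: it reads `iptables-save` output, reports the filter-table FORWARD policy that Docker sets to DROP, and, when no DOCKER-USER rule already lets br0 traffic through, prints the rule from the linked Docker page. The rules text is a constructed sample; `br0` is the bridge name from the question, and the function names are my own.

```shell
#!/bin/sh
# Added example: diagnose the Docker-induced FORWARD DROP policy that stops
# frames bridged through br0 once br_netfilter (loaded by Docker) sends
# bridged traffic through the iptables FORWARD chain.

# Constructed sample of `iptables-save` output on a host where Docker has
# set the FORWARD policy to DROP and created its DOCKER-USER chain.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT'

# forward_policy: print the filter-table FORWARD policy (ACCEPT/DROP)
# from iptables-save text on stdin; other tables (*nat, ...) are skipped.
forward_policy() {
    awk '/^\*/ {t=$1} t=="*filter" && $1==":FORWARD" {print $2; exit}'
}

# bridge_forward_allowed: exit 0 if a DOCKER-USER rule already accepts
# traffic entering and leaving the given bridge, else exit 1.
bridge_forward_allowed() {
    grep -q -- "-A DOCKER-USER -i $1 -o $1 -j ACCEPT"
}

# suggest_fix: print the rule from the Docker docs that lets bridged frames
# pass without reverting the whole FORWARD policy to ACCEPT.
suggest_fix() {
    printf 'iptables -I DOCKER-USER -i %s -o %s -j ACCEPT\n' "$1" "$1"
}

# check_host: iptables-save text on stdin plus a bridge name; print a
# diagnosis and return 1 when the fix is needed, 0 otherwise.
check_host() {
    br="$1"
    rules=$(cat)
    pol=$(printf '%s\n' "$rules" | forward_policy)
    if [ "$pol" = "DROP" ] && ! printf '%s\n' "$rules" | bridge_forward_allowed "$br"; then
        echo "FORWARD policy is DROP and no DOCKER-USER rule allows $br; apply as root:"
        suggest_fix "$br"
        return 1
    fi
    echo "FORWARD policy is $pol; iptables is not blocking bridged traffic on $br"
    return 0
}

# Demo on the constructed sample; on a real host: sudo iptables-save | check_host br0
printf '%s\n' "$SAMPLE_RULES" | check_host br0 || echo "(retest the ping from the container afterwards)"
```

The DOCKER-USER chain is evaluated before Docker's own FORWARD rules, so the inserted rule survives Docker restarts better than editing FORWARD directly.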

Hi @tomp, thank you.

The docker0 interface (and the service itself) are present on both the HOST and GUEST, but I presume you meant the HOST.

Taking your advice – and honestly not remembering whether I originally had docker-ce installed and running on the Fedora-30 HOST, but I definitely wasn’t using it there – I simply removed the docker-ce RPMs on the HOST, rebooted, and voila, everything worked! :laughing:

Your suggestion was great. In the future, in case I do need docker-ce running on the HOST (though I do try to keep everything wholly contained within the LXCs for portability), I bookmarked this Q&A session so I remember to implement the iptables-based modifications you pointed to.

Great catch, Tom. Thank you.
