LXD bridge not responding to DHCP?

Bloody hell, it was the firewall!

  1. Since I didn’t use DHCP prior, I had never thought about BOOTP traffic before!
  2. Moving my LXD experiments from my workstation to an (internet connected) server, I forgot to adapt the rules accordingly, punch the right holes through etc.
  3. Make sure to give yourself ample rest, productivity tanks and errors skyrocket when overworked.

I now have LXD related rules along those lines:

define lxd_bridge = "lxdbr0"
define lxd_subnet_ip = 10.100.0.0/24 
define lxd_subnet_ip6 = fd42:abbe:1234:5678::1/64 

table inet Filter {
    chain In {
        type filter hook input priority 0; policy drop

        (…)

        # DHCP (crucial line below, totally new to me)
        iifname $lxd_bridge ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp dport bootps accept
        iifname $lxd_bridge ip6 saddr fe80::/64 accept

        # DNS
        iifname $lxd_bridge ip saddr $lxd_subnet_ip udp dport domain accept
        iifname $lxd_bridge ip saddr $lxd_subnet_ip tcp dport domain accept
    }
}

table ip Nat4 {
    chain Pre {
        type nat hook prerouting priority 0
    }

    chain Post {
        type nat hook postrouting priority 0

        ip saddr $lxd_subnet_ip ip daddr != $lxd_subnet_ip masquerade
    }
}

table ip6 Nat6 {
    chain Pre {
        type nat hook prerouting priority 0
    }

    chain Post {
        type nat hook postrouting priority 0

        ip6 saddr $lxd_subnet_ip6 ip6 daddr != $lxd_subnet_ip6 masquerade
    }
}

Now the containers acquire IPs, automatically set their nameservers to the bridge IP (where Dnsmasq listens), and generally behave in a more predictable way.

I’ll also move away from manual IP assignment for good now, unless a special case requires it.

Thanks a lot @gpatel-fr and @tomp for the help here and in the other thread!

Edit: Fixed IPv6 DHCP, now SLAAC is fast as well.