LXD container unable to connect to internet (docker)

mazerty · February 3, 2023, 4:18pm

Hello

It’s been a while since I’ve used LXD at all, but today I launched a new container and they can’t connect to internet.
To be sure, I completely removed LXD via snap, reinstalled it, did the “lxd init” procedure again with default values, and still my container cannot “apt update” or “ping google.com” or anything…
I’m not really competent analyzing networking issues, can someone please help me ?

LXD version : 5.10
Container image : ubuntu 20.04 LTS amd64 (release) (20230117)

edit : more information on my system
xubuntu 22.04
docker is installed too
network is working fine for web browser and all
and i can reach the host from the container

ubuntu@odysseus:~$ lxc network list
+---------+----------+---------+---------------+---------------------------+-------------+---------+---------+
|  NAME   |   TYPE   | MANAGED |     IPV4      |           IPV6            | DESCRIPTION | USED BY |  STATE  |
+---------+----------+---------+---------------+---------------------------+-------------+---------+---------+
| docker0 | bridge   | NO      |               |                           |             | 0       |         |
+---------+----------+---------+---------------+---------------------------+-------------+---------+---------+
| lxdbr0  | bridge   | YES     | 10.53.94.1/24 | fd42:d4d2:a2b6:f129::1/64 |             | 3       | CREATED |
+---------+----------+---------+---------------+---------------------------+-------------+---------+---------+
| wlp9s0  | physical | NO      |               |                           |             | 0       |         |
+---------+----------+---------+---------------+---------------------------+-------------+---------+---------+

I tried on another desktop in the same home network and it works (it doesn’t have docker installed though)

tomp · February 3, 2023, 5:04pm

Hi, please see https://linuxcontainers.org/lxd/docs/master/howto/network_bridge_firewalld/#prevent-issues-with-lxd-and-docker

mazerty · February 3, 2023, 6:41pm

yeah i was pretty sure it would be a noob question

unfortunately i’m not an iptables expert
i’m trying to find a way to add the accept rule without having to specify the lxd bridge, do you know how to do that ?
(so that it can apply to all lxd bridges i might add, but i don’t want to mess up my rules by accepting everything either ^^")

besides, I don’t really understand why the packets are dropped since only the ones going to docker0 seems to be dropped by the rules added by docker ?

ubuntu@odysseus:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

am I missing something ?

tomp · February 3, 2023, 8:38pm

Its this line that is the problem, which is what Docker sets.

tomp · February 3, 2023, 8:39pm

See LXD losts iptables rules with docker - #6 by like

mazerty · February 4, 2023, 7:53am

I see
I removed docker for now, maybe I’ll move to podman
Anyway, thanks for your help !