I’m running a LXD runtime inside a CentOS virtual machine (Libvirt KVM). After an update from CentOS 7 to CentOS 8 the containers don’t get an IPv4 address from DHCP.
When I shutdown firewalld on the CentOS 8 VM everything works fine again (and stops working as soon as I fire up firewalld again).
And of course, a static configuration of the container IP works as well.
Unfortunately I am not familiar enough with firewalld to find a suitable solution. Any help greatly appreciated
Ah, that’d be good to know indeed.
Hopefully someone figured it out and can share the config needed for it to let LXD work.
I found a solution: As a post-installation task (after lxd init), the LXD interface must be explicitly assigned to a firewalld zone, most simply zone “trusted” for a network of trusted containers (or another zone that allows DHCP and DNS). This is required if LXD is running in a CentOS libvirt based VM or a corresponding libvirt root host. I have not yet tested how it works in a standard CentOS 8 host.
The same applies to Fedora, version 31.
Example:
firewall-cmd --add-interface=lxdbr0 --zone=trusted --permanent
firewall-cmd --reload
When booting the host and firewalld is initialized, the LXD interface does not yet exist. And firewalld obviously now blocks all traffic to unknown interfaces. This is probably a change from CentOS 7 to CentOS 8 (or libvirt versions). Fortunately the manual assignment is preserved during a reboot.
In the long term, LXD should implement a similar solution to the libvirt project. There, a separate firewalld zone “libvirt” is created during installation (if firewalld is detected) and each virtual bridge is assigned to this zone by default. There is also a parameter to assign a virtual bridge to a preferred firewalld zone (“zone=” in tag <bridge … />), So we need a parameter like "bridge.firewalld.zone= … ". Unfortunately I have no idea about go and can’t contribute a patch myself.