Lxdbr0 DHCP is blocked by firewalld in CentOS8 VM

I’m running a LXD runtime inside a CentOS virtual machine (Libvirt KVM). After an update from CentOS 7 to CentOS 8 the containers don’t get an IPv4 address from DHCP.

When I shutdown firewalld on the CentOS 8 VM everything works fine again (and stops working as soon as I fire up firewalld again).

And of course, a static configuration of the container IP works as well.

Unfortunately I am not familiar enough with firewalld to find a suitable solution. Any help greatly appreciated

Ah, that’d be good to know indeed.
Hopefully someone figured it out and can share the config needed for it to let LXD work.

I found a solution: As a post-installation task (after lxd init), the LXD interface must be explicitly assigned to a firewalld zone, most simply zone “trusted” for a network of trusted containers (or another zone that allows DHCP and DNS). This is required if LXD is running in a CentOS libvirt based VM or a corresponding libvirt root host. I have not yet tested how it works in a standard CentOS 8 host.

The same applies to Fedora, version 31.

Example:

firewall-cmd --add-interface=lxdbr0 --zone=trusted --permanent
firewall-cmd --reload

When booting the host and firewalld is initialized, the LXD interface does not yet exist. And firewalld obviously now blocks all traffic to unknown interfaces. This is probably a change from CentOS 7 to CentOS 8 (or libvirt versions). Fortunately the manual assignment is preserved during a reboot.

In the long term, LXD should implement a similar solution to the libvirt project. There, a separate firewalld zone “libvirt” is created during installation (if firewalld is detected) and each virtual bridge is assigned to this zone by default. There is also a parameter to assign a virtual bridge to a preferred firewalld zone (“zone=” in tag <bridge … />), So we need a parameter like "bridge.firewalld.zone= … ". Unfortunately I have no idea about go and can’t contribute a patch myself.

3 Likes