My containers cannot access the internet

networking

(Shigbeard) #1

Hi there. I’ve been trying to set up an environment where my host machine remains exposed to the internet and my containers host services, with the host acting as a proxy for traffic coming in. The issue I’m encountering is that my containers will not connect to the internet. To clarify, I’m not speaking about traffic going into the container from the internet, rather I’m talking about the container connecting to the internet to perform basic functions such as pinging Google or updating packages.

Both the container and host environment are on Ubuntu 16.04 LTS and the container is able to successfully ping the host and any other containers I happen to create. I have tried various solutions found online using Google that involve creating iptables rules for routing traffic to and from the container, to no avail. Otherwise this is a fresh out-of-the-box install.

Oddly enough, in all of my testing environments save for one, this occurs. The one environment where the container is able to reach the internet without any additional configuration past lxd init is a home hosted setup with a modem/router acting as the network’s DHCP server, which is the only thing I can think of that could influence the container in such a way to provide internet access.

To clarify, the hosts have no issue with connecting to the internet. Only the containers do.

EDIT: To clarify again, the hosts are also containers, so that’s nested containers. The 2nd layer of nesting cannot reach the internet, with the exception of that home hosted setup I mentioned earlier.


(ali) #2

Hi,
Add 8.8.8.8 to the name servers in the containers.


(Shigbeard) #3

Hi. I tried this just now, and it didn’t do anything. Except when I placed it above the existing nameserver (the lxd host), it would stop resolving domains.


(Stéphane Graber) #4

So I can think of a few potential problems:

  • If using macvlan, sometimes macvlan doesn’t stack well and drops traffic (but that should drop all of it)
  • If using a bridge on the physical host and then a bridge in the host containers, then maybe there’s some kind of subnet conflict going on which would ultimately break routing.
  • Somewhat similar to the previous one, but maybe you’re missing a layer of NAT somewhere in there.

It’d be useful to know the LXD release used on the physical host and on the host containers as well as the network setup in place including subnets at every level and any iptables rules in place.
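A check for the subnet-conflict case listed above, as an added example that is not part of the original thread or any poster's code: it parses `ip -o -4 addr show` output taken inside a host container and reports interfaces whose subnets overlap (for example the uplink and the inner `lxdbr0`). The sample outputs and addresses are constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Matches one line of `ip -o -4 addr show`: "<idx>: <ifname>    inet <addr>/<prefix> ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", re.M)

# Constructed sample: uplink eth0 sits in 10.0.0.0/16, inner bridge picked 10.0.3.0/24.
BROKEN = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.20/16 brd 10.0.255.255 scope global eth0\       valid_lft forever preferred_lft forever
3: lxdbr0    inet 10.0.3.1/24 scope global lxdbr0\       valid_lft forever preferred_lft forever
"""

# Constructed sample: uplink and inner bridge use unrelated subnets.
WORKING = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
3: lxdbr0    inet 10.155.78.1/24 scope global lxdbr0\       valid_lft forever preferred_lft forever
"""


def parse_addrs(ip_output):
    """Return [(ifname, IPv4Interface)] for every non-loopback address."""
    found = []
    for ifname, cidr in ADDR_RE.findall(ip_output):
        iface = ipaddress.ip_interface(cidr)
        if not iface.ip.is_loopback:
            found.append((ifname, iface))
    return found


def subnet_conflicts(ip_output):
    """Return pairs of distinct interfaces on one machine whose subnets overlap.

    An overlap means the kernel has two connected routes covering the same
    addresses, so replies for nested containers can leave via the wrong link.
    """
    conflicts = []
    for (if_a, a), (if_b, b) in combinations(parse_addrs(ip_output), 2):
        if if_a != if_b and a.network.overlaps(b.network):
            conflicts.append((if_a, str(a.network), if_b, str(b.network)))
    return conflicts


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("working", WORKING)):
        print(name, subnet_conflicts(sample) or "no overlapping subnets")
```

Run the same check at each nesting level; a conflict at any one level is enough to break routing for the containers below it.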


(Brian Mullan) #5

You need to provide more basic info than you have.

Are you using LXD’s default bridge (lxdbr0) or have you configured something else?

What is the IP of one or two of your LXD containers?

What is the IP of the host?

A nice Linux IP route cheat sheet is: http://baturin.org/docs/iproute2/

But a couple of blog posts on LXC networking config are:

http://www.bonsaiframework.com/wiki/display/bonsai/5.1+LXC+Advanced+Networking+-+Exposing+Containers+to+the+Network

https://github.com/jorgeluiztaioque/lxd-forward


(Shigbeard) #6

-snip-, friend’s post got unflagged. Read his message.


#7

Note: I’m a friend of Shigbeard and help run some of his servers, so I hope I’m able to explain this a bit better.

All LXD versions on the host and inside the containers are 2.0.11.
(Host does not have DHCP.)

The network configuration is the host makes a container using a macvlan lxc profile on the containers, then statically set inside the container.

host(static ip) -> macvlan(static ip) -> bridge inside lxc container(lxd default dhcp)

Inside the LXC containers, a standard lxd init is performed, creating the default lxdbr0 bridge inside the container.
When creating an LXC container using default settings, the nested container does not receive internet (lxc launch ubuntu:16.04).

|Host| -> |LXC Container| -> |Nested Container|


#8

So I tried the following and it worked for me.

  1. LXD host has a profile for macvlan containers (see macvlan at The LXD tutorials of Simos).
  2. Created a container with the macvlan profile and nesting support, and it successfully got the network settings from DHCP (my LAN router). If you are using static network settings, you need to make sure that the IP address, the route and the DNS are OK.
  3. Inside the nested container, I configured LXD with the default settings for nested containers.
  4. I created a container inside the nested container, and that container had access to the Internet.

I believe your issue is with your static network settings of the nested container. What you need to do, is write here in detail how you set up statically the network settings of the nested containers.