Network unreachable from containers with fresh incus install

Hello, relative newbie here. I’ve been using LXD under an Ubuntu Server host (which is itself a VirtualBox VM on a Windows 11 machine) for about a year now, but that was mostly due to issues I had with a specific VirtualBox/Fedora version pair. Those issues have since been resolved, and with LXD now being Ubuntu-centric, I’m in the process of migrating to Incus on Fedora Server 39.

I’ll briefly mention that I installed Incus from the COPR. I doubt this has much to do with my networking issue, but while following this page, I did need to run the following commands before Incus could successfully start containers:

# echo "root:1000000:1000000000" >> /etc/subuid
# echo "root:1000000:1000000000" >> /etc/subgid

That brings me to my issue, which is that my containers don’t seem to have external network access:

dboeger@localhost:~$ incus list
+-------------------+---------+------+-----------------------------------------------+-----------+-----------+
|       NAME        |  STATE  | IPV4 |                     IPV6                      |   TYPE    | SNAPSHOTS |
+-------------------+---------+------+-----------------------------------------------+-----------+-----------+
| cheerful-polliwog | RUNNING |      | fd42:4aa9:2dd5:891d:216:3eff:fe9f:a7a2 (eth0) | CONTAINER | 0         |
+-------------------+---------+------+-----------------------------------------------+-----------+-----------+
dboeger@localhost:~$ incus exec cheerful-polliwog -- ping -C 3 8.8.8.8
ping: connect: Network is unreachable

I vaguely remember having a similar issue when setting up LXD a year ago. I did some searching for old topics and found what I thought was the solution back then, which is to tell LXD (now Incus) not to set firewall rules:

incus network set <network_bridge> ipv6.firewall false
incus network set <network_bridge> ipv4.firewall false

However, that didn’t seem to resolve my issue this time around. I apologize for not knowing how to do more of my own digging, as I’m not very well-versed in Linux firewall configuration. How might I go about diagnosing this issue?

Note that I am not running Docker, and at first glance, I don’t think dnsmasq is an issue:

dboeger@localhost:~$ systemctl status dnsmasq
○ dnsmasq.service - DNS caching server.
     Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: inactive (dead)
dboeger@localhost:~$ journalctl -u dnsmasq.service
-- No entries --

Okay, so it turns out I made a newbie mistake. I had seen that page before, but skipped the part about firewalld because, well, I’m new to Linux firewalls and thought, “I’m using nftables, not firewalld!” I went down a major rabbit hole of trying to understand the nftables configuration, how the Incus bridge works, my host’s routing, comparing to my LXD setup, etc. I started messing around with dnsmasq thinking the missing IPv4 address was indicative of a DHCP problem.

It turns out Fedora does use firewalld with nftables as a backend. I guess there’s something in firewalld that was causing issues, and the steps from that page indeed did the trick:

sudo firewall-cmd --zone=trusted --change-interface=incusbr0 --permanent
sudo firewall-cmd --reload

Thanks for the pointer!
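A small host-side checker for the two things this thread turned on, added here as an example and not part of the original thread or the Incus project: whether the Incus bridge is in firewalld's trusted zone, and whether root has a subordinate uid range large enough for an unprivileged container's id map. It assumes the bridge name incusbr0 from the post, that the host firewall is firewalld, and a minimum range of 65536 ids; the `firewall-cmd --get-active-zones` and `/etc/subuid` text embedded below is constructed sample data used only when the real tool or file is not available.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks the two host-side
# prerequisites the thread turned on: the firewalld zone of the Incus bridge
# and root's subordinate id range. Assumes bridge name incusbr0 and firewalld.

# Constructed sample of `firewall-cmd --get-active-zones` on a host where
# incusbr0 has NOT yet been moved to the trusted zone (the broken state).
SAMPLE_ZONES='public
  interfaces: enp0s3 incusbr0'

# Constructed sample of /etc/subuid after the echo from the post.
SAMPLE_SUBUID='root:1000000:1000000000'

# zone_of_interface ZONES_TEXT IFACE
# Prints the firewalld zone whose "interfaces:" line lists IFACE, or "none".
zone_of_interface() {
  zones_text=$1; iface=$2
  printf '%s\n' "$zones_text" | awk -v iface="$iface" '
    /^[^ \t]/ { zone = $1; next }          # unindented line = zone name
    $1 == "interfaces:" {
      for (i = 2; i <= NF; i++)
        if ($i == iface) { print zone; found = 1; exit }
    }
    END { if (!found) print "none" }'
}

# subid_range_ok SUBID_TEXT USER NEED
# Succeeds when USER has an entry in SUBID_TEXT (format user:start:count)
# whose count is at least NEED ids.
subid_range_ok() {
  text=$1; user=$2; need=$3
  printf '%s\n' "$text" | awk -F: -v user="$user" -v need="$need" '
    $1 == user && $3 + 0 >= need + 0 { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# diagnose [BRIDGE]
# Reads the live host when firewall-cmd and /etc/subuid are available,
# otherwise the constructed samples, and prints the fix for each finding.
diagnose() {
  bridge=${1:-incusbr0}
  if command -v firewall-cmd >/dev/null 2>&1; then
    zones=$(firewall-cmd --get-active-zones 2>/dev/null || true)
  else
    zones=$SAMPLE_ZONES
  fi
  if [ -r /etc/subuid ]; then
    subuid=$(cat /etc/subuid)
  else
    subuid=$SAMPLE_SUBUID
  fi

  zone=$(zone_of_interface "$zones" "$bridge")
  if [ "$zone" = trusted ]; then
    echo "ok: $bridge is in firewalld zone 'trusted'"
  else
    echo "problem: $bridge is in firewalld zone '$zone', the state this thread was stuck in. Fix:"
    echo "  sudo firewall-cmd --zone=trusted --change-interface=$bridge --permanent"
    echo "  sudo firewall-cmd --reload"
  fi

  # 65536 ids is the assumed minimum for one unprivileged id map; the
  # thread's echo grants far more than that.
  if subid_range_ok "$subuid" root 65536; then
    echo "ok: root has a subordinate uid range of at least 65536 ids"
  else
    echo "problem: no usable root entry in /etc/subuid; add one, e.g."
    echo "  echo \"root:1000000:1000000000\" | sudo tee -a /etc/subuid /etc/subgid"
  fi
}

diagnose "$@"
```

Run it on the Fedora host as `sh check-incus-host.sh` (or pass a different bridge name as the first argument). The one-liner equivalent of the zone check is `firewall-cmd --get-zone-of-interface=incusbr0`; the script parses `--get-active-zones` instead so the same function can be exercised offline against the sample text.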