No internet connection using default bridge lxdbr0

After installing LXD and doing lxd init, I created a container using lxc launch ubuntu:20.04. When I logged into the container it had internet connectivity (I installed apps there from the internet). Now, on the next day I created a new container again using lxc launch, but then I found that neither had an internet connection. It didn't matter if I started them simultaneously or one at a time. At first I thought I had another problem with nftables (it dropped almost all input packets by default), but the problem persisted when I disabled it temporarily.

I also tried removing ipv6 from the network config (my ISP does not provide ipv6 anyway), but it seems that nothing changed aside from my container not having an ipv6 address and me not knowing what to assign to it to bring it back.

I run Manjaro Linux as my host. Aside from LXD this is basically out-of-the-box Manjaro, so no docker messing up networking.

What happens when I try to ping somewhere from inside the container:

ubuntu@joint-drake:~$ ping google.com
PING google.com (216.58.210.174) 56(84) bytes of data.
^C
--- google.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4042ms

ubuntu@joint-drake:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4061ms

Some info about my system:

Firewall ruleset (# nft list ruleset)

table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state invalid drop comment "early drop of invalid connections"
                ct state { established, related } accept comment "allow tracked connections"
                iifname "lo" accept comment "allow from loopback"
                ip protocol icmp accept comment "allow icmp"
                meta l4proto ipv6-icmp accept comment "allow icmp v6"
                tcp dport 22 accept comment "allow sshd"
                meta pkttype host limit rate 5/second counter packets 458 bytes 29002 reject with icmpx admin-prohibited
                counter packets 238 bytes 28713
                iifname "lxdbr0" accept comment "allow lxc bridge without allowing all incoming"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
        }
}
table inet lxd {
        chain pstrt.lxdbr0 {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.143.175.0/24 ip daddr != 10.143.175.0/24 masquerade
        }

        chain fwd.lxdbr0 {
                type filter hook forward priority filter; policy accept;
                ip version 4 oifname "lxdbr0" accept
                ip version 4 iifname "lxdbr0" accept
        }

        chain in.lxdbr0 {
                type filter hook input priority filter; policy accept;
                iifname "lxdbr0" tcp dport 53 accept
                iifname "lxdbr0" udp dport 53 accept
                iifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
                iifname "lxdbr0" udp dport 67 accept
        }

        chain out.lxdbr0 {
                type filter hook output priority filter; policy accept;
                oifname "lxdbr0" tcp sport 53 accept
                oifname "lxdbr0" udp sport 53 accept
                oifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
                oifname "lxdbr0" udp sport 67 accept
        }
}

# lxc network info lxdbr0

Name: lxdbr0
MAC address: 00:16:3e:da:63:84
MTU: 1500
State: up
Type: broadcast

IP addresses:
  inet  10.143.175.1/24 (global)
  inet6 fe80::216:3eff:feda:6384/64 (link)

Network usage:
  Bytes received: 90.08kB
  Bytes sent: 74.23kB
  Packets received: 1389
  Packets sent: 750

Bridge:
  ID: 8000.00163eda6384
  STP: false
  Forward delay: 1499
  Default VLAN ID: 1
  VLAN filtering: true
  Upper devices: veth88967ab1

lxdbr0 config (# lxc network show lxdbr0):

config:
  ipv4.address: 10.143.175.1/24
  ipv4.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/profiles/default
- /1.0/instances/container1
- /1.0/instances/container2
managed: true
status: Created
locations:
- none

Container config (# lxc config show container1)

architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 20.04 LTS amd64 (release) (20220419)
  image.label: release
  image.os: ubuntu
  image.release: focal
  image.serial: "20220419"
  image.type: squashfs
  image.version: "20.04"
  volatile.base_image: 779036dd7c484bfef5f747f53eaffd15b9f38a12f504bb07fc64b13059d815d2
  volatile.cloud-init.instance-id: 8e47cfb3-a96e-4c20-a978-d564d83a4c7d
  volatile.eth0.host_name: veth88967ab1
  volatile.eth0.hwaddr: 00:16:3e:98:f9:7a
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 9f5622b8-8123-4cbc-a24f-bcb0efad38cb
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""

Your nftables rules in the filter table are dropping all routed traffic. Sadly this will also affect the lxd table, preventing traffic from being routed outbound from the lxdbr0 interface to outside of the host.

chain forward {
        type filter hook forward priority filter; policy drop;
}
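As an added illustration (not part of the thread, and not LXD's own tooling), the POSIX shell check below parses the forward chains from the ruleset posted above and flags any forward base chain with a drop policy that has no rule for the bridge; the function name `forward_drop_chains` and both sample rulesets are constructed here, and the second sample shows the same chain with explicit lxdbr0 rules added so the default-deny policy can stay in place.

```shell
#!/bin/sh
# Constructed sample: the two forward base chains from the ruleset posted above.
SAMPLE_RULESET='table inet filter {
        chain forward {
                type filter hook forward priority filter; policy drop;
        }
}
table inet lxd {
        chain fwd.lxdbr0 {
                type filter hook forward priority filter; policy accept;
                ip version 4 oifname "lxdbr0" accept
                ip version 4 iifname "lxdbr0" accept
        }
}'

# Constructed sample of the same filter chain after adding explicit bridge rules
# instead of switching the policy to accept (everything else stays default-deny).
SAMPLE_FIXED='table inet filter {
        chain forward {
                type filter hook forward priority filter; policy drop;
                iifname "lxdbr0" accept
                oifname "lxdbr0" ct state established,related accept
        }
}'

# forward_drop_chains RULESET BRIDGE
# Prints family/table/chain for every base chain hooked at "forward" whose
# policy is drop and which has no rule mentioning BRIDGE. Every base chain on a
# hook gives its own verdict, so an accept in one table never rescues a packet
# that another table's forward chain drops; each chain printed is a culprit.
forward_drop_chains() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^table /          { table = $2 "/" $3 }
        /^[ \t]*chain /    { chain = $2; hook = ""; policy = ""; seen = 0 }
        /hook forward/     { hook = "forward"
                             match($0, /policy [a-z]+/)
                             policy = substr($0, RSTART + 7, RLENGTH - 7) }
        index($0, br) > 0  { seen = 1 }
        /^[ \t]*}/ && chain != "" {
            if (hook == "forward" && policy == "drop" && !seen) print table "/" chain
            chain = ""
        }'
}

# On a live host run:  forward_drop_chains "$(nft list ruleset)" lxdbr0
forward_drop_chains "$SAMPLE_RULESET" lxdbr0   # prints inet/filter/forward
forward_drop_chains "$SAMPLE_FIXED"   lxdbr0   # prints nothing
```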

Thanks, changing default policy to accept fixed the issue.
