Now I messed up my container configuration when I wanted to change something on volatile.network while the container was still started.
I am getting these errors, i.e.:
lxc start webserver
Error: Common start logic: Failed to start device “eth0”: Parent device “lxdbr0” doesn’t exist
Even when I try to delete the container, it doesn't work!
lxc delete webserver
Error: Failed to remove device ‘eth0’: route ip+net: no such network interface
Please, how can I fix this somehow with a `lxc sql global 'SQL statement'` here?
All my attempts at putting in a table name which I know from my last post in the GitHub issue (#6661) ended up in unknown table names.
Btw: if I had eventually missed setting up remote access during “lxd init” … how could I fix this / prove this afterwards?
Furthermore, appreciating any hints, because I'm really going crazy.
Edit:
I think the number '3' in the last column (used by) isn't correct here, because I have no container with id 3:
The main problem seems to be DHCP.
Also, installing a brand new container has the same issue of getting no IPv4.
I temporarily set a fixed IP on the host (ifconfig … up); afterwards I was able to get access via the lxdbr IP range. But unfortunately, even if I set a static route on the host, I am not able to get outside this range. Maybe I also have to set a static route on the system for the return route.
But seriously? Is this tested somehow?
I have now been investigating for 2 days with still no success. Sorry, I'm NOT that much of a Linux expert, and I had only managed lxd/lxc one year ago on lxd2 and lxd3 on Ubuntu 18.04 boxes.
Maybe Ubuntu 20.04 (LM20) and lxd-4.4 still don't work together in this sense of dnsmasq DHCP stuff.
The next one shows too much, so I post a snippet only:
grep -i apparmor /var/log/kern.log
> Aug 4 19:04:28 LenovoT470s kernel: [25456.347794] audit: type=1400 audit(1596560668.592:38): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd_dnsmasq-lxdbr0_</var/lib/lxd>" pid=28876 comm="apparmor_parser"
> Aug 4 20:04:45 LenovoT470s kernel: [29072.769034] audit: type=1400 audit(1596564285.054:39): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-webserver_</var/lib/lxd>" pid=34628 comm="apparmor_parser"
> Aug 4 20:58:12 LenovoT470s kernel: [32280.403926] audit: type=1400 audit(1596567492.732:40): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="lxd_dnsmasq-lxdbr0_</var/lib/lxd>" pid=41172 comm="apparmor_parser"
> Aug 4 21:03:08 LenovoT470s kernel: [32575.993301] audit: type=1400 audit(1596567788.327:41): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="lxd-webserver_</var/lib/lxd>" pid=41799 comm="apparmor_parser"
> Aug 4 21:58:48 LenovoT470s kernel: [35916.437635] audit: type=1400 audit(1596571128.811:43): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="lxd-webserver_</var/lib/lxd>" pid=50473 comm="apparmor_parser"
> Aug 5 10:22:57 LenovoT470s kernel: [37638.375190] audit: type=1400 audit(1596615777.152:44): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=55876 comm="cups-browsed" capability=23 capname="sys_nice"
> Aug 5 12:27:57 LenovoT470s kernel: [45139.437974] audit: type=1400 audit(1596623277.673:45): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="lxd_dnsmasq-lxdbr0_</var/lib/lxd>" pid=62092 comm="apparmor_parser"
> Aug 5 12:29:27 LenovoT470s kernel: [45228.864393] audit: type=1400 audit(1596623367.102:46): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="lxd_dnsmasq-lxdbr0_</var/lib/lxd>" pid=62191 comm="apparmor_parser"
The last one is on my system: cat /var/log/lxd/lxd.log
because I don't have snap installed and compiled lxd-4.4 on my own, as you probably remember from another thread here. It also prints too much, so again I show only the tail here:
It looks like you ran the last command as non-root (I should've specified sudo ss -ulpn) so I can't see which processes are listening, but I can see a DHCP service listening specifically on lxdbr0, so I'll assume that is dnsmasq (as you've shown that is running).
From the lxc info output I can see that LXD has detected your firewall driver as nftables:
firewall: nftables
However, your iptables-save output shows you are actively using iptables, and looking at the chain names suggests you are using the ufw wrapper around iptables.
So this could suggest that you’ve got a mixture of firewall systems running on your host, and LXD has picked the more recent one to add the DHCP rules to, but they aren’t taking effect (because running iptables and nftables concurrently is going to cause issues).
Can you show the output of sudo nft list ruleset? I'd like to see if LXD has added the DHCP allow rules there instead, and whether you've got other rules in place that have triggered LXD to prefer nftables.
OK, so that confirms it, and there are the DHCP rules.
So I'm not sure how LXD decided that nftables was in use (it's possible there was a rule in there at some point), but now that those LXD rules are there it becomes a self-fulfilling prophecy, as it will pick nftables every time now.
So what I suggest is:
Stop LXD
Run nft flush ruleset
Start LXD
Run lxc info again and check if the detected firewall is xtables.
An additional step is to uninstall the nftables package to remove the nft command entirely.
Yes, it's a bit of a tricky situation. You don't have “proper” xtables installed (ebtables is the nftables wrapper, which doesn't support all of the features the legacy ebtables does, and LXD depends on those when using the xtables driver). But ufw is using iptables, so we can't use nftables properly.
So we’re left in a situation where you don’t have a fully functioning xtables system, but we can’t use nftables because iptables is in use (and can’t reliably mix rules concurrently on both systems).
Well, let's try that first, but you'll probably end up at your original problem, a partially operational xtables implementation.
So assuming ufw doesn't support nftables (I'm not familiar with ufw) and you want to continue using that, then you're stuck with iptables, in which case your best bet is to remove nftables and switch to ebtables-legacy to get a fully functioning xtables driver in LXD.
Could you kindly give some command examples of how to do that?
(Because in the Debian link you posted, I don't understand what they are talking about regarding ebtables.
…and regarding this header there:
> Should I mix nftables and iptables/ebtables/arptables rulesets?
You may need to reboot too so that the nft rules from ufw (via the iptables shim) are removed and ufw applies its rules using the iptables legacy commands.
The root cause of all of this confusion is that the iptables/ebtables “compatibility” layers for nftables don’t provide a 100% compatible experience compared to the original commands.
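The recovery sequence described in the replies above (stop LXD, flush the nft ruleset, start LXD and re-check the detected driver, then move the iptables/ebtables commands over to the legacy tools) as an added shell example; this is not code from the thread or from LXD itself. It assumes a non-snap LXD managed by systemd under the unit name "lxd", that LXD names its nftables table "lxd", and the Debian/Ubuntu update-alternatives names for iptables, ip6tables and ebtables; the sample outputs are constructed, not real captures. The guard in `recover_lxd_firewall` exists because, as the reboot remark points out, ufw's rules may also live in the nft ruleset via the iptables shim, so a blind `nft flush ruleset` would drop them along with LXD's.

```shell
#!/bin/sh
# Added example (not from the thread or from LXD). Helpers for the
# "stop LXD, flush nft, switch to legacy tools, start LXD, verify" sequence.
# Assumptions: systemd unit "lxd" (non-snap install), LXD's nft table is
# named "lxd", Debian/Ubuntu update-alternatives names for the xtables tools.

# Print the firewall driver from `lxc info` output on stdin ("nftables"/"xtables").
firewall_driver() {
    awk -F': *' '$1 ~ /^[[:space:]]*firewall$/ { print $2; exit }'
}

# Print "nf_tables", "legacy" or "unknown" from `iptables --version` /
# `ebtables --version` output on stdin (the shim tags its version string).
tool_backend() {
    case "$(cat)" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Exit 0 when `nft list ruleset` output on stdin holds only the "lxd" table,
# i.e. flushing it would not discard ufw's or anyone else's rules.
nft_only_lxd_tables() {
    awk '$1 == "table" && $3 != "lxd" { foreign = 1 } END { exit (foreign ? 1 : 0) }'
}

# Run a privileged command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# The recovery sequence; refuses to flush when non-LXD tables are present.
recover_lxd_firewall() {
    if ! nft list ruleset | nft_only_lxd_tables; then
        echo "nft ruleset contains tables other than 'lxd'; review it before flushing" >&2
        return 1
    fi
    run systemctl stop lxd
    run nft flush ruleset
    # Point the wrapper commands at the legacy binaries so ufw and LXD
    # both end up on the same (xtables) backend after a restart/reboot.
    run update-alternatives --set iptables /usr/sbin/iptables-legacy
    run update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    run update-alternatives --set ebtables /usr/sbin/ebtables-legacy
    run systemctl start lxd
    lxc info | firewall_driver
}

# Constructed sample outputs (not real captures) for the stand-alone demo.
SAMPLE_LXC_INFO='environment:
  driver: lxc
  firewall: nftables
  kernel: Linux'
SAMPLE_NFT_LXD_ONLY='table inet lxd {
	chain in.lxdbr0 {
		type filter hook input priority 0; policy accept;
		iifname "lxdbr0" udp dport 67 accept
	}
}'
SAMPLE_NFT_MIXED="$SAMPLE_NFT_LXD_ONLY
table ip filter {
	chain ufw-user-input {
	}
}"
SAMPLE_IPTABLES_VERSION='iptables v1.8.4 (nf_tables)'

# Demo on the samples only; the real sequence is not executed here.
printf 'detected driver: %s\n' "$(printf '%s\n' "$SAMPLE_LXC_INFO" | firewall_driver)"
printf 'iptables backend: %s\n' "$(printf '%s\n' "$SAMPLE_IPTABLES_VERSION" | tool_backend)"
if printf '%s\n' "$SAMPLE_NFT_MIXED" | nft_only_lxd_tables; then
    echo "nft ruleset: only LXD tables present, safe to flush"
else
    echo "nft ruleset: foreign tables present (ufw via the nft shim?), do not flush blindly"
fi
```

To use it on a real host, source the file and call `DRY_RUN=1 recover_lxd_firewall` first to see the commands it would run; if `iptables --version | tool_backend` still reports `nf_tables` afterwards, the alternatives switch has not taken effect and the reboot mentioned above is the simplest way to get ufw re-applying its rules through the legacy commands.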
Finally it works!! What a long story.
Sorry for any misleading items from my side. But to be honest: I didn't think that you must be a specialist in Linux firewalls here. (IMO there is too much firewall diversity here, like all the different distros out there, like all the different package managers, and so on…)
In the end I want to thank you and Stephane very much for all your patient and kind help.
That's really something exemplary in this world of Linux.