Problem with LXD and ufw on a fresh system

karjala · November 13, 2021, 8:26am

Hi. I just installed Kubuntu 21.10, ufw and snap LXD (in that order) on a new laptop, and am having the same trouble as on my old laptop (having Kubuntu 21.04) when ufw is enabled.

I enable/disable ufw through gufw. No rules have been added.

The problem shows when I do lxc list: I see no addresses when the container has been started while ufw was running (and can only enter it through lxc exec mycontainer bash).

+-------------+---------+------+------+-----------+-----------+
|    NAME     |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+-------------+---------+------+------+-----------+-----------+
| mycontainer | RUNNING |      |      | CONTAINER | 0         |
+-------------+---------+------+------+-----------+-----------+

When I disable ufw and restart the container, I see:

+-------------+---------+-----------------------+------+-----------+-----------+
|    NAME     |  STATE  |         IPV4          | IPV6 |   TYPE    | SNAPSHOTS |
+-------------+---------+-----------------------+------+-----------+-----------+
| mycontainer | RUNNING | 10.100.200.150 (eth0) |      | CONTAINER | 0         |
+-------------+---------+-----------------------+------+-----------+-----------+

Is there a way to use LXD with ufw? Has anyone else encountered these issues between LXD and ufw?

Perhaps a guide should be written to help users who want to use ufw and LXD together, especially as there is no indication that it was ufw that was causing the lack of IP address, and I had no idea what was going on until I discovered it.

Allowing everything on lxdbr0 through ufw somehow solves the problem, but that seems too permissive.

Please help?

cemzafer · November 13, 2021, 9:02am

Hi karjala,
Could you post the outputs of the following commands?

sudo ufw status verbose
lxc network ls
lxc network show lxdbr0

Thanks.

karjala · November 13, 2021, 10:06am

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

$ lxc network ls
+--------+----------+---------+-----------------+------+-------------+---------+
|  NAME  |   TYPE   | MANAGED |      IPV4       | IPV6 | DESCRIPTION | USED BY |
+--------+----------+---------+-----------------+------+-------------+---------+
| lxdbr0 | bridge   | YES     | 10.100.200.1/24 | none |             | 2       |
+--------+----------+---------+-----------------+------+-------------+---------+
| wlo1   | physical | NO      |                 |      |             | 0       |
+--------+----------+---------+-----------------+------+-------------+---------+

$ lxc network show lxdbr0
config:
  ipv4.address: 10.100.200.1/24
  ipv4.nat: "true"
  ipv6.address: none
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/mycontainer
- /1.0/profiles/default
managed: true
status: Created
locations:
- none

tomp · November 13, 2021, 10:53am

Your ufw policy is denying incoming and routed traffic by default. This will prevent dhcp and DNS requests from arriving at lxdbr0 interface and will prevent routed traffic between lxdbr0 and your external network.

See Lxd bridge doesn't work with IPv4 and UFW with nftables - #17 by tomp for a fix.

cemzafer · November 13, 2021, 11:21am

Upps sorry, I didnt catch up on the deny(routed) part.

karjala · November 14, 2021, 4:44am

Aren’t these two rules suggested by the other post too permissive?

sudo ufw allow in on lxdbr0
sudo ufw route allow in on lxdbr0

Doesn’t it mean that the containers will be able to attempt to ssh on the host machine, for example?

What is the minimum number of ports I need to allow on the host, for LXD to work?

Thank you,

cemzafer · November 14, 2021, 6:09am

Hi karjala,
As @tomp mentioned that, I suppose 2 UDP ports: 67 and 68 for DHCP and TCP/UDP 53 for DNS is enough for minimum number of ports and ssh/22 typically.
Regards.

karjala · November 14, 2021, 8:06am

By adding these two ufw rules listed here:

ufw allow in on lxdbr0 to 10.100.200.1 port 53
ufw allow in on lxdbr0 proto udp to 255.255.255.255 port 67:68

…it worked. Thanks.

tomp · November 15, 2021, 8:38am

If you run:

sudo apt install nftables
sudo nft list table inet lxd

You will see the rules that LXD adds to its own lxd nftables table, which normally would take effect if there wasn’t another nftables table with a default drop rule.

You can then replicate those into your ufw ruleset.