I am trying to set up a container with a fixed IP in order to use a proxy device in NAT mode.
I have done this in the past, but now with LXD 4.17 I am running into several errors.
First I am wondering why one cannot specify a fixed IP address right at the beginning when launching a new container.
david@nnwh:~$ lxc config device set c1 eth0 ipv4.address 10.65.76.163
Error: Device from profile(s) cannot be modified for individual instance. Override device or modify profile instead
So it seems one needs to do this in several steps manually.
That seems to have worked. However, we cannot start the container anymore:
david@nnwh:~$ lxc start c1
Error: Proxy connect IP cannot be used with any of the instance NICs static IPs
Try lxc info --show-log c1 for more info
david@nnwh:~$ lxc info --show-log c1
Name: c1
Status: STOPPED
Type: container
Architecture: x86_64
Created: 2021/09/02 08:26 UTC
Last Used: 2021/09/02 08:38 UTC
Log:
lxc c1 20210902083815.566 WARN conf - conf.c:lxc_map_ids:3389 - newuidmap binary is missing
lxc c1 20210902083815.566 WARN conf - conf.c:lxc_map_ids:3395 - newgidmap binary is missing
lxc c1 20210902083815.567 WARN conf - conf.c:lxc_map_ids:3389 - newuidmap binary is missing
lxc c1 20210902083815.567 WARN conf - conf.c:lxc_map_ids:3395 - newgidmap binary is missing
lxc c1 20210902083815.568 WARN cgfsng - cgroups/cgfsng.c:fchowmodat:1293 - No such file or directory - Failed to fchownat(43, memory.oom.group, 1000000000, 0, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW )
lxc c1 20210902083816.774 WARN conf - conf.c:lxc_map_ids:3389 - newuidmap binary is missing
lxc c1 20210902083816.843 WARN conf - conf.c:lxc_map_ids:3395 - newgidmap binary is missing
When modifying a NIC that comes from a profile you can use the lxc config device override command to make a copy of the NIC into the instance and modify it at the same time, e.g.
Then when adding a proxy device in NAT mode, because this uses firewall rules on the host to forward packets over the network connection between the host and the container, you must use the container's actual IP address and not the local loopback address (127.0.0.1), as otherwise that would refer to the local loopback address on the host.
So either specify the connect IP explicitly, or you can specify the shortcut 0.0.0.0 or :: (for IPv6) that will then select the statically assigned IP for the instance.
Either way when using nat=true the instance's NIC requires a static IP to ensure it won't change later on and end up forwarding packets to a different instance.
The "Error: Proxy connect IP cannot be used with any of the instance NICs static IPs" message is saying that the connect IP you have specified (127.0.0.1) is not one of the instance's NIC addresses.
You should also ensure that the service you are connecting to is listening on the connect IP (or wildcard address) inside the container.
You can only use 127.0.0.1 as the connect IP when using nat=false mode because this then uses a separate proxy process to actually relay the packets from the host namespace to the container's network namespace (and doesn't go over the network connection itself). In fact you can use a proxy device in non-nat mode even if it doesn't have a network connection at all.
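As an added example (not part of the original thread), a POSIX shell script that encodes the connect-address rule from the answer above as a checker, together with the override/add sequence for this question's setup; the device name "web", host port 8080 and container port 80 are assumptions, while c1 and 10.65.76.163 come from the question.

```shell
# Assumptions (not from the thread): NIC "eth0" is inherited from the profile,
# a service listens on port 80 inside c1, host port 8080 is free.
set -u

# Mirror LXD's rule for a proxy device: with nat=true the connect IP must be
# the NIC's static IP (or the 0.0.0.0 / :: shortcut); 127.0.0.1 is only valid
# with nat=false, where a user-space proxy process relays the packets.
# Usage: proxy_connect_ok <nic_static_ip_or_empty> <nat:true|false> <connect_ip>
proxy_connect_ok() {
  nic_ip=$1; nat=$2; connect_ip=$3
  if [ "$nat" != "true" ]; then
    return 0                          # non-NAT mode: loopback is allowed
  fi
  [ -n "$nic_ip" ] || return 1        # nat=true needs a static NIC IP
  case "$connect_ip" in
    0.0.0.0|::) return 0 ;;           # shortcut: LXD substitutes the static IP
    "$nic_ip")  return 0 ;;
    *)          return 1 ;;           # e.g. 127.0.0.1 -> the error in the question
  esac
}

# Extract the address part of a proxy "connect" value such as tcp:0.0.0.0:80
# (bracketed IPv6 such as tcp:[::]:80 yields ::). Prints the address.
connect_ip_of() {
  addr=${1#*:}                        # strip protocol
  addr=${addr%:*}                     # strip port
  addr=${addr#\[}; addr=${addr%\]}    # strip IPv6 brackets, if any
  printf '%s\n' "$addr"
}

# The working sequence for the question's scenario (run with APPLY=1).
apply_static_nat_proxy() {
  # 1. Copy the profile NIC into the instance and pin its IPv4 address.
  lxc config device override c1 eth0 ipv4.address=10.65.76.163
  # 2. Forward host port 8080 to the container's own address, not loopback.
  lxc config device add c1 web proxy \
      listen=tcp:0.0.0.0:8080 connect=tcp:0.0.0.0:80 nat=true
  lxc start c1
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_static_nat_proxy
fi
```

Run with APPLY=1 to apply the commands; without it the script only defines the checker functions.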