Resolve Host Top Level Domain to Bridge IP inside LXD network?

Hello there!
I stumbled across a problem with some LXD/LXC containers that need to communicate with each other, but “through” the Host so to speak.

I am trying to set up a drone.io instance on my webserver, with gitea already running in another container. The problem I have comes from the fact that drone wants to do OAuth with gitea and is also doing redirects on the frontend, and thus is using the “real” domain from my server, precisely the sub-domain where gitea is hosted (the domains are handled by another container which runs traefik, but I hope that doesn’t matter once this problem is resolved).

What I’m getting is as follows:

  • the drone.io web interface under “drone.mydomain.tld” shows
    Login Failed. Post “https://git.mydomain.tld/login/oauth/access_token”: dial tcp 46.4.X.X:443: connect: connection refused
  • if I try to curl https://git.mydomain.tld from inside the drone container, I get the same error. But I changed the proxy configuration in the meantime, so that LXD would create proxy devices on ports 80 and 443 and tunnel them through to the webproxy container. Before that I modified the iptables rules I had created when I did the setup of the server so that traffic from 46.4.X.X would get NATed through to the webproxy, which resulted in a timeout.

The described timeout error came when I allowed traffic from the container subnet to go through to 46.4.X.X - I then tried all sorts of NAT configurations, but that didn’t help. Also I could not figure out how to set up a route from the LXD network to the Host-IP and back, if that makes any sense.
The last thing that came to my mind now was to change the DNS resolution inside the LXD managed network (all defaults on lxdbr0 - this server is a dedicated machine in a server center with only one public IP, so it’s not possible for me to “bridge” the containers into the public network) to always resolve “mydomain.tld” to the IP used by the bridge and then figure things out from there, but I can’t find any information in the docs how one would do that, if it’s even possible.

Edit: Now I get a constant timeout with LXD proxying the requests on Ports 80 and 443 and my additions to the iptables rules removed when I try to open the drone web ui.

Ok, I did some further investigation and what I found out is that maybe this is some kind of follow-up to https://github.com/lxc/lxd/issues/7205

I more or less have the same situation as described in the issue, with one container (drone) trying to access another container via the public DNS name. I changed a few things around, and now have the following setup:

LXD is running in version 4.2 (so the fix mentioned in the issue should be applied)

root@host ~ # lxc --version
4.2

The Host itself is running Ubuntu 18.04 Server with the latest updates and kernel version 4.15.0-106-generic

My lxdbr0 is configured like this:

root@host ~ # lxc network show lxdbr0
config:
  ipv4.address: 10.170.238.1/24
  ipv4.nat: "true"
  ipv6.address: none
description: ""
name: lxdbr0
type: bridge
used_by:
[... containers]
managed: true
status: Created
locations:
- none

I then gave my webproxy container (running traefik) a static ip and configured proxy devices so that LXD would route any HTTP/HTTPS traffic to the proxy:

root@host ~ # lxc config show webproxy
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20191205)
  image.label: release
  image.os: ubuntu
  image.release: bionic
  image.serial: "20191205"
  image.type: squashfs
  image.version: "18.04"
  raw.idmap: both 0 0
  volatile.base_image: f75468c572cc50eca7f76391182e6fdaf58431f84c3d35a2c92e83814e701698
  volatile.eth0.host_name: veth1aea0764
  volatile.eth0.hwaddr: 00:16:3e:ac:a9:3d
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":true,"Hostid":0,"Nsid":0,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1000001,"Nsid":1,"Maprange":999999999},{"Isuid":true,"Isgid":true,"Hostid":0,"Nsid":0,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1000001,"Nsid":1,"Maprange":999999999}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":true,"Hostid":0,"Nsid":0,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1000001,"Nsid":1,"Maprange":999999999},{"Isuid":true,"Isgid":true,"Hostid":0,"Nsid":0,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1000001,"Nsid":1,"Maprange":999999999}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":true,"Hostid":0,"Nsid":0,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1000001,"Nsid":1,"Maprange":999999999},{"Isuid":true,"Isgid":true,"Hostid":0,"Nsid":0,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1000001,"Nsid":1,"Maprange":999999999}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    ipv4.address: 10.170.238.189
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  letsencrypt:
    path: /etc/letsencrypt
    source: /etc/letsencrypt
    type: disk
  proxyhttp:
    connect: tcp:0.0.0.0:80
    listen: tcp:46.4.X.X:80
    nat: "true"
    type: proxy
  proxyhttps:
    connect: tcp:0.0.0.0:443
    listen: tcp:46.4.X.X:443
    nat: "true"
    type: proxy
ephemeral: false
profiles:
- default
stateful: false
description: ""

Now if I do a curl -v https://git.mydomain.tld I get output on the webproxy container (so this means the fix mentioned in the ticket seems to be active) but timeouts in my other containers. How could I check what LXD is doing on my machine and why all the other containers won’t get a connection to the proxy devices?

Please show output of iptables-save.

Also, do you see any warnings in your log, as that particular GitHub issue you referenced had a pull request where we added support for doing this.

In that we added a specific check for whether the br_netfilter module is loaded which is required for this to work with the bridge. See https://github.com/lxc/lxd/blob/master/lxd/device/proxy.go#L368-L371

The reason we don’t automatically load the br_netfilter kernel module is because it may cause unexpected issues if you have other firewall rules on the system that are suddenly applied to your bridge traffic.

Here is the output of iptables-save

iptables-save
# Generated by iptables-save v1.6.1 on Fri Jun 12 16:37:38 2020
*mangle
:PREROUTING ACCEPT [45202:17490422]
:INPUT ACCEPT [6127:620242]
:FORWARD ACCEPT [39075:16870180]
:OUTPUT ACCEPT [5931:886230]
:POSTROUTING ACCEPT [44411:17729201]
-A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Jun 12 16:37:38 2020
# Generated by iptables-save v1.6.1 on Fri Jun 12 16:37:38 2020
*nat
:PREROUTING ACCEPT [1313:78384]
:INPUT ACCEPT [553:44451]
:OUTPUT ACCEPT [234:20496]
:POSTROUTING ACCEPT [346:26764]
-A PREROUTING -d 46.4.X.X/32 -p tcp -m tcp --dport 443 -m comment --comment "generated for LXD container webproxy (proxyhttps)" -j DNAT --to-destination 10.170.238.189:443
-A PREROUTING -d 46.4.X.X/32 -p tcp -m tcp --dport 80 -m comment --comment "generated for LXD container webproxy (proxyhttp)" -j DNAT --to-destination 10.170.238.189:80
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.170.238.232:25
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.170.238.232:143
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 587 -j DNAT --to-destination 10.170.238.232:587
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 10011 -j DNAT --to-destination 10.170.238.23:10011
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 30033 -j DNAT --to-destination 10.170.238.23:30033
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 41144 -j DNAT --to-destination 10.170.238.23:41144
-A PREROUTING -i enp2s0 -p udp -m udp --dport 9987 -j DNAT --to-destination 10.170.238.23:9987
-A PREROUTING -i enp2s0 -p udp -m udp --dport 9988 -j DNAT --to-destination 10.170.238.23:9988
-A PREROUTING -i enp2s0 -p udp -m udp --dport 9989 -j DNAT --to-destination 10.170.238.23:9989
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 27017 -j DNAT --to-destination 10.170.238.38:27017
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.170.238.117:2222
-A PREROUTING -i enp2s0 -p udp -m udp --dport 7777 -j DNAT --to-destination 10.170.238.199:7777
-A PREROUTING -i enp2s0 -p udp -m udp --dport 7778 -j DNAT --to-destination 10.170.238.199:7778
-A PREROUTING -i enp2s0 -p udp -m udp --dport 27015 -j DNAT --to-destination 10.170.238.199:27015
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 32330 -j DNAT --to-destination 10.170.238.199:32330
-A OUTPUT -d 46.4.X.X/32 -p tcp -m tcp --dport 443 -m comment --comment "generated for LXD container webproxy (proxyhttps)" -j DNAT --to-destination 10.170.238.189:443
-A OUTPUT -d 46.4.X.X/32 -p tcp -m tcp --dport 80 -m comment --comment "generated for LXD container webproxy (proxyhttp)" -j DNAT --to-destination 10.170.238.189:80
-A POSTROUTING -s 10.170.238.189/32 -d 10.170.238.189/32 -p tcp -m tcp --dport 443 -m comment --comment "generated for LXD container webproxy (proxyhttps)" -j MASQUERADE
-A POSTROUTING -s 10.170.238.189/32 -d 10.170.238.189/32 -p tcp -m tcp --dport 80 -m comment --comment "generated for LXD container webproxy (proxyhttp)" -j MASQUERADE
-A POSTROUTING -s 10.170.238.0/24 ! -d 10.170.238.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
COMMIT
# Completed on Fri Jun 12 16:37:38 2020
# Generated by iptables-save v1.6.1 on Fri Jun 12 16:37:38 2020
*filter
:INPUT DROP [198:8915]
:FORWARD DROP [576:24466]
:OUTPUT ACCEPT [10:669]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A OUTPUT -o lxdbr0 -p tcp -m tcp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -i lxdbr0 -p udp -m udp --dport 53 -j ACCEPT
-A ufw-user-input -i lxdbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw-user-input -i lxdbr0 -p udp -m udp --dport 67 -j ACCEPT
-A ufw-user-input -i lxdbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A ufw-user-input -i lxdbr0 -p tcp -m tcp --dport 8888 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 25 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 143 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 143 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 587 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 587 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9887 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9987 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9988 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9989 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 10011 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 10011 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 30033 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 30033 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 41144 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 41144 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 27017 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 27017 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2222 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 2222 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 7777 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 7777 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 7778 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 7778 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 27015 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 27015 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 32330 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 32330 -j ACCEPT
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-logging-forward -j RETURN
-A ufw-user-logging-input -j RETURN
-A ufw-user-logging-output -j RETURN
COMMIT
# Completed on Fri Jun 12 16:37:38 2020

But I see the warning in /var/snap/lxd/common/lxd/logs/lxd.log:

t=2020-06-12T15:57:24+0200 lvl=warn msg="Proxy bridge netfilter not enabled: br_netfilter not loaded: open /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory. Instances using the bridge will not be able to connect to the proxy's listen IP"
t=2020-06-12T15:57:24+0200 lvl=warn msg="Proxy bridge netfilter not enabled: br_netfilter not loaded: open /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory. Instances using the bridge will not be able to connect to the proxy's listen IP"
t=2020-06-12T15:57:24+0200 lvl=info msg="Started container" action=start created=2019-12-19T00:53:44+0100 ephemeral=false name=webproxy project=default stateful=false used=2020-06-12T02:49:59+0200

So that means that br_netfilter is not loaded/enabled, if it’s even installed. Would it be risky to enable/load it manually in that case? As I only have remote access to this machine (SSH) it would not be great if the network would drop. Or is there another workaround?

As long as you can remotely reboot the server if you get locked out then you can try loading that module when time is good for you.

It basically makes traffic that traverses the bridge go via the FORWARD iptables table, and I can’t see anything obvious that might drop traffic. That being said I’m not familiar with the ufw rules so there might be something in those chains that could cause a problem. You’re unlikely to lose access to the host itself, as that isn’t using bridge traffic now.
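The two points tomp makes above (LXD checks for br_netfilter before a bridged instance can reach a proxy device's listen IP, and once the module is loaded bridge traffic is evaluated by the FORWARD chain) as an added shell example; this is not code from LXD or from the thread. The sysctl directory, log file and iptables-save dump are parameters with constructed fixtures, and the modules-load.d file name is an assumption.

```shell
#!/bin/sh
# Added example (not LXD's code): reproduce the br_netfilter check, detect the
# warning LXD logs when it fails, and confirm FORWARD accepts bridge traffic.

# State of bridge netfilter from a sysctl directory (default: the real one).
# "not-loaded": /proc/sys/net/bridge is absent, i.e. the br_netfilter module is not
# loaded (what the LXD warning reports); "disabled": file holds 0; "enabled": 1.
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge}/bridge-nf-call-iptables"
    if [ ! -e "$f" ]; then
        echo not-loaded
    elif [ "$(cat "$f")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Count "Proxy bridge netfilter not enabled" warnings in an LXD log file.
proxy_nf_warnings() {
    grep -c 'lvl=warn msg="Proxy bridge netfilter not enabled' "$1" || :
}

# With br_netfilter loaded, bridged frames are evaluated by the filter FORWARD
# chain. Succeed when an iptables-save dump accepts both directions of the bridge
# there; the ufw-* chains it jumps to can still drop, so this is a necessary check.
forward_accepts_bridge() {
    dump="$1"; br="${2:-lxdbr0}"
    grep -q -- "-A FORWARD -i $br .*-j ACCEPT" "$dump" &&
        grep -q -- "-A FORWARD -o $br .*-j ACCEPT" "$dump"
}

# Load the module (root; keep a remote reboot path in case access drops) and make
# it persist via systemd-modules-load. Assumed file name; not run by the checks below.
load_br_netfilter() {
    modprobe br_netfilter &&
        echo br_netfilter > /etc/modules-load.d/br_netfilter.conf &&
        bridge_nf_state
}

# Constructed fixtures modelled on the thread, not the real host.
FIX="$(mktemp -d)"
mkdir -p "$FIX/nobridge" "$FIX/bridge"
echo 1 > "$FIX/bridge/bridge-nf-call-iptables"
cat > "$FIX/lxd.log" <<'EOF'
t=2020-06-12T15:57:24+0200 lvl=warn msg="Proxy bridge netfilter not enabled: br_netfilter not loaded: open /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory. Instances using the bridge will not be able to connect to the proxy's listen IP"
t=2020-06-12T15:57:24+0200 lvl=info msg="Started container" action=start name=webproxy project=default
EOF
cat > "$FIX/iptables.txt" <<'EOF'
*filter
:FORWARD DROP [576:24466]
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
COMMIT
EOF
echo "bridge netfilter on this host: $(bridge_nf_state)"
echo "proxy warnings in constructed log: $(proxy_nf_warnings "$FIX/lxd.log")"
forward_accepts_bridge "$FIX/iptables.txt" && echo "FORWARD accepts lxdbr0 traffic"
```

On a real host, point `forward_accepts_bridge` at the output of `iptables-save` and `proxy_nf_warnings` at `/var/snap/lxd/common/lxd/logs/lxd.log`; a non-zero warning count with state `not-loaded` is the situation in this thread.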

Yes, I think I could even boot into some kind of emergency system if everything goes wrong. But remotely rebooting is definitely possible. So I will give that a try and report back if it works.

Ok, that was quick - module loaded, and after I restarted the webproxy container I can now curl -v https://git.mydomain.tld on the drone LXD container and actually get a response from my gitea.

Unfortunately, drone itself now shows: Login Failed. unauthorized_client: client is not authorized - but I think that’s something on drone’s end, so the initial problem I had seems to be fixed. Thank you @tomp