Strange network behavior

Hi,

I’ve installed snap and the LXD package on my Fedora 32 system.

Networking is controlled via systemd-networkd and systemd-resolved. I have a bridge br0 on the system, and local networking works properly.

I let lxd init create the default lxdbr0 bridge for when I want/need a container to be behind NAT, but I also want containers to be able to attach directly to my local network and receive DHCP addresses from my router.

However, the containers set up this way seem to still be getting the NAT’d addresses even when I specify the correct network:

lxc launch images:kali --network=br0

jon@akane $ lxc list
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
+-----------------+---------+-------------------+-----------------------------------------------+-----------+-----------+
|      NAME       |  STATE  |       IPV4        |                     IPV6                      |   TYPE    | SNAPSHOTS |
+-----------------+---------+-------------------+-----------------------------------------------+-----------+-----------+
| supreme-herring | RUNNING | 10.2.2.105 (eth0) | fd42:2900:fe9a:98e4:216:3eff:fe89:2faf (eth0) | CONTAINER | 0         |
+-----------------+---------+-------------------+-----------------------------------------------+-----------+-----------+

This should have had a 10.1.1.0/24 address.

I also get nonsensical output like this:

jon@akane $ lxc network show br0
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
config: {}
description: ""
name: br0
type: bridge
used_by:
- /1.0/instances/supreme-herring
managed: false
status: ""
locations: []
~
jon@akane $ lxc network show lxdbr0
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
config:
  ipv4.address: 10.2.2.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:2900:fe9a:98e4::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/supreme-herring
- /1.0/profiles/default
managed: true
status: Created
locations:
- none

The container shows it’s using both profiles even though I explicitly set it to use only one.

Any ideas what is going on?

--network only works well if you don’t have another network device in your default profile.
In your case, if you do lxc config show --expanded on your container, you’ll see it’s getting two interfaces, one on lxdbr0 and one on br0.

To avoid this, one way is to do:

  • lxc init images:kali
  • lxc config device add NAME eth0 nic nictype=bridged parent=br0 name=eth0

This will effectively override the eth0 device coming from your profile and replace it with your own bridge.

To make things easier, you could create a profile which does that for you:

  • lxc profile create ext-net
  • lxc profile device add ext-net eth0 nic nictype=bridged parent=br0 name=eth0

And then you can launch containers using external networking with:

  • lxc launch images:kali -p default -p ext-net
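The device merge described in this reply, modelled as an added example (not part of the original reply and not LXD's own code): profiles are applied in order, instance-local devices last, and a device with the same name replaces the earlier one. The profile contents are constructed, and the device name used for `--network=br0` is an assumption; the reply only establishes that it does not replace `eth0`.

```python
# Simplified model of how an instance's expanded device list is built.
# Profiles are applied in order, then instance-local devices; a device
# with an existing name replaces the earlier definition entirely.

def expand_devices(profiles, local_devices):
    expanded = {}
    for profile in profiles:
        expanded.update(profile)
    expanded.update(local_devices)
    return expanded

def nic_parents(devices):
    """Return {device name: bridge} for every NIC in a device map."""
    return {name: dev.get("parent") or dev.get("network")
            for name, dev in devices.items() if dev.get("type") == "nic"}

def dual_homed(devices):
    """True when the instance ends up attached to more than one network."""
    return len(nic_parents(devices)) > 1

# Constructed sample profiles (not copied from a real system).
DEFAULT = {
    "eth0": {"type": "nic", "nictype": "bridged", "parent": "lxdbr0", "name": "eth0"},
    "root": {"type": "disk", "path": "/", "pool": "default"},
}
EXT_NET = {
    "eth0": {"type": "nic", "nictype": "bridged", "parent": "br0", "name": "eth0"},
}
# Assumption: --network=br0 adds a NIC under a device name other than eth0.
NETWORK_FLAG = {"br0": {"type": "nic", "nictype": "bridged", "parent": "br0"}}

CASES = {
    "launch --network=br0":        ([DEFAULT], NETWORK_FLAG),
    "init + device add eth0":      ([DEFAULT], EXT_NET),
    "launch -p default -p ext-net": ([DEFAULT, EXT_NET], {}),
    "launch -p ext-net -p default": ([EXT_NET, DEFAULT], {}),
}

def report():
    """Map each case label to (NIC parents, dual-homed flag)."""
    out = {}
    for label, (profiles, local) in CASES.items():
        devices = expand_devices(profiles, local)
        out[label] = (nic_parents(devices), dual_homed(devices))
    return out

if __name__ == "__main__":
    for label, (nics, dual) in report().items():
        print(f"{label:30} {nics} dual_homed={dual}")
```

The last case shows that profile order matters: with `default` listed after `ext-net`, the `eth0` on `lxdbr0` wins.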

Thank you very much for the reply.

Would another way of addressing this be to remove the lxdbr0 device from the default profile? I don’t particularly mind specifying the network device on each container create.

Yeah, not having the eth0 device in the default profile should also make this work.