Ubuntu 20 host, unable to give container ipv4 address

Hi

I am a newb in LXC.
I am trying to connect a container to the outside/internet but so far I am not even able to get it to take an IPv4 address on the bridge interface.

Could you please advise?

Thanks and regards :+1:

ip addr
lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 172.27.28.124/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 fd00::b:1c7c/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether d0:50:99:d2:2d:16 brd ff:ff:ff:ff:ff:ff
    altname enp3s0f0
    inet PUBLIC-IP-REMOVE-CUTPASTE/24 brd PUBLIC-IP-REMOVE-CUTPASTE scope global dynamic eno1
       valid_lft 83283sec preferred_lft 83283sec
    inet6 2001:41d0:303:b039::/56 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::d250:99ff:fed2:2d16/64 scope link 
       valid_lft forever preferred_lft forever
3: eno2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether d0:50:99:d2:2d:17 brd ff:ff:ff:ff:ff:ff
    altname enp3s0f1
30: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:a0:3d:52 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fea0:3d52/64 scope link 
       valid_lft forever preferred_lft forever
50: veth9faa8fca@if49: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether 32:19:f4:db:dc:f9 brd ff:ff:ff:ff:ff:ff link-netnsid 0

lxc network list
+--------+----------+---------+-----------------+------+-------------+---------+
|  NAME  |   TYPE   | MANAGED |      IPV4       | IPV6 | DESCRIPTION | USED BY |
+--------+----------+---------+-----------------+------+-------------+---------+
| eno1   | physical | NO      |                 |      |             | 0       |
+--------+----------+---------+-----------------+------+-------------+---------+
| eno2   | physical | NO      |                 |      |             | 0       |
+--------+----------+---------+-----------------+------+-------------+---------+
| lxdbr0 | bridge   | YES     | 10.10.10.254/24 | none |             | 2       |
+--------+----------+---------+-----------------+------+-------------+---------+

lxc network show lxdbr0 
config:
  ipv4.address: 10.10.10.254/24
  ipv4.firewall: "false"
  ipv4.nat: "true"
  ipv6.address: none
  ipv6.firewall: "false"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/test
- /1.0/profiles/default
managed: true
status: Created
locations:
- none

lxc network attach lxdbr0 test eth0
lxc config device set test eth0 ipv4.address 10.10.10.2

lxc list
+------+---------+------+------+-----------+-----------+
| NAME |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+------+---------+------+------+-----------+-----------+
| test | RUNNING |      |      | CONTAINER | 0         |
+------+---------+------+------+-----------+-----------+


lxc exec test -- bash
root@test:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
49: eth0@if50: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:10:8d:ba brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::216:3eff:fe10:8dba/64 scope link 
       valid_lft forever preferred_lft forever

Hi!

It looks like you have set up the default network configuration properly.
To verify, check that the following shows that the default profile uses the private network bridge. Your output of lxdbr0 shows that it has been configured correctly, giving out IP addresses in the range 10.10.10.x.

$ lxc profile show default
config: {}
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  root:
    path: /
    pool: lxd
    type: disk
name: default
used_by:

Then, when you launch containers as follows, you should get them to receive a DHCP lease with an IP address from the range 10.10.10.x.

$ lxc launch ubuntu:20.04 mycontainer

If the container does not get an IP address, then it could be due to a few things. The most common are:

  1. There is a firewall that blocks the DHCP requests from the containers. Adapt the firewall to allow those requests.
  2. There is another DHCP server on the 10.10.10.1 interface (lxdbr0) that does not allow LXD to launch its own DHCP server. Edit that other DHCP server not to listen on lxdbr0.
  3. You use Docker on the host. Docker uses many firewall rules that can mess up LXD.

@simos Thanks a lot for your reply.

-> Recreating container, no IP is set

lxc launch ubuntu:20.04 mycontainer
Creating mycontainer
Starting mycontainer 

lxc list 
+-------------+---------+------+------+-----------+-----------+
|    NAME     |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+-------------+---------+------+------+-----------+-----------+
| mycontainer | RUNNING |      |      | CONTAINER | 0         |
+-------------+---------+------+------+-----------+-----------+
| test        | RUNNING |      |      | CONTAINER | 0         |
+-------------+---------+------+------+-----------+-----------+

-> I was unable to find any other DHCP server and there is no dhcpd daemon running (ps aux | grep dhcpd)

-> Please find my iptables below. I also tested adding in/out/fwd accept-all rules, but the result is the same.

sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  127.0.0.0/8          anywhere            
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply ctstate NEW
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable ctstate NEW
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded ctstate NEW
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem ctstate NEW
ICMPFLOOD  icmp --  anywhere             anywhere             icmp echo-request ctstate NEW
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:FIN,RST/FIN,RST
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:FIN,ACK/FIN
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:PSH,ACK/PSH
PORTSCAN   tcp  --  anywhere             anywhere             tcp flags:ACK,URG/URG
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             base-address.mcast.net/4 
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
ACCEPT     all  --  102.53.11.160        anywhere            
SSHBRUTE   tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12227 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5000 ctstate NEW
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain SSHBRUTE (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere             recent: SET name: SSH side: source mask: 255.255.255.255
DROP       all  --  anywhere             anywhere             recent: UPDATE seconds: 60 hit_count: 10 name: SSH side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere            

Chain ICMPFLOOD (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere             recent: SET name: ICMP side: source mask: 255.255.255.255
DROP       all  --  anywhere             anywhere             recent: UPDATE seconds: 1 hit_count: 5 TTL-Match name: ICMP side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere            

Chain PORTSCAN (11 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain f2b-sshd (1 references)
target     prot opt source               destination         
REJECT     all  --  221.181.185.29       anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Edit:

  • Docker is not installed

I think you may want to sanitize your firewall rules. There is at least an IP address that you may want to sanitize.
I think the issue is indeed with the firewall rules.

If you create a VM, install and setup LXD and check the firewall rules (without adding ufw or something of that sort), then you can see there are some minimal rules by LXD. I cannot see those in your output.

Here is my try with creating a VM, installing LXD (snap package) and then checking for any iptables rules that LXD may have set.

$ lxc launch ubuntu:18.04 --vm myvm --profile default --profile vm
Creating myvm
Starting myvm
$ lxc console myvm
Ubuntu 18.04.5 LTS myvm ttyS0

myvm login: ubuntu
Password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-136-generic x86_64)
...

ubuntu@myvm:~$ sudo snap install lxd
2021-03-06T10:23:16Z INFO Waiting for automatic snapd restart...
lxd 4.11 from Canonical✓ installed
ubuntu@myvm:~$ sudo lxd.migrate 
=> Connecting to source server
=> Connecting to destination server
=> Running sanity checks
The source server is empty, no migration needed.

The migration is now complete and your containers should be back online.
Do you want to uninstall the old LXD (yes/no) [default=yes]? 

All done. You may need to close your current shell and open a new one to have the "lxc" command work.
To migrate your existing client configuration, move ~/.config/lxc to ~/snap/lxd/current/.config/lxc
ubuntu@myvm:~$ sudo lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm, zfs, ceph) [default=zfs]: dir
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
ubuntu@myvm:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps /* generated for LXD network lxdbr0 */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps /* generated for LXD network lxdbr0 */
ubuntu@myvm:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.76.70.0/24       !10.76.70.0/24        /* generated for LXD network lxdbr0 */
ubuntu@myvm:~$ 

I restarted the server and now have this kind of issue with lxd-agent… The issue might be elsewhere, ongoing…

lxd-agent.service - LXD - agent
     Loaded: loaded (/lib/systemd/system/lxd-agent.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Sat 2021-03-06 13:30:03 UTC; 4min 9s ago
             └─ ConditionPathExists=/dev/virtio-ports/org.linuxcontainers.lxd was not met
       Docs: https://linuxcontainers.org/lxd

Also try setting
ipv4.firewall: true
on the lxdbr0 network so that LXD adds the rules to allow DHCP and DNS access

I did a full reinstall of LXC; lxd-agent.service is not related to the issue (not here after the reinstall).

Hi @tomp
This does not seem to be the solution.

lxc stop test
lxc network attach lxdbr0 test eth0
lxc config device set test eth0 ipv4.address 10.250.56.5 
lxc network set lxdbr0 ipv4.firewall true
lxc start test
lxc list
+------+---------+------+------+-----------+-----------+
| NAME |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+------+---------+------+------+-----------+-----------+
| test | RUNNING |      |      | CONTAINER | 0         |
+------+---------+------+------+-----------+-----------+


lxc info test
Name: test
Location: none
Remote: unix://
Architecture: x86_64
Created: 2021/03/06 17:04 UTC
Status: Running
Type: container
Profiles: default
Pid: 9977
Ips:
  eth0: inet6   fe80::216:3eff:fefa:bef5        vethf459d861
  lo:   inet    127.0.0.1
  lo:   inet6   ::1
Resources:
  Processes: 13
  CPU usage:
    CPU usage (in seconds): 0
  Memory usage:
    Memory (current): 39.51MB
    Memory (peak): 43.11MB
  Network usage:
    eth0:
      Bytes received: 427B
      Bytes sent: 2.11kB
      Packets received: 3
      Packets sent: 14
    lo:
      Bytes received: 0B
      Bytes sent: 0B
      Packets received: 0
      Packets sent: 0

Try disabling your firewall entirely (temporarily) to prove it is a firewall issue

iptables -F

And/or

nft flush ruleset

sudo iptables -F
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-sshd (0 references)
target     prot opt source               destination         

Then I restarted the container; still no IP :’(

Did you flush the nft ruleset too? As LXD may be using nftables and not iptables if something else is.

Also, you should check whether you have some other process listening on a wildcard port that is preventing LXD’s dnsmasq from starting.

sudo ss -tlpn

and

ps aux | grep dnsmasq

Congratulations, nft flush ruleset fixed the issue :clap:
(I have zero knowledge in “nft”)

lxc list
+------+---------+--------------------+------+-----------+-----------+
| NAME |  STATE  |        IPV4        | IPV6 |   TYPE    | SNAPSHOTS |
+------+---------+--------------------+------+-----------+-----------+
| test | RUNNING | 10.250.56.5 (eth0) |      | CONTAINER | 0         |
+------+---------+--------------------+------+-----------+-----------+

Follow-up issue (ongoing research):

  • I am able to ping 10.250.56.1 (bridge)
  • I am not able to ping outside (8.8.8.8)

Yeah you won’t be able to as you cleared the NAT rules LXD adds for outbound internet access.

Now reload LXD using:

sudo systemctl reload snap.lxd.daemon

That should restore them.

Then if that works you can see the rules LXD added by doing:

sudo apt install nftables -y
sudo nft list ruleset

Then what remains is to get the firewall(s) you’re using to play nicely with LXD’s rules so they don't remove or interfere with them.

It all gets rather complicated because there are two types of iptables, the ‘legacy’ one, and the nftables shim, that actually uses nftables, but looks like iptables. So if you’re using the latter, then LXD will choose to use nftables directly rather than traditional iptables.

See also: Lxd bridge doesn't work with IPv4 and UFW with nftables for tips on getting it to work with the ufw firewall which seems to be quite popular.
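As an added example (not code from the thread, from LXD or from its maintainers), here is a small POSIX shell check that reads `iptables -S` style rules and reports which of the rule classes LXD generates for a managed bridge (DHCP and DNS to dnsmasq on INPUT, FORWARD in both directions, MASQUERADE in the nat POSTROUTING chain) are missing, plus a helper that classifies the `iptables -V` banner as the legacy backend or the nf_tables shim the post above describes. The two rule sets embedded in it are constructed, modelled on the "generated for LXD network lxdbr0" output shown earlier in the thread and on the flushed state after `iptables -F`.

```shell
#!/bin/sh
# Added example, not from the thread or LXD: report which of the rules LXD
# generates for a managed bridge are missing from a rule listing, and which
# iptables backend the host's binary is.

# Map the banner printed by `iptables -V` to the backend name.
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nftables ;;   # shim over nftables: LXD uses nft
    *"(legacy)"*)    echo legacy ;;     # classic xtables backend
    *)               echo unknown ;;
  esac
}

# Read `iptables -S` style rules (filter and nat tables) from stdin and
# check the rule classes LXD adds for bridge $1. The exit status is the
# number of missing classes, so 0 means the LXD rules are intact.
check_lxd_rules() {
  br=$1; rules=$(cat); missing=0
  for want in \
    "INPUT .*-i $br .*-p udp .*--dport 67 .*-j ACCEPT|DHCP to dnsmasq (udp 67)" \
    "INPUT .*-i $br .*-p udp .*--dport 53 .*-j ACCEPT|DNS to dnsmasq (udp 53)" \
    "FORWARD .*-i $br .*-j ACCEPT|forwarding out of the bridge" \
    "FORWARD .*-o $br .*-j ACCEPT|forwarding into the bridge" \
    "POSTROUTING .*-j MASQUERADE|NAT for outbound traffic"
  do
    pat=${want%%|*}; label=${want#*|}
    if printf '%s\n' "$rules" | grep -Eq -- "$pat"; then
      echo "present  $label"
    else
      echo "MISSING  $label"; missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Constructed sample modelled on the "generated for LXD network lxdbr0" rules.
LXD_RULES='-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 ! -d 10.10.10.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE'

# Constructed sample of what is left after `iptables -F`: only fail2ban.
FLUSHED_RULES='-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -j RETURN'

if [ "${1:-}" = live ]; then
  # Inspect this host (needs root); the nat table carries the MASQUERADE rule.
  echo "backend: $(iptables_backend "$(iptables -V)")"
  { iptables -S; iptables -t nat -S; } | check_lxd_rules "${2:-lxdbr0}" || :
else
  echo "--- constructed sample: LXD rules intact"
  printf '%s\n' "$LXD_RULES" | check_lxd_rules lxdbr0 || :
  echo "--- constructed sample: after iptables -F"
  printf '%s\n' "$FLUSHED_RULES" | check_lxd_rules lxdbr0 || :
fi
```

Run it with `live` (as root, optionally followed by the bridge name) to check the real host; with no arguments it walks the two constructed samples.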

Well, I am NOT using UFW (and nftables), or at least I’m not aware of it.

What I only “need” are iptables to work => Should I look for a way to disable UFW/nftables or is that something that is required/linked to LXC?

If you restart your machine, and then run sudo nft list ruleset you’ll see what is adding nftables rules that makes LXD use it.

Also please show output of iptables -v

nft list ruleset (No output)

iptables -L -v
Chain INPUT (policy ACCEPT 23488 packets, 57M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2103  614K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 21518 packets, 6666K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2066  610K RETURN     all  --  any    any     anywhere             anywhere            

(This is default, with fail2ban default rules, I removed all my other iptables rules to isolate the issue)

Thanks for the help

Disabling firewalld / nftables was apparently the solution for me.
systemctl mask firewalld
systemctl stop firewalld

I suppose I don't need firewalld / nftables and will still rely on iptables.
