UFW gets inactive on restart of container

Hi,
I am using lxd version 3.16, created a container using macvlan.
After installing my required packages on the container I set up ufw accordingly. All commands below are run in the container:

    ufw enable
    Firewall is active and enabled on system startup

Upon doing so the required ports are open and I can interact accordingly. But when I restart the lxd container or the host system is rebooted, UFW gets inactive and I have to run the following command manually each time via exec:

    ufw enable

systemctl status ufw shows:

    ● ufw.service - Uncomplicated firewall
       Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
       Active: active (exited) since Wed 2019-08-14 07:55:25 PKT; 20min ago
         Docs: man:ufw(8)
      Process: 64 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
     Main PID: 64 (code=exited, status=0/SUCCESS)

ufw.conf

    cat /etc/ufw/ufw.conf
    # /etc/ufw/ufw.conf
    #

    # Set to yes to start on boot. If setting this remotely, be sure to add a rule
    # to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
    ENABLED=yes

    # Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
    # See 'man ufw' for details.

Kindly help on how to keep ufw running after a reboot of the container or the host.

This is normal; ufw is a ‘oneshot’ service, see man systemd.service for details on the meaning of ‘oneshot’ and ‘RemainAfterExit’:

    systemctl cat ufw
    # /lib/systemd/system/ufw.service
    [Unit]
    Description=Uncomplicated firewall
    DefaultDependencies=no
    Before=network.target

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/lib/ufw/ufw-init start quiet
    ExecStop=/lib/ufw/ufw-init stop

Note that when you use ufw in a container, it will not be able to load kernel modules if they are required (see /lib/ufw/ufw-init-functions, function ufw_start), because a container can’t load kernel modules.

Hi!

UFW runs fine here. Whenever the container is restarted, the UFW rules are applied automatically.
To make sense of whether it works or not, we should have a common test.
Here it is:

  1. Launch a new container,

    lxc launch ubuntu:18.04 ufw
    
  2. Get a shell into the container and install a Web server.

    sudo apt update
    sudo apt install -y nginx
    logout
    
  3. Test that the Web server is accessible from the host.

    $ curl http://10.10.10.100/
    
    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
        body {
    
  4. Get back into the container and enable UFW.

    $ sudo ufw enable
    Firewall is active and enabled on system startup
    
  5. Then, try to access the web server from the host.

    $ curl http://10.10.10.100/
    
    (does not connect!)
    
  6. Restart the container and try to access again.

    $ lxc restart ufw
    $ curl http://10.10.10.100/
    
    (does not connect!)

Thank you for the guidance, I will definitely look into it. Can you please guide if there is a way round to solve this issue. The problem is that in case of a power outage the host reboots and then the lxc containers start. But due to ufw being inactive I cannot interact with the container applications until I enable ufw again.

The problem is that in your post there was nothing abnormal, as I have tried to explain, so there is nothing to try to answer.
Try to run the tests posted by @simos and post the results; it could make things clearer.

Thank you so much for the common test. I did it as is and found that the new container is behaving as expected. UFW is active even after restart ufw. The culprit was iRedMail. Someone else already has this issue: iRedMail runs some iptables script that conflicts with ufw. However, I am not yet able to figure out how to find and stop that script from running. Discussed at:

Well, I am not able to curl through the host as I am using macvlan. I have to use another computer on the network to perform all the actions.
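A small check that complements @simos's curl test and the iRedMail finding above. It is an added example, not code from the thread or from the ufw or LXD projects. The thread shows that `systemctl status ufw` reporting `active (exited)` only means the oneshot unit ran; whether packets are actually filtered depends on ufw's chains still being hooked into the kernel's INPUT chain, and a separate iptables script can flush or replace those jumps. The script below classifies `iptables -S INPUT` output into "ufw" (only ufw jumps), "mixed" (ufw jumps plus rules from another tool), "foreign" (no ufw jumps, other rules present) or "open" (no rules). The sample rule sets are constructed; the chain names `ufw-before-input` etc. are the ones ufw installs on a stock Ubuntu.

```shell
#!/bin/sh
# Added example, not from the thread. Decide whether ufw is really enforcing
# by looking at the filter table instead of the systemd unit state.
# Functions take `iptables -S INPUT` output as one string, so they can be
# exercised on constructed samples without root.

# ufw_hooked RULES
#   Exit 0 when INPUT jumps to ufw-before-input (ufw's entry chain), else 1.
ufw_hooked() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT -j ufw-before-input$'
}

# foreign_input_rules RULES
#   Print INPUT rules that are not ufw chain jumps (written by some other
#   tool, e.g. a mail stack's own iptables script). Exit 0 if any, 1 if none.
foreign_input_rules() {
    printf '%s\n' "$1" | grep -- '^-A INPUT ' | grep -v -- ' -j ufw-'
}

# ufw_state RULES
#   Print one word: ufw | mixed | foreign | open
ufw_state() {
    if ufw_hooked "$1"; then
        if foreign_input_rules "$1" >/dev/null; then echo mixed; else echo ufw; fi
    elif foreign_input_rules "$1" >/dev/null; then
        echo foreign
    else
        echo open
    fi
}

# Constructed sample: a healthy ufw. This is what `iptables -S INPUT`
# looks like on Ubuntu after `ufw enable` (chains it adds, in order).
SAMPLE_UFW='-P INPUT DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input'

# Constructed sample: another script replaced the rule set after boot, so
# ufw's jumps are gone although ufw.service still reports active (exited).
SAMPLE_FOREIGN='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j DROP'

# Constructed sample: empty chain, everything accepted.
SAMPLE_OPEN='-P INPUT ACCEPT'

# Stand-alone demo. On a real container run as root:
#   ufw_state "$(iptables -S INPUT)"
for s in "$SAMPLE_UFW" "$SAMPLE_FOREIGN" "$SAMPLE_OPEN"; do
    echo "state: $(ufw_state "$s")"
done
```

On a container with the iRedMail symptom, running `ufw_state "$(iptables -S INPUT)"` right after `lxc restart` would print `foreign` (or `mixed`) while `systemctl status ufw` still says active; after a manual `ufw enable` it prints `ufw`. Comparing `foreign_input_rules` output before and after `ufw enable` also shows exactly which rules the other script installs, which is the quickest way to find the script that needs to be disabled.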