Unable to ping other hosts from container

I’ve been using lxc for years, but I’m stumped on this one. I have an Ubuntu focal host with a single bionic container. From the container, I cannot ping any other hosts. The focal host is using netplan with bridge networking. The container is using ifconfig.

Host config:
# cat /etc/netplan/00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
  version: 2
  bridges:
    br0:
      interfaces: [ens160]
      addresses:
        - 172.27.30.51/24
      gateway4: 172.27.30.2
      nameservers:
        addresses:
          - 172.27.9.2
        search:
          - drugbenefit.com
  ethernets:
    ens160: {}

Container network config:

# Network configuration
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:fd:81:fe
lxc.net.0.ipv4.address = 172.27.30.45/24
lxc.net.0.ipv4.gateway = 172.27.30.1

Container /etc/network/interfaces

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
dns-nameservers 172.27.9.2 172.27.9.245

Host ip commands

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 00:50:56:01:4b:92 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:50:56:01:4b:92 brd ff:ff:ff:ff:ff:ff
    inet 172.27.30.51/24 brd 172.27.30.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::cce9:d7ff:feeb:d183/64 scope link
       valid_lft forever preferred_lft forever
4: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.1/24 brd 10.0.3.255 scope global lxcbr0
       valid_lft forever preferred_lft forever
8: veth6ioCW8@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether fe:36:32:05:34:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::fc36:32ff:fe05:34b5/64 scope link
       valid_lft forever preferred_lft forever
root@exp1:/# ip r
default via 172.27.30.2 dev br0 proto static
10.0.3.0/24 dev lxcbr0 proto kernel scope link src 10.0.3.1 linkdown
172.27.30.0/24 dev br0 proto kernel scope link src 172.27.30.51

Container

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:fd:81:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.27.30.45/24 brd 172.27.30.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fefd:81fe/64 scope link
       valid_lft forever preferred_lft forever
root@terra:/# ip r
default via 172.27.30.1 dev eth0
172.27.30.0/24 dev eth0 proto kernel scope link src 172.27.30.45

ping from host

# ping 172.27.30.1 -c1
PING 172.27.30.1 (172.27.30.1) 56(84) bytes of data.
64 bytes from 172.27.30.1: icmp_seq=1 ttl=64 time=0.205 ms

--- 172.27.30.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms

ping from container

# ping 172.27.30.1 -c1
PING 172.27.30.1 (172.27.30.1) 56(84) bytes of data.
From 172.27.30.45 icmp_seq=1 Destination Host Unreachable

--- 172.27.30.1 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

I’m stumped!

Can you ping the LXC host on 172.27.30.51 from the container, and vice versa?

Have you checked using tcpdump whether the packets from the container destined for 172.27.30.1 are leaving the LXC host’s external ens160 interface?

Yes. I can ping the container from the host and vice versa. Using tcpdump is a great idea, and I’ll try that next when I get a little time.

I also found another post on this board with a similar problem and the issue was promiscuous mode not being enabled on a vswitch. This is a new environment this host is running in, so that might be it too. Out of curiosity, what function does the promiscuous mode serve in this context?

Probably not relevant; it’s normally relevant when running LXD inside a VM and you need to enable the VM’s interface to listen for all traffic on the external network (not just frames for its MAC address).

Ok, so I did a ping test and monitored with tcpdump and did not see any outbound ICMP packets when pinging out from the guest. (I also did this on another working lxc host/guest to confirm my methodology worked, and it did).

As an aside, I also tested with the built-in NAT/virtual interface (lxcbr0), and this one works fine.
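Added example, not code from the thread or from the LXC project. A small POSIX shell script that turns the checks discussed above into something repeatable: it reads `ip a` / `ip r` text (the samples are constructed from the outputs pasted in the thread), confirms that ens160 and the container’s veth are both enslaved to br0, pulls the host and container default gateways, checks that the container’s gateway is on-link, and prints the tcpdump invocation for watching the container’s own frames on the uplink. It also surfaces the detail that makes the vswitch question relevant: br0 carries the uplink’s MAC (00:50:56:01:4b:92), so the host’s own traffic leaves ens160 with the VM NIC’s address, while the container’s frames carry 00:16:3e:fd:81:fe. A virtual switch that only forwards frames for the VM’s assigned MAC would drop the container’s traffic and nothing else, which matches a host that pings fine beside a container whose ARP never resolves. The addresses and interface names are the thread’s; the function names are the example’s own.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline sanity checks over `ip a` and
# `ip r` text from a bridged LXC host and its container. The three samples are
# constructed from the outputs pasted in the thread; on a live host you would
# pipe real `ip a` / `ip r` output into the same functions.

HOST_IP_A='2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 00:50:56:01:4b:92 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:50:56:01:4b:92 brd ff:ff:ff:ff:ff:ff
    inet 172.27.30.51/24 brd 172.27.30.255 scope global br0
4: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
8: veth6ioCW8@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether fe:36:32:05:34:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 0'
HOST_IP_R='default via 172.27.30.2 dev br0 proto static
172.27.30.0/24 dev br0 proto kernel scope link src 172.27.30.51'
CONTAINER_IP_R='default via 172.27.30.1 dev eth0
172.27.30.0/24 dev eth0 proto kernel scope link src 172.27.30.45'
CONTAINER_MAC='00:16:3e:fd:81:fe'   # lxc.net.0.hwaddr from the container config

# bridge_members BRIDGE  (ip a text on stdin): names of interfaces enslaved to
# BRIDGE. The uplink and the container's veth must both be listed, otherwise
# the bridge is not actually joining them.
bridge_members() {
    awk -v br="$1" '/^[0-9]+: / && $0 ~ (" master " br " ") {
        name = $2; sub(/@.*/, "", name); sub(/:$/, "", name)
        out = out (out ? " " : "") name
    } END { print out }'
}

# link_mac IFACE  (ip a text on stdin): MAC address of IFACE.
link_mac() {
    awk -v ifn="$1" '
        /^[0-9]+: / { cur = $2; sub(/@.*/, "", cur); sub(/:$/, "", cur) }
        cur == ifn && $1 == "link/ether" { print $2 }'
}

# default_gw  (ip r text on stdin): next hop of the default route.
default_gw() { awk '$1 == "default" && $2 == "via" { print $3 }'; }

# ip2int A.B.C.D -> 32-bit integer, so subnet membership can be tested with masks.
ip2int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# in_subnet ADDR CIDR: succeeds when ADDR lies inside CIDR (e.g. 172.27.30.45/24).
# A gateway outside the container's own subnet is unreachable by construction.
in_subnet() {
    net=${2%/*}; plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# uplink_capture_cmd IFACE MAC: the tcpdump invocation to run on the host to see
# whether the container's own frames reach the uplink. ARP matters most here:
# "Destination Host Unreachable" reported from the container's own address
# means neighbour (ARP) resolution of the target failed.
uplink_capture_cmd() {
    printf 'tcpdump -eni %s ether host %s and \\(arp or icmp\\)\n' "$1" "$2"
}

# diagnose: run the checks over the samples and print what to look at next.
diagnose() {
    members=$(printf '%s\n' "$HOST_IP_A" | bridge_members br0)
    host_gw=$(printf '%s\n' "$HOST_IP_R" | default_gw)
    ct_gw=$(printf '%s\n' "$CONTAINER_IP_R" | default_gw)
    uplink_mac=$(printf '%s\n' "$HOST_IP_A" | link_mac ens160)
    bridge_mac=$(printf '%s\n' "$HOST_IP_A" | link_mac br0)
    echo "br0 members:            $members"
    echo "host/container gateway: $host_gw / $ct_gw"
    in_subnet "$ct_gw" 172.27.30.45/24 && echo "container gateway is on-link: ok"
    if [ "$uplink_mac" = "$bridge_mac" ]; then
        echo "host traffic leaves ens160 as $uplink_mac; container traffic as $CONTAINER_MAC"
        echo "a vswitch that only passes the VM's own MAC would drop only the container's frames"
    fi
    echo "next on the host: $(uplink_capture_cmd ens160 "$CONTAINER_MAC")"
}

diagnose
```

Run it as-is to see the checks over the thread’s own figures; on a live host, replace the three sample variables with `ip a` and `ip r` output from the host and container and the same functions apply. The capture command it prints is what answers the question raised earlier in the thread: if the container’s ARP requests never appear on ens160, the problem is on the host side of the uplink; if they leave and no reply comes back, it is the switch or whatever sits beyond it.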