OS: Debian 11. LXD was working fine until a certain point, though I’m not sure exactly when. Now when I try to start a container I get
Bash 5.1 :) lxc start ubcon
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
Error: Failed preparing container for start: Failed to start device "eth0": Parent device "lxdbr0" doesn't exist
Try `lxc info --show-log ubcon` for more info
But the log is empty:
bash 5.1 :) lxc info --show-log ubcon
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
Name: ubcon
Status: STOPPED
Type: container
Architecture: x86_64
Created: 2021/05/20 05:13 UTC
Last Used: 2021/07/20 14:07 UTC
Log:
And lxdbr0 appears in the network list:
bash 5.1 :) lxc network list
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
+--------+----------+---------+-----------------+---------------------------+-------------+---------+
| NAME | TYPE | MANAGED | IPV4 | IPV6 | DESCRIPTION | USED BY |
+--------+----------+---------+-----------------+---------------------------+-------------+---------+
| lxdbr0 | bridge | YES | 10.208.106.1/24 | fd42:22de:f638:b119::1/64 | | 2 |
+--------+----------+---------+-----------------+---------------------------+-------------+---------+
| virbr0 | bridge | NO | | | | 0 |
+--------+----------+---------+-----------------+---------------------------+-------------+---------+
| wlp1s0 | physical | NO | | | | 0 |
+--------+----------+---------+-----------------+---------------------------+-------------+---------+
But it doesn’t show up in the system as an interface:
bash 5.1 :) ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 7c:2a:31:17:88:dd brd ff:ff:ff:ff:ff:ff
inet 192.168.223.83/24 brd 192.168.223.255 scope global dynamic noprefixroute wlp1s0
valid_lft 2618sec preferred_lft 2618sec
inet6 2607:fb90:3127:317f:946d:a9ed:408c:a310/64 scope global dynamic noprefixroute
valid_lft 3311sec preferred_lft 3311sec
inet6 fe80::bace:b177:dbed:4d24/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:14:a7:f2 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
Upon trying to create a new bridge, I encounter
bash 5.1 :) lxc network create lxdbr1
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
Error: Failed to setup firewall: Failed adding ICMP, DHCP and DNS access rules for network "lxdbr1" (inet): Failed apply nftables config: Failed to run: nft
table inet lxd {
chain in.lxdbr1 {
type filter hook input priority 0; policy accept;
iifname "lxdbr1" tcp dport 53 accept
iifname "lxdbr1" udp dport 53 accept
iifname "lxdbr1" icmp type {3, 11, 12} accept
iifname "lxdbr1" udp dport 67 accept
iifname "lxdbr1" icmpv6 type {1, 2, 3, 4, 133, 135, 136, 143} accept
iifname "lxdbr1" udp dport 547 accept
}
chain out.lxdbr1 {
type filter hook output priority 0; policy accept;
oifname "lxdbr1" tcp sport 53 accept
oifname "lxdbr1" udp sport 53 accept
oifname "lxdbr1" icmp type {3, 11, 12} accept
oifname "lxdbr1" udp sport 67 accept
oifname "lxdbr1" icmpv6 type {1, 2, 3, 4, 128, 134, 135, 136, 143} accept
oifname "lxdbr1" udp sport 547 accept
}
}
: Error: Could not process rule: Operation not supported
^^^^^^^^^^^
Error: Could not process rule: No such file or directory
^^^^^^^^^^^
Error: Could not process rule: Operation not supported
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Operation not supported
^^^^^^^^^^^
Error: Could not process rule: No such file or directory
^^^^^^^^^^^
Error: Could not process rule: Operation not supported
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
And upon examining nftables, the lxd rules are already there:
bash 5.1 :) sudo nft list ruleset
table ip filter {
chain LIBVIRT_INP {
iifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept
iifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept
iifname "virbr0" meta l4proto udp udp dport 67 counter packets 0 bytes 0 accept
iifname "virbr0" meta l4proto tcp tcp dport 67 counter packets 0 bytes 0 accept
}
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 794 bytes 98210 jump LIBVIRT_INP
}
chain LIBVIRT_OUT {
oifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept
oifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept
oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 accept
oifname "virbr0" meta l4proto tcp tcp dport 68 counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 865 bytes 66477 jump LIBVIRT_OUT
}
chain LIBVIRT_FWO {
iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 0 bytes 0 accept
iifname "virbr0" counter packets 0 bytes 0 reject
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump LIBVIRT_FWX
counter packets 0 bytes 0 jump LIBVIRT_FWI
counter packets 0 bytes 0 jump LIBVIRT_FWO
}
chain LIBVIRT_FWI {
oifname "virbr0" ip daddr 192.168.122.0/24 ct state related,established counter packets 0 bytes 0 accept
oifname "virbr0" counter packets 0 bytes 0 reject
}
chain LIBVIRT_FWX {
iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
}
}
table ip nat {
chain LIBVIRT_PRT {
ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 6 bytes 413 return
ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 395 bytes 28317 jump LIBVIRT_PRT
}
}
table ip mangle {
chain LIBVIRT_PRT {
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
counter packets 952 bytes 75272 jump LIBVIRT_PRT
}
}
table ip6 filter {
chain LIBVIRT_INP {
}
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 11448 bytes 10059142 jump LIBVIRT_INP
}
chain LIBVIRT_OUT {
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 10852 bytes 2251399 jump LIBVIRT_OUT
}
chain LIBVIRT_FWO {
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump LIBVIRT_FWX
counter packets 0 bytes 0 jump LIBVIRT_FWI
counter packets 0 bytes 0 jump LIBVIRT_FWO
}
chain LIBVIRT_FWI {
}
chain LIBVIRT_FWX {
}
}
table ip6 nat {
chain LIBVIRT_PRT {
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 60 bytes 13967 jump LIBVIRT_PRT
}
}
table ip6 mangle {
chain LIBVIRT_PRT {
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
counter packets 10881 bytes 2254933 jump LIBVIRT_PRT
}
}
table inet lxd {
chain pstrt.lxdbr0 {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.208.106.0/24 ip daddr != 10.208.106.0/24 masquerade
ip6 saddr fd42:22de:f638:b119::/64 ip6 daddr != fd42:22de:f638:b119::/64 masquerade
}
chain fwd.lxdbr0 {
type filter hook forward priority filter; policy accept;
ip version 4 oifname "lxdbr0" accept
ip version 4 iifname "lxdbr0" accept
ip6 version 6 oifname "lxdbr0" accept
ip6 version 6 iifname "lxdbr0" accept
}
chain pstrt.lxdbr1 {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.53.48.0/24 ip daddr != 10.53.48.0/24 masquerade
ip6 saddr fd42:ff9:37f6:fcde::/64 ip6 daddr != fd42:ff9:37f6:fcde::/64 masquerade
}
chain fwd.lxdbr1 {
type filter hook forward priority filter; policy accept;
ip version 4 oifname "lxdbr1" accept
ip version 4 iifname "lxdbr1" accept
ip6 version 6 oifname "lxdbr1" accept
ip6 version 6 iifname "lxdbr1" accept
}
}
I thought it could be due to something I messed up when I rebuilt the kernel, but comparing my kernel to that around 5/20 (when the container was created) and 7/20 (when it was last used), I don’t see any netfilter option being unchecked.
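The kernel-config comparison described in the post can be automated. This is an added example, not code from the original post or from LXD: a POSIX shell script that lists netfilter/nftables options enabled in an older kernel .config but unset or disabled in a newer one. The two sample configs are constructed; the option names are real kernel symbols, but the script does not claim which of them LXD's nft rules require.

```shell
#!/bin/sh
# Added example (not from the original post): report netfilter/nftables
# kernel options that were enabled (y or m) in OLD_CONFIG but are unset or
# disabled in NEW_CONFIG. Inputs are plain-text kernel .config files
# (e.g. /boot/config-$(uname -r) or the output of "zcat /proc/config.gz").

# Emit "CONFIG_X=value" for each netfilter-related option; commented-out
# options ("# CONFIG_X is not set") are emitted as "CONFIG_X=n".
nf_options() {
    awk '
        /^CONFIG_(NETFILTER|NF_|NFT_|IP_NF_|IP6_NF_|BRIDGE_NF)[A-Z0-9_]*=/ { print; next }
        /^# CONFIG_(NETFILTER|NF_|NFT_|IP_NF_|IP6_NF_|BRIDGE_NF)[A-Z0-9_]* is not set$/ { print $2 "=n" }
    ' "$1"
}

# Print "OPTION old -> new" for every option that regressed between the two.
nf_config_regressions() {
    { nf_options "$1"; echo "==="; nf_options "$2"; } |
    awk -F= '
        /^===$/ { phase = 1; next }
        phase == 0 { old[$1] = $2; next }
        { new[$1] = $2 }
        END {
            for (o in old) {
                on = (o in new) && (new[o] == "y" || new[o] == "m")
                if ((old[o] == "y" || old[o] == "m") && !on)
                    print o " " old[o] " -> " ((o in new) ? new[o] : "missing")
            }
        }' | LC_ALL=C sort
}

# Constructed sample configs standing in for the 5/20 and 7/20 kernels
# (hypothetical contents chosen to show one unset and one missing option).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
OLD_CFG=$SAMPLE_DIR/config-old
NEW_CFG=$SAMPLE_DIR/config-new
printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_NF_CONNTRACK=m' 'CONFIG_NF_TABLES=m' \
    'CONFIG_NF_TABLES_INET=y' 'CONFIG_NFT_CT=m' 'CONFIG_NFT_MASQ=m' \
    'CONFIG_NFT_NAT=m' 'CONFIG_NFT_REJECT_INET=m' 'CONFIG_BRIDGE=m' > "$OLD_CFG"
printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_NF_CONNTRACK=m' 'CONFIG_NF_TABLES=m' \
    '# CONFIG_NF_TABLES_INET is not set' 'CONFIG_NFT_CT=m' \
    '# CONFIG_NFT_MASQ is not set' 'CONFIG_NFT_NAT=m' 'CONFIG_BRIDGE=m' > "$NEW_CFG"

nf_config_regressions "$OLD_CFG" "$NEW_CFG"
```

Run it against the saved .config of the kernel that worked and the one that does not; an empty result means no netfilter option was dropped, and attention can move to module loading or the userspace nft version instead.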