Wrong interfaces assignement when creating containers with terraform and multiple interfaces

roman · April 19, 2022, 6:48pm

Hi. Before posting it in terraform-lxd provider repository I thought to check here first.

My LXD host is setup with two bridge interfaces (bridge-utils), and I configure profile to use them for containers. So my containers have two interfaces too. I do not use DHCP, my network config is static. I use cloud-init I think, not sure but it works.

See my terraform code below for reference.

Half of the time the container network is created wrong (does not often happen if you create one container, but almost always happens when I create like 8 containers). The internal interface is assigned to the wrong host interface. If I ping something from within container and monitor traffic with tcpdump, I can see that traffic is being sent out via the wrong interface.

For example see the part of the config from the lxc config edit <container>:

config:
  ...
  volatile.eth0.host_name: vetheyxxxyyy
  volatile.eth0.hwaddr: 00:1x:xx:xx:xx:yy
  volatile.eth0.name: eth1
  volatile.eth1.host_name: veth6xxx6xxx
  volatile.eth1.hwaddr: 00:1x:xx:xx:xx:xx
  volatile.eth1.name: eth0

I have to fix these two lines, restart container and then network works as expected.

volatile.eth0.name: eth0
volatile.eth1.name: eth1

Looks like a race condition to me. Should I let people on terraform-lxd github know about this or is this something for you guys to look at?

My profile:

$ lxc profile show myprofile
config: {}
description: Created by Terraform
devices:
  eth0:
    nictype: bridged
    parent: br0
    type: nic
  eth1:
    nictype: bridged
    parent: br1
    type: nic

This is some of my terraform code:

# this is modules/container/main.tf, scroll down for network.yml template
resource "lxd_container" "container" {
  name = var.name
  image = var.image
  ephemeral = var.ephemeral
  profiles = var.profiles

  config = {
    "user.network-config" : data.template_file.network_config.rendered
  }
}

data "template_file" "network_config" {
  template = file("${path.module}/network.yml")
  vars = {
    eth0_ip = var.eth0_ip
    eth0_netmask = var.eth0_netmask
    eth0_gateway = var.eth0_gateway
    eth1_ip = var.eth1_ip
    eth1_netmask = var.eth1_netmask
    nameserver = var.nameserver
  }
}

# this is modules/container/network.yml
network:
  version: 1
  config:
    - type: physical
      name: eth0
      subnets:
        - type: static
          ipv4: true
          address: ${eth0_ip}
          netmask: ${eth0_netmask}
          gateway: ${eth0_gateway}
          control: auto
    - type: physical
      name: eth1
      subnets:
        - type: static
          ipv4: true
          address: ${eth1_ip}
          netmask: ${eth1_netmask}
          control: auto

# this is project
module "mycontainer1" {
  source = "./modules/container"
  name = "mycontainer1"
  image = "images:debian/buster/cloud/amd64"
  profiles = ["myprofile"]

  eth0_ip = "xxxxx"
  eth0_netmask = "255.255.255.0"
  eth0_gateway = "xxxxxxx"
  eth1_ip = "xxxxxxx"
  eth1_netmask = "255.255.255.0"
  nameserver = "xxxxxxx"
}

Feel free to ask any questions. Code above was sanitized a bit so may be few mistakes made during copy/paste.

Edit1: there is another lxd terraform glitch, when you use modules - terraform will fail to download lxd provider binaries. I had to add providers into the module itself, and pass variables to the module. If someone will be testing terraform and experience this issue, please let me know and I will help.

tomp · April 20, 2022, 8:28am

Is Terraform creating these instances concurrently? If so it could be a bug in LXD’s interface assignment logic.

Please could you open an issue here Issues · lxc/lxd · GitHub

Thanks

roman · April 20, 2022, 8:40am

Is Terraform creating these instances concurrently?

I believe so as all of the containers appear on the lxc ls list at once.

Thanks @tomp what information in particular should I mention from my post in the bug report?

tomp · April 20, 2022, 8:43am

Everything you mentioned here basically. That way it won’t get lost in the forum

tomp · April 20, 2022, 9:22am

github.com/lxc/lxd

Wrong interfaces assignement when creating containers with terraform and multiple interfaces

opened 08:57AM - 20 Apr 22 UTC

invizus

# Required information * Distribution: Debian 10 * Distribution version: 1…0.11 * The output of "lxc info" or if that fails: (it was 413 lines long, so here is the summary below) * Kernel version: * LXC version: * LXD version: * Storage backend in use: dir ``` driver: lxc | qemu driver_version: 4.0.12 | 6.1.1 firewall: xtables kernel: Linux kernel_architecture: x86_64 kernel_features: idmapped_mounts: "false" netnsid_getifaddrs: "false" seccomp_listener: "false" seccomp_listener_continue: "false" shiftfs: "false" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 4.19.0-19-amd64 lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Debian GNU/Linux os_version: "10" project: default server: lxd server_clustered: false server_event_mode: full-mesh server_pid: 17878 server_version: 5.0.0 storage: dir storage_version: "1" ``` # Issue description Just FYI I can work around this, as this is not breaking my devops workflows, but something you may be interested to fix some time in future. My LXD host is setup with two bridge interfaces (`bridge-utils`), and I configure profile to use them for containers. So my containers have two interfaces too. I do not use DHCP, my network config is static. I use cloud-init I think, not sure but it works. See my terraform code below for reference. Half of the time the container network is created wrong (does not often happen if you create one container, but almost always happens when I create like 8 containers). The internal interface is assigned to the wrong host interface. If I ping something from within container and monitor traffic with tcpdump, I can see that traffic is being sent out via the wrong interface. One of the maintainers asked whether containers are created concurrently? I believe so. When I monitor `lxc ls`, I see all new containers that are being created appear at the same time together. # Steps to reproduce For example see the part of the config from the `lxc config edit <container>`: ``` config: ... volatile.eth0.host_name: vetheyxxxyyy volatile.eth0.hwaddr: 00:1x:xx:xx:xx:yy volatile.eth0.name: eth1 volatile.eth1.host_name: veth6xxx6xxx volatile.eth1.hwaddr: 00:1x:xx:xx:xx:xx volatile.eth1.name: eth0 ``` I have to fix these two lines, restart container and then network works as expected. ``` volatile.eth0.name: eth0 volatile.eth1.name: eth1 ``` Looks like a race condition to me. Should I let people on terraform-lxd github know about this or is this something for you guys to look at? My profile: ``` $ lxc profile show myprofile config: {} description: Created by Terraform devices: eth0: nictype: bridged parent: br0 type: nic eth1: nictype: bridged parent: br1 type: nic ``` This is some of my terraform code: ``` # this is modules/container/main.tf, scroll down for network.yml template resource "lxd_container" "container" { name = var.name image = var.image ephemeral = var.ephemeral profiles = var.profiles config = { "user.network-config" : data.template_file.network_config.rendered } } data "template_file" "network_config" { template = file("${path.module}/network.yml") vars = { eth0_ip = var.eth0_ip eth0_netmask = var.eth0_netmask eth0_gateway = var.eth0_gateway eth1_ip = var.eth1_ip eth1_netmask = var.eth1_netmask nameserver = var.nameserver } } # this is modules/container/network.yml network: version: 1 config: - type: physical name: eth0 subnets: - type: static ipv4: true address: ${eth0_ip} netmask: ${eth0_netmask} gateway: ${eth0_gateway} control: auto - type: physical name: eth1 subnets: - type: static ipv4: true address: ${eth1_ip} netmask: ${eth1_netmask} control: auto ``` ``` # this is project module "mycontainer1" { source = "./modules/container" name = "mycontainer1" image = "images:debian/buster/cloud/amd64" profiles = ["myprofile"] eth0_ip = "xxxxx" eth0_netmask = "255.255.255.0" eth0_gateway = "xxxxxxx" eth1_ip = "xxxxxxx" eth1_netmask = "255.255.255.0" nameserver = "xxxxxxx" } ``` Feel free to ask any questions. Code above was sanitized a bit so may be few mistakes made during copy/paste. There is another lxd terraform glitch, when you use modules - terraform will fail to download lxd provider binaries. I had to add providers into the module itself, and pass variables to the module. If someone will be testing terraform and experience this issue, please let me know and I will help. # Information to attach - [ ] Any relevant kernel output (`dmesg`) - [ ] Container log (`lxc info NAME --show-log`) - [ ] Container configuration (`lxc config show NAME --expanded`) - [ ] Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log) - [ ] Output of the client with --debug - [ ] Output of the daemon with --debug (alternatively output of `lxc monitor` while reproducing the issue) Originally reported at https://discuss.linuxcontainers.org/t/wrong-interfaces-assignement-when-creating-containers-with-terraform-and-multiple-interfaces/13877

tomp · April 20, 2022, 1:39pm

github.com/lxc/lxd

Instance: Ensure that devices are added and removed in the correct order

lxc:master ← tomponline:tp-instance-device-add-order

opened 01:36PM - 20 Apr 22 UTC

tomponline

+18 -26

Because Go maps are iterated in a random order, if there were multiple NICs with…out a `name` property then the generated interface name stored in volatile may be unexpected based on the order the devices were added. E.g. for 2 NICs (eth0, and eth1), they may end up with respective volatile interface names of eth1 and eth0. Fixes #10282 Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

roman · April 20, 2022, 2:54pm

Thanks so much, that was very fast. Looking forward to trying.

roman · April 21, 2022, 2:12pm

@tomp
if you don’t mind me asking, when will this fix be published in downloadable version from snap? I have noticed that 5.0 got updated on 20 April which was yesterday, but no release was published on github. I have refreshed LXD from snap, tried deploying containers but problem persists. So I assume fix was not added to the release yet. Just wondering.

Thank you in advance.

tomp · April 22, 2022, 9:38am

The next time @stgraber does a cherry-pick and push of the LXD 5.0 snap package it will be available a few hours after that.

You can keep an eye out for the cherry-pick of the commit in:

github.com

lxc/lxd-pkg-snap/blob/latest-candidate/snapcraft.yaml

name: lxd
base: core20
assumes:
  - snapd2.39
version: "5.0.0"
grade: stable
summary: LXD - container and VM manager
description: |-
 LXD is a system container and virtual machine manager.

 It offers a simple CLI and REST API to manage local or remote instances,
 uses an image based workflow and support for a variety of advanced features.

 Images are available for all Ubuntu releases and architectures as well
 as for a wide number of other Linux distributions. Existing
 integrations with many deployment and operation tools, makes it work
 just like a public cloud, except everything is under your control.

 LXD containers are lightweight, secure by default and a great
 alternative to virtual machines when running Linux on Linux.

This file has been truncated. show original