[lxc-devel] [lxd/master] firewalld & lxd : allow containers to access the internet

kerphi on Github lxc-bot at linuxcontainers.org
Wed Apr 15 13:55:37 UTC 2020


From 11ce947e520c23e2cafd012cfd69198dfd5f4697 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Gully?= <stephane.gully at gmail.com>
Date: Wed, 15 Apr 2020 15:55:18 +0200
Subject: [PATCH] firewalld & lxd : allow containers to access the internet

A little documentation is better than nothing.
There may be a better way to fix it.
---
 doc/networks.md | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/doc/networks.md b/doc/networks.md
index af5b7a5dc2..be55b7d7f0 100644
--- a/doc/networks.md
+++ b/doc/networks.md
@@ -146,7 +146,9 @@ exists, so you must repeat this command each reboot and after
 LXD is restarted.  Also note this only works if the bridge
 `dns.mode` is not `none`.
 
-## Allow DHCP, DNS with Firewalld
+## Integration with Firewalld
+
+### Allow DHCP, DNS
 
 In order to allow instances to access the DHCP and DNS server that LXD runs on the host when using firewalld
 you need to add the host's bridge interface to the `trusted` zone in firewalld.
@@ -164,3 +166,22 @@ firewall-cmd --zone=trusted --change-interface=lxdbr0 --permanent
 ```
 
 This will then allow LXD's own firewall rules to take effect.
+
+### Allow containers to access the internet
+
+When firewalld daemon is started after lxd daemon, it breaks LXC iptables rules and especially rules taking care of containers internet access. To fix it, you could force firewalld daemon to start before lxd daemon.
+
+When using systemd, you have to add the `Before` parameter in the `/lib/systemd/system/lxd.socket` systemd file:
+```
+[Unit]
+Description=LXD - unix socket
+Documentation=man:lxd(1)
+Before=firewalld.service
+
+[...]
+```
+Then juste reboot your linux of restart lxd daemon:
+```
+systemctl restart lxd
+```
+Then you will be able to access internet from your containers. Ex: `lxc exec MyContainer apt update` (will then be ok)
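Review bot: the ordering directive in the new `lxd.socket` snippet contradicts the paragraph above it. The text says the fix is to make the firewalld daemon start before the lxd daemon, but `Before=firewalld.service` orders the LXD socket unit ahead of firewalld, which is exactly the order the paragraph describes as breaking the rules. If firewalld is meant to be up first, the line should be `After=firewalld.service` (optionally with `Wants=firewalld.service`), and since `lxd.socket` only creates the socket, the same ordering probably belongs on `lxd.service` as well. Editing `/lib/systemd/system/lxd.socket` in place is also fragile, as package upgrades overwrite it; suggest documenting a drop-in instead (`systemctl edit lxd.socket`, which writes `/etc/systemd/system/lxd.socket.d/override.conf`, then `systemctl daemon-reload`). Minor wording fixes for the added text: "LXC iptables rules" should read "LXD iptables rules", and "Then juste reboot your linux of restart lxd daemon" should read "Then reboot, or restart the LXD daemon".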

