[lxc-users] LXD containers lose outbound network

Fajar A. Nugraha list at fajar.net
Mon Jun 27 14:00:17 UTC 2016


On Mon, Jun 27, 2016 at 5:15 PM, <david.andel at bli.uzh.ch> wrote:

> However, I cannot ping an outside IP:
> root@taskd:~# ping 8.8.8.8
> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
>
> On the host I see:
> 11:30:14.343238 IP 10.0.8.54 > google-public-dns-a.google.com: ICMP echo request, id 12902, seq 1, length 64
>


Is this on lxdbr0?

What do you get when you tcpdump your host public interface (e.g. eth0),
using a filter like

tcpdump -n -i eth0 host 8.8.8.8

My GUESS is your host stops forwarding packets, and no container traffic is
seen on eth0



> After running
>
> service lxd stop
> service lxd-bridge stop
> service lxd start
>
> on the host, everything works again.
>
>
Some basic things to check when your outgoing networking stops:
- look at syslog for error messages, esp. related to network or iptables
- verify that your iptables NAT rules are still in place, "iptables -nL -t nat"
  (lxd-bridge should create a MASQUERADE rule when it starts)
- verify that there is NO filter rule blocking traffic from the container
  (iptables -nL)
- verify that "cat /proc/sys/net/ipv4/ip_forward" still shows 1

Again, if you DON'T see container packets on eth0 when testing ping 8.8.8.8
from the container, then my GUESS is you have some cron job that disables
packet forwarding.

All I can say is that I've been using lxd since the 2.0.0-beta days on trusty
and wily, and now mostly 2.0.2 on xenial, and I haven't had your problem. Then
again, this is a customized install where (among other things) I prune all
unnecessary packages, so that might be a factor.

-- 
Fajar
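As an added example (not part of Fajar's reply and not LXD's or lxd-bridge's own code), here is a POSIX shell script that turns the checklist above into functions. Each function takes captured command output as an argument, so the checks can be exercised against the constructed iptables listings embedded in the script without root; the container subnet 10.0.8.0/24 is assumed from the ping source in David's tcpdump line, and the variable names and the LXD_NETCHECK_LIVE switch are this example's own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from LXD. It turns the
# checklist (ip_forward, NAT MASQUERADE rule, no blocking filter rule) into
# functions that take captured command output as arguments, so they run
# against the constructed samples below without root. Set LXD_NETCHECK_LIVE=1
# to run the same checks against the real host (needs root for iptables).
# The subnet 10.0.8.0/24 is assumed from the ping source in the thread.

# Check 1: /proc/sys/net/ipv4/ip_forward must read exactly "1".
# $1 = contents of the sysctl file
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Check 2: the nat table must still hold a MASQUERADE rule whose source is the
# container subnet (or 0.0.0.0/0). Columns of `iptables -nL` output are:
#   target prot opt source destination
# $1 = output of `iptables -nL -t nat`, $2 = subnet, e.g. 10.0.8.0/24
has_masquerade_for() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == "MASQUERADE" && ($4 == net || $4 == "0.0.0.0/0") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Check 3: no filter rule may drop or reject the subnet. Heuristic: walk the
# FORWARD chain in order and let the first ACCEPT/DROP/REJECT rule whose
# source is the subnet or 0.0.0.0/0 decide; if none matches, the chain policy
# decides. Interface, destination and state matches are ignored, so read a
# "blocked" result as "look at this rule", not as proof.
# $1 = output of `iptables -nL`, $2 = subnet
forward_allows() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^Chain / { in_fwd = ($2 == "FORWARD")
                    if (in_fwd) { policy = $4; sub(/\)$/, "", policy) }
                    next }
        in_fwd && !decided && ($1 == "ACCEPT" || $1 == "DROP" || $1 == "REJECT") &&
            ($4 == net || $4 == "0.0.0.0/0") { decided = 1; verdict = $1 }
        END { if (!decided) verdict = policy
              exit (verdict == "ACCEPT") ? 0 : 1 }'
}

# Run all three checks, one line of output each; non-zero if any check fails.
# $1 = subnet, $2 = sysctl contents, $3 = nat table listing, $4 = filter listing
report() {
    rc=0
    if ip_forward_enabled "$2"; then echo "ok   ip_forward=1"; else echo "FAIL ip_forward is not 1"; rc=1; fi
    if has_masquerade_for "$3" "$1"; then echo "ok   MASQUERADE for $1"; else echo "FAIL no MASQUERADE rule for $1"; rc=1; fi
    if forward_allows "$4" "$1"; then echo "ok   FORWARD allows $1"; else echo "FAIL FORWARD drops/rejects $1"; rc=1; fi
    return $rc
}

# Constructed sample listings (not captured from the poster's host).
SAMPLE_SYSCTL_ON='1'
SAMPLE_SYSCTL_OFF='0'
SAMPLE_NAT_OK='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.8.0/24          !10.0.8.0/24'
SAMPLE_NAT_MISSING='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination'
SAMPLE_FILTER_OK='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.8.0/24          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            10.0.8.0/24'
SAMPLE_FILTER_BLOCKED='Chain FORWARD (policy DROP)
target     prot opt source               destination
REJECT     all  --  10.0.8.0/24          0.0.0.0/0            reject-with icmp-port-unreachable'

if [ -n "${LXD_NETCHECK_LIVE:-}" ]; then
    NET="${LXD_NET:-10.0.8.0/24}"
    report "$NET" "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -nL -t nat)" "$(iptables -nL)"
else
    echo "# healthy host (constructed sample):"
    report 10.0.8.0/24 "$SAMPLE_SYSCTL_ON" "$SAMPLE_NAT_OK" "$SAMPLE_FILTER_OK"
    echo "# broken host (constructed sample):"
    report 10.0.8.0/24 "$SAMPLE_SYSCTL_OFF" "$SAMPLE_NAT_MISSING" "$SAMPLE_FILTER_BLOCKED" || true
fi
```

When a container loses outbound traffic, run it live (LXD_NETCHECK_LIVE=1, as root) before restarting lxd-bridge: a FAIL line tells you which of the three things went away, which is the clue the restart would otherwise erase. A clean report plus no container packets on eth0 points at something else (routing, the bridge itself, or an interface-specific rule the heuristic ignores).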