[lxc-users] LXD containers lose outbound network

Fajar A. Nugraha list at fajar.net
Mon May 30 05:14:18 UTC 2016 

On Sun, May 29, 2016 at 1:30 PM, <david.andel at bli.uzh.ch> wrote:

> Hi
>
> My LXD has the following network configuration:
>
> root at qumind:~# egrep -v '(^#|^$)' /etc/default/lxd-bridge
> USE_LXD_BRIDGE="true"
> LXD_BRIDGE="lxdbr0"
> UPDATE_PROFILE="true"
> LXD_CONFILE=""
> LXD_DOMAIN="lxd"
> LXD_IPV4_ADDR="10.0.8.1"
> LXD_IPV4_NETMASK="255.255.255.0"
> LXD_IPV4_NETWORK="10.0.8.0/24"
> LXD_IPV4_DHCP_RANGE="10.0.8.2,10.0.8.254"
> LXD_IPV4_DHCP_MAX="253"
> LXD_IPV4_NAT="true"
> LXD_IPV6_ADDR=""
> LXD_IPV6_MASK=""
> LXD_IPV6_NETWORK=""
> LXD_IPV6_NAT="false"
> LXD_IPV6_PROXY="false"
>
> And the network works fine at first. However, after some time outbound
> connections fail, while inbound connections continue working.
> It affects all LXD containers.
>

What do you mean "outbound" and "inbound"?

>From that setup, you have a NAT network. So others servers in your LAN
shouldn't be able to access your containers, unless you also setup port
forwarding (which you didn't mention). So "inbound" can't mean "other
servers in your LAN accessing your container" in your case.

If by "inbound" you mean "even the host can't access the container", then
something is definitely wrong. I'd start by using simple "ping" test when
that happens, coupled with "tcpdump" on both the host (lxdbr0 and veth*)
and container (eth0) side.



>
> And it is not enough to just run
>
> root at qumind:~# service lxd-bridge stop
> Job for lxd-bridge.service canceled.
> root at qumind:~# service lxd restart
>
> while the containers are running. The behaviour stays the same.
>
>
Obviously. You can't delete a bridge that has interfaces attached (which is
the case when containers are running)



> I have to stop the containers first, then restart the LXD bridge and start
> the containers again.
> Only then the outbound connections work again - until I have to restart it
> all again.
>
> What could be the culprit?
>


Start with the basics:
- test host <-> container networking first. Use "ping" and "tcpdump" to help
- look for error/weird messages at syslog, e.g. "iptables" or "conntrack"



> Thanks
>
> PS:
> To stop all running containers I am using
> for i in $(lxc list | grep RUNNING | awk -F'|' '{print $2}' | tr -d
> [:blank:]); do lxc stop $i; done
> I think it would be convenient to be able to just say
> lxc stop all
>
>
"service lxd stop" would stop all running containers before stopping lxd.
And "service lxd start" after that will start containers that were
previously started, as well as containers with boot.autostart: "true"

-- 
Fajar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160530/0e1ccc55/attachment.html>

More information about the lxc-users mailing list