[lxc-users] Networking issue

Fajar A. Nugraha list at fajar.net
Wed Nov 9 08:50:52 UTC 2016


On Wed, Nov 9, 2016 at 1:33 PM, Saint Michael <venefax at gmail.com> wrote:

> It was working fine until a week ago.
> I have two sites, it happened on both, so the issue is not on my router or
> my switch, since they are different sites and we did not upgrade anything.
> Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
> LXC installed from apt-get install lxc1
> iptables off in both hosts and containers. I protect my network at the
> perimeter.
>
> All my container networking is defined
>
> lxc.network.type=macvlan
>

ah, macvlan :)


> lxc.network.macvlan.mode=bridge
> lxc.network.link=eth1
> lxc.network.name = eth0
> lxc.network.flags=up
> lxc.network.hwaddr = XX:XX:XX:XX:XX:XX
> lxc.network.ipv4 = 0.0.0.0/24
>
> Now suppose I have a machine, not a container, in the same broadcast
> domain as the containers, same subnet.
> It cannot ping or ssh into a container, which is accessible from outside
> my network.
> However, from inside the container the packets come and go perfectly, when
> the connection is originated by the container.
> A container can ping that host I mentioned, but the host cannot ping back
> the container.
> It all started a few days ago.
> Also, from the host, this test works
> arping -I eth0 (container IP address)
> it shows that we share the same broadcast domain.
>
> My guess is that the most recent kernel update in the LXC host is
> blocking the communication to the containers, but it allows connections
> from the containers or connections from IP addresses not on the same
> broadcast domain.
> Any idea?
>
>
If you still have the old kernel, Janjaap's suggestion is relevant. Try
downgrading your kernel. If downgrading works, file a bug (see
https://wiki.ubuntu.com/Kernel/Bugs).

Another way to check is using generic methods to test network connectivity:
- from both the other machine and the container, ping each other, and then
"arp -n". Verify that the MAC listed there is correct, and not (for
example) the host's MAC address. arping should also show which MAC address
is replying.
- ping from the other machine, and while it's running, do a tcpdump on all
relevant interfaces (e.g. on container's eth0, on host's eth1, etc),
something like

tcpdump -n -i eth1 "(icmp or arp) and host container_ip_address"

and see where the traffic disappears.

I had problems with macvlan when combined with proxyarp on the same host.
It works fine now with just macvlan on kernel 4.4.0-38-generic.

-- 
Fajar
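The ARP check suggested above (does the neighbour resolve the container's IP to the container's own lxc.network.hwaddr, or to the LXC host's MAC?) is easy to script. The following is an added example, not code from the thread; the `arp -n` output, the LXC config values and the host MAC are constructed sample data.

```python
"""Check a neighbour's `arp -n` entry for a macvlan container against the
container's configured hwaddr (constructed sample data, not from the thread)."""
import re
from typing import Dict, Optional

# Constructed `arp -n` output as seen on the "other machine" on the same subnet.
SAMPLE_ARP_N = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:01   C                     eth0
192.168.1.50             ether   00:16:3e:aa:bb:cc   C                     eth0
192.168.1.60             ether   00:11:22:33:44:10   C                     eth0
192.168.1.70                     (incomplete)                              eth0
"""

# Constructed LXC network config fragment in the same style as the post.
SAMPLE_LXC_CONFIG = """\
lxc.network.type=macvlan
lxc.network.macvlan.mode=bridge
lxc.network.link=eth1
lxc.network.hwaddr = 00:16:3e:aa:bb:cc
lxc.network.ipv4 = 192.168.1.50/24
"""

HOST_MAC = "00:11:22:33:44:10"  # constructed: MAC of the LXC host's eth1
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def parse_arp_table(text: str) -> Dict[str, Optional[str]]:
    """Map IP -> lowercase MAC from `arp -n`; None marks an (incomplete) entry."""
    table: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Address":   # blank line or header
            continue
        if "(incomplete)" in fields:
            table[fields[0]] = None
        elif len(fields) >= 3 and MAC_RE.match(fields[2]):
            table[fields[0]] = fields[2].lower()
    return table

def parse_lxc_network(text: str) -> Dict[str, str]:
    """Collect lxc.network.* keys; spaces around '=' are optional, as in the post."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("lxc.network."):
            conf[key.strip()] = value.strip()
    return conf

def diagnose(arp_text: str, lxc_conf: str, host_mac: str) -> str:
    """Verdict for the container's ARP entry: ok / resolves-to-host-mac / ..."""
    conf = parse_lxc_network(lxc_conf)
    container_ip = conf["lxc.network.ipv4"].split("/")[0]
    seen = parse_arp_table(arp_text).get(container_ip, "absent")
    if seen == "absent":
        return "no-arp-entry"          # neighbour never got an ARP reply
    if seen is None:
        return "incomplete"            # ARP request sent, no reply yet
    if seen == conf["lxc.network.hwaddr"].lower():
        return "ok"
    return "resolves-to-host-mac" if seen == host_mac.lower() else "unexpected-mac"
```

`diagnose(SAMPLE_ARP_N, SAMPLE_LXC_CONFIG, HOST_MAC)` returns "ok" for the sample; a "resolves-to-host-mac" verdict is the proxyarp-style symptom mentioned above.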