[lxc-users] Networking issue

Saint Michael venefax at gmail.com
Wed Nov 9 14:45:25 UTC 2016


I want to confirm that both the LXC host and the container see the packets
going back and forth with
tcpdump -n -i eth1 "(icmp)"

There is no rp_filter:
sysctl -a | grep [.]rp_filter
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth3.rp_filter = 0
net.ipv4.conf.eth4.rp_filter = 0
net.ipv4.conf.eth5.rp_filter = 0
net.ipv4.conf.eth6.rp_filter = 0
net.ipv4.conf.eth7.rp_filter = 0
net.ipv4.conf.eth8.rp_filter = 0
net.ipv4.conf.eth9.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

But the response from the container never reaches the machine that is trying
to ping the container.

Any idea what can be wrong?
The fact is I did not change anything on my network.





On Wed, Nov 9, 2016 at 9:42 AM, Saint Michael <venefax at gmail.com> wrote:

> I don't know how to downgrade the kernel.
> This is Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
>
> I always use apt-get -y update and apt-get -y dist-upgrade
>
>
>
>
> On Wed, Nov 9, 2016 at 2:22 AM, Janjaap Bos <janjaapbos at gmail.com> wrote:
>
>> Downgrade the kernel to verify your guess, as the other feedback you got
>> also points to the kernel. If that solves it, go file a kernel bug.
>>
>> 2016-11-09 7:33 GMT+01:00 Saint Michael <venefax at gmail.com>:
>>
>>> It was working fine until a week ago.
>>> I have two sites, it happened on both, so the issue is not on my router
>>> or my switch, since they are different sites and we did not upgrade
>>> anything.
>>> Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
>>> LXC installed from apt-get install lxc1
>>> iptables off in both hosts and containers. I protect my network at the
>>> perimeter.
>>>
>>> All my container networking is defined as:
>>>
>>> lxc.network.type = macvlan
>>> lxc.network.macvlan.mode = bridge
>>> lxc.network.link = eth1
>>> lxc.network.name = eth0
>>> lxc.network.flags = up
>>> lxc.network.hwaddr = XX:XX:XX:XX:XX:XX
>>> lxc.network.ipv4 = 0.0.0.0/24
>>>
>>> Now suppose I have a machine, not a container, in the same broadcast
>>> domain as the containers, same subnet.
>>> It cannot ping or ssh into a container, which is accessible from outside
>>> my network.
>>> However, from inside the container the packets come and go perfectly,
>>> when the connection is originated by the container.
>>> A container can ping that host I mentioned, but the host cannot ping
>>> back the container.
>>> It all started a few days ago.
>>> Also, from the host, this test works
>>> arping -I eth0 (container IP address)
>>> it shows that we share the same broadcast domain.
>>>
>>> My guess is that the most recent kernel update in the LXC host is
>>> blocking the communication to the containers, but it allows connections
>>> from the containers or connections from IP addresses not on the same
>>> broadcast domain.
>>> Any idea?
>>>
>>> _______________________________________________
>>> lxc-users mailing list
>>> lxc-users at lists.linuxcontainers.org
>>> http://lists.linuxcontainers.org/listinfo/lxc-users
>>>
>>
>>
>
>
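The thread above relies on comparing tcpdump ICMP captures taken on the LXC host's parent interface, inside the container, and on the machine doing the pinging, to find where the echo replies disappear. The script below is an added example written for this page; it is not code from the thread or from the LXC project. It pairs each ICMP echo request with its reply by source, destination, id and sequence number in the text that `tcpdump -n` prints, and reports requests that never got a reply and replies that match no request. The two captures embedded in it are constructed samples (RFC 5737 documentation addresses, made-up timestamps and id) that model the situation described in the thread: the host-side capture shows both directions, the pinger's capture shows only its own requests. It assumes IPv4 and the standard `tcpdump -n` line format for ICMP echo traffic.

```shell
#!/bin/sh
# icmp_pair_report: pair ICMP echo requests with replies in tcpdump -n output.
# Added example for this page, not code from the lxc-users thread.
#
# Live use on the LXC host (run the ping from the peer machine meanwhile):
#   timeout 10 tcpdump -n -l -i eth1 icmp | icmp_pair_report
# Then repeat inside the container (on its macvlan eth0) and on the pinging
# machine. The capture whose requests go unanswered marks the segment where
# the reply is lost.

icmp_pair_report() {
    awk '
    # Pull src, dst, id and seq out of a line such as:
    # 14:45:01.000100 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 4321, seq 1, length 64
    function parse() {
        src = $3; dst = $5; sub(/:$/, "", dst)
        id = $10; seq = $12; sub(/,$/, "", id); sub(/,$/, "", seq)
    }
    BEGIN { n = 0; m = 0 }
    $2 == "IP" && /ICMP echo request,/ {
        parse()
        key = src " > " dst " id " id " seq " seq
        if (!(key in req)) order[++n] = key   # keep first-seen order, ignore retransmits
        req[key] = 1
        next
    }
    $2 == "IP" && /ICMP echo reply,/ {
        parse()
        key = dst " > " src " id " id " seq " seq   # the request ran the other way
        if (key in req) answered[key] = 1
        else orphan[++m] = src " > " dst " id " id " seq " seq
        next
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++)
            if (!(order[i] in answered)) { print "unanswered request: " order[i]; bad++ }
        for (j = 1; j <= m; j++) print "reply without request: " orphan[j]
        print "requests=" n " unanswered=" bad " orphan_replies=" m
        exit (bad > 0 || m > 0) ? 1 : 0   # non-zero exit when the capture is one-sided
    }'
}

# Constructed sample: what the LXC host sees on eth1 (both directions present).
HOST_CAPTURE='14:45:01.000100 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 4321, seq 1, length 64
14:45:01.000250 IP 192.0.2.20 > 192.0.2.10: ICMP echo reply, id 4321, seq 1, length 64
14:45:02.000100 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 4321, seq 2, length 64
14:45:02.000250 IP 192.0.2.20 > 192.0.2.10: ICMP echo reply, id 4321, seq 2, length 64'

# Constructed sample: what the pinging machine sees (replies never arrive).
PINGER_CAPTURE='14:45:01.000050 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 4321, seq 1, length 64
14:45:02.000050 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 4321, seq 2, length 64'

# Convenience wrappers so each sample can be checked by name.
report_host()   { printf '%s\n' "$HOST_CAPTURE"   | icmp_pair_report; }
report_pinger() { printf '%s\n' "$PINGER_CAPTURE" | icmp_pair_report; }

if [ "${1:-}" = "--demo" ]; then
    echo "== host capture ==";   report_host   || true
    echo "== pinger capture =="; report_pinger || true
fi
```

Reading the result: when the host-side capture pairs every request with a reply but the pinger's capture lists the same requests as unanswered, the reply left the container and crossed the host's parent interface, so the loss sits between that interface and the peer (the switch path or the peer's own filtering), not in the container or in rp_filter. A reply that appears in the container's capture but not on the host's parent interface points the other way, at the macvlan link itself. The report is one-sided on purpose: it tells you which capture to trust, not why the drop happens.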

