Linux – LXC container can only access host via bridge

Tags: bridge, linux, lxc, networking, Ubuntu

I have an LXC container with i686 Ubuntu 12.04 running on a x86_64 Ubuntu 12.04 host. I've set up a bridge using instructions here. However the ping from the container only goes through to the host and not to other machines on the local network. Similarly only the host and not the other machines see the container OS.

The host's /etc/network/interfaces file looks as follows:

auto lo
iface lo inet loopback

iface eth0 inet manual

auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_fd 0
    bridge_maxwait 0

The container's /etc/network/interfaces file looks as follows:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

And here's the relevant part of the container's config:

lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up

Any ideas what I'm doing wrong?

Additional info:

The output of iptables-save on host:

$ sudo iptables-save
# Generated by iptables-save v1.4.12 on Sat Oct 26 06:06:48 2013
*filter
:INPUT ACCEPT [6854:721708]
:FORWARD ACCEPT [4067:538895]
:OUTPUT ACCEPT [4967:522405]
COMMIT
# Completed on Sat Oct 26 06:06:48 2013
# Generated by iptables-save v1.4.12 on Sat Oct 26 06:06:48 2013
*nat
:PREROUTING ACCEPT [82235:21547307]
:INPUT ACCEPT [16:1070]
:OUTPUT ACCEPT [9386:583359]
:POSTROUTING ACCEPT [14693:1291952]
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Oct 26 06:06:48 2013

The output of brctl show on host:

$ brctl show
bridge name bridge id       STP enabled interfaces
br0     8000.080027409684   no      eth0
                            vethBkwWyV

The output of ifconfig br0 on host:

$ ifconfig br0
br0       Link encap:Ethernet  HWaddr 08:00:27:40:96:84  
          inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe40:9684/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:232863 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59518 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:34437354 (34.4 MB)  TX bytes:198492871 (198.4 MB)

The output of ifconfig eth0 on host:

$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 08:00:27:40:96:84  
          inet6 addr: fe80::a00:27ff:fe40:9684/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:299419 errors:0 dropped:0 overruns:0 frame:0
          TX packets:203569 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:59077446 (59.0 MB)  TX bytes:372056540 (372.0 MB)

The output of ifconfig eth0 on container:

$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:16:3e:74:08:2b  
          inet addr:192.168.1.12  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe74:82b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81 errors:0 dropped:0 overruns:0 frame:0
          TX packets:113 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:8506 (8.5 KB)  TX bytes:9021 (9.0 KB)

Best Answer

To resolve the issue you can check the following:

  1. The IP addresses of br0 (host) and eth0 (container) are in the same subnet.
  2. IP forwarding is on: cat /proc/sys/net/ipv4/ip_forward
  3. Traffic is not blocked by iptables.

UPD: if the above does not resolve the issue:

  1. Check the ARP cache state on the container and the LAN hosts: arp -n
  2. Debug ARP and ICMP packets with tcpdump: /usr/sbin/tcpdump -n -i <ifname> arp or icmp
  3. Check the routing tables with route
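The answer's checklist as a script, added here as an example and not part of the answer: pure-shell helpers test the same-subnet condition and inspect an iptables-save dump for FORWARD drops, and run_host_checks runs the live commands on the host when the script is invoked with --host. It assumes the bridge is named br0 as on this page; the bridge-nf-call-iptables sysctl is included because it decides whether bridged frames traverse the iptables FORWARD chain at all.

```shell
#!/bin/sh
# Diagnostic helpers for a bridged LXC container (constructed example).

# ip2int DOTTED-QUAD -> prints the address as an integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 NETMASK -> exit 0 when both addresses share a network.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# forward_allowed DUMP -> exit 0 unless the filter table's FORWARD chain in
# an iptables-save dump has a DROP/REJECT policy or an explicit DROP/REJECT rule.
forward_allowed() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        /^\*/ { table = substr($1, 2) }
        table == "filter" && /^:FORWARD (DROP|REJECT)/ { bad = 1 }
        table == "filter" && /^-A FORWARD / && /-j (DROP|REJECT)/ { bad = 1 }
        END { exit bad }'
}

# Live checks; run on the host as root (needs ip and iptables-save).
run_host_checks() {
    host_ip=$(ip -4 -o addr show br0 2>/dev/null | awk '{ print $4 }')
    echo "br0 address: ${host_ip:-none}"
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        && echo "ip_forward: on" || echo "ip_forward: off"
    # 1 means bridged frames are filtered by iptables (then FORWARD matters).
    nf=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$nf" ] && echo "bridge-nf-call-iptables: $(cat "$nf")"
    if forward_allowed "$(iptables-save 2>/dev/null)"; then
        echo "FORWARD chain: no DROP/REJECT found"
    else
        echo "FORWARD chain: DROP/REJECT present, check iptables"
    fi
}

case "${1:-}" in
    --host) run_host_checks ;;
esac
```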