LXC Container, no LAN – Internet access

containerslxc

I'm setting up an LXC container on an openSuSE 42.1 host.

The host has full Internet access but the container hasn't. The container can ping the host, but nothing else on the LAN or Internet.

I think the issue could be how the bridge is configured on the host, but I can't see how to resolve this.

The host has eth0 and br0. br0 has been assigned a static IP Address etc.

In YAST I have the Default IPv4 Gateway as 192.168.2.1 and the Device as br0

Here is the network detail for the host

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway.localdo 0.0.0.0         UG    0      0        0 br0
192.168.2.0    *               255.255.255.0   U     0      0        0 br0

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.2.1    0.0.0.0         UG        0 0          0 br0
192.168.2.0    0.0.0.0         255.255.255.0   U         0 0          0 br0

ifconfig -a
br0       Link encap:Ethernet  HWaddr 08:00:27:E5:C3:27  
          inet addr:192.168.2.197  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fee5:c327/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:266675 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60989 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1391858642 (1327.3 Mb)  TX bytes:4049229 (3.8 Mb)

eth0      Link encap:Ethernet  HWaddr 08:00:27:E5:C3:27  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1259099 errors:0 dropped:5 overruns:0 frame:0
          TX packets:220712 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1449135910 (1382.0 Mb)  TX bytes:51279387 (48.9 Mb)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:11033 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11033 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:968389 (945.6 Kb)  TX bytes:968389 (945.6 Kb)

vethYW604 Link encap:Ethernet  HWaddr FE:A8:5F:48:80:7E  
          inet6 addr: fe80::fca8:5fff:fe48:807e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:251 errors:0 dropped:0 overruns:0 frame:0
          TX packets:120979 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:75398 (73.6 Kb)  TX bytes:71086180 (67.7 Mb)

gateway.localdomain resolves to 192.168.2.1

The containers config file is:

lxc.network.type = empty
lxc.rootfs = /var/lib/lxc/TestLXC/rootfs
lxc.include = /usr/share/lxc/config/opensuse.common.conf
lxc.arch = x86_64
lxc.utsname = TestLXC
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0

lxc.network.hwaddr = 08:00:27:e5:c3:29
lxc.aa_allow_incomplete = 1

lxc.network.ipv4 = 192.168.2.221/24
lxc.network.ipv4.gateway = 192.168.2.197

and it's network details are:

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.197  0.0.0.0         UG    0      0        0 eth0
192.168.2.0    *               255.255.255.0   U     0      0        0 eth0

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.2.197  0.0.0.0         UG        0 0          0 eth0
192.168.2.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0

ifconfig -a
eth0      Link encap:Ethernet  HWaddr 08:00:27:E5:C3:29  
          inet addr:192.168.2.221  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fee5:c329/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:133802 errors:0 dropped:0 overruns:0 frame:0
          TX packets:280 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:78627055 (74.9 Mb)  TX bytes:82972 (81.0 Kb)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2152 (2.1 Kb)  TX bytes:2152 (2.1 Kb)

Can anyone advise how I can get my LXC container to have full network and Internet access.

Thanks

Best Answer

You configured bridge, which means host and container are on the same subnet. Therefore the container should use the same gateway as the host, but you did set the host's IP as default gateway. Set it to 192.168.2.1 instead

Related Solutions

LXC container templates

Yes, an LXC container is some config files and a directory within the whole server. If you copy this directory and config files and adjust the parameters you can use it as a template. Just tar it and untar it to the new machine's directory.

Is it possible to start LXC container inside LXC container

I'm going to dispel a few myths here.

This is just a bad idea. I'm sorry. – Jacob Mar 5 at 20:30

I don't see how this is a bad idea. It's really just a chroot inside a chroot. On one hand, it could possibly decrease performance in some negligible manner (nothing compared to running a VM inside a VM). On the other hand, it's likely to be more secure (e.g. more isolated from the root host system and it's constituents).

Do you actually have a real reason to do this? Please remember that questions here should be about actual problems that you face. – Zoredache Mar 5 at 21:52

I agree 100% with the poster's following comment. Furthermore, I think it's safe to assume that everybody who posts a question on here likely thinks that they have a real reason to do [ it ]..

I think, that lxc should be able to simplify VM migration(and backup+recovery too). But I'm not sure about cases, when there is no access to host OS(cheap vps for example). – Mikhail Mar 6 at 11:17

I actually came across this question back in June when I was first diving into LXC for PaaS/IaaS projects, and I was particularly interested in the ability to allow users to emulate cloud environments for development purposes.

LXCeption. We're too deep. – Tom O'Connor Mar 6 at 22:46

I laughed a little bit when I read this one, but that's not, at all, the case :)

Anyway, I eventually set up a VirtualBox environment with a stock install of Ubuntu 12.04 LTS Server Edition after reading all this, thinking that this was 100% possible. After installing LXC, I created a new container, and installed LXC inside the container with apt-get. Most of the installation progressed well, but resulted in error eventually due to a problem with the cgroup-lite package, whose upstart job failed to start after the package had been installed.

After a bit of searching, I came across this fine article at stgraber.org (the goodies are hiding under the "Container Nesting" section):

sudo apt-get install lxc
sudo lxc-create -t ubuntu -n my-host-container -t ubuntu
sudo wget https://www.stgraber.org/download/lxc-with-nesting -O /etc/apparmor.d/lxc/lxc-with-nesting
sudo /etc/init.d/apparmor reload
sudo sed -i "s/#lxc.aa_profile = unconfined/lxc.aa_profile = lxc-container-with-nesting/" /var/lib/lxc/my-host-container/config
sudo lxc-start -n my-host-container
(in my-host-container) sudo apt-get install lxc
(in my-host-container) sudo stop lxc
(in my-host-container) sudo sed -i "s/10.0.3/10.0.4/g" /etc/default/lxc
(in my-host-container) sudo start lxc
(in my-host-container) sudo lxc-create -n my-sub-container -t ubuntu
(in my-host-container) sudo lxc-start -n my-sub-container

Installing that AppArmor policy and restarting the daemon did the trick (don't forget to change the network ranges, though!). In fact, I thought that particular snippet was so important that I mirrored it @ http://pastebin.com/JDFp6cTB just in case the article ever goes offline.

After that, sudo /etc/init.d/cgroup-lite start succeeded and it was smooth sailing.

So, yes, it is possible to start an LXC container inside of another LXC container :)

Best Answer

Related Solutions

LXC container templates

Is it possible to start LXC container inside LXC container

Related Topic