Why lxc container doesn’t execute config files on /etc/sysctl.d

lxcsysctl

My host is Ubuntu 16.04.1 LTS with privileged container.

I want to disable ipv6 of container, so I created a config file on /etc/sysctl.d/60-disable-ipv6.conf, I have tried lxc-start and lxc-stop -r my container, container's ipv6 is not disabled until run sudo sysctl -p /etc/sysctl.d/60-disable-ipv6.conf, it works, ipv6 address is disabled.

Why container doesn't load /etc/sysctl.d/*.conf?

Best Answer

Thnaks Phillip's instruction, I found systemd-sysctl.service didn't start in container with this message: ConditionPathIsReadWrite=/proc/sys/ was not met

I have tried lxc.mount.auto=proc and lxc.mount.auto=proc:rw in lxc config, but it doesn't work for me.

Last I found there is an issue of systemd:https://github.com/systemd/systemd/issues/4370, maybe if I could install systemd v232 it solves.(modify systemd-sysctl.service: ConditionPathIsReadWrite to /proc/sys/net could solve it.)

I added sudo sysctl --system on a start up script, it works.

Related Solutions

Linux – LXC container network/routing issues

I created many squeeze/wheezy containers by the same instruction (http://blog.foaa.de/2010/05/lxc-on-debian-squeeze/)

The only thing I do different way is that I use a virtual network bridge. (And I think the problem is that you have a bridge to your network card, not to a virtual device)

Add something like this to your /etc/network/interfaces (using your own numbers):

#VLAN 5
auto eth0.5
iface eth0.5 inet manual
  vlan_raw_device eth0

auto vzbr5
iface vzbr5 inet static
  address 10.11.15.1
  netmask 255.255.255.0
  network 10.11.15.0
  broadcast 10.11.15.255
  bridge_maxwait 0
  bridge_ports none
  post-up /usr/sbin/brctl addif vzbr5 eth0.5
  post-up /sbin/ifconfig eth0.5 up

Then

sudo ifup vzbr5

After that use vzbr5 as a network device.

Please see the complete instruction.

LXC container with bridge networking exposes fake MAC address to external network

The difference is that LXC container on Ubuntu uses IP address from different subnet and has its host's IP as default gateway when LXC container on Debian uses IP from the same subnet as host and has its default gateway the same as host's.

When LXC container has IP from different subnet than its host and uses its host as default gateway then packets from LXC container are routed and when they leave host's network interface they have host's MAC. When LXC container is on the same subnet as host and uses the same gateway then packets are bridged and retain LXC's fake MAC. My solution is to force routing through host even if they are on the same subnet. In this case my LXC container has following /etc/network/interfaces:

auto eth0
iface eth0 inet static
    address   y.y.y.12
    netmask   255.255.255.255
    post-up route add y.y.y.9 dev eth0
    post-up route add default gw y.y.y.9

and LXC host has following in sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.bond0.proxy_arp = 1

and in /etc/network/interfaces:

 auto bond0
 iface bond0 inet static
   address y.y.y.9
   netmask 255.255.255.192
   broadcast y.y.y.63
   gateway y.y.y.1

 auto lxcbr0
 iface lxcbr0 inet static
    bridge_ports none
    bridge_fd 0
    bridge_stp off
    bridge_maxwait 0
    address   192.168.120.1
    netmask   255.255.255.0
    up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
    up /sbin/ip route add to y.y.y.12 dev lxcbr0

I have removed irrelevant options from configs above.

Best Answer

Related Solutions

Linux – LXC container network/routing issues

LXC container with bridge networking exposes fake MAC address to external network

Related Topic