LXC container can only access host via bridge

Question

I have an LXC container with i686 Ubuntu 12.04 running on a x86_64 Ubuntu 12.04 host. I've set up a bridge using instructions here. However the ping from the container only goes through to the host and not to other machines on the local network. Similarly only the host and not the other machines see the container OS.

The host's /etc/network/interfaces file looks as follows:

auto lo
iface lo inet loopback

iface eth0 inet manual

auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_fd 0
    bridge_maxwait 0

The container's /etc/network/interfaces file looks as follows:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

And here's the relevant part of the container's config:

lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up

Any ideas what I'm doing wrong?

Additional info:

The output of iptables-save on host:

$ sudo iptables-save
# Generated by iptables-save v1.4.12 on Sat Oct 26 06:06:48 2013
*filter
:INPUT ACCEPT [6854:721708]
:FORWARD ACCEPT [4067:538895]
:OUTPUT ACCEPT [4967:522405]
COMMIT
# Completed on Sat Oct 26 06:06:48 2013
# Generated by iptables-save v1.4.12 on Sat Oct 26 06:06:48 2013
*nat
:PREROUTING ACCEPT [82235:21547307]
:INPUT ACCEPT [16:1070]
:OUTPUT ACCEPT [9386:583359]
:POSTROUTING ACCEPT [14693:1291952]
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Oct 26 06:06:48 2013

The output of brctl show on host:

$ brctl show
bridge name bridge id       STP enabled interfaces
br0     8000.080027409684   no      eth0
                            vethBkwWyV

The output of ifconfig br0 on host:

$ ifconfig br0
br0       Link encap:Ethernet  HWaddr 08:00:27:40:96:84  
          inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe40:9684/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:232863 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59518 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:34437354 (34.4 MB)  TX bytes:198492871 (198.4 MB)

The output of ifconfig eth0 on host:

$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 08:00:27:40:96:84  
          inet6 addr: fe80::a00:27ff:fe40:9684/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:299419 errors:0 dropped:0 overruns:0 frame:0
          TX packets:203569 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:59077446 (59.0 MB)  TX bytes:372056540 (372.0 MB)

The output of ifconfig eth0 on container:

$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:16:3e:74:08:2b  
          inet addr:192.168.1.12  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe74:82b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81 errors:0 dropped:0 overruns:0 frame:0
          TX packets:113 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:8506 (8.5 KB)  TX bytes:9021 (9.0 KB)

Veniamin · Answer 1 · 2013-10-27T10:57:44.637

1

To resolve the issue you can check the follwong:

ip addresses of br0 (host) and eth0 (container) are in the same subnet.
ip forwarding is on: cat /proc/sys/net/ipv4/ip_forward
traffic is not blocked by iptables.

UPD: if the above will not resolve the issue:

check arp cache state on container and lan hosts arp -n
debug arp and icmp packets with tcpdump: /usr/sbin/tcpdump -n -i <ifname> arp or icmp
check route tables with route

edited Oct 27 '13 at 10:57

answered Oct 25 '13 at 19:23

Veniamin

853
6
11

Thanks for the answer. IP addresses of br0 (host) and eth0 (container) are in the same subnet 192.168.1.0/24, cat /proc/sys/net/ipv4/ip_forward prints 1 which I guess means it's on. I am not sure about iptables, how do I check that? – vitaut Oct 25 '13 at 19:31
Try # service iptables stop – Veniamin Oct 25 '13 at 20:07
As it turned out iptables is not a service. I've tried setting the default policies to ACCEPT as described here: http://serverfault.com/questions/129086/how-to-start-stop-iptables-on-ubuntu but this didn't help either. – vitaut Oct 25 '13 at 20:39
Forgive my ignorance, "service iptables stop" is relevant to RedHat. If eth0 in the container gets ip address then the bridge seems to work properly. Can you add the output of iptables-save (host). As well as brctl show (host), ifconfig br0 (host), ifconfig eth0 (host), ifconfig eth0 (container). – Veniamin Oct 26 '13 at 08:04
I've updated the question with additional info. I really appreciate your help. – vitaut Oct 26 '13 at 13:17
@vitaut Not at all. Thats all is very strange. Everithing looks fine. And I am interested to explore the issue. I will do similar setup in my enviroment and update you. – Veniamin Oct 26 '13 at 19:08
I just recreated this setup on Ubuntu 12.04.3 LTS and all works fine. I updated my answer with additional possible debug which may help. – Veniamin Oct 27 '13 at 11:01

LXC container can only access host via bridge

1 Answers1