weixin_39796878
2021-01-07 08:03

Bridge drops all IPv4 traffic

Required information

  • Distribution: Ubuntu
  • Distribution version: 18.04
  • The output of "lxc info" or if that fails:
  • Kernel version: 4.15.0-101-generic
  • LXC version: 3.0.3
  • LXD version: 3.0.3
  • Storage backend in use: btrfs

Issue description

LXC bridge drops all IPv4 traffic.

Steps to reproduce

  1. lxc launch ubuntu:20.04 c1
  2. The container successfully got an IPv6 address from my router via RA, but the DHCP discover messages were dropped, so it has no IPv4 address.

lxc list                                 
+------+---------+------+-----------------------------------------------+------------+-----------+
| NAME |  STATE  | IPV4 |                     IPV6                      |    TYPE    | SNAPSHOTS |
+------+---------+------+-----------------------------------------------+------------+-----------+
| c1   | RUNNING |      | fd1b:3198:44bb:0:216:3eff:fe4a:f97e (eth0)    | PERSISTENT | 0         |
|      |         |      | 2a02:2168:9000:ca00:216:3eff:fe4a:f97e (eth0) |            |           |
+------+---------+------+-----------------------------------------------+------------+-----------+

  3. Host network configuration and LXD profile:

cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    ens160:
      dhcp4: no
  bridges:
    br0:
      dhcp4: no
      interfaces:
        - ens160
      addresses:
        - 192.168.0.98/24
      gateway4: 192.168.0.1
      nameservers:
        addresses:
          - 192.168.0.7
          - 1.1.1.1
        search:
          - local
      parameters:
        forward-delay: 0

lxc profile show default                  
config:
  security.syscalls.blacklist: keyctl errno 38
description: Default LXD profile
devices:
  eth0:
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: default
used_by:
- /1.0/containers/c1

  4. I can see the DHCP discover from the c1 container on br0

sudo tcpdump ether host 00:16:3e:4a:f9:7e -i br0 | grep DHCP
Alias tip: _ tcpdump ether host 00:16:3e:4a:f9:7e -i br0 | grep DHCP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:39.314274 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:4a:f9:7e (oui Unknown), length 286
10:42:40.586634 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:4a:f9:7e (oui Unknown), length 286
10:42:44.891155 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:4a:f9:7e (oui Unknown), length 286
10:42:53.764800 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:4a:f9:7e (oui Unknown), length 286

but not on ens160


sudo tcpdump ether host 00:16:3e:4a:f9:7e -i ens160 | grep DHCP
Alias tip: _ tcpdump ether host 00:16:3e:4a:f9:7e -i ens160 | grep DHCP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes

Information to attach

dmesg


[41416.046765] br0: port 2(veth4H46IB) entered learning state
[41418.062733] br0: port 2(veth4H46IB) entered forwarding state
[41418.062752] br0: topology change detected, propagating
[41513.514965] kauditd_printk_skb: 22 callbacks suppressed
[41513.514967] audit: type=1400 audit(1590738254.742:98): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-c1_" name="/run/" pid=11259 comm="mount" flags="rw, nosuid, nodev, remount"
[41514.285561] br0: port 2(veth4H46IB) entered disabled state
[41514.287012] device veth4H46IB left promiscuous mode
[41514.287016] br0: port 2(veth4H46IB) entered disabled state
[41514.318722] audit: type=1400 audit(1590738255.546:99): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd-c1_" pid=11370 comm="apparmor_parser"
[41523.783851] audit: type=1400 audit(1590738265.010:100): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-c1_" pid=11517 comm="apparmor_parser"
[41523.795867] br0: port 2(veth67JADH) entered blocking state
[41523.795869] br0: port 2(veth67JADH) entered disabled state
[41523.795923] device veth67JADH entered promiscuous mode
[41523.796007] IPv6: ADDRCONF(NETDEV_UP): veth67JADH: link is not ready
[41523.909984] eth0: renamed from vethNCRIRP
[41523.941448] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[41523.942141] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[41523.942168] IPv6: ADDRCONF(NETDEV_CHANGE): veth67JADH: link becomes ready
[41523.942205] br0: port 2(veth67JADH) entered blocking state
[41523.942207] br0: port 2(veth67JADH) entered listening state
[41524.142380] audit: type=1400 audit(1590738265.370:101): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-c1_" name="/run/systemd/unit-root/proc/sys/kernel/domainname" pid=11724 comm="(md-udevd)" flags="ro, nosuid, nodev, noexec, remount, bind"
[41524.281538] audit: type=1400 audit(1590738265.510:102): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="lsb_release" pid=11805 comm="apparmor_parser"
[41524.282687] audit: type=1400 audit(1590738265.510:103): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="/usr/bin/man" pid=11808 comm="apparmor_parser"
[41524.282690] audit: type=1400 audit(1590738265.510:104): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="man_filter" pid=11808 comm="apparmor_parser"
[41524.282693] audit: type=1400 audit(1590738265.510:105): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="man_groff" pid=11808 comm="apparmor_parser"
[41524.282799] audit: type=1400 audit(1590738265.510:106): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="/usr/lib/snapd/snap-confine" pid=11809 comm="apparmor_parser"
[41524.282802] audit: type=1400 audit(1590738265.510:107): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=11809 comm="apparmor_parser"
[41524.283033] audit: type=1400 audit(1590738265.510:108): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="nvidia_modprobe" pid=11806 comm="apparmor_parser"
[41524.283038] audit: type=1400 audit(1590738265.510:109): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="nvidia_modprobe//kmod" pid=11806 comm="apparmor_parser"
[41525.965223] br0: port 2(veth67JADH) entered learning state
[41527.981158] br0: port 2(veth67JADH) entered forwarding state
[41527.981180] br0: topology change detected, propagating
[41569.424352] device br0 left promiscuous mode
[41586.361533] kauditd_printk_skb: 22 callbacks suppressed
[41586.361536] audit: type=1400 audit(1590738327.591:132): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-c1_" name="/run/" pid=12361 comm="mount" flags="rw, nosuid, nodev, remount"
[41587.148643] br0: port 2(veth67JADH) entered disabled state
[41587.150614] device veth67JADH left promiscuous mode
[41587.150620] br0: port 2(veth67JADH) entered disabled state
[41587.185082] audit: type=1400 audit(1590738328.415:133): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd-c1_" pid=12465 comm="apparmor_parser"
[41591.776580] audit: type=1400 audit(1590738333.007:134): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-c1_" pid=12620 comm="apparmor_parser"
[41591.781214] br0: port 2(veth4F08SD) entered blocking state
[41591.781216] br0: port 2(veth4F08SD) entered disabled state
[41591.781265] device veth4F08SD entered promiscuous mode
[41591.781341] IPv6: ADDRCONF(NETDEV_UP): veth4F08SD: link is not ready
[41591.888809] eth0: renamed from veth7ITVAK
[41591.916352] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[41591.917056] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[41591.917087] IPv6: ADDRCONF(NETDEV_CHANGE): veth4F08SD: link becomes ready
[41591.917122] br0: port 2(veth4F08SD) entered blocking state
[41591.917124] br0: port 2(veth4F08SD) entered listening state
[41592.126006] audit: type=1400 audit(1590738333.355:135): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-c1_" name="/run/systemd/unit-root/proc/sys/kernel/domainname" pid=12826 comm="(md-udevd)" flags="ro, nosuid, nodev, noexec, remount, bind"
[41592.281812] audit: type=1400 audit(1590738333.511:136): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="lsb_release" pid=12927 comm="apparmor_parser"
[41592.282637] audit: type=1400 audit(1590738333.511:137): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="/usr/bin/man" pid=12930 comm="apparmor_parser"
[41592.282641] audit: type=1400 audit(1590738333.511:138): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="man_filter" pid=12930 comm="apparmor_parser"
[41592.282643] audit: type=1400 audit(1590738333.511:139): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="man_groff" pid=12930 comm="apparmor_parser"
[41592.282807] audit: type=1400 audit(1590738333.511:140): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="/usr/sbin/tcpdump" pid=12933 comm="apparmor_parser"
[41592.283162] audit: type=1400 audit(1590738333.511:141): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="nvidia_modprobe" pid=12928 comm="apparmor_parser"
[41592.283165] audit: type=1400 audit(1590738333.511:142): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="nvidia_modprobe//kmod" pid=12928 comm="apparmor_parser"
[41592.284312] audit: type=1400 audit(1590738333.515:143): apparmor="STATUS" operation="profile_load" label="lxd-c1_//&:lxd-c1_<var-lib-lxd>:unconfined" name="/usr/lib/snapd/snap-confine" pid=12931 comm="apparmor_parser"
[41593.932064] br0: port 2(veth4F08SD) entered learning state
[41595.948093] br0: port 2(veth4F08SD) entered forwarding state
[41595.948113] br0: topology change detected, propagating

Container info


lxc config show c1 --expanded  
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 20.04 LTS amd64 (release) (20200522)
  image.label: release
  image.os: ubuntu
  image.release: focal
  image.serial: "20200522"
  image.version: "20.04"
  security.syscalls.blacklist: keyctl errno 38
  volatile.base_image: 40775fd923e2a77f56ce3c028ce22ad43b9254bb12766b12eeeefb32a3a145da
  volatile.eth0.hwaddr: 00:16:3e:4a:f9:7e
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

Container log


lxc info c1 --show-log  
Name: c1
Remote: unix://
Architecture: x86_64
Created: 2020/05/28 17:19 UTC
Status: Running
Type: persistent
Profiles: default
Pid: 12623
Ips:
  eth0: inet6   fd1b:3198:44bb:0:216:3eff:fe4a:f97e     veth4F08SD
  eth0: inet6   2a02:2168:9000:ca00:216:3eff:fe4a:f97e  veth4F08SD
  eth0: inet6   fe80::216:3eff:fe4a:f97e        veth4F08SD
  lo:   inet    127.0.0.1
  lo:   inet6   ::1
Resources:
  Processes: 40
  CPU usage:
    CPU usage (in seconds): 4
  Memory usage:
    Memory (current): 77.66MB
    Memory (peak): 110.88MB
  Network usage:
    eth0:
      Bytes received: 10.46kB
      Bytes sent: 5.93kB
      Packets received: 153
      Packets sent: 41
    lo:
      Bytes received: 2.12kB
      Bytes sent: 2.12kB
      Packets received: 24
      Packets sent: 24

Log:

lxc c1 20200529074533.201 WARN     conf - conf.c:lxc_setup_devpts:1616 - Invalid argument - Failed to unmount old devpts instance

Main log


cat  /var/log/lxd/lxd.log                          
t=2020-05-29T10:29:52+0300 lvl=warn msg="Detected poll(POLLNVAL) event." 
t=2020-05-29T10:38:42+0300 lvl=info msg="Deleting container" created=2020-05-28T20:21:56+0300 ephemeral=false name=c2 used=2020-05-28T20:22:02+0300
t=2020-05-29T10:38:42+0300 lvl=info msg="Deleted container" created=2020-05-28T20:21:56+0300 ephemeral=false name=c2 used=2020-05-28T20:22:02+0300
t=2020-05-29T10:42:24+0300 lvl=warn msg="Detected poll(POLLNVAL) event." 
t=2020-05-29T10:42:29+0300 lvl=info msg="Shutting down container" action=shutdown created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 timeout=-1s used=2020-05-28T23:12:30+0300
t=2020-05-29T10:42:30+0300 lvl=info msg="Shut down container" action=shutdown created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 timeout=-1s used=2020-05-28T23:12:30+0300
t=2020-05-29T10:42:35+0300 lvl=info msg="Starting container" action=start created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 stateful=false used=2020-05-28T23:12:30+0300
t=2020-05-29T10:42:35+0300 lvl=info msg="Started container" action=start created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 stateful=false used=2020-05-28T23:12:30+0300
t=2020-05-29T10:44:14+0300 lvl=info msg="Shutting down container" action=shutdown created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 timeout=-1s used=2020-05-29T10:42:35+0300
t=2020-05-29T10:44:15+0300 lvl=info msg="Shut down container" action=shutdown created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 timeout=-1s used=2020-05-29T10:42:35+0300
t=2020-05-29T10:44:24+0300 lvl=info msg="Starting container" action=start created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 stateful=false used=2020-05-29T10:42:35+0300
t=2020-05-29T10:44:25+0300 lvl=info msg="Started container" action=start created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 stateful=false used=2020-05-29T10:42:35+0300
t=2020-05-29T10:45:27+0300 lvl=info msg="Shutting down container" action=shutdown created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 timeout=-1s used=2020-05-29T10:44:24+0300
t=2020-05-29T10:45:28+0300 lvl=info msg="Shut down container" action=shutdown created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 timeout=-1s used=2020-05-29T10:44:24+0300
t=2020-05-29T10:45:32+0300 lvl=info msg="Starting container" action=start created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 stateful=false used=2020-05-29T10:44:24+0300
t=2020-05-29T10:45:33+0300 lvl=info msg="Started container" action=start created=2020-05-28T20:19:03+0300 ephemeral=false name=c1 stateful=false used=2020-05-29T10:44:24+0300

This question originates from the open-source project: lxc/lxd


4 replies

  • weixin_39688875, 4 months ago

    Can you show:
    - ps fauxww
    - iptables -L

  • weixin_39688875, 4 months ago

    Actually, since you're using bridged networking, only the latter is likely to be relevant.

  • weixin_39688875, 4 months ago

    The answer to such weirdness is usually Docker or firewalld, both of which have a tendency to enable br-netfilter, causing the bridge to hit the firewall, combined with firewalling rules that end up dropping all IPv4 traffic.

  • weixin_39796878, 4 months ago

    You are absolutely right. I've googled why my FORWARD chain is set to DROP, and it is said that this is done by Docker by default. I need to read about what it does this for. Setting it to ACCEPT solves the issue. Sorry for bothering you.

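The mechanism behind the thread above, as an added example that is not part of the original issue, of lxd, or of Docker: once br_netfilter is loaded and net.bridge.bridge-nf-call-iptables is 1, every frame the kernel bridge forwards between two ports (here the container veth and ens160) is also run through the iptables FORWARD chain. Docker sets that chain's policy to DROP and only adds ACCEPT rules for its own docker0, so frames that cross br0 match nothing and fall through to the policy. This also explains the tcpdump result in the report: br0 receives the broadcast DHCP discover before the bridge forward hook runs, while ens160 would only see it after forwarding, which is exactly where the drop happens. The script classifies a host's FORWARD chain from the text of iptables -S FORWARD and prints the narrowest fix. The bridge name br0 is taken from the report; the rule text embedded below is a constructed sample of Docker's default chain, and the --live mode (root, iptables present) is an assumption of this example.

```shell
#!/bin/sh
# Diagnostic for the failure mode in this thread: a host bridge (br0) whose
# forwarded frames are pushed through the iptables FORWARD chain because
# br_netfilter is on, and then fall through to Docker's DROP policy.
# Example code added to this page; it is not part of lxd or Docker.
# The bridge name "br0" is the one from the report; the rule text below is
# a constructed sample of what Docker installs by default.

# Constructed sample: typical "iptables -S FORWARD" on a host with Docker
# installed and no rule that mentions br0 (the reporter's situation).
DOCKER_DEFAULT_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# classify_forward_chain BRIDGE NF_CALL_IPTABLES "<output of iptables -S FORWARD>"
# Prints one of:
#   bridge-not-filtered  bridge-nf-call-iptables is 0: FORWARD never sees bridged frames
#   bridge-allowed       an explicit ACCEPT for the bridge exists (-i or -o BRIDGE)
#   bridge-dropped       no bridge rule and the chain policy is DROP (the reporter's case)
#   policy-accept        no bridge rule, but the policy is ACCEPT, so frames pass
# Simplification: jumps to other chains (DOCKER-USER, DOCKER-ISOLATION-*) are
# assumed not to match non-Docker bridges, which holds for Docker's defaults.
classify_forward_chain() {
    br=$1; nf=$2; rules=$3
    if [ "$nf" != "1" ]; then
        echo bridge-not-filtered
        return 0
    fi
    if printf '%s\n' "$rules" | grep -Eq -- "^-A FORWARD .*(-i|-o) $br .*-j ACCEPT"; then
        echo bridge-allowed
        return 0
    fi
    policy=$(printf '%s\n' "$rules" | sed -n 's/^-P FORWARD //p')
    if [ "$policy" = "DROP" ]; then
        echo bridge-dropped
    else
        echo policy-accept
    fi
}

# print_fix BRIDGE CLASS: the change a practitioner would make.
# Accepting only traffic that enters or leaves the LXD bridge keeps Docker's
# DROP policy in force for everything else, unlike "iptables -P FORWARD ACCEPT",
# which the reporter used and which reopens forwarding for every interface.
print_fix() {
    br=$1
    case $2 in
    bridge-dropped)
        printf 'iptables -I FORWARD -i %s -j ACCEPT\n' "$br"
        printf 'iptables -I FORWARD -o %s -j ACCEPT\n' "$br"
        ;;
    *)
        printf 'no change needed for %s (%s)\n' "$br" "$2"
        ;;
    esac
}

# With --live, read the real host state (root needed for iptables). The sysctl
# file only exists once br_netfilter is loaded; if it is absent, nothing is
# filtering the bridge, so treat it as 0.
if [ "${1:-}" = "--live" ]; then
    nf=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || echo 0)
    rules=$(iptables -S FORWARD)
    cls=$(classify_forward_chain br0 "$nf" "$rules")
    echo "br0: $cls"
    print_fix br0 "$cls"
fi
```

Two alternatives are worth knowing. Docker documents the DOCKER-USER chain as the place for rules that must survive the daemon rewriting its own FORWARD rules, so "iptables -I DOCKER-USER -i br0 -j ACCEPT" (and the -o counterpart) is the durable form of the fix above. Setting net.bridge.bridge-nf-call-iptables to 0 also makes the symptom go away, but it disables the bridge-level filtering that Docker's own inter-container isolation rules rely on, so it is the wider change rather than the narrower one.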
