LXD containers not getting IP (v4) address via DHCP unless manually adding iptables rules

Hi there,

After rebooting two 22.04 (arm based) OCI instances to boot the unattended-upgraded linux-image-6.8.0-1023-oracle, all existing containers stopped getting IPv4 addresses via DHCP from the default bridge (lxdbr0) unless I manually add the default LXD-generated firewall rules using iptables, even though the firewall_driver in use is nftables and “sudo nft list ruleset” shows the default nft rules.

$ lxc info | grep firewall
- network_firewall_filtering
- firewall_driver
  firewall: nftables

Additionally, unless I also add the MASQUERADE rule in the POSTROUTING chain as well as the ACCEPT rule in the FORWARD chain, the containers will not have outbound connectivity.

$ lsb_release -a;uptime; df -h .; dpkg -l | grep oracle | grep linux; uname -r; journalctl -p3 -xb
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.5 LTS
Release: 22.04
Codename: jammy
01:00:00 up 3:53, 1 user, load average: 0.00, 0.00, 0.00
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 97G 23G 75G 24% /
ii linux-headers-6.8.0-1022-oracle 6.8.0-1022.23~22.04.1 arm64 Linux kernel headers for version 6.8.0 on ARMv8 SMP
ii linux-headers-6.8.0-1023-oracle 6.8.0-1023.24~22.04.1 arm64 Linux kernel headers for version 6.8.0 on ARMv8 SMP
ii linux-headers-oracle 6.8.0-1023.24~22.04.1 arm64 Linux kernel headers for Oracle systems.
ii linux-image-6.8.0-1022-oracle 6.8.0-1022.23~22.04.1 arm64 Signed kernel image oracle
ii linux-image-6.8.0-1023-oracle 6.8.0-1023.24~22.04.1 arm64 Signed kernel image oracle
ii linux-image-oracle 6.8.0-1023.24~22.04.1 arm64 Linux kernel image for Oracle systems.
ii linux-modules-6.8.0-1022-oracle 6.8.0-1022.23~22.04.1 arm64 Linux kernel extra modules for version 6.8.0 on ARMv8 SMP
ii linux-modules-6.8.0-1023-oracle 6.8.0-1023.24~22.04.1 arm64 Linux kernel extra modules for version 6.8.0 on ARMv8 SMP
ii linux-oracle 6.8.0-1023.24~22.04.1 arm64 Complete Linux kernel for Oracle systems.
ii linux-oracle-6.8-headers-6.8.0-1022 6.8.0-1022.23~22.04.1 all Header files related to Linux kernel version 6.8.0
ii linux-oracle-6.8-headers-6.8.0-1023 6.8.0-1023.24~22.04.1 all Header files related to Linux kernel version 6.8.0
ii linux-oracle-6.8-tools-6.8.0-1022 6.8.0-1022.23~22.04.1 arm64 Linux kernel version specific tools for version 6.8.0-1022
ii linux-oracle-6.8-tools-6.8.0-1023 6.8.0-1023.24~22.04.1 arm64 Linux kernel version specific tools for version 6.8.0-1023
ii linux-tools-6.8.0-1022-oracle 6.8.0-1022.23~22.04.1 arm64 Linux kernel version specific tools for version 6.8.0-1022
ii linux-tools-6.8.0-1023-oracle 6.8.0-1023.24~22.04.1 arm64 Linux kernel version specific tools for version 6.8.0-1023
6.8.0-1023-oracle

$ lxd --version
5.0.4

$ snap list --all
Name Version Rev Tracking Publisher Notes
core18 20240920 2848 latest/stable canonical✓ base,disabled
core18 20250123 2857 latest/stable canonical✓ base
core20 20241206 2499 latest/stable canonical✓ base,disabled
core20 20250213 2503 latest/stable canonical✓ base
lxd 5.0.3-80aeff7 29353 5.0/stable/… canonical✓ disabled
lxd 5.0.4-497fe1e 31335 5.0/stable/… canonical✓ -
oracle-cloud-agent 1.39.0-9 73 latest/stable/… oci.osi disabled,classic,held
oracle-cloud-agent 1.48.0-17 95 latest/stable/… oci.osi classic,held
snapd 2.67 23546 latest/stable canonical✓ snapd,disabled
snapd 2.67.1 23772 latest/stable canonical✓ snapd
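As an added illustration (not from this thread, and not LXD's own tooling), the following shell function scans a `sudo iptables-save` dump for the rules the post above describes for a bridge (the INPUT accept for DHCP, the FORWARD accepts and the POSTROUTING MASQUERADE) and reports whether each is present, missing, or shadowed by an earlier catch-all REJECT/DROP in the same chain. The bridge name lxdbr0 is taken from the post; the sample dumps and the 10.0.3.0/24 subnet are constructed for the example.

```shell
# Added example, not from the thread: scan an `iptables-save` dump for the rules LXD
# generates for a bridge (INPUT accept for DHCP, FORWARD accept, POSTROUTING MASQUERADE)
# and flag a catch-all REJECT/DROP that precedes ("shadows") them. Usage: lxd_fw_check <bridge> "<dump>"
lxd_fw_check() {
  printf '%s\n' "$2" | awk -v br="$1" '
    function has(tok,  i) { for (i = 1; i <= NF; i++) if ($i == tok) return 1; return 0 }
    /^\*/ { table = substr($0, 2); next }
    table == "filter" && $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") {
      if (index($0, br) && has("ACCEPT")) {   # bridge rule counts only if nothing unconditional precedes it
        st[$2] = (st[$2] == "blocked" || st[$2] == "shadowed") ? "shadowed" : "ok"
      } else if ((has("REJECT") || has("DROP")) && !has("-i") && !has("-o") && !has("-s") && !has("-d") && st[$2] == "") {
        st[$2] = "blocked"                      # catch-all: no interface or address match
      }
    }
    table == "nat" && $2 == "POSTROUTING" && has("MASQUERADE") && index($0, br) { nat = "ok" }
    END {
      i = st["INPUT"]; f = st["FORWARD"]
      if (i == "" || i == "blocked") i = "missing"
      if (f == "" || f == "blocked") f = "missing"
      printf "input=%s forward=%s nat=%s\n", i, f, (nat == "" ? "missing" : nat)
    }'
}

# Constructed dump (not captured from the poster's host): distro-style defaults that end
# INPUT and FORWARD with a catch-all REJECT, and no LXD rules visible to iptables.
SAMPLE_DEFAULT='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Same dump after inserting (iptables -I, so they precede the REJECTs) the rules LXD
# would generate for lxdbr0; the subnet 10.0.3.0/24 is a constructed placeholder.
SAMPLE_FIXED='*nat
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
COMMIT
*filter
-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -o lxdbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

lxd_fw_check lxdbr0 "$SAMPLE_DEFAULT"   # input=missing forward=missing nat=missing
lxd_fw_check lxdbr0 "$SAMPLE_FIXED"     # input=ok forward=ok nat=ok
```

Note that iptables-save only shows the rules in the iptables view of the kernel; rules LXD writes through its nftables driver live in their own nft tables and must be compared separately with sudo nft list ruleset. A rule appended with iptables -A after the catch-all REJECT is reported as shadowed, since packets never reach it.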

This might help

https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker

Hi @tomp, first of all thanks for your reply.

Please note there is no application installed on any of the instances to manage the iptables/nftables rules, and apart from the LXD-generated nftables rules there are only the Oracle OCI default rules, which are created with iptables.

In addition, docker is not installed, and what puzzles me is that those instances have been working in a production environment for years without these issues, which just started yesterday after the instances were rebooted to boot the latest kernel.

Last but not least, I tried downgrading the latest apt-upgraded packages (systems among others) on both the host and the container, which didn’t solve the issue; consequently, I also thought about the root cause being a snap package (either core or lxd) upgrade.

Once again, thank you for your assistance.

I’ll keep an eye out in case you have any other ideas/suggestions that might help us root cause and solve this issue.

What do sudo iptables-save and sudo nft list ruleset show (you might need to install nftables to run that command)?