No internet access from inside containers

Hi all,

Checking system containers on a GCP VM. The OS is Ubuntu 20.04 LTS.

name: lxdbr0
description: ""
type: bridge
managed: true
status: Created
config:
  ipv4.address: 10.2.0.1/20
  ipv4.dhcp.ranges: 10.2.1.2-10.2.15.254
  ipv4.firewall: "false"
  ipv4.nat: "true"
  ipv4.nat.address: PUBLIC IP of VM
used_by:
- /1.0/instances/master
- /1.0/instances/master2
- /1.0/instances/w1
- /1.0/profiles/default
- /1.0/profiles/k8s
locations:
- none

This is what my LXD network bridge looks like.

On the host VM, ufw is disabled. No firewalld. No Docker installed.

No rules are configured for iptables either:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

The config looks like this:

config:
  core.https_address: '[::]:65443'
  images.auto_update_interval: "24"

Any idea what might be wrong? I cannot access the internet from inside any of the system containers.

I have a similar setup on other metal server containers; net access is working fine there.

I’d first start by checking whether your instances get IPv4 addresses; lxc list should tell you that. Next would be to verify whether a given instance can ping 10.2.0.1 and, if that works, try ping 8.8.8.8. You can also run sudo tcpdump -ni any icmp on the host to observe the traffic. The ICMP packets should have a source IP inside the 10.2.0.0/20 range when they reach lxdbr0 but should have their source rewritten to that of the GCP instance when going out toward the Internet.


Yeah agree, first we need to better define what “no internet access” means in this context.

Does it mean “no IPs”, “no default route”, “no DNS” or does it mean “packets are being lost/blocked somewhere”.

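
As an added example (not part of the thread and not LXD's own tooling), the capture check suggested in the first reply can be scripted: the Python below classifies the output of tcpdump -ni any icmp by the source address of each echo request, which separates the cases listed in the last reply. The host address 10.128.0.5, the documentation address 203.0.113.10, the verdict strings and the sample capture are constructed assumptions.

```python
import ipaddress
import re

# Bridge subnet from the page's lxdbr0 config (ipv4.address: 10.2.0.1/20).
BRIDGE_NET = ipaddress.ip_network("10.2.0.0/20")
# ICMP echo lines from `tcpdump -ni any icmp`; tolerates the interface and
# direction columns that newer tcpdump versions print before "IP".
ECHO = re.compile(r"\bIP ([\d.]+) > ([\d.]+): ICMP echo (request|reply),")
# Constructed capture (not from the thread); 203.0.113.10 is a documentation address.
SAMPLE = """\
12:00:01.000001 IP 10.2.1.5 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
12:00:01.000020 IP 203.0.113.10 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
"""

def classify(capture, host_ip, target="8.8.8.8"):
    """Return a verdict for container pings to `target` seen in `capture`.

    host_ip is the address configured on the host's outbound interface
    (assumption: supplied by the operator, e.g. read from `ip -4 addr`)."""
    host, dest = ipaddress.ip_address(host_ip), ipaddress.ip_address(target)
    from_bridge = natted = delivered = False
    odd = set()  # rewritten sources that are not the host's own address
    for line in capture.splitlines():
        m = ECHO.search(line)
        if not m:
            continue
        try:
            src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        except ValueError:
            continue  # malformed address in the capture line
        if m[3] == "request" and dst == dest:
            if src in BRIDGE_NET:
                from_bridge = True   # packet as the container sent it
            elif src == host:
                natted = True        # source rewritten to the host address
            else:
                odd.add(str(src))
        elif m[3] == "reply" and src == dest and dst in BRIDGE_NET:
            delivered = True         # reply translated back toward the bridge
    if delivered:
        return "ok"
    if not from_bridge:
        return "no-request-from-container"  # no IP, no route, or wrong target
    if odd:
        return "nat-to-unexpected-source: " + ", ".join(sorted(odd))
    # Only container-sourced requests seen: dropped before egress or sent without NAT.
    return "nat-ok-no-reply" if natted else "not-translated"

if __name__ == "__main__":
    print(classify(SAMPLE, "10.128.0.5"))
```
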