当桥接 lxdbr0 和 ens3 之间的接口时,我的 LXC 主机无法访问互联网。当桥接有效时,LXC 客户机也无法访问 WAN。
我的 vps 托管提供商提供了一个网卡 ens3,其静态 IP 为 123.456.789.012,作为 dhcp。我正在尝试将 lxdbr0 也设置为 dhcp,以便可以为容器分配 IP。我在 Ubuntu 22.04 上使用 netplan。
# cat /etc/netplan/*
network:
version: 2
ethernets:
ens3:
accept-ra: false
addresses:
- 1234:1234:123:1234::6475/56
dhcp4: true
match:
macaddress: fa:16:3e:16:b6:35
mtu: 1500
nameservers:
addresses:
- 205.168.44.66
search: []
routes:
- to: ::/0
via: 1234:1234:123:1234::1
set-name: ens3
bridges:
lxdbr0:
dhcp4: true
interfaces:
- ens3
# lxc profile show default
config: {}
description: Default LXD profile
devices:
eth0:
name: eth0
network: lxdbr0
type: nic
root:
path: /
pool: cPool
type: disk
name: default
used_by:
- /1.0/instances/template
奇怪的是,该文件混合了 ipv4 和 ipv6,但我打算使用 ipv4。
在 netplan 中匹配网桥的 mac 地址之后,我的互联网访问对于主机继续有效,但对于容器尚无效。
# cat /etc/netplan/ovsbr0-config.yaml
network:
version: 2
renderer: networkd
ethernets:
ens3:
dhcp4: false
bridges:
ovsbr0:
dhcp4: true
dhcp6: true
interfaces:
- ens3
accept-ra: false
addresses:
- [static_ipv4/24]
- [static_ipv6/56]
# match:
macaddress: fa:16:3e:16:b8:35
# set-name: ens3
mtu: 1500
nameservers:
addresses:
- 123.456.78.99
search: []
routes:
- to: ::/0
via: ipv6_gw_address::1
所以现在我正在尝试以下配置。一旦我输入“netplan apply”,在设置子网桥时我就会失去与主机的连接。lxdbr0 用于获取私有子网 IP 范围。
# cat /etc/netplan/ovsbr0-lxdbr0.yaml
network:
version: 2
renderer: networkd
ethernets:
ens3:
dhcp4: false
bridges:
ovsbr0:
dhcp4: true
dhcp6: true
interfaces:
- ens3
accept-ra: false
addresses:
- [static_ipv4/24]
- [static_ipv6/56]
# match:
macaddress: fa:16:3e:16:b8:35
# set-name: ens3
mtu: 1500
nameservers:
addresses:
- 123.456.78.99
search: []
routes:
- to: ::/0
via: ipv6_gw_address::1
lxdbr0:
dhcp4: true
dhcp6: true
interfaces:
- ovsbr0
addresses:
- 10.0.23.1/24
nameservers:
addresses:
- 123.456.78.99
search: []
在 lxd 方面,无论 lxdbr0 是否受管理,容器都无法获得 dhcp IPv4 地址。例如,lxd init 创建 lxdbr0 并设置为同时使用 IPv4 和 IPv6。启动容器时,我们只看到 IPv6,没有 IPv4。进一步查看时,为 lxdbr0 网络添加了一条路由,并lxc network list显示了 IPv4,但容器没有被分配任何 IPv4。
# lxc list
+----------+---------+------+-----------------------------------------------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+----------+---------+------+-----------------------------------------------+-----------+-----------+
| template | RUNNING | | fd42:649e:38c9:81f9:216:3eff:fe24:8b17 (eth0) | CONTAINER | 0 |
+----------+---------+------+-----------------------------------------------+-----------+-----------+
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 167.114.169.1 0.0.0.0 UG 100 0 0 ovsbr0
10.20.20.0 0.0.0.0 255.255.255.0 U 0 0 0 lxdbr0
167.114.169.0 0.0.0.0 255.255.255.0 U 0 0 0 ovsbr0
167.114.169.1 0.0.0.0 255.255.255.255 UH 100 0 0 ovsbr0
213.186.38.99 167.114.169.1 255.255.255.255 UGH 100 0 0 ovsbr0
# lxc network list
+--------+----------+---------+---------------+---------------------------+-------------+---------+---------+
| NAME | TYPE | MANAGED | IPV4 | IPV6 | DESCRIPTION | USED BY | STATE |
+--------+----------+---------+---------------+---------------------------+-------------+---------+---------+
| ens3 | physical | NO | | | | 0 | |
+--------+----------+---------+---------------+---------------------------+-------------+---------+---------+
| lxdbr0 | bridge | YES | 10.20.20.1/24 | fd42:649e:38c9:81f9::1/64 | | 1 | CREATED |
+--------+----------+---------+---------------+---------------------------+-------------+---------+---------+
| ovsbr0 | bridge | NO | | | | 0 | |
+--------+----------+---------+---------------+---------------------------+-------------+---------+---------+
我发现的问题与我在此处报告的问题完全相同:lxc 容器没有传出流量。唯一的问题是它的内容今天似乎已经过时了。我验证了主机可以 ping 容器,容器可以相互 ping,但没有传出连接。我还注意到输入时容器中没有输出ip route。有想法如何解决这个问题吗?谢谢
答案1
该问题现已在 LXD 文档的帮助下得到解决如何配置防火墙。
我需要调整我的ufw规则并确保 LXD 自己的防火墙不会干扰:
sudo ufw allow in on <network_bridge>
sudo ufw route allow in on <network_bridge>
sudo ufw route allow out on <network_bridge>
lxc network set <network_bridge> ipv6.firewall false
lxc network set <network_bridge> ipv4.firewall false
就我而言:
sudo ufw allow in on lxdbr0
sudo ufw route allow in on lxdbr0
sudo ufw route allow out on lxdbr0
lxc network set lxdbr0 ipv6.firewall false
lxc network set lxdbr0 ipv4.firewall false
我的容器现在动态接收 IPv4 地址,并且主机和容器都可以通过单个 WAN IP 访问互联网。