Ask Your Question
1

Fedora-25 HOST + CentOS-6 GUESTS Linux/LXC: Guests can't connect to each other or to default router ...

asked 2017-08-01 18:16:17 -0500

nyceyes gravatar image

updated 2017-08-01 18:17:38 -0500

Hello Friends:

I also submitted this as a bug question, here:

I'm not sure if this is a bug, but here is my sudden issue.


The Linux/LXC single-box cluster setup:

  • I use Fedora x8664 (currently Fedora-25) as the LXC/HOST O/S. I use CentOS-6 x8664 (currently CentOS-6.9 Final) for the six (qty. 6) LXC/GUEST O/S'.

  • This was working for a long time (a few years), but suddenly does not after a 'sudo dnf -y update' (HOST) and 'sudo yum -y update' (GUESTS).

  • It has been a few months since I booted this HOST/GUESTS LXC "cluster" and, as usual, O/S updates are the first thing that I perform. This may provide a hint if some underlying system-level component(s)/behavior(s) changed during that time.

  • The Fedora HOST and CentOS-6 GUESTS are on the same subnet, and share the same default router: 192.168.0.0/24; 192.168.0.1 (all standard stuff).

  • The Fedora Host does not have any firewall/firewalld RPM packages installed, and therefore doesn't not run a firewall. I removed this long ago to simplify things.



The issue

  • After performing the above O/S updates to the HOST and GUESTS, from within any GUEST, I can no longer (a) successfully ping/ssh guest-to-guest or (b) ping the default router.

  • I can, however, ping/ssh HOST-to-GUEST and GUEST-to-HOST with no issue.

  • From any computer outside this setup -- which, by the way, are also on the same subnet and share the same default router as above -- I can ping/ssh to the HOST but cannot to any of the GUESTS.

  • Other than performing the aforementioned O/S updates, I didn't alter anything.



Some output

  • Here is output from the HOST: HOST.txt
  • Here is output from a GUEST: ONE_GUEST.txt

  • Note that the GUESTS are named vps00, vps01, vps02, vps03, vps04 and vps10, and have identical configurations except MAC and IP addresses (so I only provided output for one of them). While the HOST is named lxc-host. Throughout the attachments, you'll see some in-line notes that I annotated them with.


Any ideas? Thank you in advance! =:)

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-08-02 18:59:16 -0500

nyceyes gravatar image

updated 2017-08-02 20:44:09 -0500

Thanks to the accepted answer in this POST, I was able to finally figure out the iptables(1M) entries that were missing. Here they are:

sudo iptables -A INPUT -i eth0 -j ACCEPT
sudo iptables -A INPUT -i br0 -j ACCEPT
sudo iptables -A FORWARD -i br0 -j ACCEPT

I don't know what Fedora HOST O/S changes occurred to make these entries not be there suddenly (meaning after doing "dnf -y update; reboot" after a few months of not doing that), but would sure love to know because now I have to hardcode these entries in somewhere (which I'm not thrilled about LoL).

I hope this helps other who bridge their LXC guests like I do.

ADDITION-1:

Here are the sequence of commands I used to permanently incorporate them, after interactively executive the above commands (in-memory):

root# cd /etc/sysconfig/
root# cp iptables iptables.FCS               # Backup the current contents.
root# iptables-save > ./iptables             # Overwrite with in-memory contents.
root# reboot
root# sudo systemctl start iptables.service  # Not yet committed.
root# sudo iptables -L -n -v | more          # Inspect in-memory. changes
root# sudo systemctl enable iptables.service # If all looks good, commit them permanently.
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-08-01 18:16:17 -0500

Seen: 276 times

Last updated: Aug 02 '17