lxc machine can't get inet connection after upgrading to 6.4.4

Sasha

Exactly (((
lxc machine can't get inet connection after upgrading to 6.4.4 anymore.

Would you advise how to figure it out?
I appreciate the help.

ip r
default via 10.1.1.112 dev eth0 onlink
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.102

pct config 102
arch: amd64
cores: 2
features: nesting=1
hostname: app
memory: 4096
nameserver: 10.1.1.112
net0: name=eth0,bridge=vmbr1,gw=10.1.1.112,hwaddr=32:F5:D3:3D:C9:BB,ip=10.1.1.102/24,type=veth
onboot: 1
ostype: debian
rootfs: local-zfs:subvol-102-disk-1,size=20G
searchdomain: domain
startup: order=2
swap: 2048

Here you are, an unchangeable lxc network config
 
Is there anything in the syslog of the CT?
 
May 3 13:57:00 app kernel: [148664.916265] vmbr0: port 3(veth106i0) entered blocking state
May 3 13:57:00 app kernel: [148664.916315] device veth106i0 entered promiscuous mode

ip r of PVE host is

default via xx.xxx.23.65 dev vmbr0 onlink
10.1.1.0/24 dev vmbr1 proto kernel scope link src 10.1.1.112
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
xx.xxx.23.64/26 dev vmbr0 proto kernel scope link src xx.xxx.23.120
 
Which OS and version is running inside the container?
When you change the IP while it is running, is there anything in the syslog then?
 
uname -a
Linux app 5.4.106-1-pve #1 SMP PVE 5.4.106-1 (Fri, 19 Mar 2021 11:08:47 +0100) x86_64 GNU/Linux

cat /etc/issue
Debian GNU/Linux 10

I need some time to answer about the IP. It's a production container.
 
By the way, syslog activity continues

May 3 14:09:38 app kernel: [149423.207104] device veth106i0 left promiscuous mode
May 3 14:09:38 app kernel: [149423.442296] audit: type=1400 audit(1620032978.603:50): apparmor="STATUS" operation="profile_remove" profile=
May 3 14:18:37 app kernel: [149962.221077] audit: type=1400 audit(1620033517.392:51): apparmor="STATUS" operation="profile_load" profile="/
May 3 14:18:37 app kernel: [149962.546893] vmbr1: port 4(veth106i0) entered blocking state
May 3 14:18:37 app kernel: [149962.546941] device veth106i0 entered promiscuous mode
May 3 14:18:37 app kernel: [149962.565690] eth0: renamed from vethWn1VSS
May 3 14:18:38 app kernel: [149962.865631] vmbr1: port 4(veth106i0) entered blocking state
 
I'm sorry, I misread the first post.
Can you ping the gateway from the container?
How is the host configured? Please provide the /etc/network/interfaces config and don't forget to mask sensitive information.
 
Yes, the lxc containers ping the gateway 10.1.1.112

PVE host's config is

ip r of PVE host is

default via xx.xxx.23.65 dev vmbr0 onlink
10.1.1.0/24 dev vmbr1 proto kernel scope link src 10.1.1.112
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
xx.xxx.23.64/26 dev vmbr0 proto kernel scope link src xx.xxx.23.120

cat /etc/network/interfaces of PVE host is

auto lo
iface lo inet loopback

iface enp0s31f6 inet manual

auto vmbr0
iface vmbr0 inet static
        address xx.xxx.23.120
        netmask 255.255.255.192
        gateway xx.xxx.23.65
        bridge_ports enp0s31f6
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address 10.1.1.112
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
 
Check

cat /proc/sys/net/ipv4/ip_forward

It should say 1

If it's 0 then

echo 1 > /proc/sys/net/ipv4/ip_forward
 
True, so this works for you as well?
For a permanent change:

edit /etc/sysctl.conf and add or change the following line:
net.ipv4.ip_forward = 1
 
PVE Host already has:

cat /proc/sys/net/ipv4/ip_forward returns 1
/etc/sysctl.conf contains net.ipv4.ip_forward=1

I'm stuck...

What about the container itself,

cat /proc/sys/net/ipv4/ip_forward returns 1

/etc/sysctl.conf contains commented
# net.ipv4.ip_forward=1

But as far as I understand, the matter is with the PVE host, which must forward packets...
 
The matter
Bash:
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o vmbr0 -j MASQUERADE
was in /etc/rc.local and it failed to start normally after reboot.
I don't know if there is a way for lxc containers with internal IPs to access the inet using PVE host routing, but we use that approach.
 
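The two host-side checks this thread went through (forwarding enabled, then the MASQUERADE rule that /etc/rc.local was supposed to load), as an added example that is not from any poster. `nat_status` and the sample rule dumps are constructed for illustration; the subnet and bridge names are the ones posted above.

```bash
#!/bin/sh
# Added example, not from the thread. nat_status is a hypothetical helper;
# the two rule dumps below are constructed samples of `iptables-save -t nat`.

# nat_status FWD RULES SUBNET OUT_IF
#   FWD   = contents of /proc/sys/net/ipv4/ip_forward
#   RULES = output of `iptables-save -t nat`
# Prints one of: ok | forwarding-disabled | masquerade-missing
nat_status() {
    fwd=$1 rules=$2 subnet=$3 out_if=$4
    if [ "$fwd" != "1" ]; then
        echo forwarding-disabled
        return 0
    fi
    found=no
    while IFS= read -r line; do
        # Only POSTROUTING rules with the MASQUERADE target are of interest.
        case "$line" in
            "-A POSTROUTING "*" -j MASQUERADE"*) ;;
            *) continue ;;
        esac
        # Pad with spaces so the subnet and interface match as whole words.
        case " $line " in *" -s $subnet "*) ;; *) continue ;; esac
        case " $line " in *" -o $out_if "*) found=yes ;; esac
    done <<EOF
$rules
EOF
    if [ "$found" = yes ]; then echo ok; else echo masquerade-missing; fi
}

# Constructed sample: NAT table with the rule from the thread loaded.
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.1.0/24 -o vmbr0 -j MASQUERADE
COMMIT'

# Constructed sample: NAT table after a boot where rc.local did not run.
SAMPLE_AFTER_REBOOT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# On a real host: sh this-file --live  (reads the running kernel state, needs root)
if [ "${1:-}" = "--live" ]; then
    nat_status "$(cat /proc/sys/net/ipv4/ip_forward)" \
               "$(iptables-save -t nat)" 10.1.1.0/24 vmbr0
fi
```

A result of `masquerade-missing` with forwarding already at 1 is the state the thread ended up in: the container can ping 10.1.1.112 but nothing beyond it.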