Privileged container network issue.

vrlm

New Member
Jan 19, 2025
Does anyone know why a privileged LXC container might not be able to have network connectivity?

I created two identical containers with vanilla default settings. The ONLY difference between the two containers is that one of them is privileged and the other one is not.

The privileged container cannot resolve any network-related requests. Running apt update I get this response:

root@lxc-jellyfin:/# apt update
Ign:1 http://archive.ubuntu.com/ubuntu oracular InRelease
Ign:2 http://archive.ubuntu.com/ubuntu oracular-updates InRelease
Ign:3 http://archive.ubuntu.com/ubuntu oracular-security InRelease
Ign:1 http://archive.ubuntu.com/ubuntu oracular InRelease
Ign:2 http://archive.ubuntu.com/ubuntu oracular-updates InRelease
Ign:3 http://archive.ubuntu.com/ubuntu oracular-security InRelease
Ign:1 http://archive.ubuntu.com/ubuntu oracular InRelease
Ign:2 http://archive.ubuntu.com/ubuntu oracular-updates InRelease
Ign:3 http://archive.ubuntu.com/ubuntu oracular-security InRelease
Err:1 http://archive.ubuntu.com/ubuntu oracular InRelease
Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://archive.ubuntu.com/ubuntu oracular-updates InRelease
Temporary failure resolving 'archive.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu oracular-security InRelease
Temporary failure resolving 'archive.ubuntu.com'
All packages are up to date.
Warning: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/oracular/InRelease Temporary failure resolving 'archive.ubuntu.com'
Warning: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/oracular-updates/InRelease Temporary failure resolving 'archive.ubuntu.com'
Warning: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/oracular-security/InRelease Temporary failure resolving 'archive.ubuntu.com'
Warning: Some index files failed to download. They have been ignored, or old ones used instead.
root@lxc-jellyfin:/#

I have not fiddled with any network settings. I even replicated the issue by repeatedly deleting the container and reinstalling it. Each time the privileged container has connectivity issues and the unprivileged one works totally fine.

Has anybody encountered this issue or have an idea what the problem could be?
 
Show the ip a output for the container.
Is it only a DNS issue or does it have no NW connection at all? Have you tried pinging using a numeric IP address only?

The ONLY difference between two containers
Have you checked for a NW conflict, same MAC addresses etc.?

If you show the pct config <CTID> output of both LXCs, maybe someone can help you.
 
I joined the forum just now to pile on to this issue. In the last few days I’ve created and destroyed 8 plain vanilla Debian and one Ubuntu container to host Plex because the containers keep failing at starting the networking service. I’ve tried DHCP, I’ve tried static IP. Pinging 8.8.8.8 works fine but I can’t access the Plex dashboard or anything.
 
I am also having issues: I tested Ubuntu Server 22, 23, 24, Debian 12, and I selected unprivileged and privileged. I found that creating a new container with Ubuntu 24 did not complete the boot cycle. I got a black screen with just a cursor. When I checked my router, no IP was showing. This was all with DHCP for IPv4. IPv6 was left static. NOTE that I was able to "pct enter id".
 
I am also having issues: I tested Ubuntu Server 22, 23, 24, Debian 12, and I selected unprivileged and privileged. I found that creating a new container with Ubuntu 24 did not complete the boot cycle. I got a black screen with just a cursor. When I checked my router, no IP was showing. This was all with DHCP for IPv4. IPv6 was left static. NOTE that I was able to "pct enter id".
This sounds like my issue. When you pct enter'd the container, did you check "systemctl status" to see what was delayed/failed? For me, it was networking.service.

Though, when you say you left your IPv6 static, did you assign anything? That could be causing a separate issue.
 
Closing the loop on my related issue: one of the other comments made me go back and look at my IPv6 settings. I was setting IPv6 to DHCP as per the instructions I was following to set up the Plex server, but what resolved my issue was setting IPv6 to static and leaving it blank, i.e. "None". Then my networking service issues went away.
 
I didn't check systemctl for errors. As for IPv6, I left it static and blank.

I'm suspicious of networking due to no IP being assigned.

I'm just going to use Debian 12 as a workaround.

I have deleted the non-working instances. All of them, unfortunately. I just tried again and they worked. Darn. If I see the issue again, I will post the config.
 
Provide the pct config <CTID> output of the non-working LXC.

Hi, I have basically the same issue. When I create a container as unprivileged, the network interfaces get the static IP addresses assigned. But when I do it as a privileged container, the addresses are not set.

If I now have a privileged container and add a new interface with a static IP address, the new interface is configured and set up correctly at runtime.

Code:
root@px1:~# LZ="1234"
TEMPLATE=$(pveam list local | grep ubuntu- | head -n1 | awk '{print $1}')
NEXTID=$(pvesh get /cluster/nextid)
pct create ${NEXTID} ${TEMPLATE} \
  --description "storage-netboot-test-1" \
  --arch amd64 \
  --storage local-zfs \
  --cores 1 \
  --cpulimit 1 \
  --hostname storage-netboot-test-1 \
  --memory 512 \
  --net0 name=mgmt,bridge=vmbr0,gw=10.1.14.254,gw6=fd00:1234:${LZ}:47::6a7e,ip=10.1.14.238/24,ip6=fd00:1234:${LZ}:47::238/64,mtu=1500,tag=47,type=veth \
  --net1 name=pxeboot,bridge=vmbr0,ip=10.254.254.238/22,tag=4069,type=veth \
  --onboot 1 \
  --ostype ubuntu \
  --rootfs local-zfs:10 \
  --swap 0 \
  --tty 1 \
  --unprivileged 1
extracting archive '/var/lib/vz/template/cache/ubuntu-24.04-standard_24.04-2_amd64.tar.zst'
Total bytes read: 564490240 (539MiB, 214MiB/s)
...

root@px1:~# pct config ${NEXTID}
arch: amd64
cores: 1
cpulimit: 1
description: storage-netboot-test-1%0A
hostname: storage-netboot-test-1
memory: 512
net0: name=mgmt,bridge=vmbr0,gw=10.1.14.254,gw6=fd00:1234:1234:47::6a7e,hwaddr=BC:24:11:03:D4:35,ip=10.1.14.238/24,ip6=fd00:1234:1234:47::238/64,mtu=1500,tag=47,type=veth
net1: name=pxeboot,bridge=vmbr0,hwaddr=BC:24:11:A5:93:8D,ip=10.254.254.238/22,tag=4069,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-zfs:subvol-102-disk-0,size=10G
swap: 0
tty: 1
unprivileged: 1

root@px1:~# pct start ${NEXTID}
root@px1:~# pct enter ${NEXTID}

root@storage-netboot-test-1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: mgmt@if60: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:03:d4:35 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.1.14.238/24 brd 10.1.14.255 scope global mgmt
       valid_lft forever preferred_lft forever
    inet6 fd00:1234:1234:47::238/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::be24:11ff:fe03:d435/64 scope link
       valid_lft forever preferred_lft forever
3: pxeboot@if61: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9200 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:a5:93:8d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.254.254.238/22 brd 10.254.255.255 scope global pxeboot
       valid_lft forever preferred_lft forever
    inet6 fe80::be24:11ff:fea5:938d/64 scope link
       valid_lft forever preferred_lft forever

Code:
root@px1:~# LZ="1234"
TEMPLATE=$(pveam list local | grep ubuntu- | head -n1 | awk '{print $1}')
NEXTID=$(pvesh get /cluster/nextid)
pct create ${NEXTID} ${TEMPLATE} \
  --description "storage-netboot-test-1" \
  --arch amd64 \
  --storage local-zfs \
  --cores 1 \
  --cpulimit 1 \
  --hostname storage-netboot-test-1 \
  --memory 512 \
  --net0 name=mgmt,bridge=vmbr0,gw=10.1.14.254,gw6=fd00:1234:${LZ}:47::6a7e,ip=10.1.14.238/24,ip6=fd00:1234:${LZ}:47::238/64,mtu=1500,tag=47,type=veth \
  --net1 name=pxeboot,bridge=vmbr0,ip=10.254.254.238/22,tag=4069,type=veth \
  --onboot 1 \
  --ostype ubuntu \
  --rootfs local-zfs:10 \
  --swap 0 \
  --tty 1 \
  --unprivileged 0
extracting archive '/var/lib/vz/template/cache/ubuntu-24.04-standard_24.04-2_amd64.tar.zst'
Total bytes read: 564490240 (539MiB, 214MiB/s)
...

root@px1:~# pct config ${NEXTID}
arch: amd64
cores: 1
cpulimit: 1
description: storage-netboot-test-1%0A
hostname: storage-netboot-test-1
memory: 512
net0: name=mgmt,bridge=vmbr0,gw=10.1.14.254,gw6=fd00:1234:1234:47::6a7e,hwaddr=BC:24:11:C8:7B:A4,ip=10.1.14.238/24,ip6=fd00:1234:1234:47::238/64,mtu=1500,tag=47,type=veth
net1: name=pxeboot,bridge=vmbr0,hwaddr=BC:24:11:1F:24:0F,ip=10.254.254.238/22,tag=4069,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-zfs:subvol-102-disk-0,size=10G
swap: 0
tty: 1

root@px1:~# pct start ${NEXTID}
root@px1:~# pct enter ${NEXTID}

root@storage-netboot-test-1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: mgmt@if62: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether bc:24:11:c8:7b:a4 brd ff:ff:ff:ff:ff:ff link-netnsid 0
3: pxeboot@if63: <BROADCAST,MULTICAST> mtu 9200 qdisc noop state DOWN group default qlen 1000
    link/ether bc:24:11:1f:24:0f brd ff:ff:ff:ff:ff:ff link-netnsid 0

Edit:

This looks like an error with networkd-dispatcher.

The privileged container got this error:
Code:
root@storage-netboot-test-1:~# journalctl -u networkd-dispatcher
Mar 03 09:36:14 storage-netboot-test-1 systemd[1]: Starting networkd-dispatcher.service - Dispatcher daemon for systemd-networkd...
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: No valid path found for iwconfig
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: No valid path found for iw
Mar 03 09:36:14 storage-netboot-test-1 networkctl[458]: systemd-networkd is not running, output might be incomplete.
Mar 03 09:36:14 storage-netboot-test-1 systemd[1]: networkd-dispatcher.service: Got notification message from PID 458, but reception only permitted for main PID 370
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: ERROR:Unknown state for interface NetworkctlListState(idx=1, name='lo', type='loopback', operational='-', administrative='unmanaged'): -
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: Traceback (most recent call last):
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:   File "/usr/bin/networkd-dispatcher", line 299, in trigger_all
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:     self.handle_state(iface_name,
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:   File "/usr/bin/networkd-dispatcher", line 349, in handle_state
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:     raise UnknownState(operational_state)
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: UnknownState: -
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: ERROR:Unknown state for interface NetworkctlListState(idx=2, name='mgmt', type='ether', operational='-', administrative='unmanaged'): -
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: Traceback (most recent call last):
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:   File "/usr/bin/networkd-dispatcher", line 299, in trigger_all
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:     self.handle_state(iface_name,
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:   File "/usr/bin/networkd-dispatcher", line 349, in handle_state
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:     raise UnknownState(operational_state)
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: UnknownState: -
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: ERROR:Unknown state for interface NetworkctlListState(idx=3, name='pxeboot', type='ether', operational='-', administrative='unmanaged'): -
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: Traceback (most recent call last):
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:   File "/usr/bin/networkd-dispatcher", line 299, in trigger_all
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:     self.handle_state(iface_name,
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:   File "/usr/bin/networkd-dispatcher", line 349, in handle_state
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]:     raise UnknownState(operational_state)
Mar 03 09:36:14 storage-netboot-test-1 networkd-dispatcher[370]: UnknownState: -
Mar 03 09:36:14 storage-netboot-test-1 systemd[1]: Started networkd-dispatcher.service - Dispatcher daemon for systemd-networkd.
root@storage-netboot-test-1:~#

and the unprivileged container looks like this:
Code:
root@storage-netboot-test-1:~# journalctl -u networkd-dispatcher
Mar 03 09:43:42 storage-netboot-test-1 systemd[1]: Starting networkd-dispatcher.service - Dispatcher daemon for systemd-networkd...
Mar 03 09:43:42 storage-netboot-test-1 networkd-dispatcher[351]: No valid path found for iwconfig
Mar 03 09:43:42 storage-netboot-test-1 networkd-dispatcher[351]: No valid path found for iw
Mar 03 09:43:42 storage-netboot-test-1 systemd[1]: networkd-dispatcher.service: Got notification message from PID 374, but reception only permitted for main PID 351
Mar 03 09:43:42 storage-netboot-test-1 systemd[1]: Started networkd-dispatcher.service - Dispatcher daemon for systemd-networkd.
root@storage-netboot-test-1:~#

Edit2: For me this looks like an issue with the ubuntu-24.04-standard_24.04-2_amd64.tar.zst image. I just tested with the ubuntu-22.04-standard_22.04-1_amd64.tar.zst image, which works like a charm.
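An added helper (not code from the thread or from Proxmox) that does the two comparisons the replies asked for: it diffs two pct config outputs with the per-container hwaddr dropped, and flags links in `ip -j addr` JSON that are not UP or carry no global address, the state the privileged container showed above. The config samples and the JSON are constructed from the outputs in this post.

```python
import json

def parse_pct_config(text):
    """Parse `pct config <CTID>` output into a dict; netN values are split into
    key=value pairs with hwaddr dropped (Proxmox generates a fresh MAC per CT)."""
    cfg = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(": ")
        if key.startswith("net"):
            value = dict(p.split("=", 1) for p in value.split(","))
            value.pop("hwaddr", None)
        cfg[key] = value
    return cfg

def config_diff(a, b):
    """Keys whose values differ between two parsed configs, as {key: (a, b)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def unconfigured_interfaces(ip_json):
    """From `ip -j addr` JSON, return non-loopback links that are not UP or carry
    no global-scope address: the 'state DOWN', address-less state shown above."""
    bad = []
    for link in json.loads(ip_json):
        if link.get("link_type") == "loopback":
            continue
        is_up = "UP" in link.get("flags", [])
        has_global = any(a.get("scope") == "global" for a in link.get("addr_info", []))
        if not (is_up and has_global):
            bad.append(link["ifname"])
    return bad

# Constructed samples, condensed from the two `pct config` outputs in the post.
UNPRIV_CFG = """arch: amd64
hostname: storage-netboot-test-1
net0: name=mgmt,bridge=vmbr0,gw=10.1.14.254,hwaddr=BC:24:11:03:D4:35,ip=10.1.14.238/24,tag=47,type=veth
net1: name=pxeboot,bridge=vmbr0,hwaddr=BC:24:11:A5:93:8D,ip=10.254.254.238/22,tag=4069,type=veth
unprivileged: 1"""
PRIV_CFG = """arch: amd64
hostname: storage-netboot-test-1
net0: name=mgmt,bridge=vmbr0,gw=10.1.14.254,hwaddr=BC:24:11:C8:7B:A4,ip=10.1.14.238/24,tag=47,type=veth
net1: name=pxeboot,bridge=vmbr0,hwaddr=BC:24:11:1F:24:0F,ip=10.254.254.238/22,tag=4069,type=veth"""
# Constructed `ip -j addr` JSON mirroring the privileged container's `ip a` above.
PRIV_IP_JSON = json.dumps([
    {"ifname": "lo", "link_type": "loopback", "flags": ["LOOPBACK", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "127.0.0.1", "scope": "host"}]},
    {"ifname": "mgmt", "link_type": "ether", "flags": ["BROADCAST", "MULTICAST"],
     "operstate": "DOWN", "addr_info": []},
    {"ifname": "pxeboot", "link_type": "ether", "flags": ["BROADCAST", "MULTICAST"],
     "operstate": "DOWN", "addr_info": []},
])
```

To use it on real containers, feed in `pct config <CTID>` from the host and `ip -j addr` from inside the container; the diff then shows whether the privilege flag really is the only configuration difference.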
 