Setting up an LXC without unprivileged container vs with

virtualizerforlife

New Member
Jan 12, 2025
Hi,

So I have the following question:
When I create a new LXC with the "unprivileged container" setting unchecked, my container's OS cannot connect to the internet (Ubuntu in this case).
But when I have the "unprivileged container" setting checked (and also nesting enabled), the internet works correctly and I'm able to update and upgrade my OS with apt, for example.

Is this how it is supposed to work, and why is it behaving like this? Does a privileged container require extra setup so that the container would work?
Hi,

Networking shouldn't be affected by switching between privileged and unprivileged containers - both should work the same way for basic internet access, so I'd guess something else is going on here.

Could you post pct config <vmid> for both containers (the working privileged one and the broken unprivileged one) so we can compare? And from inside the broken container, please try:
Code:
ping 8.8.8.8
ping google.com
If the first works but the second doesn't, it's a DNS issue. If neither works, it should be routing or the bridge.

Please also provide the output from inside the broken container:
Code:
ip a
ip r
Privileged (unchecked the unprivileged container option when creating CT):
root@privileged2:~# ping 8.8.8.8
ping: connect: Network is unreachable

root@privileged2:~# ping google.com
ping: google.com: Temporary failure in name resolution

Unprivileged container with nesting checked:
root@unprivileged:~# ping 8.8.8.8
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7011ms

root@unprivileged:~# ping google.com
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms

In the broken container, ip r didn't return anything.

ip a returns the following:
root@unprivileged:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0@if26: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff link-netnsid 0
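Added example, not from the thread or from Proxmox: a small POSIX sh function that applies the reply's order of checks (interface present, link UP, IPv4 address, default route, then DNS) to the text of ip a and ip r, and runs it over a constructed, re-indented copy of the broken container's output above. The function names, the healthy counterpart and its 192.0.2.x addresses are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify a container's network state from
# the text of `ip a` and `ip r`, in the order the reply suggests (interface
# present? link UP? IPv4 address? default route?) before suspecting DNS.
# Usage: net_triage IFACE "$(ip a)" "$(ip r)"  -> prints one diagnosis token.

# Print only the `ip a` lines belonging to IFACE: its header plus its addresses.
iface_block() {
  printf '%s\n' "$2" | awk -v i="$1" '
    /^[0-9]+: / { inblk = ($2 ~ ("^" i "(@|:)")) }
    inblk { print }'
}

net_triage() {
  iface=$1; ip_a=$2; ip_r=$3
  block=$(iface_block "$iface" "$ip_a")
  if [ -z "$block" ]; then
    echo "no-interface"; return 0       # veth never showed up inside the CT
  fi
  # A usable link carries UP inside the <...> flags on the header line.
  if ! printf '%s\n' "$block" | head -n 1 | grep -q '[<,]UP[,>]'; then
    echo "link-down"; return 0          # the broken CT: state DOWN, qdisc noop
  fi
  if ! printf '%s\n' "$block" | grep -q '^ *inet '; then
    echo "no-ipv4-address"; return 0    # link up, but DHCP handed out nothing
  fi
  if ! printf '%s\n' "$ip_r" | grep -q '^default '; then
    echo "no-default-route"; return 0   # matches "Network is unreachable"
  fi
  echo "routing-ok-check-dns"           # ping 8.8.8.8 should work; test names next
}

# Constructed sample: the broken container's `ip a` from the thread (MAC
# redacted, indentation restored) and the empty `ip r` the OP reported.
BROKEN_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0@if26: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff link-netnsid 0'
BROKEN_IP_R=''
# Constructed healthy counterpart (RFC 5737 test addresses) for comparison.
OK_IP_A='2: eth0@if26: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0'
OK_IP_R='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

net_triage eth0 "$BROKEN_IP_A" "$BROKEN_IP_R"   # prints: link-down
net_triage eth0 "$OK_IP_A" "$OK_IP_R"           # prints: routing-ok-check-dns
```

On a live container, run net_triage eth0 "$(ip a)" "$(ip r)"; "link-down" means the veth was never brought up, so ping will fail for reasons unrelated to DNS.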
pct config <id> gives the following information for the working container:
arch: amd64
cores: 2
features: nesting=1
hostname: unprivileged
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=XX:XX:XX:XX:XX:XX,,ip=dhcp,ip6=dhcp,type=veth
ostype: ubuntu
rootfs: local:100/vm-100-disk-0.raw,size=100G
swap: 512
unprivileged: 1
and for the broken container:
arch: amd64
cores: 2
hostname: privileged
memory: 2208
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=XX:XX:XX:XX:XX:XX,ip=dhcp,ip6=dhcp,type=veth
ostype: ubuntu
rootfs: local:101/vm-101-disk-0.raw,size=75G
swap: 512