Subnet/Hetzner Port Forwarding

asmar

I'm going nuts with this problem.
Any help is very much appreciated.

My new subnet is:
Subnet: 88.99.181.208 /28
Usable IP addresses: 88.99.181.209 to 88.99.181.222

I enabled forwarding:
Code:
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

On my host server I've got:

Code:
# Loopback device:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address  88.99.148.25
        netmask  255.255.255.255
        pointopoint     88.99.148.1
        gateway  88.99.148.1

iface eth0 inet6 static
  address 2a01:4f8:10a:2c58::2
  netmask 64
  gateway fe80::1
  up sysctl -p

# for subnet
auto vmbr1
iface vmbr1 inet static
        address 88.99.181.209
        netmask  255.255.255.240
        bridge_ports none
        bridge_stp off
        bridge_fd 0

Rebooted the server and set up an LXC with:
IP 88.99.181.209/28
and gateway 88.99.148.1

but no luck, the VM can't communicate with Internet and when I ssh into its IP all I'm achieving is to connect to the host. It seems that port forwarding is not working properly?

Any advice is highly appreciated.
 
Thanks a lot for the reply, it worked fine!

It's not clear however to me how the next IPs should be assigned in order to use all available IPs, from .209 to 222?
 
The next would be .211 and so on with the same gateway.

The important part is the IP .209 on your host. This acts as a gateway/router for all your other IPs, and packets are routed through your PVE. So, just increment the IP and go on.

The same is true for the IPv6 addresses, which work the same way but a little bit differently: you need to set the SAME IPv6 address on eth0 and vmbr0 and just the static IPv6 address to your LXC (of course another one, e.g. ...::3 or even ...::1:1 for better differentiation).
 
Thanks LnxBill.

I've tried adding a 2nd LXC with .211 IP and .209 as the gateway but it doesn't start at all.

Under my host interfaces file I haven't added any new vmbr.
Am I missing something?
 
You do not need to change anything on your host, so no new vmbr. Just use the one you have already with your first container.
 
This is what I did but the new LXC doesn't start at all.

Code:
systemctl status lxc@101.service -l
● lxc@101.service - LXC Container: 101
   Loaded: loaded (/lib/systemd/system/lxc@.service; disabled)
   Active: failed (Result: exit-code) since Thu 2017-03-09 22:50:36 CET; 24s ago
     Docs: man:lxc-start
           man:lxc
  Process: 3424 ExecStart=/usr/bin/lxc-start -n %i (code=exited, status=1/FAILURE)

Mar 09 22:50:36 proxmox0 lxc-start[3424]: lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
Mar 09 22:50:36 proxmox0 lxc-start[3424]: lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
Mar 09 22:50:36 proxmox0 lxc-start[3424]: lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
Mar 09 22:50:36 proxmox0 systemd[1]: lxc@101.service: control process exited, code=exited status=1
Mar 09 22:50:36 proxmox0 systemd[1]: Failed to start LXC Container: 101.
Mar 09 22:50:36 proxmox0 systemd[1]: Unit lxc@101.service entered failed state.
 
OK, it worked now. I removed the LXC and created it again, and it works perfectly.

Many many thanks for your help.
 
It is strange, however, that a 3rd LXC doesn't start. Same behaviour as the 2nd one, which I needed to remove completely and create again.
The problem with this one is that it has been re-created and still doesn't start. Same template as the previous 2.
I'm pasting below the debug info in case anyone can help.

Code:
root@proxmox0 ~ # cat /tmp/log.txt
      lxc-start 20170309222840.691 INFO     lxc_start_ui - tools/lxc_start.c:main:275 - using rcfile /var/lib/lxc/102/config
      lxc-start 20170309222840.691 WARN     lxc_confile - confile.c:config_pivotdir:1910 - lxc.pivotdir is ignored.  It will soon become an error.
      lxc-start 20170309222840.691 WARN     lxc_start - start.c:lxc_check_inherited:238 - Inherited fd: 3.
      lxc-start 20170309222840.691 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for reject_force_umount action 0.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for reject_force_umount action 0.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .[all].
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .kexec_load errno 1.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for kexec_load action 327681.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for kexec_load action 327681.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .open_by_handle_at errno 1.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for open_by_handle_at action 327681.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for open_by_handle_at action 327681.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .init_module errno 1.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for init_module action 327681.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for init_module action 327681.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .finit_module errno 1.
      lxc-start 20170309222840.691 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for finit_module action 327681.
      lxc-start 20170309222840.692 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:270 - Seccomp: got negative for syscall: -10085: finit_module.
      lxc-start 20170309222840.692 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:271 - This syscall will NOT be blacklisted.
      lxc-start 20170309222840.692 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for finit_module action 327681.
      lxc-start 20170309222840.692 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:270 - Seccomp: got negative for syscall: -10085: finit_module.
      lxc-start 20170309222840.692 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:271 - This syscall will NOT be blacklisted.
      lxc-start 20170309222840.692 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .delete_module errno 1.
      lxc-start 20170309222840.692 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for delete_module action 327681.
      lxc-start 20170309222840.692 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for delete_module action 327681.
      lxc-start 20170309222840.692 INFO     lxc_seccomp - seccomp.c:parse_config_v2:580 - Merging in the compat Seccomp ctx into the main one.
      lxc-start 20170309222840.692 INFO     lxc_conf - conf.c:run_script_argv:424 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "102", config section "lxc".
      lxc-start 20170309222840.998 ERROR    lxc_conf - conf.c:run_buffer:405 - Script exited with status 1.
      lxc-start 20170309222840.998 ERROR    lxc_start - start.c:lxc_init:450 - Failed to run lxc.hook.pre-start for container "102".
      lxc-start 20170309222840.998 ERROR    lxc_start - start.c:__lxc_start:1321 - Failed to initialize container "102".
      lxc-start 20170309222840.998 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
      lxc-start 20170309222840.998 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --l
 
No clue what goes wrong in /usr/share/lxc/hooks/lxc-pve-prestart-hook. Normally the container should not fail if something is wrong with the networking.

I'm fishing now, but do a backup of one container, restore it to another id and change the IP.

What version of PVE are you using (please run pveversion)?
Please post the output of this command:

Code:
$ diff /etc/pve/lxc/100.conf /etc/pve/lxc/102.conf
 
Hi LnxBill,

pve-manager/4.4-12/e71b7a74 (running kernel: 4.4.44-1-pve)

The VM that doesn't start is a new one; I just did the OS installation and tried to start it afterwards, nothing else.
 
you can get more debugging output by running "lxc-start -n 102 -lDEBUG -F -o /tmp/lxc-debug.log"
 
Hi Fabian,

Here is the output with the debug option:

Code:
root@proxmox0 ~ # lxc-start -n 102 -lDEBUG -F -o /tmp/lxc-debug.log
unable to open file '/fastboot.tmp.27847' - Read-only file system
error in setup task PVE::LXC::Setup::pre_start_hook
lxc-start: conf.c: run_buffer: 405 Script exited with status 1.
lxc-start: start.c: lxc_init: 450 Failed to run lxc.hook.pre-start for container "102".
lxc-start: start.c: __lxc_start: 1321 Failed to initialize container "102".
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
root@proxmox0 ~ # cat /tmp/lxc-debug.log
      lxc-start 20170310072709.853 INFO     lxc_start_ui - tools/lxc_start.c:main:275 - using rcfile /var/lib/lxc/102/config
      lxc-start 20170310072709.854 WARN     lxc_confile - confile.c:config_pivotdir:1910 - lxc.pivotdir is ignored.  It will soon become an error.
      lxc-start 20170310072709.854 WARN     lxc_start - start.c:lxc_check_inherited:238 - Inherited fd: 3.
      lxc-start 20170310072709.854 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for reject_force_umount action 0.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for reject_force_umount action 0.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .[all].
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .kexec_load errno 1.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for kexec_load action 327681.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for kexec_load action 327681.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .open_by_handle_at errno 1.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for open_by_handle_at action 327681.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for open_by_handle_at action 327681.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .init_module errno 1.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for init_module action 327681.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for init_module action 327681.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .finit_module errno 1.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for finit_module action 327681.
      lxc-start 20170310072709.854 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:270 - Seccomp: got negative for syscall: -10085: finit_module.
      lxc-start 20170310072709.854 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:271 - This syscall will NOT be blacklisted.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for finit_module action 327681.
      lxc-start 20170310072709.854 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:270 - Seccomp: got negative for syscall: -10085: finit_module.
      lxc-start 20170310072709.854 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:271 - This syscall will NOT be blacklisted.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .delete_module errno 1.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for delete_module action 327681.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for delete_module action 327681.
      lxc-start 20170310072709.854 INFO     lxc_seccomp - seccomp.c:parse_config_v2:580 - Merging in the compat Seccomp ctx into the main one.
      lxc-start 20170310072709.854 INFO     lxc_conf - conf.c:run_script_argv:424 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "102", config section "lxc".
      lxc-start 20170310072710.123 ERROR    lxc_conf - conf.c:run_buffer:405 - Script exited with status 1.
      lxc-start 20170310072710.123 ERROR    lxc_start - start.c:lxc_init:450 - Failed to run lxc.hook.pre-start for container "102".
      lxc-start 20170310072710.123 ERROR    lxc_start - start.c:__lxc_start:1321 - Failed to initialize container "102".
      lxc-start 20170310072710.123 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
      lxc-start 20170310072710.123 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
 
Further to my post, just to add that any new LXC I'm creating gets the same error.
This is on a clean server with a fresh installation, no modifications at all apart from the network config of course.
 
and the diff as asked before (just replaced the hostname)

Code:
root@proxmox0 ~ # diff /etc/pve/lxc/100.conf /etc/pve/lxc/102.conf
2,4c2,4
< cores: 4
< hostname: domain1.mydomain.com
< memory: 4096
---
> cores: 1
> hostname: domain2.mydomain.com
> memory: 4192
6,7c6
< net0: name=eth0,bridge=vmbr1,gw=88.99.181.209,hwaddr=72:86:32:FE:A9:10,ip=88.99.181.210/28,type=veth
< onboot: 1
---
> net0: name=eth0,bridge=vmbr1,gw=88.99.181.209,hwaddr=BA:E6:82:BA:E8:E9,ip=88.99.181.212/28,type=veth
9c8
< rootfs: local:100/vm-100-disk-1.raw,size=100G
---
> rootfs: local:102/vm-102-disk-1.raw,ro=1,size=80G
11c10
< swap: 4096
---
> swap: 4192
 
There must be a bug, can't be explained. I've re-formatted the server, restored those 2 VMs and then tried to create a 3rd one and it fails.
Same error output as posted above.
 
the rootfs of your 102 container is set to be read-only - that does not work (but unfortunately seems to be possible even via the GUI?)

if you want, feel free to file a bug report (either to forbid ro for rootfs, or to support it better)
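
Added example, not part of the original thread and not Proxmox code: a small audit of container config text for the two faults seen here, a `net0` address or gateway that does not fit the routed setup (bridge address .209 is the gateway, container IPs must differ from it) and a `rootfs` carrying `ro=1`. The finding names and the `audit` helper are hypothetical, only IPv4 is checked, and the sample configs are built from values posted above.

```python
import ipaddress

# Host bridge address, taken from the vmbr1 stanza posted in this thread.
BRIDGE = ipaddress.ip_interface("88.99.181.209/28")

def parse_options(value):
    """Split 'a=1,b=2,volume' into a dict; bare items map to True."""
    opts = {}
    for item in value.split(","):
        name, sep, val = item.partition("=")
        opts[name.strip()] = val.strip() if sep else True
    return opts

def audit(conf_text, bridge=BRIDGE, used=()):
    """Return (key, finding) tuples for one /etc/pve/lxc/<id>.conf body."""
    findings = []
    net = bridge.network
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, opts = key.strip(), parse_options(value.strip())
        if key.startswith("net") and opts.get("ip") not in (None, "dhcp", "manual"):
            addr = ipaddress.ip_interface(opts["ip"]).ip
            if addr not in net:
                findings.append((key, "ip-outside-subnet"))
            elif addr in (net.network_address, net.broadcast_address):
                findings.append((key, "ip-is-network-or-broadcast"))
            elif addr == bridge.ip:
                findings.append((key, "ip-collides-with-host-bridge"))
            elif str(addr) in used:
                findings.append((key, "ip-already-assigned"))
            if opts.get("gw") != str(bridge.ip):
                findings.append((key, "gw-is-not-bridge-address"))
        if key == "rootfs" and opts.get("ro") == "1":
            findings.append((key, "rootfs-read-only"))
    return findings

# Sample configs built from values posted in the thread (other keys omitted).
FIRST_TRY = "net0: name=eth0,bridge=vmbr1,gw=88.99.148.1,ip=88.99.181.209/28,type=veth"
CT100 = """net0: name=eth0,bridge=vmbr1,gw=88.99.181.209,hwaddr=72:86:32:FE:A9:10,ip=88.99.181.210/28,type=veth
rootfs: local:100/vm-100-disk-1.raw,size=100G"""
CT102 = """net0: name=eth0,bridge=vmbr1,gw=88.99.181.209,hwaddr=BA:E6:82:BA:E8:E9,ip=88.99.181.212/28,type=veth
rootfs: local:102/vm-102-disk-1.raw,ro=1,size=80G"""

if __name__ == "__main__":
    for name, conf in (("first try", FIRST_TRY), ("100", CT100), ("102", CT102)):
        print(name, audit(conf))
```

Passing the addresses of the other containers as `used` also flags a duplicate assignment when more IPs from the /28 are handed out.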
 
Fabian, it is not very clear to me what you are saying. How is the rootfs read-only, and is there a workaround?
 
