Canonical Juju

juju openstack provider --to lxd results in unit behind NAT (unreachable)

Bug #1615917 reported by Ryan Beisner on 2016-08-23

This bug report is a duplicate of: Bug #1614364: container addressability: lxc/lxd units are behind NAT on manual and openstack providers. Edit Remove

This bug affects 5 people

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Triaged	High	Richard Harding	Canonical Juju 2.0.1

Bug Description

Deploying to containers (lxc or lxd) using the Juju OpenStack provider results in units which are connected behind NAT on the lxc/lxd bridge. The units in containers are unreachable from outside that host instance, and are unreachable from other containers in the model.

The reproducer is simply:

juju deploy ubuntu
juju add-unit ubuntu --to lxd:0
juju add-unit ubuntu --to lxd:0

The IP addresses of 0/lxd/N will be (likely) 10.0.x.x addresses, not within the tenant's network range, and masquerading as the IP address of the hosting instance.

The hosting instance, and any other containers on the hosting instance, can successfully reach 0/lxd/N addresses via TCP/ICMP, but no other hosts can reach the container addresses.

This is essentially identical to the behavior seen in the manual provider, reference: https://bugs.launchpad.net/bugs/1614364.

For clarity, this is not related to the use of nova-lxd or the lxd charm. Advance apologies for the initial lack of accompanying evidence, and/or the potentially duplicate bug. On my next iteration, I'll gather logs, interface info, status outputs and attach here. In the mean time, please see the ultra-simple reproducer.

This needs to be re-confirmed as affecting 1.25.6 and 2.0 current beta/rc, but I do believe it affects both.

Tags:

Anastasia (anastasia-macmood) on 2016-08-23

Changed in juju:
status:	New → Triaged
importance:	Undecided → High
milestone:	none → 2.0-beta17

Curtis Hovey (sinzui) on 2016-09-01

Changed in juju:
milestone:	2.0-beta17 → 2.0-beta18

Curtis Hovey (sinzui) on 2016-09-09

Changed in juju:
milestone:	2.0-beta18 → 2.0-beta19

Anastasia (anastasia-macmood) on 2016-09-11

Changed in juju:
milestone:	2.0-beta19 → 2.0-rc1

Revision history for this message

Ryan Beisner (1chb1n) wrote on 2016-09-19:

Confirmed with user on IRC today that this is affecting them on Juju 2.0-beta18.

Richard Harding (rharding) on 2016-09-19

tags:

added: network

Richard Harding (rharding) on 2016-09-20

Changed in juju:
assignee:	nobody → Richard Harding (rharding)
milestone:	2.0-rc1 → 2.0-rc2

Richard Harding (rharding) on 2016-09-29

Changed in juju:
milestone:	2.0-rc2 → 2.0.0

Richard Harding (rharding) on 2016-10-05

tags:

added: teamb

Richard Harding (rharding) on 2016-10-05

tags:

added: rteam
removed: teamb

Curtis Hovey (sinzui) on 2016-10-06

Changed in juju:
milestone:	2.0-rc3 → 2.0.0

Richard Harding (rharding) on 2016-10-11

Changed in juju:
milestone:	2.0.0 → 2.0.1

Revision history for this message

Mick Gregg (macgreagoir) wrote on 2016-10-19:

@1chb1n Looking at the code and testing with 1.25 and 2.0, I _believe_ this is working as expected for OpenStack (and pubic clouds): lxd config on the OpenStack instance creates lxdbr0 and configures it for DHCP and NAT for any containers deployed to that instance. The work on addressable containers is not yet completed across all providers, so what you can expect from containers deployed to MAAS nodes will differ for OpenStack, for example.

Are you seeing a difference from what you've previously used?

Anastasia (anastasia-macmood) on 2016-10-19

Changed in juju:
status:	Triaged → Incomplete

Revision history for this message

Ryan Beisner (1chb1n) wrote on 2016-10-20:

Right, this is not necessarily a new issue or a regression. It is a bug to identify a long-standing and existing usability gap with the Juju OpenStack provider, and get it triaged appropriately so that it can either be made to work, or made not to work definitively.

Changed in juju:
status:	Incomplete → New

Anastasia (anastasia-macmood) on 2016-10-20

Changed in juju:
status:	New → Triaged

Revision history for this message

Trent Lloyd (lathiat) wrote on 2016-10-21:

This bug is a duplicate of my bug here:
https://bugs.launchpad.net/bugs/1600546

It's definitely an issue, since juju never even uses this bridge subnet. lxd has long since stopped setting up such a default subnet for exactly this reason, it always interferes with something. It should be able to simply be removed.

Revision history for this message

Richard Harding (rharding) wrote on 2016-11-06:

Updated the duplicate bug. I see this more of the issue where Juju does not allow instructing containers to get a host network address like it does on MAAS.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1614364 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.