Canonical Juju

Juju created LXD containers with MAAS provider do not honor the default gateway on the host

Bug #1710055 reported by Nobuto Murata on 2017-08-11

This bug affects 6 people

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Fix Released	High	Witold Krecicki	Canonical Juju 2.3-rc2

Bug Description

$ juju version
2.2.2-xenial-amd64

maas 2.2.2

The host has 103.X.Y.Z as the default gateway, but created LXD containers on top it have 10.10.23.254 as the default gateway instead. Therefore, created LXD containers cannot reach to hosts in other network because of the unexpected route. FWIW, 10.10.23.254 is the gateway of PXE boot network.

## Host

[curtin-install-cfg.yaml]
...
  - bond_interfaces:
    - eno1
    - eno2
    id: bond0
    mac_address: 24:6e:96:3d:3a:e8
    mtu: 1500
    name: bond0
    params:
      bond-downdelay: 0
      bond-lacp-rate: fast
      bond-miimon: 100
      bond-mode: 802.3ad
      bond-updelay: 0
      bond-xmit-hash-policy: layer3+4
    subnets:
    - address: 10.10.22.110/22
      dns_nameservers: []
      type: static
    type: bond
...
  - id: bond0.201
    mtu: 1500
    name: bond0.201
    subnets:
    - address: 103.<snip>/26
      dns_nameservers: []
      gateway: 103.<snip>
      type: static
    type: vlan
    vlan_id: 201
    vlan_link: bond0

$ ip r | grep default
default via 103.<snip> dev br-bond0.201 onlink

## LXD container

[/var/lib/cloud/instance/user-data.txt]
#cloud-config
apt_mirror: ""
bootcmd:
- install -D -m 644 /dev/null '/etc/network/interfaces.templ'
- |-
printf '%s\n' '
auto lo {eth00_16_3e_03_fe_15} {eth00_16_3e_40_6e_90} {eth00_16_3e_fe_2f_1c}

  iface lo inet loopback
    dns-nameservers 10.10.20.21
    dns-search maas

  iface {eth00_16_3e_fe_2f_1c} inet static
    address 10.10.22.106/22
    gateway 10.10.23.254

iface {eth00_16_3e_40_6e_90} inet static
address <snip>/26

  iface {eth00_16_3e_03_fe_15} inet static
    address 10.10.29.12/22
    mtu 9000
  ' > '/etc/network/interfaces.templ'

$ ip r | grep default
default via 10.10.23.254 dev eth0 onlink

Tags:

Revision history for this message

John A Meinel (jameinel) wrote on 2017-08-14:

This sounds like expected behavior based on configuration. We should not inherit the host machine gateway by default.
The container should only be created with access to the subnets that you have specified. And those subnets have configuration what the gateway will be to get out of that subnet. If *that* gateway doesn't have access to public networks, that may be by design. Even if you wanted access, you still need the 10.10.23.254 gateway in order to even get to the 103.* address for it to forward any farther.

It sounds like the actual fix is that you need to fix whatever gateway is at 10.10.23.254 to forward requests further on.

It may be that you need your containers to be in more than one space, if the space for their workloads cannot get public access, and you need that. You could do that with:
juju deploy application --bind private-space --constraints "spaces=public-space"

Changed in juju:
status:	New → Incomplete

Revision history for this message

Ante Karamatić (ivoks) wrote on 2017-08-29:

I think what Nobuto is saying is that:

iface {eth00_16_3e_40_6e_90} inet static
address <snip>/26

is the 103..../26 address (it's public, so he obfuscated it) in the container. So, container and machine both have an IP on the network with default gateway. However, container ends up with a default gateway from wrong space.

Chris Gregan (cgregan) on 2017-09-08

tags:	added: cdo-qa-blocker release-blocker
tags:	added: onsite

Revision history for this message

Ante Karamatić (ivoks) wrote on 2017-09-08:

John, is the information not sufficient? Talking to Tim, it's apparent that this is actually expected outcome considering that Juju doesn't know what is default gateway, doesn't ask MAAS and just sets a gateway from whatever network has it defined.

Chris Gregan (cgregan) on 2017-09-08

tags:

removed: release-blocker

Ante Karamatić (ivoks) on 2017-09-08

tags:

added: cpec
removed: cdo-qa-blocker onsite

Chris Gregan (cgregan) on 2017-09-08

Changed in juju:
status:	Incomplete → Confirmed
assignee:	nobody → Tim Penhey (thumper)
tags:	added: cdo-qa-blocker onsite

Xav Paice (xavpaice) on 2017-09-11

tags:

added: canonical-bootstack

Tim Penhey (thumper) on 2017-09-15

Changed in juju:
assignee:	Tim Penhey (thumper) → nobody
importance:	Undecided → Medium
status:	Confirmed → Triaged

Tim Penhey (thumper) on 2017-09-18

tags:

added: new-york

Chris Gregan (cgregan) on 2017-09-19

tags:

added: cpe-onsite
removed: onsite

Ante Karamatić (ivoks) on 2017-09-27

tags:

removed: cpec

Ian Booth (wallyworld) on 2017-10-06

Changed in juju:
milestone:	none → 2.3-beta2

Canonical Juju QA Bot (juju-qa-bot) on 2017-11-01

Changed in juju:
milestone:	2.3-beta2 → none

Witold Krecicki (wpk) on 2017-11-20

Changed in juju:
status:	Triaged → In Progress
assignee:	nobody → Witold Krecicki (wpk)
importance:	Medium → High

Nicholas Skaggs (nskaggs) on 2017-11-27

Changed in juju:
milestone:	none → 2.3-rc2

Revision history for this message

Ian Booth (wallyworld) wrote on 2017-11-28:

https://github.com/juju/juju/pull/8140

Changed in juju:
status:	In Progress → Fix Committed

Anastasia (anastasia-macmood) on 2017-12-18

Changed in juju:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.