lxd hanging at Waiting for network to be ready...

Bug #1967611 reported by Heinrich Schuchardt
This bug affects 5 people
Affects: snapcraft (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Snapcraft hangs waiting for network

$ snapcraft --use-lxd
Launching a container.
Build environment is in unknown state, cleaning first.
Waiting for container to be ready
Created symlink /etc/systemd/system/dbus-org.freedesktop.network1.service → /lib/systemd/system/systemd-networkd.service.
Waiting for network to be ready...

It is not a problem with the network on my host machine: ping launchpad.net works fine.

$ snap list
Name Version Rev Tracking Publisher Notes
bare 1.0 5 latest/stable canonical✓ base
core 16-2.54.4 12821 latest/stable canonical✓ core
core18 20220309 2344 latest/stable canonical✓ base
core20 20220318 1405 latest/stable canonical✓ base
distrobuilder 2.0 1125 latest/stable stgraber classic
firefox 98.0.2-1 1154 latest/stable mozilla✓ -
git-ubuntu 1.0 474 latest/stable canonical✓ classic
gnome-3-38-2004 0+git.1f9014a 99 latest/stable canonical✓ -
gtk-common-themes 0.1-59-g7bca6ae 1519 latest/stable canonical✓ -
hello 2.12 52 latest/edge canonical✓ -
lxd 4.24-c92c0b2 22754 latest/stable canonical✓ -
multipass 1.8.0 6130 latest/stable canonical✓ -
snap-store 3.38.0-66-gbd5b8f7 558 latest/stable canonical✓ -
snapcraft 6.1 7201 latest/stable canonical✓ classic
snapd 2.54.4 15177 latest/stable canonical✓ snapd

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in snapcraft (Ubuntu):
status: New → Confirmed
Matthew Thomas (mattwthomas) wrote:

This also affects me on Jammy.

Dennis Loose (dloose) wrote:

I experienced the same bug until I realized the problem was caused by ufw, which was keeping the lxd container from obtaining an IPv4 address. Did you set up ufw? Does the problem persist if you disable it?

Heinrich Schuchardt (xypron) wrote:

/var/log/syslog has:

Oct 7 15:42:33 laptop kernel: [21375.839338] [UFW BLOCK] IN=lxdbr0 OUT= PHYSIN=vethdfc21f4f MAC=00:16:3e:38:26:a2:00:16:3e:4d:c5:95:86:dd SRC=fe80:0000:0000:0000:0216:3eff:fe4d:c595 DST=fe80:0000:0000:0000:0216:3eff:fe38:26a2 LEN=78 TC=0 HOPLIMIT=64 FLOWLBL=740385 PROTO=UDP SPT=32931 DPT=53 LEN=38

So DNS is blocked.

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

Disabling ufw is a usable workaround.

BUT disabling ufw is not recommendable security-wise. snapcraft should come with the necessary ruleset for running behind ufw.

Heinrich Schuchardt (xypron) wrote (last edit):

There is an NFT rule allowing routing:

        chain out.lxdbr0 {
                type filter hook output priority filter; policy accept;
                oifname "lxdbr0" tcp sport 53 accept
                oifname "lxdbr0" udp sport 53 accept
                oifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
                oifname "lxdbr0" udp sport 67 accept
                oifname "lxdbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
                oifname "lxdbr0" udp sport 547 accept
        }

But that is irrelevant as iptables forbids it:

Chain FORWARD (policy DROP)

Why do we have this mixture of iptables and nft?

Heinrich Schuchardt (xypron) wrote:

The problem only occurs if ufw firewall is active. The package should install firewall rules.
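The symptom in this thread (ufw logging a dropped DNS packet arriving on lxdbr0, plus the FORWARD policy DROP that blocks routed traffic) can be checked for in syslog before anyone disables the firewall. The following is an added example, not code from the bug report, snapcraft or LXD: it scans constructed "[UFW BLOCK]" lines for DNS/DHCP drops on an LXD bridge and emits the per-bridge ufw rules that the LXD firewall documentation recommends (taken as an assumption here; verify against your LXD version). The sample log lines and the eth0 entry are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report, snapcraft or LXD): find ufw drops of
# DNS (53) or DHCP (67, 547) traffic arriving on an LXD bridge and print the
# ufw rules that allow that bridge. Nothing here applies rules to the host.

# Constructed sample log. Line 1 is modelled on the report's syslog entry
# (IPv6 DNS from a container on lxdbr0); line 2 is unrelated noise on eth0.
SAMPLE_LOG='Oct 7 15:42:33 laptop kernel: [21375.839338] [UFW BLOCK] IN=lxdbr0 OUT= PHYSIN=vethdfc21f4f MAC=00:16:3e:38:26:a2:00:16:3e:4d:c5:95:86:dd SRC=fe80:0000:0000:0000:0216:3eff:fe4d:c595 DST=fe80:0000:0000:0000:0216:3eff:fe38:26a2 LEN=78 TC=0 HOPLIMIT=64 FLOWLBL=740385 PROTO=UDP SPT=32931 DPT=53 LEN=38
Oct 7 15:42:40 laptop kernel: [21382.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "IFACE PROTO DPORT" for every UFW BLOCK whose
# inbound interface is an LXD bridge and whose destination port is DNS or DHCP.
ufw_lxd_blocks() {
  grep -F '[UFW BLOCK]' | awk '{
    iface = ""; proto = ""; dport = ""
    for (i = 1; i <= NF; i++) {
      n = split($i, kv, "=")          # tokens look like KEY=VALUE
      if (n < 2) continue             # flags such as "DF" or "SYN" have no value
      if (kv[1] == "IN") iface = kv[2]
      else if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "DPT") dport = kv[2]
    }
    if (iface ~ /^lxdbr/ && (dport == "53" || dport == "67" || dport == "547"))
      print iface, proto, dport
  }'
}

# Print (do not apply) the ufw rules the LXD documentation gives for a bridge:
# allow traffic from the bridge into the host (DNS/DHCP served by LXD's dnsmasq)
# and allow forwarding both ways so containers can reach the outside without
# turning ufw off. Assumption: ufw >= 0.34, which has "ufw route".
ufw_lxd_rules() {
  printf 'ufw allow in on %s\nufw route allow in on %s\nufw route allow out on %s\n' "$1" "$1" "$1"
}

# Stand-alone usage: report blocked bridge traffic, then the rules for that bridge.
printf '%s\n' "$SAMPLE_LOG" | ufw_lxd_blocks | while read -r iface proto dport; do
  echo "ufw blocked $proto/$dport arriving on $iface; suggested rules:"
  ufw_lxd_rules "$iface"
done
```

On a real host, feed it with `grep 'UFW BLOCK' /var/log/syslog | ufw_lxd_blocks` and review the printed rules before running them with sudo.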
