container addressability: lxc/lxd units are behind NAT on manual and openstack providers
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Canonical Juju | Triaged | High | John A Meinel | |
| 2.1 | Won't Fix | High | Unassigned | |
| 2.2 | Won't Fix | Undecided | Unassigned | |
| Ubuntu on IBM z Systems | Triaged | High | Unassigned | |
| juju-core | Won't Fix | Critical | Unassigned | |
| 1.25 | Won't Fix | Critical | Unassigned | |
Bug Description
1.25.6: Charm applications deployed to lxc units on multiple manual machines with the manual provider are guaranteed to fail by default.
This is because the lxc units sit behind a NAT bridge interface on each manual machine. The lxc units are not reachable from the controller, and lxc units on a manual machine cannot communicate with lxc units on another manual machine.
An over-simplification of what I'm seeing:
### One Simple Network
192.168.100.0/24

### Bastion (bootstrapped here) - 16.04
This could be your laptop.
192.168.100.10/24

### Machine 1 - 16.04
192.168.100.11/24
- 1/lxc/0: 10.0.3.12/24
- 1/lxc/1: 10.0.3.13/24

### Machine 2 - 16.04
192.168.100.12/24
- 2/lxc/0: 10.0.3.12/24
- 2/lxc/1: 10.0.3.15/24

### Machine 3 - 16.04
192.168.100.13/24
- 3/lxc/0: 10.0.3.13/24
- 3/lxc/1: 10.0.3.22/24
I think a more sane default behavior for the manual provider would be to configure the bridge as a pure L2 ('transparent') bridge, similar to what the Juju MAAS provider creates.
This would require that the user have pre-existing DHCP and DNS services ready on the network in advance. But I think that is in line with the spirit of the manual provider, and that can be documented accordingly.
If this turns out not to be something that is addressed, the docs should be updated to indicate --to lxc:foo is not supported with the manual provider in a default machine configuration.
| Changed in | Field | Change |
|---|---|---|
| juju-core | status | New → Triaged |
| juju-core | importance | Undecided → High |
| juju-core | milestone | none → 2.0-beta17 |
| juju-core | affects | juju-core → juju |
| juju | milestone | 2.0-beta17 → none |
| juju | milestone | none → 2.0-beta17 |
| juju-core | importance | Undecided → Critical |
| juju-core | status | New → Triaged |
| juju | status | Triaged → Invalid |
| juju | milestone | 2.0-beta17 → none |
| juju-core | status | Triaged → Won't Fix |
| juju-core | description | updated |
| juju | importance | High → Critical |
| juju | milestone | 2.2.0 → 2.0.3 |
| juju | assignee | nobody → Tim Penhey (thumper) |
| juju | assignee | Tim Penhey (thumper) → nobody |
| juju | importance | Critical → High |
| juju | milestone | 2.0.3 → 2.2.0 |
| juju | tags | added: openstack-ibm |
| ubuntu-z-systems | status | New → Confirmed |
| ubuntu-z-systems | summary | "manual provider lxc/lxd units are behind NAT, fail by default" → "juju1 and juju2 - manual provider lxc/lxd units are behind NAT, fail by default" |
| ubuntu-z-systems | importance | Undecided → Critical |
| ubuntu-z-systems | status | Confirmed → Triaged |
| juju | assignee | Richard Harding (rharding) → John A Meinel (jameinel) |
| juju | milestone | 2.1.0 → 2.1-rc1 |
| juju | milestone | 2.1-rc1 → 2.2.0-alpha1 |
| juju | summary | "juju1 and juju2 - manual provider lxc/lxd units are behind NAT, fail by default" → "container addresability: manual provider lxc/lxd units are behind NAT, fail by default on juju1 and juju2" |
| juju | summary | "container addresability: manual provider lxc/lxd units are behind NAT, fail by default on juju1 and juju2" → "container addressability: manual provider lxc/lxd units are behind NAT, fail by default on juju1 and juju2" |
| juju | importance | Critical → High |
| juju | status | Triaged → Fix Committed |
| juju | status | Fix Committed → Triaged |
| juju | milestone | 2.3-beta3 → none |
For a real example, manual reproducer, juju status and connectivity checks, see the attached file.
It's two machines, 10 containers on each machine.
From the "LAN," all containers are unreachable, metal hosts are reachable.
From a metal host, containers on other metal hosts are unreachable, containers on that metal host are reachable.
From any given container, containers on other metal hosts are unreachable, containers on that metal host are reachable.
This is all as expected given the L3 NAT.
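The following is an added model of the topology from the bug description and of the connectivity checks in the comment above; it is not code from the bug report or from Juju. It derives reachability purely from which interfaces share a network inside the same NAT scope (plus outbound masquerading), and also flags the container addresses that collide across machines. The bridge address 10.0.3.1 on each machine is an assumption (the lxcbr0 default); the page only lists the container addresses.

```python
from ipaddress import ip_interface

# Constructed topology from the bug description: one LAN, a bastion and three
# manual machines, each NATting its lxc containers on a private 10.0.3.0/24
# bridge. Scope "lan" is routable everywhere; scope "nat:<machine>" is private
# to that machine's bridge. The 10.0.3.1 bridge addresses are assumed.
TOPOLOGY = {
    "bastion": [("lan", "192.168.100.10/24")],
    "1":       [("lan", "192.168.100.11/24"), ("nat:1", "10.0.3.1/24")],
    "1/lxc/0": [("nat:1", "10.0.3.12/24")],
    "1/lxc/1": [("nat:1", "10.0.3.13/24")],
    "2":       [("lan", "192.168.100.12/24"), ("nat:2", "10.0.3.1/24")],
    "2/lxc/0": [("nat:2", "10.0.3.12/24")],
    "2/lxc/1": [("nat:2", "10.0.3.15/24")],
    "3":       [("lan", "192.168.100.13/24"), ("nat:3", "10.0.3.1/24")],
    "3/lxc/0": [("nat:3", "10.0.3.13/24")],
    "3/lxc/1": [("nat:3", "10.0.3.22/24")],
}


def _nets(node, topo):
    # (scope, network) pairs a node has an interface on
    return {(scope, ip_interface(a).network) for scope, a in topo[node]}


def reachable(src, dst, topo=TOPOLOGY):
    """True if src can initiate a connection to dst under the L3 NAT.

    Traffic flows directly only between interfaces on the same network in
    the same scope (LAN to LAN, or two interfaces on one machine's bridge).
    A NATted node can additionally reach LAN-scoped destinations through the
    masquerade, but nothing can initiate a connection inward through it."""
    src_nets, dst_nets = _nets(src, topo), _nets(dst, topo)
    if src_nets & dst_nets:
        return True
    src_natted = any(scope.startswith("nat:") for scope, _ in src_nets)
    dst_on_lan = any(scope == "lan" for scope, _ in dst_nets)
    return src_natted and dst_on_lan


def unreachable_pairs(topo=TOPOLOGY):
    """Every ordered (src, dst) pair that cannot talk: these are the
    relations a deployment with --to lxc:N would silently fail on."""
    return sorted((s, d) for s in topo for d in topo
                  if s != d and not reachable(s, d, topo))


def duplicate_container_addresses(topo=TOPOLOGY):
    """Container addresses reused on different machines. Even switching the
    bridge to a transparent L2 bridge could not fix these without renumbering."""
    owners = {}
    for node, ifaces in topo.items():
        if "/lxc/" in node:
            for _, addr in ifaces:
                owners.setdefault(ip_interface(addr).ip, set()).add(node)
    return {str(ip): sorted(n) for ip, n in owners.items() if len(n) > 1}
```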