Ubuntu
lxc package

lxc containers failing dhcp

Bug #1254338 reported by Robert Collins on 2013-11-23

This bug report is a duplicate of: Bug #930962: dhcp3-server reports many bad udp checksums to syslog using virtio NIC. Edit Remove

22

This bug affects 5 people

Affects		Status	Importance	Assigned to	Milestone
	lxc (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

I just noticed this about a week ago when I was leaving Hong Kong after the ODS. My older containers (e.g. precise, or lucid) are failing to bring up networking. Checking syslog in the container:

Nov 23 06:39:59 subunit-lucid dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8
Nov 23 06:39:59 subunit-lucid dhclient: 5 bad udp checksums in 5 packets
Nov 23 06:40:07 subunit-lucid dhclient: No DHCPOFFERS received.
Nov 23 06:40:07 subunit-lucid dhclient: No working leases in persistent database - sleeping.
Nov 23 06:44:03 subunit-lucid dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4

Which makes me think that the host lxc bridge no longer does checksum fixups, which will break older containers. Without networking updating the containers to do a local fix is uhm, hard - if I'm right there's a bunch of folk out there scratching their heads and recreating containers (with appropriate swear words...)

Revision history for this message

Robert Collins (lifeless) wrote on 2013-11-23:

#1

Indeed - running

sudo iptables -t mangle -A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

In the host permits networking to work correctly.

Revision history for this message

Robert Collins (lifeless) wrote on 2013-11-23:

#2

I can see this:
dhcp3 (3.1.3-2ubuntu3.5) lucid-proposed; urgency=low

  * Include patch from RedHat/Fedora to deal with hardware/xen/virtio offload
    of UDP checksums. (LP: #930962)
  * Update apparmor profile to add required the "network packet raw" rule
    for the checksum change.

-- Stéphane Graber <email address hidden> Thu, 23 May 2013 19:58:28 -0400

In the dhcp3-client changelog, but this won't help anyone with existing containers: surely the thing to do is to wait for that to be in the default for all new containers (e.g. 5 years) then remove the checksum-fill support?

Revision history for this message

Robert Collins (lifeless) wrote on 2013-11-23:

#3

Adding
iptables -t mangle -A POSTROUTING -o ${LXC_NETWORK} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
to /etc/init/lxc-net.conf

will fix it on boot for anyone suffering this - I'm happy to wrap that up in a debdiff if this is considered an appropriate fix.

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2013-11-25: Re: [Bug 1254338] Re: lxc containers failing dhcp

#4

Hi Robert,

so you'd say this was a bug in lxc versus linux because lxc should
detect the kernel version and add this iptables rule in lxc-net.conf?

I guess I don't really see a downside to that...

Revision history for this message

Launchpad Janitor (janitor) wrote on 2013-11-29:

#5

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu):
status:	New → Confirmed

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #930962 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.