lxc-net fails to start when configuring IPV6

Bug #2053011 reported by hansvschoot
Affects: lxc (Ubuntu)

Bug Description

Running on Ubuntu 22.04.3 LTS jammy
  Installed: 1:5.0.0~git2209-g5a7b9ce67-0ubuntu1.1

When configuring IPV6 on the default lxcbr0 LXC bridge in /etc/default/lxc-net, using the following:

The lxc-net service fails to start: systemctl restart lxc-net

Starting LXC network bridge setup...
Error: conflicting protocols specified: ip6 vs. ip
Failed to setup lxc-net.
lxc-net.service: Main process exited, code=exited, status=1/FAILURE
lxc-net.service: Failed with result 'exit-code'.
Failed to start LXC network bridge setup.

Turns out this is due to a syntax error in /usr/lib/x86_64-linux-gnu/lxc/lxc-net on line 174:
add rule ip6 lxc postrouting ip saddr ${LXC_IPV6_NETWORK} ip daddr != ${LXC_IPV6_NETWORK} counter masquerade;
Should mention "ip6 saddr" and "ip6 daddr" in the line, like so:
add rule ip6 lxc postrouting ip6 saddr ${LXC_IPV6_NETWORK} ip6 daddr != ${LXC_IPV6_NETWORK} counter masquerade;

After manually editing the /usr/lib/x86_64-linux-gnu/lxc/lxc-net file to include the correct ip6 syntax, lxc-net starts up fine and IPV6 networking works on my LXC containers.

This fix seems to already live in the upstream lxc project on GitHub: https://github.com/lxc/lxc/commit/4de047f51365cc06a626ee9de49fec5f76556c66#diff-f16b43004d25f547f78c7457ba74cb05eaaa2bcf979dac8173314916ef36e7f4 and as far as I can tell made it into lxc-utils 5.0.3.
Unfortunately Ubuntu jammy ships with lxc-utils 5.0.0.

Tags: jammy
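
A check for the family mismatch described in this report, added here as an example (it is not part of the bug report or of the lxc project's code). The function name find_nft_family_mismatch is hypothetical; it flags any nft "add rule" line whose table family (ip or ip6) disagrees with the protocol used in an saddr/daddr match, and the sample input is constructed from the two lines quoted above.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from lxc): report nft "add rule"
# lines where the table family and the saddr/daddr protocol disagree, the
# condition nft rejects with "conflicting protocols specified: ip6 vs. ip".
# Reads the named file(s), or stdin when called without arguments.
# Prints "<line-number>: <line>" per hit; returns 0 if any hit, 1 if none.
find_nft_family_mismatch() {
    awk '
    {
        fam = ""
        # Find "add rule <family>" anywhere on the line (indentation is ignored).
        for (i = 1; i + 2 <= NF; i++)
            if ($i == "add" && $(i + 1) == "rule" && ($(i + 2) == "ip" || $(i + 2) == "ip6")) {
                fam = $(i + 2); start = i + 3; break
            }
        if (fam == "") next
        # Every later "<proto> saddr" / "<proto> daddr" must use that same family.
        for (j = start; j < NF; j++)
            if (($j == "ip" || $j == "ip6") && ($(j + 1) == "saddr" || $(j + 1) == "daddr") && $j != fam) {
                printf "%d: %s\n", NR, $0
                hits++
                break
            }
    }
    END { exit (hits ? 0 : 1) }
    ' "$@"
}

# Constructed sample: line 1 is the jammy rule quoted in the report,
# line 2 is the corrected rule. Only line 1 is reported.
find_nft_family_mismatch <<'EOF' || true
add rule ip6 lxc postrouting ip saddr ${LXC_IPV6_NETWORK} ip daddr != ${LXC_IPV6_NETWORK} counter masquerade;
add rule ip6 lxc postrouting ip6 saddr ${LXC_IPV6_NETWORK} ip6 daddr != ${LXC_IPV6_NETWORK} counter masquerade;
EOF
```

To check an installed copy, pass the script path from the report: find_nft_family_mismatch /usr/lib/x86_64-linux-gnu/lxc/lxc-net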
hansvschoot (hansvschoot) wrote :

Not really bug related, but in case somebody else is playing around with this and ends up here: I also needed to add a firewall rule to UFW before DHCP from my unprivileged containers started working:
 ufw allow in on lxcbr0
(this can probably be restricted a bit further to only allow DHCP requests)
