How to bridge an LXD network for internet access?

I’m using LXD 4.0.9 on Ubuntu 20.04, created a network, a profile, and added storage to a drone like the following …

$ lxc network create drone_lan ipv4.address=none ipv6.address=none 
$ lxc profile create p-drone

$ lxc profile device add p-drone root disk path=/ pool=default
$ lxc profile device add p-drone drone_lan nic name=enp5s0 network=drone_lan

Then I create a few instances, attach them to the network, and shell in to the first instance …

$ lxc launch ubuntu:20.04 drone1
$ lxc launch ubuntu:20.04 drone2
$ lxc network attach drone_lan drone1
$ lxc network attach drone_lan drone2
$ lxc exec drone1 -- bash

From within drone1, I want to install a package, but get the following:

root@drone1:~# sudo apt install tree
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package tree

Because the network bridge is managed for drone_lan, it appears all I need to do is the following according to

As I’m on Ubuntu 20.04, I did the following to no avail.

$ sudo ufw allow in on drone_lan
$ sudo ufw route allow in on drone_lan
$ sudo ufw route allow out on drone_lan

And as I also have Docker and cannot remove it, I also did the following:

Uncommented the line in /etc/sysctl.d/99-sysctl.conf


And restarted with sudo systemctl restart systemd-sysctl

Then restarted the drone1 instance and tried to do an apt install. Did not work.

I’d like to have all instances connected to the drone_lan be able to access the internet.

Can anyone advise?

Asked By: Ender


Here’s one way:

On the HOST, create a bridge using Netplan:

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s7:
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      interfaces: [enp0s7]
      dhcp4: true
      dhcp6: true

Beware: The IP address (from DHCP) of the host will change when applied! The br0 MAC address is different from the enp0s7 MAC address. To connect to the host, use the new br0 IP address.

Add to the profile of each container (or add to default profile, or create a named "network" profile):

devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic

This method requires no mucking about with firewalld, nor vlans. No packet forwarding. You can see that each nic talks directly to the host bridge. IP addresses are handed out by the upstream router, so host server and all containers are on the same LAN, and all are visible to the router.

Of course, this is a very simple working example on a test system. You can make it as complex as you wish.

Answered By: user535733
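The question tries three host-side adjustments for a managed LXD bridge (the ip_forward sysctl, ufw route rules on the bridge, and working around Docker). The following script is an added example, not from the question or the answer, that checks those three conditions from captured command output so it can be run offline; the interface name drone_lan and the sample outputs are constructed, and the live invocation at the end assumes root on the host. The bridged approach in the answer sidesteps all three because no forwarding happens on the host.

```bash
#!/usr/bin/env bash
# Each check takes command output as text and returns 0 (ok) or 1 (problem).

# Input: output of `sysctl net.ipv4.ip_forward`, e.g. "net.ipv4.ip_forward = 1".
check_ip_forward() {
  printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward *= *1$'
}

# Input: bridge name and output of `ufw show added`; looks for the
# "ufw route allow in|out on <bridge>" rules the question adds.
check_ufw_route() {
  bridge="$1"
  printf '%s\n' "$2" | grep -Eq "^ufw route allow (in|out) on ${bridge}( |\$)"
}

# Input: output of `iptables -S FORWARD`. Docker switches the FORWARD chain
# policy to DROP when it starts, which silently blocks traffic routed for an
# LXD bridge unless an explicit ACCEPT rule exists for it.
check_forward_policy() {
  printf '%s\n' "$1" | grep -Eq '^-P FORWARD ACCEPT$'
}

# Runs all three checks; prints one line per check and returns the number
# of failed checks (0 means every host-side condition is satisfied).
diagnose() {
  bridge="$1"; sysctl_out="$2"; ufw_out="$3"; ipt_out="$4"; failures=0
  check_ip_forward "$sysctl_out" && echo "ok   net.ipv4.ip_forward=1" \
    || { echo "FAIL net.ipv4.ip_forward is not 1"; failures=$((failures + 1)); }
  check_ufw_route "$bridge" "$ufw_out" && echo "ok   ufw route rule on $bridge" \
    || { echo "FAIL no 'ufw route allow ... on $bridge' rule"; failures=$((failures + 1)); }
  check_forward_policy "$ipt_out" && echo "ok   iptables FORWARD policy is ACCEPT" \
    || { echo "FAIL FORWARD policy is not ACCEPT (Docker sets DROP; add an ACCEPT rule for $bridge)"; failures=$((failures + 1)); }
  return "$failures"
}

# Live use on the host as root (assumed environment):
#   diagnose drone_lan "$(sysctl net.ipv4.ip_forward)" "$(ufw show added)" "$(iptables -S FORWARD)"
```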